Edit tour

Windows Analysis Report
Payment Challan.exe

Overview

General Information

Sample name:	Payment Challan.exe
Analysis ID:	1468050
MD5:	00801754bd615e4dd9e636a29823204a
SHA1:	3a4bea7747a8fbff333c51628e39e29bbbe34872
SHA256:	d10c34c796a14ad8a34aebb5311378dabcb15f14da5c1fdeb7cc1f1d7b499162
Infos:

Detection

Kutaki

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Kutaki Keylogger

C2 URLs / IPs found in malware configuration

Drops PE files to the startup folder

Initial sample is a PE file and has a suspicious name

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Payment Challan.exe (PID: 3476 cmdline: "C:\Users\user\Desktop\Payment Challan.exe" MD5: 00801754BD615E4DD9E636A29823204A)

cmd.exe (PID: 5292 cmdline: cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bkkmpxfk.exe (PID: 1824 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe" MD5: 00801754BD615E4DD9E636A29823204A)

bkkmpxfk.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe" MD5: 00801754BD615E4DD9E636A29823204A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Kutaki	Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki however works quite well against unhardened virtual machines and other analysis devices. By backdooring a legitimate application, it can fool unsophisticated detection methodologies.	No Attribution	https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/ https://sequretek.com/kutaki-stealer-analysis/	https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki

Malware Configuration

Threatname: Kutaki

{"C2 url": ["http://newlinkwotolove.club/love/three.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Payment Challan.exe	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
Process Memory Space: Payment Challan.exe PID: 3476	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
Process Memory Space: bkkmpxfk.exe PID: 1824	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
Process Memory Space: bkkmpxfk.exe PID: 7400	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Payment Challan.exe.400000.0.unpack	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
0.0.Payment Challan.exe.400000.0.unpack	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
11.2.bkkmpxfk.exe.400000.0.unpack	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
9.0.bkkmpxfk.exe.400000.0.unpack	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
11.0.bkkmpxfk.exe.400000.0.unpack	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
9.2.bkkmpxfk.exe.400000.0.unpack	JoeSecurity_Kutaki	Yara detected Kutaki Keylogger	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Payment Challan.exe, ProcessId: 3476, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment Challan.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://newlinkwotolove.club/love/three.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: Payment Challan.exe

Malware Configuration Extractor: Kutaki {"C2 url": ["http://newlinkwotolove.club/love/three.php"]}

Multi AV Scanner detection for domain / URL

Source: http://newlinkwotolove.club/love/three.php

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Virustotal: Detection: 40%			Perma Link

Multi AV Scanner detection for submitted file

Source: Payment Challan.exe	ReversingLabs: Detection: 52%
Source: Payment Challan.exe	Virustotal: Detection: 40%			Perma Link

Source: Payment Challan.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://newlinkwotolove.club/love/three.php

Source: Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///.)
Source: Payment Challan.exe, 00000000.00000003.2156142551.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2183683196.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145988187.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189422479.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///.h
Source: bkkmpxfk.exe, 00000009.00000002.3387810374.0000000004351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///.u-
Source: Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2167640238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189580389.0000000000938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///V.qK
Source: Payment Challan.exe, 00000000.00000003.2188079003.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2156142551.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2167640238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189144089.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189580389.0000000000938000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000002.3381248941.000000000084D000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2173722958.000000000084F000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2175989886.000000000084D000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2175525819.000000000084D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///ordiagoff.htmf.htm
Source: bkkmpxfk.exe, 00000009.00000002.3381248941.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///ordiagoff.htmf.htmy
Source: Payment Challan.exe, 00000000.00000003.2177028191.0000000004B87000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///
Source: bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///$u
Source: bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///Dv
Source: bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http:///res://ieframe.dll/dnserrordiagoff.htm#http:///dw
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Kutaki Keylogger

Source: Yara match	File source: Payment Challan.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Payment Challan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Payment Challan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bkkmpxfk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Challan.exe PID: 3476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bkkmpxfk.exe PID: 1824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bkkmpxfk.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe, type: DROPPED

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Challan.exe

Source: C:\Users\user\Desktop\Payment Challan.exe	Code function: 0_2_00405494		0_2_00405494
Source: C:\Users\user\Desktop\Payment Challan.exe	Code function: 0_2_004E61ED		0_2_004E61ED

Source: C:\Users\user\Desktop\Payment Challan.exe	Code function: String function: 00404FE2 appears 38 times
Source: C:\Users\user\Desktop\Payment Challan.exe	Code function: String function: 00405042 appears 81 times

Source: Payment Challan.exe, 00000000.00000003.2155835952.000000000435C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCashier Module.exe2342342342342342342340 vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000002.2190947516.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2183421304.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2183726823.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2182627234.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2185476524.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2157214813.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2148881332.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe, 00000000.00000003.2184289439.000000000434A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs Payment Challan.exe
Source: Payment Challan.exe	Binary or memory string: OriginalFilenameCashier Module.exe2342342342342342342340 vs Payment Challan.exe

Source: Payment Challan.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Payment Challan.exe	Binary or memory string: S*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbp
Source: bkkmpxfk.exe, 00000009.00000002.3380725774.0000000000538000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: x~A*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbp HmB
Source: Payment Challan.exe, 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280971205.0000000000538000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: Hmx~A*\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbp Hm
Source: Payment Challan.exe, bkkmpxfk.exe.0.dr	Binary or memory string: S\AC:\NEW LINK\NEW LINK UPDATE\120-CSC182\Cashier Platform.vbpj@

Source: classification engine

Classification label: mal100.troj.adwa.spyw.winEXE@8/14@0/0

Source: C:\Users\user\Desktop\Payment Challan.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dnserrordiagoff[1]

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03

Source: C:\Users\user\Desktop\Payment Challan.exe

File created: C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp

Jump to behavior

Source: Payment Challan.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr	Binary or memory string: SELECT tblYearLevel.YearLevelTitle as lvKey, tblYearLevel.YearLevelTitle FROM tblYearLevel;4Please Select in the list.zLength of Base64 encoded input string is not a multiple of 4.RIllegal character in Base64 encoded data.
Source: Payment Challan.exe	Binary or memory string: SELECT tblYearLevel.YearLevelTitle as lvKey, tblYearLevel.YearLevelTitle FROM tblYearLevel;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr	Binary or memory string: SELECT 'D-' & String$(2-Len(Count()+1),'0') & Count()+1 AS NewID( FROM tblDepartment;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr	Binary or memory string: SELECT Count(*) AS SubjectCount, tblSubject.DepartmentID, tblSubject.YearLevelID From tblSubjectr GROUP BY tblSubject.DepartmentID, tblSubject.YearLevelIDJ HAVING (((tblSubject.DepartmentID)='B') AND ((tblSubject.YearLevelID)=L Where (((tblSubject.DepartmentID) = 'F') And ((tblSubject.YearLevelID) = > GROUP BY tblSubject.SubjectID;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr	Binary or memory string: SELECT CStr(Year(Now()))+'-'+Left('00000000',7-Len(CStr(Max(Val(Right([tblStudent]![StudentID],7)))+1)))+CStr(Max(Val(Right([tblStudent]![StudentID],7)))+1) AS maxId FROM tblStudent;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr	Binary or memory string: SELECT 'SUB-' & String$(6-Len(Count()+1),'0') & Count()+1 AS NewID" FROM tblSubject;
Source: Payment Challan.exe, 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Payment Challan.exe, 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, bkkmpxfk.exe, 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe, 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, bkkmpxfk.exe.0.dr	Binary or memory string: SELECT 'SEC-' & String$(6-Len(Count()+1),'0') & Count()+1 AS NewID" FROM tblSection;

Source: Payment Challan.exe	ReversingLabs: Detection: 52%
Source: Payment Challan.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\Payment Challan.exe

File read: C:\Users\user\Desktop\Payment Challan.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment Challan.exe "C:\Users\user\Desktop\Payment Challan.exe"
Source: C:\Users\user\Desktop\Payment Challan.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Challan.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"
Source: C:\Users\user\Desktop\Payment Challan.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Section loaded: msiso.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Payment Challan.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Payment Challan.exe

Static file information: File size 1553618 > 1048576

Source: Payment Challan.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x137000

Source: bkkmpxfk.exe.0.dr	Static PE information: real checksum: 0x17e44e should be: 0x17f692
Source: Payment Challan.exe	Static PE information: real checksum: 0x17e44e should be: 0x17f692

Source: C:\Users\user\Desktop\Payment Challan.exe

Code function: 0_2_00402634 push esp; iretd

0_2_00402635

Source: C:\Users\user\Desktop\Payment Challan.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\Payment Challan.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Payment Challan.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe	Memory allocated: 3AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Memory allocated: 3A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Memory allocated: 48A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Memory allocated: 4A20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Memory allocated: 4B60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Memory allocated: 4BA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Memory allocated: 3B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Memory allocated: 3AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Memory allocated: 48B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Memory allocated: 4A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Memory allocated: 4B70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Memory allocated: 4BB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Payment Challan.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Payment Challan.exe, 00000000.00000003.2186068860.00000000008EA000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2156142551.00000000008EA000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189348191.00000000008EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: bkkmpxfk.exe, 00000009.00000002.3381248941.00000000007E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Payment Challan.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Challan.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment Challan.exe	53%	ReversingLabs	Win32.Trojan.Kutaki
Payment Challan.exe	41%	Virustotal		Browse
Payment Challan.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	53%	ReversingLabs	Win32.Trojan.Kutaki
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe	41%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http:///V.qK	0%	Avira URL Cloud	safe
http://newlinkwotolove.club/love/three.php	100%	Avira URL Cloud	malware
http:///ordiagoff.htmf.htmy	0%	Avira URL Cloud	safe
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///dw	0%	Avira URL Cloud	safe
http:///.u-	0%	Avira URL Cloud	safe
http:///.)	0%	Avira URL Cloud	safe
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///$u	0%	Avira URL Cloud	safe
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///Dv	0%	Avira URL Cloud	safe
http:///.h	0%	Avira URL Cloud	safe
http:///ordiagoff.htmf.htm	0%	Avira URL Cloud	safe
http://newlinkwotolove.club/love/three.php	16%	Virustotal		Browse
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://newlinkwotolove.club/love/three.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http:///V.qK	Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2167640238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189580389.0000000000938000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///dw	bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///.u-	bkkmpxfk.exe, 00000009.00000002.3387810374.0000000004351000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///ordiagoff.htmf.htmy	bkkmpxfk.exe, 00000009.00000002.3381248941.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///$u	bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///.)	Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///Dv	bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///.h	Payment Challan.exe, 00000000.00000003.2156142551.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2183683196.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145988187.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189422479.0000000000915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///ordiagoff.htmf.htm	Payment Challan.exe, 00000000.00000003.2188079003.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2156142551.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2148428882.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2167640238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189144089.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000003.2145877919.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Payment Challan.exe, 00000000.00000002.2189580389.0000000000938000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000002.3381248941.000000000084D000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2173722958.000000000084F000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2175989886.000000000084D000.00000004.00000020.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2175525819.000000000084D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http:///res://ieframe.dll/dnserrordiagoff.htm#http:///	Payment Challan.exe, 00000000.00000003.2177028191.0000000004B87000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000002.3390569438.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, bkkmpxfk.exe, 00000009.00000003.2189037882.0000000004B97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1468050
Start date and time:	2024-07-05 09:23:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Challan.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.winEXE@8/14@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target bkkmpxfk.exe, PID 1824 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:24:19	API Interceptor	2x Sleep call for process: Payment Challan.exe modified
03:24:21	API Interceptor	23253x Sleep call for process: bkkmpxfk.exe modified
09:24:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewErrorPageTemplate[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\errorPageStrings[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4722
Entropy (8bit):	5.16192639844512
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
MD5:	387B4FC78ABB97F378C5299D4D2CE305
SHA1:	6F2995FC620AB520C9EE1CA7244DF57367F983A2
SHA-256:	030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
SHA-512:	592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\httpErrorPagesScripts[1]

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewErrorPageTemplate[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dnserrordiagoff[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1681
Entropy (8bit):	4.567538112791388
Encrypted:	false
SSDEEP:	24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5:	C74D57042D3614B92F2E0AF783ACD5DE
SHA1:	415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256:	05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512:	F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\errorPageStrings[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4722
Entropy (8bit):	5.16192639844512
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
MD5:	387B4FC78ABB97F378C5299D4D2CE305
SHA1:	6F2995FC620AB520C9EE1CA7244DF57367F983A2
SHA-256:	030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
SHA-512:	592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\httpErrorPagesScripts[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\dnserrordiagoff[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1681
Entropy (8bit):	4.567538112791388
Encrypted:	false
SSDEEP:	24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5:	C74D57042D3614B92F2E0AF783ACD5DE
SHA1:	415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256:	05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512:	F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewErrorPageTemplate[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\dnserrordiagoff[1]

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1681
Entropy (8bit):	4.567538112791388
Encrypted:	false
SSDEEP:	24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5:	C74D57042D3614B92F2E0AF783ACD5DE
SHA1:	415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256:	05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512:	F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\errorPageStrings[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4722
Entropy (8bit):	5.16192639844512
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
MD5:	387B4FC78ABB97F378C5299D4D2CE305
SHA1:	6F2995FC620AB520C9EE1CA7244DF57367F983A2
SHA-256:	030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
SHA-512:	592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\httpErrorPagesScripts[1]

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

Download File

Process:	C:\Users\user\Desktop\Payment Challan.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1553618
Entropy (8bit):	6.149509296622149
Encrypted:	false
SSDEEP:	24576:Pfg8IQCyIHUUqOvMMMtUhBgsvAFaofmP/UDMS08Ckn3w:JIQCyg7vMMMtUh6svA4ofmP/SA8NA
MD5:	00801754BD615E4DD9E636A29823204A
SHA1:	3A4BEA7747A8FBFF333C51628E39E29BBBE34872
SHA-256:	D10C34C796A14AD8A34AEBB5311378DABCB15F14DA5C1FDEB7CC1F1D7B499162
SHA-512:	47FA210766B8B320C5DC299CCCE91F5586A91936E5079B5979A8E5ABFD49BD4724BD8651B5AF11B447E6E9358796C545AB6F02C8F017D712EADD48614505E035
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 41%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........6......5.....t5.....Rich.*..................PE..L....qf.................p... .......T............@.................................N.......................................4m..(...........................................................................0... ....................................text....l.......p.................. ..`.data...(...........................@....rsrc............ ..................@..@l.[J............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465931416561485
Encrypted:	false
SSDEEP:	6144:4zZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:uZHtBZWOKnMM6bFpZj4
MD5:	326999FF42C0D33D990B00F026954C10
SHA1:	C911841F0D17FAEAC6D5BD0AA2E90BC7454B5396
SHA-256:	3748EE03B8D71C51CCF34B43BB53ABD5D43F19C613AF7D9ECEB14C0A84D8483F
SHA-512:	4B5F3BC9E9C19A6A391354FE63EDE27BF6932838EF2C29F9C9656D3AD42E83568A0A7C05A678D66B19C14FDF5BD1510BD0FB1794D616EDA1693B040D2ABE985D
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.o.Y.................................................................................................................................................................................................................................................................................................................................................;.m........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.149509296622149
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment Challan.exe
File size:	1'553'618 bytes
MD5:	00801754bd615e4dd9e636a29823204a
SHA1:	3a4bea7747a8fbff333c51628e39e29bbbe34872
SHA256:	d10c34c796a14ad8a34aebb5311378dabcb15f14da5c1fdeb7cc1f1d7b499162
SHA512:	47fa210766b8b320c5dc299ccce91f5586a91936e5079b5979a8e5abfd49bd4724bd8651b5af11b447e6e9358796c545ab6f02c8f017d712eadd48614505e035
SSDEEP:	24576:Pfg8IQCyIHUUqOvMMMtUhBgsvAFaofmP/UDMS08Ckn3w:JIQCyg7vMMMtUh6svA4ofmP/SA8NA
TLSH:	96758D23A3D4E727D5398E71597B5EB40619FC39156A890BA5403B0FEBB2EC2053732B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............6......5.....t5.....Rich.*..................PE..L.....qf.................p... .......T............@........

File Icon


Icon Hash:	00869eb0b230201f

Static PE Info

General

Entrypoint:	0x405494
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6671A3D3 [Tue Jun 18 15:12:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bbbc09b8643dca9dcbc41feaf4f2fbb6

Entrypoint Preview

Instruction
push 0040620Ch
call 00007FA31CB93753h
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add dword ptr [ebp-2E890B59h], eax
add eax, dword ptr [eax]
inc esi
mov al, CBh
xlatb
sbb al, F2h
jns 00007FA31CB93793h
retn 3D7Ah
mov eax, dword ptr [2E1FDF25h]
dec edi
mov ah, 2Dh
mov al, 36h
fucomip st(0), st(0)
and dword ptr [esi+33AD4F3Ah], esp
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [726F4600h], al
insd
xor dword ptr [eax], eax
or eax, 46000501h
outsd
jc 00007FA31CB937CFh
xor dword ptr [eax], eax
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and edi, edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x136d34	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x148000	0x413f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3b0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136c18	0x137000	c5839c7ff98fa6f32c2b52494b2dd9e0	False	0.3043161864449357	data	5.617665253051609	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x138000	0xf828	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x148000	0x413f8	0x42000	3993e5db66e053692f32382b2f5e2d18	False	0.9822221235795454	data	7.972734114189162	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CUSTOM	0x148230	0x40800	OpenPGP Public Key			1.0003444464631783
CUSTOM	0x188a30	0x16	ASCII text, with CRLF line terminators			1.3636363636363635
CUSTOM	0x188a48	0xff	data			0.8235294117647058
CUSTOM	0x188b48	0xe6	ISO-8859 text, with CRLF line terminators			0.14347826086956522
RT_ICON	0x188c30	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 256			0.3223684210526316
RT_ICON	0x188d60	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.19623655913978494
RT_ICON	0x189048	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.4155405405405405
RT_GROUP_ICON	0x189170	0x30	data			1.0
RT_VERSION	0x1891a0	0x258	data	English	United States	0.485

Imports

DLL

Import

MSVBVM60.DLL

EVENT_SINK_GetIDsOfNames, __vbaVarSub, __vbaVarTstGt, __vbaStrI2, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaLateIdCall, __vbaStrVarMove, __vbaPut3, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, EVENT_SINK_Invoke, __vbaNextEachVar, __vbaRaiseEvent, __vbaFreeObjList, __vbaVarIndexLoadRef, __vbaStrErrVarCopy, _adj_fprem1, __vbaForEachCollAd, __vbaVarCmpNe, __vbaStrCat, __vbaRecDestruct, __vbaSetSystemError, __vbaLenBstrB, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaVarIndexLoadRefLock, __vbaLateMemSt, __vbaVarForInit, __vbaExitProc, __vbaForEachCollObj, __vbaI4Abs, __vbaCyAdd, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaCyStr, __vbaFpR4, __vbaBoolVar, __vbaRefVarAry, __vbaFpR8, __vbaVarTstLt, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaNextEachCollObj, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaExitEachColl, __vbaAryConstruct2, __vbaVarTstEq, __vbaPutOwner4, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaCastObjVar, __vbaLbound, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, Zombie_GetTypeInfoCount, __vbaStrR8, __vbaR8Cy, __vbaRedim, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaUI1I4, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaDateStr, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaDateVar, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVar2Vec, __vbaVarLateMemCallLdRf, __vbaR8Str, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaVarSetObj, __vbaStrCopy, __vbaI4Str, __vbaVarCmpLt, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarCmpEq, __vbaFpCy, __vbaAryLock, __vbaLateMemCall, __vbaVarAdd, __vbaStrComp, __vbaStrToAnsi, __vbaFreeVarg, __vbaVarDup, __vbaFpI2, __vbaFpI4, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaVarSetObjAddref, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, __vbaStrVarCopy, __vbaForEachVar, _allmul, __vbaVarLateMemCallSt, __vbaLateIdSt, _CItan, __vbaNextEachCollAd, __vbaUI1Var, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaStrCy, __vbaI4ErrVar, __vbaRecAssign, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:24:18
Start date:	05/07/2024
Path:	C:\Users\user\Desktop\Payment Challan.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Challan.exe"
Imagebase:	0x400000
File size:	1'553'618 bytes
MD5 hash:	00801754BD615E4DD9E636A29823204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: 00000000.00000000.2125078534.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:24:19
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c C:\Users\user\AppData\Local\Temp\NewBitmapImage.bmp
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:24:19
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:24:21
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"
Imagebase:	0x400000
File size:	1'553'618 bytes
MD5 hash:	00801754BD615E4DD9E636A29823204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: 00000009.00000002.3380148756.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: 00000009.00000000.2154345517.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 53%, ReversingLabs Detection: 41%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:24:32
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe"
Imagebase:	0x400000
File size:	1'553'618 bytes
MD5 hash:	00801754BD615E4DD9E636A29823204A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: 0000000B.00000000.2273906905.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Kutaki, Description: Yara detected Kutaki Keylogger, Source: 0000000B.00000002.2280602194.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.2%
Total number of Nodes:	1131
Total number of Limit Nodes:	92

Executed Functions

Function 00405494 Relevance: 1.9, APIs: 1, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(0040620C), ref: 00405499

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: bb4bc993fa8c7b67d2646b44020640c57794a37a6937de1cf0fbc0d224e1c8f9
Instruction ID: b6095e9eed33486aa32d443838bc191667a2fc03c847f4f5a8a3c0c5b9cbe75c
Opcode Fuzzy Hash: bb4bc993fa8c7b67d2646b44020640c57794a37a6937de1cf0fbc0d224e1c8f9
Instruction Fuzzy Hash: F1E1F72244E7C18FC7038B7489762A67FB1AE1321471E45EBC4C1DF1E3E669184ACBA6

Function 005296DA Relevance: 500.7, APIs: 270, Strings: 15, Instructions: 1992
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 005296F8
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0052973E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052977F
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0052978C
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,00404F16), ref: 0052979C
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00404F16), ref: 005297AC
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00404F16), ref: 005297BB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 005297D0
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00529816
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00529823
__vbaVarLateMemCallLdRf.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000), ref: 00529833
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00529843
__vbaNew2.MSVBVM60(00415498,005381C4,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0052985E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00529897
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 005298E1
#713.MSVBVM60(?), ref: 005298F8
__vbaStrMove.MSVBVM60(?), ref: 00529902
__vbaStrVarVal.MSVBVM60(?,?,00000008,000000FF,00000000,?), ref: 00529940
#711.MSVBVM60(?,00000000,?,?,00000008,000000FF,00000000,?), ref: 0052994D
__vbaAryVar.MSVBVM60(00002008,?,?,00000000,?,?,00000008,000000FF,00000000,?), ref: 0052995E
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,?,?,00000008,000000FF,00000000,?), ref: 00529974
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,?,?,00002008,?,?,00000000,?,?,00000008,000000FF,00000000,?), ref: 00529987
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00529999
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005299C6
__vbaObjSet.MSVBVM60(?,00000000), ref: 005299E8
__vbaDerefAry1.MSVBVM60(?,00000001,?,00000000), ref: 005299F8
__vbaLenBstr.MSVBVM60(00000000,?,00000001,?,00000000), ref: 005299FF
__vbaAryLock.MSVBVM60(?,?,00000000,?,00000001,?,00000000), ref: 00529A24
__vbaDerefAry1.MSVBVM60(?,00000001,?,?,00000000,?,00000001,?,00000000), ref: 00529A2E
#632.MSVBVM60(?,00004008,00000002,00000003), ref: 00529A5A
__vbaAryUnlock.MSVBVM60(?,?,00004008,00000002,00000003), ref: 00529A63
__vbaStrVarVal.MSVBVM60(?,?,?,?,00004008,00000002,00000003), ref: 00529A73

Part of subcall function 00531BEF: __vbaChkstk.MSVBVM60(00000000,00404F16,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00531C0B
Part of subcall function 00531BEF: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00404F16), ref: 00531C38
Part of subcall function 00531BEF: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16), ref: 00531C46
Part of subcall function 00531BEF: __vbaStrCmp.MSVBVM60(0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C5A
Part of subcall function 00531BEF: __vbaStrCopy.MSVBVM60(0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C72
Part of subcall function 00531BEF: __vbaAryDestruct.MSVBVM60(00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF,?,?,?,00000000), ref: 00531CCC
Part of subcall function 00531BEF: __vbaAryDestruct.MSVBVM60(00000000,?,00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF), ref: 00531CD7
Part of subcall function 00531BEF: __vbaFreeStr.MSVBVM60(00000000,?,00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF), ref: 00531CDF

__vbaStrMove.MSVBVM60(00000000,?,?,?,?,00004008,00000002,00000003), ref: 00529A83
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4), ref: 00529AC4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00529AE2
__vbaFreeObj.MSVBVM60(00000001,?,00000000), ref: 00529AED
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,00000001,?,00000000), ref: 00529B02
#608.MSVBVM60(00000003,00000074,?,?,?,00000001,?,00000000), ref: 00529B1A
#608.MSVBVM60(?,00000065,00000003,00000074,?,?,?,00000001,?,00000000), ref: 00529B28
#608.MSVBVM60(?,0000006D,?,00000065,00000003,00000074,?,?,?,00000001,?,00000000), ref: 00529B36
#608.MSVBVM60(00000070,00000070,?,0000006D,?,00000065,00000003,00000074,?,?,?,00000001,?,00000000), ref: 00529B44
__vbaVarCat.MSVBVM60(00000000,?,00000003,00000070,00000070,?,0000006D,?,00000065,00000003,00000074,?,?,?,00000001,?), ref: 00529B5E
__vbaVarCat.MSVBVM60(00000065,?,00000000,00000000,?,00000003,00000070,00000070,?,0000006D,?,00000065,00000003,00000074), ref: 00529B72
__vbaVarCat.MSVBVM60(00000000,00000070,00000000,00000065,?,00000000,00000000,?,00000003,00000070,00000070,?,0000006D,?,00000065,00000003), ref: 00529B86
#667.MSVBVM60(00000000,00000000,00000070,00000000,00000065,?,00000000,00000000,?,00000003,00000070,00000070,?,0000006D,?,00000065), ref: 00529B8C
__vbaStrMove.MSVBVM60(00000000,00000000,00000070,00000000,00000065,?,00000000,00000000,?,00000003,00000070,00000070,?,0000006D,?,00000065), ref: 00529B96
__vbaFreeVarList.MSVBVM60(00000007,00000003,?,00000000,?,00000065,00000070,00000000,00000000,00000000,00000070,00000000,00000065,?,00000000,00000000), ref: 00529BCE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000001,?,00000000), ref: 00529BF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00529C3A
__vbaStrMove.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00529C64

Part of subcall function 0050F083: __vbaChkstk.MSVBVM60(?,00404F16), ref: 0050F09F
Part of subcall function 0050F083: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0050F0CF
Part of subcall function 0050F083: __vbaStrCopy.MSVBVM60(000000FF), ref: 0050F0F3
Part of subcall function 0050F083: __vbaOnError.MSVBVM60(000000FF,000000FF), ref: 0050F101
Part of subcall function 0050F083: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F14A
Part of subcall function 0050F083: __vbaVarMove.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F155
Part of subcall function 0050F083: __vbaFreeVar.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F15D
Part of subcall function 0050F083: __vbaVarTstEq.MSVBVM60(00008008,?,?,00004008,00000001,00000002), ref: 0050F17F
Part of subcall function 0050F083: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,00008008,?,?,00004008,00000001,00000002), ref: 0050F1A3
Part of subcall function 0050F083: __vbaFreeVar.MSVBVM60(0050F23D,00008008,?,00008008,?,?,00004008,00000001,00000002), ref: 0050F237

__vbaObjSet.MSVBVM60(?,00000000,?), ref: 00529C77
__vbaFreeStr.MSVBVM60(?,00000000,?), ref: 00529C7F
__vbaFreeObj.MSVBVM60(?,00000000,?), ref: 00529C87
__vbaInStrVar.MSVBVM60(?,00000000,00000008,00000009,00000001), ref: 00529CDE
__vbaI2Var.MSVBVM60(00000000,?,00000000,00000008,00000009,00000001), ref: 00529CE4
__vbaFreeVarList.MSVBVM60(00000002,00000009,?,00000000,?,00000000,00000008,00000009,00000001), ref: 00529CFD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00529D1F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00529D37
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00529D81
__vbaLenBstr.MSVBVM60(00000000), ref: 00529D98
#632.MSVBVM60(00000000,00000009,00000002,00000003,00000000), ref: 00529DF0
__vbaStrVarMove.MSVBVM60(00000000,00000000,00000009,00000002,00000003,00000000), ref: 00529DFC
__vbaStrMove.MSVBVM60(00000000,00000000,00000009,00000002,00000003,00000000), ref: 00529E06
__vbaFreeStr.MSVBVM60(00000000,00000000,00000009,00000002,00000003,00000000), ref: 00529E0E
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,00000000,00000000,00000009,00000002,00000003,00000000), ref: 00529E1D
__vbaFreeVarList.MSVBVM60(00000003,00000009,00000003,00000000), ref: 00529E3C
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00529E5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 00529EC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00529F16
__vbaChkstk.MSVBVM60(00000000,?,0041B868,00000050), ref: 00529F41
#689.MSVBVM60(00000000,saverbro,saverbro), ref: 00529F5F
__vbaStrMove.MSVBVM60(00000000,saverbro,saverbro), ref: 00529F69
__vbaFreeStr.MSVBVM60(00000000,saverbro,saverbro), ref: 00529F71
__vbaFreeObj.MSVBVM60(00000000,saverbro,saverbro), ref: 00529F79
__vbaVarDup.MSVBVM60(00000000,saverbro,saverbro), ref: 00529FA5
#711.MSVBVM60(00000003,?,00000009,000000FF,00000000,00000000,saverbro,saverbro), ref: 00529FBF
__vbaAryVar.MSVBVM60(00002008,00000003,00000003,?,00000009,000000FF,00000000,00000000,saverbro,saverbro), ref: 00529FD0
__vbaAryCopy.MSVBVM60(?,?,00002008,00000003,00000003,?,00000009,000000FF,00000000,00000000,saverbro,saverbro), ref: 00529FE6
__vbaFreeVarList.MSVBVM60(00000002,00000009,00000003,?,?,00002008,00000003,00000003,?,00000009,000000FF,00000000,00000000,saverbro,saverbro), ref: 00529FFB
__vbaUbound.MSVBVM60(00000001,?), ref: 0052A023
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 0052A070
__vbaI4Var.MSVBVM60(?), ref: 0052A08B
__vbaDerefAry1.MSVBVM60(?,00000000,?), ref: 0052A094
__vbaStrCat.MSVBVM60(0041F618,00000000,?,00000000,?), ref: 0052A0A0
__vbaStrMove.MSVBVM60(0041F618,00000000,?,00000000,?), ref: 0052A0AA
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041F618,00000000,?,00000000,?), ref: 0052A0BD
__vbaFreeStr.MSVBVM60(?,00000000,00000000,0041F618,00000000,?,00000000,?), ref: 0052A0C5
__vbaChkstk.MSVBVM60(00000008,00000001,?,00000000,00000000,0041F618,00000000,?,00000000,?), ref: 0052A115
__vbaLateMemCallLd.MSVBVM60(00000009,?,Item,00000001,00000008,00000001,?,00000000,00000000,0041F618,00000000,?,00000000,?), ref: 0052A137
__vbaInStrVar.MSVBVM60(00000003,00000000,00000000,?,?), ref: 0052A149
__vbaVarTstGt.MSVBVM60(00008002,00000000,00000003,00000000,00000000,?,?), ref: 0052A156
__vbaFreeVarList.MSVBVM60(00000002,00000009,00000003,00008002,00000000,00000003,00000000,00000000,?,?), ref: 0052A172
__vbaVarForNext.MSVBVM60(?,?,?), ref: 0052AE23
__vbaFreeVarList.MSVBVM60(00000002,?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AECA
__vbaFreeVar.MSVBVM60(?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AED5
__vbaFreeStr.MSVBVM60(?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AEDD
__vbaFreeStr.MSVBVM60(?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AEE5
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AEF0
__vbaFreeStr.MSVBVM60(00000000,?,?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AEF8
__vbaFreeObj.MSVBVM60(00000000,?,?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AF00
__vbaFreeStr.MSVBVM60(00000000,?,?,?,0052AF3F,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052AF08
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,?,?,0052AF3F,?,?,00000000), ref: 0052AF13
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,?,?,0052AF3F,?,?,00000000), ref: 0052AF1B
__vbaAryDestruct.MSVBVM60(00000000,00000000,00000000,?,00000000,?,?,?,0052AF3F,?,?,00000000), ref: 0052AF26
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,0052AF3F,?,?,00000000), ref: 0052AF31
__vbaFreeStr.MSVBVM60(00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,0052AF3F,?,?,00000000), ref: 0052AF39
__vbaErrorOverflow.MSVBVM60(00000000,?,00000001,?,00000000), ref: 0052AF5E
__vbaChkstk.MSVBVM60(00000000,00404F16), ref: 0052AF81
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16), ref: 0052AFC7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00404F16), ref: 0052AFE6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,00404F16), ref: 0052B004
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 0052B048
__vbaR8Str.MSVBVM60(?), ref: 0052B05F
__vbaStrR8.MSVBVM60(?,?,?), ref: 0052B079
__vbaStrMove.MSVBVM60(?,?,?), ref: 0052B083
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054,?,?,?), ref: 0052B0BE

Strings

saverbro, xrefs: 00529F2A, 00529F52, 00529F57, 0052A954, 0052A959
uid, xrefs: 0052A0E4, 0052A7E7, 0052A990
", xrefs: 0052AE0A
Title, xrefs: 00529760
Uninstall, xrefs: 0052A507
/new/, xrefs: 0052ACCE
Body, xrefs: 005297F7
url, xrefs: 0052A3F0
DnE, xrefs: 0052A1A5
?dd=, xrefs: 0052AD23
innerText, xrefs: 005297F0
php.kj, xrefs: 0052ACE3
Target, xrefs: 0052974A
Item, xrefs: 0052A128, 0052A1CF, 0052A320, 0052A41A, 0052A45B, 0052A531, 0052A682, 0052A818, 0052A9D5
Reported, xrefs: 0052ADC5

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$List$Move$CheckHresult$CallChkstkDestructErrorLate$Copy$#608$#632Ary1Deref$#711BstrNew2$#667#689#713InitLockNextOverflowUboundUnlock
String ID: "$/new/$?dd=$Body$DnE$Item$Reported$Target$Title$Uninstall$innerText$php.kj$saverbro$uid$url
API String ID: 1266391951-3117464701
Opcode ID: 39344fb0e4de3ed775b3beae17fff78bceb9d0e9e53cb37e936b3a90d9d96a71
Instruction ID: 68c412fe7f20047a9069fab476c10d77f9a0f153bf8cf941048a03cc472bd112
Opcode Fuzzy Hash: 39344fb0e4de3ed775b3beae17fff78bceb9d0e9e53cb37e936b3a90d9d96a71
Instruction Fuzzy Hash: 5F03F7B1900628AFDB21EFA1CC45FDEB7B8BF04304F1040AAB509BB191DB755A85DFA5

Function 00533134 Relevance: 483.3, APIs: 263, Strings: 12, Instructions: 2030COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16,000000FF,?,?,?,?,00404F16), ref: 00533152
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16,000000FF), ref: 00533182
#670.MSVBVM60(?,000000FF,?,?,?,?,00404F16,000000FF), ref: 00533195
__vbaStrVarMove.MSVBVM60(?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331A1
__vbaStrMove.MSVBVM60(?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331AB
__vbaFreeVar.MSVBVM60(?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331B6
__vbaStrCmp.MSVBVM60(fsrtg,?,?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331CA
__vbaNew2.MSVBVM60(00415498,005381C4,fsrtg,?,?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331F1
__vbaChkstk.MSVBVM60 ref: 00533245
__vbaChkstk.MSVBVM60 ref: 00533259
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BBE4,000002B0), ref: 005332A5
__vbaNew2.MSVBVM60(00419EE8,00539E00,fsrtg,?,?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005337B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 00533816
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00533872
__vbaChkstk.MSVBVM60(00000000,?,0041B868,00000050), ref: 0053389D
#689.MSVBVM60(?,namebro,namebro), ref: 005338BE
__vbaStrMove.MSVBVM60(?,namebro,namebro), ref: 005338CB
__vbaFreeStr.MSVBVM60(?,namebro,namebro), ref: 005338D6
__vbaFreeObj.MSVBVM60(?,namebro,namebro), ref: 005338E1
__vbaLenBstr.MSVBVM60(?,?,namebro,namebro), ref: 005338F3
__vbaStrMove.MSVBVM60(00000006,?,?,namebro,namebro), ref: 00533925
__vbaStrCat.MSVBVM60(0042A71C,00000000,00000006,?,?,namebro,namebro), ref: 00533930
__vbaStrMove.MSVBVM60(0042A71C,00000000,00000006,?,?,namebro,namebro), ref: 0053393D
__vbaFreeStr.MSVBVM60(0042A71C,00000000,00000006,?,?,namebro,namebro), ref: 00533948
__vbaNew2.MSVBVM60(00419EE8,00539E00,0042A71C,00000000,00000006,?,?,namebro,namebro), ref: 00533967

Strings

*.exe, xrefs: 005341AA
.exe, xrefs: 00533FCD
achibat123, xrefs: 00533EDC
fsrtg, xrefs: 005331C5, 00533D15
bcc, xrefs: 00535694
[, xrefs: 005358D1
CUSTOM, xrefs: 00533D62, 005344E6, 0053461E
uol, xrefs: 00533E51
achibat, xrefs: 00534A3A, 00534B5A, 0053517C
i, xrefs: 00534632
hiva, xrefs: 0053549E
namebro, xrefs: 005338AE, 005338B3, 00533A42, 00533A47

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$ChkstkFree$CheckHresultNew2$#670#689BstrError
String ID: *.exe$.exe$CUSTOM$[$achibat$achibat123$bcc$fsrtg$hiva$i$namebro$uol
API String ID: 1214543835-1426509533
Opcode ID: 0711da85e6c3ed793689df75aa627ad68d40b8639b9b12de4e4dada06d2f43e8
Instruction ID: 23fdfe130865e9fec8966e5fcf29925c44189b3b983552162382674ac0bd0426
Opcode Fuzzy Hash: 0711da85e6c3ed793689df75aa627ad68d40b8639b9b12de4e4dada06d2f43e8
Instruction Fuzzy Hash: A91315719416299BDB21EB51CC49FDEBBB8BB04304F1040EAE109B7291DBB69B88DF54

Function 00522C25 Relevance: 258.5, APIs: 142, Strings: 5, Instructions: 1231COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00522C43
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 00522C89
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 00522CA8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 00522CC3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00522CF8
__vbaLenBstr.MSVBVM60(?), ref: 00522D0F
__vbaStrI4.MSVBVM60(00000000,?), ref: 00522D15
__vbaStrMove.MSVBVM60(00000000,?), ref: 00522D1F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054), ref: 00522D48
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00522D66
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00404F16), ref: 00522D78
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,?,00404F16), ref: 00522D9A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00522DCF
__vbaStrCmp.MSVBVM60(YES,?), ref: 00522DEB
__vbaFreeStr.MSVBVM60(YES,?), ref: 00522DFE
__vbaFreeObj.MSVBVM60(YES,?), ref: 00522E06
__vbaObjSet.MSVBVM60(?,00000000), ref: 00522E31
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 00522E60
__vbaStrCat.MSVBVM60(?,Timer Val:), ref: 00522E7C
__vbaStrMove.MSVBVM60(?,Timer Val:), ref: 00522E86
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BC14,000006FC), ref: 00522EBA
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00522ED8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00522EE3
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00522EEB
__vbaNew2.MSVBVM60(00419EE8,00539E00,YES,?), ref: 00522F0A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 00522F57
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00522F98
__vbaChkstk.MSVBVM60(00000000,?,0041B868,00000050), ref: 00522FBD
#689.MSVBVM60(?,uparkx,uparkx), ref: 00522FD8
__vbaStrMove.MSVBVM60(?,uparkx,uparkx), ref: 00522FE2
__vbaFreeStr.MSVBVM60(?,uparkx,uparkx), ref: 00522FEA
__vbaFreeObj.MSVBVM60(?,uparkx,uparkx), ref: 00522FF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BBE4,00000054), ref: 00523024
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523052
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000050), ref: 00523081
__vbaR8Str.MSVBVM60(?), ref: 00523098
__vbaFreeStr.MSVBVM60(?), ref: 005230CA
__vbaFreeObj.MSVBVM60(?), ref: 005230D2
__vbaR8Str.MSVBVM60(?,?), ref: 005230ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BC14,000006F8), ref: 00523133
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052316D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 005231A2
__vbaLenBstr.MSVBVM60(?), ref: 005231B9
__vbaFreeStr.MSVBVM60(?), ref: 005231D1
__vbaFreeObj.MSVBVM60(?), ref: 005231D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BC14,0000073C), ref: 00523214
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00523242
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014), ref: 0052328F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 005232D0
__vbaStrI2.MSVBVM60(00000001), ref: 005232E6
__vbaStrMove.MSVBVM60(00000001), ref: 005232F0
#690.MSVBVM60(?,uparkx,uparkx,00000000,00000001), ref: 00523303
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,uparkx,uparkx,00000000,00000001), ref: 00523312
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 0052331D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052333C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523357
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000050), ref: 00523386
__vbaR8Str.MSVBVM60(?), ref: 0052339D
__vbaStrR8.MSVBVM60(?,?,?), ref: 005233B7
__vbaStrMove.MSVBVM60(?,?,?), ref: 005233C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054,?,?,?), ref: 005233EA
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 00523408
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052341A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052343C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00523471
#581.MSVBVM60(?), ref: 00523488
__vbaObjSet.MSVBVM60(?,00000000), ref: 005234A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 005234D2
#581.MSVBVM60(?), ref: 005234E9
__vbaFpR8.MSVBVM60(?), ref: 005234EE
__vbaFpR8.MSVBVM60(?), ref: 005234FC
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00523535
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00523547
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BC14,000006F8), ref: 0052358D
__vbaObjSet.MSVBVM60(?,00000000), ref: 005235C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 005235FC
__vbaLenBstr.MSVBVM60(?), ref: 00523613
__vbaFreeStr.MSVBVM60(?), ref: 0052362B
__vbaFreeObj.MSVBVM60(?), ref: 00523633
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BC14,00000718), ref: 0052366E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052369C
__vbaStrI2.MSVBVM60(00000000,?,00000000), ref: 005236A6
__vbaStrMove.MSVBVM60(00000000,?,00000000), ref: 005236B0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 005236D9
__vbaFreeStr.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 005236F0
__vbaFreeObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 005236F8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523717
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523732
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 00523767
__vbaR8Str.MSVBVM60(?), ref: 0052377E
__vbaStrR8.MSVBVM60(?,?,?), ref: 00523798
__vbaStrMove.MSVBVM60(?,?,?), ref: 005237A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4,?,?,?), ref: 005237D1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 005237EF
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00523801
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523823
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 00523858
__vbaStrCmp.MSVBVM60(lala,?), ref: 00523874
__vbaFreeStr.MSVBVM60(lala,?), ref: 00523887
__vbaFreeObj.MSVBVM60(lala,?), ref: 0052388F
__vbaObjSet.MSVBVM60(?,00000000), ref: 005238BA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 005238EF
#581.MSVBVM60(?), ref: 00523906
__vbaFpR8.MSVBVM60(?), ref: 0052390B
__vbaFreeStr.MSVBVM60(?), ref: 0052393D
__vbaFreeObj.MSVBVM60(?), ref: 00523945
__vbaNew2.MSVBVM60(00419EE8,00539E00,?), ref: 00523970
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014,?,?,?), ref: 005239BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050,?,?,?), ref: 005239FE
__vbaStrI2.MSVBVM60(00000000,?,?,?,?,?), ref: 00523A14
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?), ref: 00523A1E
#690.MSVBVM60(?,uparkx,uparkx,00000000,00000000,?,?,?,?,?), ref: 00523A31
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,uparkx,uparkx,00000000,00000000,?,?,?,?,?), ref: 00523A40
__vbaFreeObj.MSVBVM60 ref: 00523A4B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523A6A
__vbaStrI2.MSVBVM60(00000000,?,00000000), ref: 00523A74
__vbaStrMove.MSVBVM60(00000000,?,00000000), ref: 00523A7E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00523AAD
__vbaFreeStr.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00523AC4
__vbaFreeObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00523ACC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523AF0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 00523B25
#581.MSVBVM60(?), ref: 00523B3C
__vbaFpR8.MSVBVM60(?), ref: 00523B41
__vbaFreeStr.MSVBVM60(?), ref: 00523B73
__vbaFreeObj.MSVBVM60(?), ref: 00523B7B
__vbaNew2.MSVBVM60(00419EE8,00539E00,?), ref: 00523BA6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014), ref: 00523BF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00523C34
__vbaStrI2.MSVBVM60(00000000), ref: 00523C4A
__vbaStrMove.MSVBVM60(00000000), ref: 00523C54
#690.MSVBVM60(?,uparkx,uparkx,00000000,00000000), ref: 00523C67
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,uparkx,uparkx,00000000,00000000), ref: 00523C76
__vbaFreeObj.MSVBVM60 ref: 00523C81
__vbaObjSet.MSVBVM60(?,00000000), ref: 00523CA0
__vbaStrI2.MSVBVM60(00000000,?,00000000), ref: 00523CAA
__vbaStrMove.MSVBVM60(00000000,?,00000000), ref: 00523CB4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00523CE3
__vbaFreeStr.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00523CFA
__vbaFreeObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00523D02
__vbaFreeStr.MSVBVM60(00523D54), ref: 00523D46
__vbaFreeStr.MSVBVM60(00523D54), ref: 00523D4E

Strings

Timer Val:, xrefs: 00522E74
uparkx, xrefs: 00522FCB, 00522FD0, 005232F6, 005232FB, 00523A24, 00523A29, 00523C5A, 00523C5F
%, xrefs: 00523C86
YES, xrefs: 00522DE6
lala, xrefs: 0052386F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$List$Move$#581New2$#690Bstr$Chkstk$#689Error
String ID: %$Timer Val:$YES$lala$uparkx
API String ID: 962597961-2635924996
Opcode ID: 689cdc41f9e6eb78d151e7a513e048cff37c54f96596c4a38381b1444b45deeb
Instruction ID: a3494d8d6af9bfb6452078991d5473624590371776d8d60eb62e7fb422e06577
Opcode Fuzzy Hash: 689cdc41f9e6eb78d151e7a513e048cff37c54f96596c4a38381b1444b45deeb
Instruction Fuzzy Hash: 7AC20371900218AFDF10EFA5D849BDEBBB9FF08305F10406AE109BB1A1DB795A85DF94

Function 00527E85 Relevance: 131.7, APIs: 69, Strings: 6, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00527EA3
__vbaStrCopy.MSVBVM60(?,?,?,?,00404F16), ref: 00527EE6
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 00527EF4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 00527F21
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00404F16), ref: 00527F2B
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,00404F16), ref: 00527F38
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,00404F16), ref: 00527F41
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,?,?,00404F16), ref: 00527F4B
__vbaFreeObj.MSVBVM60(00000000,?,?,?,?,?,?,?,00404F16), ref: 00527F53
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00527F62
__vbaLenBstr.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00527F74
__vbaStrCmp.MSVBVM60(control,?,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00527F90
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00527FCC
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00527FD6
__vbaVarLateMemCallLdRf.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000), ref: 00527FE3
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00527FF0
__vbaLenVar.MSVBVM60(?,00000000), ref: 00528000
__vbaStrVarMove.MSVBVM60(00000000,?,00000000), ref: 00528006
__vbaStrMove.MSVBVM60(00000000,?,00000000), ref: 00528010
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00528018
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000000,?,00000000), ref: 0052802B
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 00528062
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000,?,00000000,?,00000000), ref: 0052806C
__vbaVarLateMemCallLdRf.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 00528079
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00528086
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052808F
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00528099
__vbaFreeObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005280A1
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000000), ref: 005280B4
__vbaNew2.MSVBVM60(00415498,005381C4,?,?,?,00000000), ref: 005280D6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000), ref: 0052810F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0,?,?,?,00000000), ref: 00528159
#713.MSVBVM60(00000000), ref: 00528170
__vbaStrMove.MSVBVM60(00000000), ref: 0052817A
#711.MSVBVM60(?,?,00000008,000000FF,00000000,00000000), ref: 005281AB
__vbaAryVar.MSVBVM60(00002008,?,?,?,00000008,000000FF,00000000,00000000), ref: 005281B9
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,?,00000008,000000FF,00000000,00000000), ref: 005281CF
__vbaFreeStrList.MSVBVM60(00000002,00000000,00000000,?,?,00002008,?,?,?,00000008,000000FF,00000000,00000000), ref: 005281DE
__vbaFreeObj.MSVBVM60(000000FF,00000000,00000000), ref: 005281E9
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,000000FF,00000000,00000000), ref: 005281F8
__vbaDerefAry1.MSVBVM60(?,00000001,?,?,?,000000FF,00000000,00000000), ref: 0052820C
__vbaStrCopy.MSVBVM60(?,00000001,?,?,?,000000FF,00000000,00000000), ref: 00528216
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,000000FF,00000000,00000000), ref: 00528235
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4,?,?,?,000000FF,00000000,00000000), ref: 0052827E
__vbaFreeObj.MSVBVM60(?,?,?,000000FF,00000000,00000000), ref: 00528295
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,000000FF,00000000,00000000), ref: 005282B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4,?,?,?,000000FF,00000000,00000000), ref: 005282FF
__vbaFreeObj.MSVBVM60(?,?,?,000000FF,00000000,00000000), ref: 00528316
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,000000FF,00000000,00000000), ref: 00528335
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4,?,?,?,000000FF,00000000,00000000), ref: 0052837E
__vbaFreeObj.MSVBVM60(?,?,?,000000FF,00000000,00000000), ref: 00528395
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,000000FF,00000000,00000000), ref: 005283B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014,?,?,?,000000FF,00000000), ref: 00528416
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050,?,?,?,000000FF), ref: 0052846C
#690.MSVBVM60(00000000,altmeml,altmeml,00420C3C), ref: 00528492
__vbaFreeStr.MSVBVM60(00000000,altmeml,altmeml,00420C3C), ref: 0052849A
__vbaFreeObj.MSVBVM60(00000000,altmeml,altmeml,00420C3C), ref: 005284A2
__vbaNew2.MSVBVM60(00419EE8,00539E00,00000000,altmeml,altmeml,00420C3C), ref: 005284C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 00528523
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00528579
#690.MSVBVM60(00000000,Alturl,Alturl,?), ref: 0052859D
__vbaFreeStr.MSVBVM60(00000000,Alturl,Alturl,?), ref: 005285A5
__vbaFreeObj.MSVBVM60(00000000,Alturl,Alturl,?), ref: 005285AD
__vbaFreeStr.MSVBVM60(0052862C,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 005285FB
__vbaFreeStr.MSVBVM60(0052862C,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00528603
__vbaFreeStr.MSVBVM60(0052862C,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052860B
__vbaFreeStr.MSVBVM60(0052862C,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00528613
__vbaAryDestruct.MSVBVM60(00000000,?,0052862C,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 0052861E
__vbaFreeStr.MSVBVM60(00000000,?,0052862C,?,?,?,00000000,?,?,?,?,?,?,?,00404F16), ref: 00528626

Strings

innerText, xrefs: 00527FA6, 0052803C
Title, xrefs: 00527F02
altmeml, xrefs: 00528485, 0052848A
Body, xrefs: 00527FAD, 00528043
control, xrefs: 00527F8B
Alturl, xrefs: 00528590, 00528595

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CallCheckHresultLate$Move$List$CopyNew2$#690$#711#713Ary1BstrChkstkDerefDestructError
String ID: Alturl$Body$Title$altmeml$control$innerText
API String ID: 539958447-3668318966
Opcode ID: 647573541f219b4fed7959e034925e68562c98f5bddd7db591a19bfbcab940c1
Instruction ID: 47bd653479fbe890f8ebae39c9ee91143cb63872f432facb02d93fbc96e819ce
Opcode Fuzzy Hash: 647573541f219b4fed7959e034925e68562c98f5bddd7db591a19bfbcab940c1
Instruction Fuzzy Hash: B322E471900218AFDB10EBA1CD46FDEBBB8FF04304F5085AAF109BB191DB796A459F64

Function 005368AF Relevance: 87.8, APIs: 47, Strings: 3, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,?,005264C5,00000000), ref: 005368CD
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16), ref: 005368FD
__vbaNew2.MSVBVM60(00419EE8,00539E00,000000FF,?,?,?,00000000,00404F16), ref: 0053691C
__vbaChkstk.MSVBVM60(?), ref: 0053696E
__vbaChkstk.MSVBVM60(?), ref: 00536982
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000038), ref: 005369C5
#717.MSVBVM60(?,?,00000040,00000000), ref: 005369E5
__vbaStrVarMove.MSVBVM60(?,?,?,00000040,00000000), ref: 005369EE
__vbaStrMove.MSVBVM60(?,?,?,00000040,00000000), ref: 005369F8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000040,00000000), ref: 00536A07
__vbaVarDup.MSVBVM60 ref: 00536A2A
#711.MSVBVM60(?,?,?,000000FF,00000000), ref: 00536A3E
__vbaAryVar.MSVBVM60(00002008,?,?,?,?,000000FF,00000000), ref: 00536A4C
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,?,?,000000FF,00000000), ref: 00536A62
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00002008,?,?,?,?,000000FF,00000000), ref: 00536A71
__vbaDerefAry1.MSVBVM60(00000000,00000000,?,?,?,?,00000000,00404F16), ref: 00536A85
__vbaStrCopy.MSVBVM60(00000000,00000000,?,?,?,?,00000000,00404F16), ref: 00536A8F
__vbaVarDup.MSVBVM60 ref: 00536AAF
#667.MSVBVM60(?), ref: 00536AB8
__vbaStrMove.MSVBVM60(?), ref: 00536AC2
__vbaStrCat.MSVBVM60(0041EF1C,00000000,?), ref: 00536ACD
__vbaStrMove.MSVBVM60(0041EF1C,00000000,?), ref: 00536AD7
__vbaFreeStr.MSVBVM60(0041EF1C,00000000,?), ref: 00536ADF
__vbaFreeVar.MSVBVM60(0041EF1C,00000000,?), ref: 00536AE7
__vbaNew2.MSVBVM60(00419EE8,00539E00,0041EF1C,00000000,?), ref: 00536B06
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041EF1C), ref: 00536B58
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041EF1C), ref: 00536B6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000038), ref: 00536BAF
__vbaVar2Vec.MSVBVM60(?,?), ref: 00536BCB
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00536BD8
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 00536BE0
__vbaStrCat.MSVBVM60(?,00000000,?,?,?,?), ref: 00536BF2
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?), ref: 00536BFC
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000001,00000000,?,00000000,?,?,?,?), ref: 00536C11
__vbaPutOwner4.MSVBVM60(0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000,?,?,?,?), ref: 00536C2A
__vbaFileClose.MSVBVM60(00000001,0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000,?,?,?,?), ref: 00536C38
#713.MSVBVM60( c/ exe.dmc,00000001,0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000,?,?,?,?), ref: 00536C49
__vbaStrMove.MSVBVM60( c/ exe.dmc,00000001,0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000,?,?,?,?), ref: 00536C53
__vbaStrCat.MSVBVM60(00000000,?, c/ exe.dmc,00000001,0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000,?,?), ref: 00536C65
#600.MSVBVM60(00000008,00000000,00000000,?, c/ exe.dmc,00000001,0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000), ref: 00536C7A
__vbaFreeVar.MSVBVM60(00000008,00000000,00000000,?, c/ exe.dmc,00000001,0042A880,?,00000001,00000001,00000020,000000FF,00000001,00000000,?,00000000), ref: 00536C88

Strings

CUSTOM, xrefs: 00536945, 00536B2F
temp, xrefs: 00536A9B
c/ exe.dmc, xrefs: 00536C44

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$Chkstk$CheckCopyFileHresultListNew2$#600#667#711#713#717Ary1CloseDerefErrorOpenOwner4Var2
String ID: c/ exe.dmc$CUSTOM$temp
API String ID: 1536376004-1066934603
Opcode ID: 98767a6ed48474835c2a0a5a6be448d639d94f4a2f397032cac781cb970a4277
Instruction ID: 92e296f4bac5cd33598a90e2207655c7e0f6bdd6b0bf53c8119974d342f152a0
Opcode Fuzzy Hash: 98767a6ed48474835c2a0a5a6be448d639d94f4a2f397032cac781cb970a4277
Instruction Fuzzy Hash: 1DB117B1D00618AADB10EF91CC46BDEBBB9BF04308F50806AF504BB191DBB95A49CF55

Function 005365A2 Relevance: 82.4, APIs: 43, Strings: 4, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16), ref: 005365BE
__vbaOnError.MSVBVM60(000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 005365EE
#618.MSVBVM60(?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 00536601
__vbaStrMove.MSVBVM60(?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 0053660B
__vbaStrCmp.MSVBVM60(0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 00536616
__vbaFreeStr.MSVBVM60(0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 0053662A
__vbaStrCat.MSVBVM60(0041EF1C,?,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 00536648
__vbaStrMove.MSVBVM60(0041EF1C,?,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 00536652
#519.MSVBVM60(00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 00536663
__vbaStrMove.MSVBVM60(00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 0053666D
__vbaStrCmp.MSVBVM60(0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 00536678
__vbaFreeStr.MSVBVM60(0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 0053668B
__vbaStrCopy.MSVBVM60(0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 005366A7
#616.MSVBVM60(00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 005366BC
__vbaStrMove.MSVBVM60(00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000,00404F16), ref: 005366C6
__vbaStrCmp.MSVBVM60(0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000), ref: 005366D1
__vbaFreeStr.MSVBVM60(0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A,00000001,00000000), ref: 005366E5
__vbaStrCat.MSVBVM60(00000000,0042A824,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A), ref: 00536703
__vbaStrMove.MSVBVM60(00000000,0042A824,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A), ref: 0053670D
__vbaStrCat.MSVBVM60(00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000,?,00000001,000000FF,80020004,0000000A), ref: 00536723
#645.MSVBVM60(00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000), ref: 00536738
__vbaStrMove.MSVBVM60(00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000), ref: 00536742
__vbaFreeVar.MSVBVM60(00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000), ref: 0053674A
__vbaLenBstr.MSVBVM60(00000001,00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000), ref: 00536759
__vbaInStr.MSVBVM60(00000000,fk.exe,00000001,00000001,00000001,00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000), ref: 00536779
__vbaStrCat.MSVBVM60(00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe,00000001,00000001,00000001,00000008,00000000), ref: 00536795
__vbaStrMove.MSVBVM60(00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe,00000001,00000001,00000001,00000008,00000000), ref: 0053679F
__vbaStrCat.MSVBVM60( /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe,00000001,00000001,00000001), ref: 005367AA
#600.MSVBVM60(00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe,00000001), ref: 005367BF
__vbaFreeStr.MSVBVM60(00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe,00000001), ref: 005367CA
__vbaFreeVar.MSVBVM60(00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe,00000001), ref: 005367D2
__vbaSetSystemError.MSVBVM60(000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe), ref: 005367E8
#598.MSVBVM60(000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000,00000000,fk.exe), ref: 005367F4
__vbaStrCat.MSVBVM60(0041EF1C,?,000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000), ref: 0053680A
__vbaStrMove.MSVBVM60(0041EF1C,?,000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001,0000000A,00000000), ref: 00536814
__vbaStrCat.MSVBVM60(00000001,00000000,0041EF1C,?,000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001,00000001), ref: 0053681D
#529.MSVBVM60(00000008,00000001,00000000,0041EF1C,?,000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001), ref: 00536830
__vbaFreeStr.MSVBVM60(00000008,00000001,00000000,0041EF1C,?,000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001), ref: 00536838
__vbaFreeVar.MSVBVM60(00000008,00000001,00000000,0041EF1C,?,000003E8,00000008,00000000, /f,00000000,00000001,taskkill /im ,00000000,fk.exe,00000001,00000001), ref: 00536840
#645.MSVBVM60(0000000A,00000000,00000000,fk.exe,00000001,00000001,00000001,00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4), ref: 00536860
__vbaStrMove.MSVBVM60(0000000A,00000000,00000000,fk.exe,00000001,00000001,00000001,00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4), ref: 0053686A
__vbaFreeVar.MSVBVM60(0000000A,00000000,00000000,fk.exe,00000001,00000001,00000001,00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4), ref: 00536872
__vbaFreeStr.MSVBVM60(0053689E,00000001,00000008,00000000,00000000,?,0042A824,00000000,00000000,00000002,0041A0C4,00000000,00000000,0041EF1C,00000000), ref: 00536898

Strings

*.*, xrefs: 0053669F
/f, xrefs: 005367A5
fk.exe, xrefs: 00536772
taskkill /im , xrefs: 0053678D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$#645Error$#519#529#598#600#616#618BstrChkstkCopySystem
String ID: /f$*.*$fk.exe$taskkill /im
API String ID: 1319887025-904186722
Opcode ID: 88647ef56a5a0f94c8f98de4be24dc11daff97cc838a0e616c186d28e8357c6d
Instruction ID: e9ed8857e9494005692883da3e68e38b62778c0ca20e182d722c77bff8bcb144
Opcode Fuzzy Hash: 88647ef56a5a0f94c8f98de4be24dc11daff97cc838a0e616c186d28e8357c6d
Instruction Fuzzy Hash: A5714DB4A00209ABDB00FFA2C946BDEBBB5FF44708F50812AF501BB1D1DB795A45CB58

Function 0052876C Relevance: 54.5, APIs: 36, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 0052878A
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 005287D0

Part of subcall function 0051B964: __vbaChkstk.MSVBVM60(?,00404F16), ref: 0051B980
Part of subcall function 0051B964: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0051B9B0

__vbaNew2.MSVBVM60(00419EE8,00539E00,000000FF,?,?,?,?,00404F16), ref: 005287FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 00528848
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00528889
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 005288B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 005288E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 0052891A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00528961
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 00528988
__vbaObjSet.MSVBVM60(?,00000000), ref: 005289C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 005289F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00528A39
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 00528A60
__vbaObjSet.MSVBVM60(?,00000000), ref: 00528A99
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00528ACE
#690.MSVBVM60(?,?,?,000000FF), ref: 00528AEE
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,000000FF,?,?,?,000000FF), ref: 00528B05
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00528B27
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00528B49
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 00528B96
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00528BD7
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 00528BFE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00528C37
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 00528C68
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00528CAF
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 00528CD6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00528D0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 00528D40
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00528D87
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 00528DAE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00528DE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 00528E16
#690.MSVBVM60(?,?,?,?), ref: 00528E36
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 00528E4D
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00528E6F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$FreeList$#690ChkstkError
String ID:
API String ID: 1709411753-0
Opcode ID: dce42cfe4860ad9e98b46e42cd71cbe191c29baf33dd1f2570cacada97e74d23
Instruction ID: cd960e837959caf6bcbb2493036fed78dec6341fc05c85b80538adacab82c0be
Opcode Fuzzy Hash: dce42cfe4860ad9e98b46e42cd71cbe191c29baf33dd1f2570cacada97e74d23
Instruction Fuzzy Hash: DF32F271901218EFDB10DFE4C849BEEBBB9BF09305F1044AAE106BB2A1CB755A85DF50

Function 00527266 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00527282
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 005272C8
__vbaNew2.MSVBVM60(00419EE8,00539E00,000000FF,?,?,?,?,00404F16), ref: 005272E7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 0052732B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,0000007C), ref: 00527364
__vbaFreeObj.MSVBVM60(00000000,?,0041B868,0000007C), ref: 00527375
__vbaStrCopy.MSVBVM60(00000000,?,0041B868,0000007C), ref: 0052738C
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 005273AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000014), ref: 005273EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000068), ref: 0052742A
__vbaFreeObj.MSVBVM60(00000000,?,0041B868,00000068), ref: 00527443
__vbaEnd.MSVBVM60(00000000,?,0041B868,00000068), ref: 00527457

Part of subcall function 00533134: __vbaChkstk.MSVBVM60(?,00404F16,000000FF,?,?,?,?,00404F16), ref: 00533152
Part of subcall function 00533134: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16,000000FF), ref: 00533182
Part of subcall function 00533134: #670.MSVBVM60(?,000000FF,?,?,?,?,00404F16,000000FF), ref: 00533195
Part of subcall function 00533134: __vbaStrVarMove.MSVBVM60(?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331A1
Part of subcall function 00533134: __vbaStrMove.MSVBVM60(?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331AB
Part of subcall function 00533134: __vbaFreeVar.MSVBVM60(?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331B6
Part of subcall function 00533134: __vbaStrCmp.MSVBVM60(fsrtg,?,?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331CA
Part of subcall function 00533134: __vbaNew2.MSVBVM60(00415498,005381C4,fsrtg,?,?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005331F1
Part of subcall function 00533134: __vbaChkstk.MSVBVM60 ref: 00533245
Part of subcall function 00533134: __vbaChkstk.MSVBVM60 ref: 00533259
Part of subcall function 00533134: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041BBE4,000002B0), ref: 005332A5
Part of subcall function 00533134: __vbaNew2.MSVBVM60(00419EE8,00539E00,fsrtg,?,?,?,000000FF,?,?,?,?,00404F16,000000FF), ref: 005337B1

__vbaFreeVar.MSVBVM60(?), ref: 0052746F

Strings

[[$%]], xrefs: 00527381

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2$ErrorMove$#670Copy
String ID: [[$%]]
API String ID: 2501325181-2471564671
Opcode ID: 76a56e91919ac2eba332ecd7725cac890c2c8114b1030cb4e14d96d1cfeb9131
Instruction ID: cb3eadfcd1e92a1ed0b563e367e1a67c9e971b86ac7e4b60c9667e99d583cb82
Opcode Fuzzy Hash: 76a56e91919ac2eba332ecd7725cac890c2c8114b1030cb4e14d96d1cfeb9131
Instruction Fuzzy Hash: D06103B0900218EFCB10EFA5D949B9EBBF4FF08305F20442AE505BB2A1C7B55A45EF94

Function 004FF2BD Relevance: 18.2, APIs: 12, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 004FF2D9
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 004FF31F
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004FF353
__vbaNew2.MSVBVM60(00415498,005381C4), ref: 004FF383
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004FF3A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,0000000C), ref: 004FF3CA
__vbaFreeObj.MSVBVM60 ref: 004FF3DB
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004FF3FA
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004FF41E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000010), ref: 004FF447
__vbaFreeObj.MSVBVM60 ref: 004FF458

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$New2$AddrefCheckFreeHresult$ChkstkError
String ID:
API String ID: 3925160068-0
Opcode ID: 87400b8b6b85b1118ee94351c5e34632158258d52f943f307fef1fb86f145a7f
Instruction ID: 3e6d9c603ef2aae06ef99aaf6b49990d4a857eb94b058a2f0dcb17a4542357bb
Opcode Fuzzy Hash: 87400b8b6b85b1118ee94351c5e34632158258d52f943f307fef1fb86f145a7f
Instruction Fuzzy Hash: D4611A75900209EFCB00DF99C945BDEBBB5FF08315F10806AE505BB290C3B9A949DF99

Function 0052B695 Relevance: 4.5, APIs: 3, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 0052B6B1
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0052B6F7

Part of subcall function 0050D3C3: __vbaSetSystemError.MSVBVM60(00000012), ref: 0050D484
Part of subcall function 0050D3C3: __vbaNew2.MSVBVM60(00415498,005381C4,00000012), ref: 0050D4BB
Part of subcall function 0050D3C3: __vbaObjSet.MSVBVM60(?,00000000), ref: 0050D4DA
Part of subcall function 0050D3C3: __vbaNew2.MSVBVM60(00415498,005381C4,?,00000000), ref: 0050D4F4
Part of subcall function 0050D3C3: __vbaObjSet.MSVBVM60(?,00000000), ref: 0050D50C
Part of subcall function 0050D3C3: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0050D533

__vbaFreeVar.MSVBVM60(000000FF,000000FF,?,?,?,?,00404F16), ref: 0052B70F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$ErrorNew2$CheckChkstkFreeHresultSystem
String ID:
API String ID: 1532118498-0
Opcode ID: 01ce11cdff057b0d90a38fec607c50e698e511d7e6a909f7c3379cfb62078b26
Instruction ID: 42ccba5ba2849524a417c99df0ff5e36e849c03176907aee1aa070393fee8e72
Opcode Fuzzy Hash: 01ce11cdff057b0d90a38fec607c50e698e511d7e6a909f7c3379cfb62078b26
Instruction Fuzzy Hash: 2E0148B1800209AFDB00EFA8C94AB9DBFF4FF40754F508519F514AB2D1C3B8AA408B94

Function 0041EF44 Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc3568a4cb554459f0d269936277d0ba9e7246d2468eba6332460c57e8471e6
Instruction ID: 1de71ca02f95cc6dad792a5d7f71e6f27c772f379a4c44e460ffe589b5a30191
Opcode Fuzzy Hash: fcc3568a4cb554459f0d269936277d0ba9e7246d2468eba6332460c57e8471e6
Instruction Fuzzy Hash: 05B012B8384007BF530086B5BC429643280A6403803381C23FC01C22D4CF7CED82C12D

Function 04AE0FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156844168.0000000004AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ae0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: b0f9589ff6244dc2e5f284de56af7fc39532b876afed5af436e92aef6959a401
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04AE0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156844168.0000000004AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ae0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: b0f9589ff6244dc2e5f284de56af7fc39532b876afed5af436e92aef6959a401
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04AE0FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156844168.0000000004AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ae0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: b0f9589ff6244dc2e5f284de56af7fc39532b876afed5af436e92aef6959a401
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04AE0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156844168.0000000004AE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4ae0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: b0f9589ff6244dc2e5f284de56af7fc39532b876afed5af436e92aef6959a401
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04A60FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2155584208.0000000004A60000.00000010.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4a60000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction ID: ecdc1212b5ffb8dfd16d6e71fb608f1ea7ed612dbd3b8d2373d880fead7a0661
Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction Fuzzy Hash:

Function 04A60FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2155584208.0000000004A60000.00000010.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4a60000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction ID: ecdc1212b5ffb8dfd16d6e71fb608f1ea7ed612dbd3b8d2373d880fead7a0661
Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction Fuzzy Hash:

Function 04A60FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2155584208.0000000004A60000.00000010.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4a60000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction ID: ecdc1212b5ffb8dfd16d6e71fb608f1ea7ed612dbd3b8d2373d880fead7a0661
Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction Fuzzy Hash:

Function 04A60FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2155584208.0000000004A60000.00000010.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4a60000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction ID: ecdc1212b5ffb8dfd16d6e71fb608f1ea7ed612dbd3b8d2373d880fead7a0661
Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
Instruction Fuzzy Hash:

Function 04AA0FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156702566.0000000004AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4aa0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: edcae62d8cf8c4625c7878d4908b8bdbd835410be6bbe4ec94fefab333503bb1
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04AA0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156702566.0000000004AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4aa0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: edcae62d8cf8c4625c7878d4908b8bdbd835410be6bbe4ec94fefab333503bb1
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04AA0FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156702566.0000000004AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4aa0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: edcae62d8cf8c4625c7878d4908b8bdbd835410be6bbe4ec94fefab333503bb1
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04AA0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2156702566.0000000004AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4aa0000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction ID: edcae62d8cf8c4625c7878d4908b8bdbd835410be6bbe4ec94fefab333503bb1
Opcode Fuzzy Hash: ff76918a944367de81d1e556ded582aa5f4d5553cffdb7728517409e6615f5df
Instruction Fuzzy Hash:

Function 04B20FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2169502726.0000000004B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4b20000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 059baf8f8b64d14aa170cbea06fc1e64521c570df6f428a8fcc51e80c1e11549
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 04B20FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2169502726.0000000004B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4b20000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 059baf8f8b64d14aa170cbea06fc1e64521c570df6f428a8fcc51e80c1e11549
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 04B20FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2169502726.0000000004B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4b20000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 059baf8f8b64d14aa170cbea06fc1e64521c570df6f428a8fcc51e80c1e11549
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 04B20FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2169502726.0000000004B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_4b20000_Payment Challan.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 059baf8f8b64d14aa170cbea06fc1e64521c570df6f428a8fcc51e80c1e11549
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Non-executed Functions

Function 004E61ED Relevance: 296.0, APIs: 164, Strings: 4, Instructions: 2023COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6294
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E62BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000090), ref: 004E62E9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6305
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004E630F
__vbaCastObjVar.MSVBVM60(00000000), ref: 004E6318
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004E6322
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A67C,00000024), ref: 004E6366
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 004E6392
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E63A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004E63D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E63F7
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004E6401
__vbaCastObjVar.MSVBVM60(00000000), ref: 004E640A
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004E6414
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A67C,00000024), ref: 004E645E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 004E6481
#681.MSVBVM60(?,?,?,?), ref: 004E64E1
__vbaCastObjVar.MSVBVM60(?,0041A69C,?,?,?,?), ref: 004E64FA
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,?,?,?), ref: 004E6504
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000064), ref: 004E6527
__vbaFreeObjList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 004E655A
__vbaFreeVarList.MSVBVM60(00000008,?,00000002,?,00000002,0000000B,?,?,?,0000000B,?,?,?,?,?,?), ref: 004E6590
__vbaErrorOverflow.MSVBVM60(?,?,00000000,00000000), ref: 004E6633
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E66A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000048), ref: 004E66C9
__vbaFreeObj.MSVBVM60(00000000,00000000,00419BD0,00000048), ref: 004E66DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6711
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E6734

Strings

FirstEnable, xrefs: 004E758A, 004E7864
PreviousEnable, xrefs: 004E7650, 004E78BD
LastEnable, xrefs: 004E77DC, 004E796F
NextEnable, xrefs: 004E7716, 004E7916

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$CastFree$CallLateList$#681ErrorOverflow
String ID: FirstEnable$LastEnable$NextEnable$PreviousEnable
API String ID: 1986361574-3285818338
Opcode ID: 6a1ec4cef01ce9c7b3649724efd4a18c353bad40f2547a4bd1181977aff05324
Instruction ID: a7ea8e266c14ed71a7c0d3652d9636e8c8f1548aefc2f5e334a53e86733ae8ba
Opcode Fuzzy Hash: 6a1ec4cef01ce9c7b3649724efd4a18c353bad40f2547a4bd1181977aff05324
Instruction Fuzzy Hash: 85F228B1900618ABDB10EFA5C885EDFB7BCFF08704F10456AF605EB191DB78A9458FA4

Function 0051C5A9 Relevance: 136.9, APIs: 67, Strings: 11, Instructions: 428COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C634
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0051C65A
__vbaStrCat.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C669
__vbaStrMove.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C673
__vbaStrCat.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C67C
__vbaStrMove.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C686
__vbaStrCat.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C691
__vbaStrMove.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C69B
__vbaStrCat.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C6A6
__vbaStrMove.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C6B0
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?, ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C6C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C6F8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0051C71E
__vbaStrCat.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C72D
__vbaStrMove.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C737
__vbaStrCat.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C742
__vbaStrMove.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C74C
__vbaStrCat.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C755
__vbaStrMove.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C75F
__vbaStrCat.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C76A
__vbaStrMove.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C774
__vbaStrCat.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C77F
__vbaStrMove.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C789
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C7BA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0051C7E0
__vbaStrCat.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C7EF
__vbaStrMove.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C7F9
__vbaStrCat.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C804
__vbaStrMove.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C80E
__vbaStrCat.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C817
__vbaStrMove.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C821
__vbaStrCat.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C82C
__vbaStrMove.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C836
__vbaStrCat.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C841
__vbaStrMove.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C84B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C87C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0051C8A2
__vbaStrCat.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8B1
__vbaStrMove.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8BB
__vbaStrCat.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8C6
__vbaStrMove.MSVBVM60( WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8D0
__vbaStrCat.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8D9
__vbaStrMove.MSVBVM60(?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8E3
__vbaStrCat.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8EE
__vbaStrMove.MSVBVM60(%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C8F8
__vbaStrCat.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C903
__vbaStrMove.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C90D
__vbaStrCat.MSVBVM60( Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C918
__vbaStrMove.MSVBVM60( Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C922
__vbaStrCat.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000, Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C92D
__vbaStrMove.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000, Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000,?,00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C937
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?, ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000, Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000,%')),00000000), ref: 0051C95A
__vbaFreeObj.MSVBVM60(00000000, WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051C965
__vbaNew2.MSVBVM60(0041B32C,?), ref: 0051C97F
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 0051C996
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C9FF
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051CA09
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051CA12
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051CA1C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000002C), ref: 0051CA3D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0051CA4C
__vbaFreeVar.MSVBVM60 ref: 0051CA57
__vbaHresultCheckObj.MSVBVM60(00000000,?,00420CB8,00000720), ref: 0051CA75
__vbaVarDup.MSVBVM60(00538028,?,?,000000FF), ref: 0051CAB0
#595.MSVBVM60(?,00000000,?,?,?,00538028,?,?,000000FF), ref: 0051CAC6
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,?,?,00538028,?,?,000000FF), ref: 0051CADD
__vbaFreeStr.MSVBVM60(0051CB42,?,000000FF), ref: 0051CB3C

Strings

FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud, xrefs: 0051C728, 0051C7EA, 0051C8AC
ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];, xrefs: 0051C6A1, 0051C928
SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!, xrefs: 0051C723, 0051C7E5, 0051C8A7
Having (((Count(tblGraduate.StudentID)) < 1) ), xrefs: 0051C913
Having (((Count(tblGraduate.StudentID)) < 1) And ((Count(tblDropped.StudentID)) < 1)), xrefs: 0051C78F
GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd, xrefs: 0051C77A, 0051C83C, 0051C8FE
SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!, xrefs: 0051C65F
WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%, xrefs: 0051C664, 0051C73D, 0051C7FF, 0051C8C1
Having (((Count(tblDropped.StudentID)) < 1)), xrefs: 0051C851
%')), xrefs: 0051C68C, 0051C765, 0051C827, 0051C8E9
FATAL ERROR: PickStudent.cmdFind_Click - Connectrs, xrefs: 0051CA9F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$CheckHresult$List$New2$#595CallCastLate
String ID: FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud$ GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd$ Having (((Count(tblDropped.StudentID)) < 1))$ Having (((Count(tblGraduate.StudentID)) < 1) )$ Having (((Count(tblGraduate.StudentID)) < 1) And ((Count(tblDropped.StudentID)) < 1))$ ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];$ WHERE ((([tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName]) like '%$%'))$FATAL ERROR: PickStudent.cmdFind_Click - Connectrs$SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!$SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!
API String ID: 1236662129-13145291
Opcode ID: fe09020c9cb549fc763f4eb2cb33edd7dc02ec7617f3e6c4869f2985a753cf7f
Instruction ID: 4cab5b1aa9fc59440511f2d4d3266aa028ddf39dbdf42fb5c630c2961fc86f1e
Opcode Fuzzy Hash: fe09020c9cb549fc763f4eb2cb33edd7dc02ec7617f3e6c4869f2985a753cf7f
Instruction Fuzzy Hash: 9DE161B1A40619ABDB10EBA1DC46EEFBBBDEF54304F50012BF141F3191DA785A448FA9

Function 004FD595 Relevance: 121.1, APIs: 58, Strings: 11, Instructions: 388COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD5ED
__vbaStrMove.MSVBVM60( FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD5F7
__vbaStrCat.MSVBVM60( WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD602
__vbaStrMove.MSVBVM60( WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD60C
__vbaStrCat.MSVBVM60(?,00000000, WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD618
__vbaStrMove.MSVBVM60(?,00000000, WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD622
__vbaStrCat.MSVBVM60());,00000000,?,00000000, WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD62D
__vbaStrMove.MSVBVM60());,00000000,?,00000000, WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD637
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,));,00000000,?,00000000, WHERE (((tblFee.FeeID)=,00000000, FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD64A
__vbaNew2.MSVBVM60(0041B32C,?,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD664
__vbaNew2.MSVBVM60(0041B2FC,00538028,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD67B
__vbaNew2.MSVBVM60(0041B32C,?,00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD6AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054), ref: 004FD6CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?,?), ref: 004FD70F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000034,?,?,?,?,?), ref: 004FD732
__vbaI4Var.MSVBVM60(?,?,?,?,?,?), ref: 004FD73B
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?), ref: 004FD74D
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 004FD758
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004FD771
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000009C,?,?,?,?,?,?,?,?), ref: 004FD795
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 004FD79D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004FD7B0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004FD7CB
__vbaStrCat.MSVBVM60(0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?,?,?,?,?,?), ref: 004FD7DE
__vbaStrMove.MSVBVM60(0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?,?,?,?,?,?), ref: 004FD7E8
__vbaStrCat.MSVBVM60(Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?,?,?,?,?,?), ref: 004FD7F3
__vbaStrMove.MSVBVM60(Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?,?,?,?,?,?), ref: 004FD7FD
__vbaStrI4.MSVBVM60(00000001,00000000,Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?,?,?,?,?,?), ref: 004FD806
__vbaStrMove.MSVBVM60(00000001,00000000,Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?,?,?,?,?,?), ref: 004FD810
__vbaStrCat.MSVBVM60(00000000,00000001,00000000,Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?), ref: 004FD816
__vbaStrMove.MSVBVM60(00000000,00000001,00000000,Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?), ref: 004FD820
__vbaStrCat.MSVBVM60( Charge/s record/s.,00000000,00000000,00000001,00000000,Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?), ref: 004FD82B
__vbaStrMove.MSVBVM60( Charge/s record/s.,00000000,00000000,00000001,00000000,Reason: This entry contain ,00000000,0041A4CC,This Fee entry cannot be deleted.,?,00000000,?,?,?), ref: 004FD835
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054,?,?,?,?,?,?,?,?), ref: 004FD84E
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD869
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD874
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD887
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000009C,?,?,?,?,?,?,?,?,?), ref: 004FD8AB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD8B3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD8C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000009C,?,?,?,?,?,?,?,?,?), ref: 004FD8EA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD8F2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD921
__vbaLateIdSt.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD927
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FD92F
__vbaStrCopy.MSVBVM60(00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD943
__vbaStrCopy.MSVBVM60(00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD950
__vbaStrCopy.MSVBVM60(00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD95D
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD985
__vbaFreeVar.MSVBVM60(00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD990
__vbaNew2.MSVBVM60(00419EE8,00539E00,00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD9A7
__vbaObjSetAddref.MSVBVM60(?,?,00538028,?,?,000000FF,SELECT Count(tblCharge.ChargeID) AS CountOfChargeID), ref: 004FD9BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 004FD9DE
__vbaFreeObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 004FD9E6
__vbaCastObj.MSVBVM60(00000000,0041B31C), ref: 004FD9F1
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C), ref: 004FD9FB
__vbaFreeStr.MSVBVM60(004FDA4E,?,00000000,00000000,0041B31C), ref: 004FDA40
__vbaFreeObj.MSVBVM60(004FDA4E,?,00000000,00000000,0041B31C), ref: 004FDA48

Strings

Unable to connect RS Charges count., xrefs: 004FD93B
Charge/s record/s., xrefs: 004FD826
));, xrefs: 004FD628
ShowDetail, xrefs: 004FD948
frmDeleteFee, xrefs: 004FD955
CountOfChargeID, xrefs: 004FD6E0
FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID, xrefs: 004FD5C4
Reason: This entry contain , xrefs: 004FD7EE
SELECT Count(tblCharge.ChargeID) AS CountOfChargeID, xrefs: 004FD5BF
WHERE (((tblFee.FeeID)=, xrefs: 004FD5FD
This Fee entry cannot be deleted., xrefs: 004FD7D0

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresult$ListNew2$Copy$AddrefCastLate
String ID: Charge/s record/s.$ FROM tblFee LEFT JOIN tblCharge ON tblFee.FeeID = tblCharge.FeeID$ WHERE (((tblFee.FeeID)=$));$CountOfChargeID$Reason: This entry contain $SELECT Count(tblCharge.ChargeID) AS CountOfChargeID$ShowDetail$This Fee entry cannot be deleted.$Unable to connect RS Charges count.$frmDeleteFee
API String ID: 2621745569-1921875780
Opcode ID: 47de8874e73e4a54aae9a892cfd8422bd3f0f4a56892ea58ed0ae10bf0084cbb
Instruction ID: 8c4db93918f71890186d4eecb3146a5dc57bc85fd9db832be64e7ac782e9aa70
Opcode Fuzzy Hash: 47de8874e73e4a54aae9a892cfd8422bd3f0f4a56892ea58ed0ae10bf0084cbb
Instruction Fuzzy Hash: 22D11DB1D00619ABDB11EBA5CC46EEF77BDEF44704F10012BF501B7182DB789A458BA9

Function 00516B37 Relevance: 109.0, APIs: 57, Strings: 5, Instructions: 455COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00516BAE
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00516BB8
__vbaCastObjVar.MSVBVM60(00000000), ref: 00516BC1
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00516BCB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 00516BEA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00516C04
__vbaFreeVar.MSVBVM60 ref: 00516C0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00516C27
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 00516C48
__vbaFreeObj.MSVBVM60 ref: 00516C50
__vbaObjSet.MSVBVM60(?,00000000), ref: 00516C63
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 00516C84
__vbaFreeObj.MSVBVM60 ref: 00516C8C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00516CA1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00516CC0
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00516CCA
__vbaCastObjVar.MSVBVM60(00000000), ref: 00516CD3
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00516CDD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000044), ref: 00516CFC
__vbaStrI4.MSVBVM60(00000001,Selected Entry: ), ref: 00516D18
__vbaStrMove.MSVBVM60(00000001,Selected Entry: ), ref: 00516D22
__vbaStrCat.MSVBVM60(00000000,00000001,Selected Entry: ), ref: 00516D28
__vbaStrMove.MSVBVM60(00000000,00000001,Selected Entry: ), ref: 00516D32
__vbaStrCat.MSVBVM60(0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 00516D3D
__vbaStrMove.MSVBVM60(0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 00516D47
__vbaStrI4.MSVBVM60(00080005,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 00516D50
__vbaStrMove.MSVBVM60(00080005,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 00516D5A
__vbaStrCat.MSVBVM60(00000000,00080005,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 00516D60
__vbaStrMove.MSVBVM60(00000000,00080005,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 00516D6A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054), ref: 00516D87
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00516DA2
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000005,?,?,?,?,?), ref: 00516DB5
__vbaFreeVar.MSVBVM60 ref: 00516DC0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00516DE5
__vbaStrI4.MSVBVM60(00517868,Page ,00080001,?,00000000), ref: 00516E07
__vbaStrMove.MSVBVM60(00517868,Page ,00080001,?,00000000), ref: 00516E11
__vbaStrCat.MSVBVM60(00000000,00517868,Page ,00080001,?,00000000), ref: 00516E17
__vbaStrMove.MSVBVM60(00000000,00517868,Page ,00080001,?,00000000), ref: 00516E21
__vbaStrCat.MSVBVM60( of ,00000000,00000000,00517868,Page ,00080001,?,00000000), ref: 00516E2C
__vbaStrMove.MSVBVM60( of ,00000000,00000000,00517868,Page ,00080001,?,00000000), ref: 00516E36
__vbaStrI4.MSVBVM60(00080004,00000000, of ,00000000,00000000,00517868,Page ,00080001,?,00000000), ref: 00516E3D
__vbaStrMove.MSVBVM60(00080004,00000000, of ,00000000,00000000,00517868,Page ,00080001,?,00000000), ref: 00516E47
__vbaStrCat.MSVBVM60(00000000,00080004,00000000, of ,00000000,00000000,00517868,Page ,00080001,?,00000000), ref: 00516E4D
__vbaStrMove.MSVBVM60(00000000,00080004,00000000, of ,00000000,00000000,00517868,Page ,00080001,?,00000000), ref: 00516E57
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 00516E73
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00516E8E
__vbaFreeObj.MSVBVM60 ref: 00516E99

Strings

of , xrefs: 00516E27
Page 0 of 0, xrefs: 00516C6C
Page , xrefs: 00516DF5
Selected Entry: , xrefs: 00516D0C
No Record, xrefs: 00516C30

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$CheckHresult$List$CallCastLate
String ID: of $No Record$Page $Page 0 of 0$Selected Entry:
API String ID: 906691426-2321649253
Opcode ID: 88b92d4c8a9c06f829b6f554573800a46e147da675c79301e7d08c79fe299425
Instruction ID: b5f503aabf8ffff7fb02a54d611aaa9cb1dc9b73b215d34f5a02cca9ef147caf
Opcode Fuzzy Hash: 88b92d4c8a9c06f829b6f554573800a46e147da675c79301e7d08c79fe299425
Instruction Fuzzy Hash: 7FF129B2D00619ABCB00EBE5CD85DDFBBBDEF48704F10452AF501F7191DA78AA458BA4

Function 0052E054 Relevance: 107.2, APIs: 60, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,?,?,?,005189C5,?,asaso), ref: 0052E072
__vbaStrCopy.MSVBVM60(?,00000002,?,00000000,00404F16), ref: 0052E09F
__vbaStrCopy.MSVBVM60(?,00000002,?,00000000,00404F16), ref: 0052E0AA
__vbaAryConstruct2.MSVBVM60(?,0042A0B8,00000002,?,00000002,?,00000000,00404F16), ref: 0052E0BA
__vbaOnError.MSVBVM60(000000FF,?,0042A0B8,00000002,?,00000002,?,00000000,00404F16), ref: 0052E0C8
__vbaLenBstr.MSVBVM60(?,000000FF,?,0042A0B8,00000002,?,00000002,?,00000000,00404F16), ref: 0052E0D7
__vbaLenBstr.MSVBVM60(?,?,000000FF,?,0042A0B8,00000002,?,00000002,?,00000000,00404F16), ref: 0052E0EF
__vbaFreeStr.MSVBVM60(0052E852,?,?,00006011,00000040,00000000,?,?,?,?,?,?,00004008,00000080,00000000,?), ref: 0052E817
__vbaAryDestruct.MSVBVM60(00000000,?,0052E852,?,?,00006011,00000040,00000000,?,?,?,?,?,?,00004008,00000080), ref: 0052E82E
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,0052E852,?,?,00006011,00000040,00000000,?,?,?,?,?,?), ref: 0052E839
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,00000000,?,0052E852,?,?,00006011,00000040,00000000,?,?,?,?), ref: 0052E844
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,00000000,?,0052E852,?,?,00006011,00000040,00000000,?,?,?,?), ref: 0052E84C

Strings

&, xrefs: 0052E786

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Destruct$BstrCopyFree$ChkstkConstruct2Error
String ID: &
API String ID: 3246563234-1010288
Opcode ID: 2b8a2dd7505ac95e7a391a56eed8f40a61a962640bcd7cebd87354af5678a7e4
Instruction ID: e0e08cc99d4acb6725bc02ec7a6be24e3f852baf75f93ef3a322748780004e10
Opcode Fuzzy Hash: 2b8a2dd7505ac95e7a391a56eed8f40a61a962640bcd7cebd87354af5678a7e4
Instruction Fuzzy Hash: B03204B0D00228DFDB20DFA1C946BDEBBB5BF19305F1044AAE549B7281D7B85A88DF15

Function 0051E512 Relevance: 105.5, APIs: 55, Strings: 5, Instructions: 458COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 0051E530
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0051E571

Part of subcall function 0050F083: __vbaChkstk.MSVBVM60(?,00404F16), ref: 0050F09F
Part of subcall function 0050F083: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0050F0CF
Part of subcall function 0050F083: __vbaStrCopy.MSVBVM60(000000FF), ref: 0050F0F3
Part of subcall function 0050F083: __vbaOnError.MSVBVM60(000000FF,000000FF), ref: 0050F101
Part of subcall function 0050F083: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F14A
Part of subcall function 0050F083: __vbaVarMove.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F155
Part of subcall function 0050F083: __vbaFreeVar.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F15D
Part of subcall function 0050F083: __vbaVarTstEq.MSVBVM60(00008008,?,?,00004008,00000001,00000002), ref: 0050F17F
Part of subcall function 0050F083: __vbaObjSet.MSVBVM60(?,00000000,?,00000001,00008008,?,?,00004008,00000001,00000002), ref: 0050F1A3
Part of subcall function 0050F083: __vbaFreeVar.MSVBVM60(0050F23D,00008008,?,00008008,?,?,00004008,00000001,00000002), ref: 0050F237

__vbaObjSet.MSVBVM60(?,00000000,00000000,000000FF,?,?,?,?,00404F16), ref: 0051E58A

Part of subcall function 0050F027: __vbaStrCopy.MSVBVM60(00000000,00000000,?,?,?,00000000,00404F16,?,?,?,00000000,0041F538,?,00000001,?,?), ref: 0050F05B

__vbaStrMove.MSVBVM60(?,00000000,00000000,000000FF,?,?,?,?,00404F16), ref: 0051E5A0
__vbaStrCmp.MSVBVM60(0041A0C4,00000000,?,00000000,00000000,000000FF,?,?,?,?,00404F16), ref: 0051E5AB
__vbaObjIs.MSVBVM60(?,00000000,0041A0C4,00000000,?,00000000,00000000,000000FF,?,?,?,?,00404F16), ref: 0051E5BE
__vbaFreeStr.MSVBVM60(?,00000000,0041A0C4,00000000,?,00000000,00000000,000000FF,?,?,?,?,00404F16), ref: 0051E5D3
__vbaLateMemCallLd.MSVBVM60(?,?,count,00000000,?,00000000,0041A0C4,00000000,?,00000000,00000000,000000FF), ref: 0051E5FC
__vbaI4Var.MSVBVM60(00000000,?,?,?,00404F16), ref: 0051E605
__vbaFreeVar.MSVBVM60 ref: 0051E624
__vbaChkstk.MSVBVM60 ref: 0051E669
__vbaLateMemCallLd.MSVBVM60(?,?,Item,00000001), ref: 0051E688
#563.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E691
__vbaFreeVar.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E69F
__vbaNew2.MSVBVM60(00406ED0,00000000), ref: 0051E6F3
__vbaStrCopy.MSVBVM60(00406ED0,00000000), ref: 0051E722
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E760
__vbaFreeStr.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E777
__vbaNew2.MSVBVM60(00406ED0,00000000), ref: 0051E797
__vbaChkstk.MSVBVM60(00406ED0,00000000), ref: 0051E7D4
__vbaLateMemCallLd.MSVBVM60(00000000,?,Item,00000001), ref: 0051E7F3
__vbaStrErrVarCopy.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E7FC
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E806
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E844
__vbaFreeStr.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E85B
__vbaFreeVar.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E863
__vbaNew2.MSVBVM60(00406ED0,00000000), ref: 0051E883
__vbaChkstk.MSVBVM60(00406ED0,00000000), ref: 0051E8C0
__vbaLateMemCallLd.MSVBVM60(00000000,?,Item,00000001), ref: 0051E8DF
__vbaStrErrVarCopy.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E8E8
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E8F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E930
__vbaFreeStr.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E947
__vbaFreeVar.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051E94F
__vbaChkstk.MSVBVM60 ref: 0051E976
__vbaLateMemCallLd.MSVBVM60(00000000,?,Item,00000001), ref: 0051E995
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000), ref: 0051E99E
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0051E9A8
__vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0051E9B0
__vbaNew2.MSVBVM60(00406ED0,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0051E9CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00422478,00000020), ref: 0051EA3A
__vbaStrMove.MSVBVM60(00000000,?,00422478,00000020), ref: 0051EA64
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051EAA2
__vbaFreeStr.MSVBVM60(00000000,?,0041BF08,0000003C), ref: 0051EAB9
__vbaStrMove.MSVBVM60(?,00000000,0041A0C4,00000000,?,00000000,00000000,000000FF,?,?,?,?,00404F16), ref: 0051EAE0
__vbaVarDup.MSVBVM60 ref: 0051EB1E
#595.MSVBVM60(00000008,00000030,?,0000000A,0000000A), ref: 0051EB52
__vbaFreeStr.MSVBVM60(00000008,00000030,?,0000000A,0000000A), ref: 0051EB5A
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,0000000A,0000000A,00000008,00000030,?,0000000A,0000000A), ref: 0051EB71
__vbaNew2.MSVBVM60(00406ED0,00000000), ref: 0051EB8F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BF08,0000002C), ref: 0051EBEF
__vbaStrMove.MSVBVM60(00000000,?,0041BF08,0000002C), ref: 0051EC19
__vbaFreeObj.MSVBVM60(0051EC7D), ref: 0051EC67
__vbaFreeObj.MSVBVM60(0051EC7D), ref: 0051EC6F
__vbaFreeObj.MSVBVM60(0051EC7D), ref: 0051EC77

Strings

null, xrefs: 0051E71A
Item, xrefs: 0051E67C, 0051E7E7, 0051E8D3, 0051E989
Parser Error, xrefs: 0051EB01
count, xrefs: 0051E5F0
@, xrefs: 0051E9FB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckChkstkHresult$CallCopyLateNew2$Error$#563#595#632AddrefList
String ID: @$Item$Parser Error$count$null
API String ID: 295895896-3956499610
Opcode ID: e5bafd7c6f1fa2d68cdcf287e929a1797b5f761caf8d33c91480cabed312eddb
Instruction ID: 3d8830c9f6c0c2f1caaa7adfc4f3f486c59c467bde047a7ce975feba157a2dc9
Opcode Fuzzy Hash: e5bafd7c6f1fa2d68cdcf287e929a1797b5f761caf8d33c91480cabed312eddb
Instruction Fuzzy Hash: 0412E5B0C00219EFEB20EFA5C846BDEBBB5BF08304F1084AAE505B7291DB755A85DF55

Function 0051B9C4 Relevance: 100.1, APIs: 45, Strings: 12, Instructions: 334COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0051BA40
__vbaStrCopy.MSVBVM60 ref: 0051BA4A
__vbaStrCat.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BA98
__vbaStrMove.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BAA2
__vbaStrCat.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BAD0
__vbaStrMove.MSVBVM60( FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BADA
__vbaStrCat.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BAE5
__vbaStrMove.MSVBVM60( GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BAEF
__vbaStrCat.MSVBVM60( Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BB72
__vbaStrMove.MSVBVM60( Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BB7C
__vbaStrCat.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000, Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BB87
__vbaStrMove.MSVBVM60( ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000, Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BB91
__vbaFreeStrList.MSVBVM60(00000003,?,?,?, ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];,00000000, Having (((Count(tblGraduate.StudentID)) < 1) ),00000000, GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd,00000000, FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud,SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!), ref: 0051BBA4
__vbaNew2.MSVBVM60(0041B32C,?), ref: 0051BBC0
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 0051BBD7
__vbaOnError.MSVBVM60(00000001,00538028,?,?,000000FF), ref: 0051BC24
#592.MSVBVM60(00004009,00000001,00538028,?,?,000000FF), ref: 0051BC40
__vbaLateMemCallLd.MSVBVM60(?,?,hwnd,00000000,00004009,00000001,00538028,?,?,000000FF), ref: 0051BC5A
__vbaI4Var.MSVBVM60(?,?,000000FF), ref: 0051BC6A
__vbaSetSystemError.MSVBVM60(00000000,?,?,000000FF), ref: 0051BC75
__vbaFreeVar.MSVBVM60(00000000,?,?,000000FF), ref: 0051BC7D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00420CB8,0000071C), ref: 0051BCA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00420C88,000002B0,?,?,?,?,000000FF), ref: 0051BDF6
__vbaStrCopy.MSVBVM60(?,?,?,?,000000FF), ref: 0051BE01
__vbaStrCopy.MSVBVM60(?,?,?,?,000000FF), ref: 0051BE0C
__vbaExitProc.MSVBVM60(?,?,?,?,000000FF), ref: 0051BE11
__vbaFreeStr.MSVBVM60(0051BE6D,?,?,?,?,000000FF), ref: 0051BE67

Strings

FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud, xrefs: 0051BACB, 0051BB09, 0051BB43
ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];, xrefs: 0051BA93, 0051BB82
No Student Account to be selected., xrefs: 0051BCC8
SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!, xrefs: 0051BAC6, 0051BB04, 0051BB3E
Having (((Count(tblGraduate.StudentID)) < 1) ), xrefs: 0051BB6D
Please Add New Student Account first., xrefs: 0051BCE2
Having (((Count(tblGraduate.StudentID)) < 1) And ((Count(tblDropped.StudentID)) < 1)), xrefs: 0051BAF5
GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd, xrefs: 0051BAE0, 0051BB1E, 0051BB58
SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!, xrefs: 0051BA8E
Having (((Count(tblDropped.StudentID)) < 1)), xrefs: 0051BB33
@, xrefs: 0051BC2F
hwnd, xrefs: 0051BC4F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Copy$Free$CheckErrorHresultNew2$#592CallExitLateListProcSystem
String ID: @$ FROM tblGraduate RIGHT JOIN (tblDropped RIGHT JOIN tblStudent ON tblDropped.StudentID = tblStudent.StudentID) ON tblGraduate.Stud$ GROUP BY tblStudent.StudentID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![Midd$ Having (((Count(tblDropped.StudentID)) < 1))$ Having (((Count(tblGraduate.StudentID)) < 1) )$ Having (((Count(tblGraduate.StudentID)) < 1) And ((Count(tblDropped.StudentID)) < 1))$ ORDER BY [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]![MiddleName];$No Student Account to be selected.$Please Add New Student Account first.$SELECT tblStudent.StudentID AS lvID, tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!$SELECT tblStudent.StudentID as lvID ,tblStudent.StudentID, [tblStudent]![LastName]+', '+[tblStudent]![FirstName]+' '+[tblStudent]!$hwnd
API String ID: 1664497269-114479012
Opcode ID: e9bc46f51644a72534ce786907b473e92182be4f98c9cee188254cde971fac0e
Instruction ID: 02cef5a033a64381615e48e1f6dd211caeb3ed347f4e065392d4406d5840bc27
Opcode Fuzzy Hash: e9bc46f51644a72534ce786907b473e92182be4f98c9cee188254cde971fac0e
Instruction Fuzzy Hash: 63C1A0B1A002199BDB10EFA5C842EDE77B9FF48704F20416BF505B7182DB789A44CFA9

Function 0051D1F5 Relevance: 94.9, APIs: 48, Strings: 6, Instructions: 359COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D26C
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051D276
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051D27F
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051D289
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 0051D2A8
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0051D2C2
__vbaFreeVar.MSVBVM60 ref: 0051D2CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D2E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 0051D306
__vbaFreeObj.MSVBVM60 ref: 0051D30E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D321
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 0051D342
__vbaFreeObj.MSVBVM60 ref: 0051D34A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D35F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D37E
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051D388
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051D391
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051D39B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000044), ref: 0051D3BA
__vbaStrI4.MSVBVM60(00000001,Selected Entry: ), ref: 0051D3D6
__vbaStrMove.MSVBVM60(00000001,Selected Entry: ), ref: 0051D3E0
__vbaStrCat.MSVBVM60(00000000,00000001,Selected Entry: ), ref: 0051D3E6
__vbaStrMove.MSVBVM60(00000000,00000001,Selected Entry: ), ref: 0051D3F0
__vbaStrCat.MSVBVM60(0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 0051D3FB
__vbaStrMove.MSVBVM60(0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 0051D405
__vbaStrI4.MSVBVM60(?,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 0051D40E
__vbaStrMove.MSVBVM60(?,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 0051D418
__vbaStrCat.MSVBVM60(00000000,?,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 0051D41E
__vbaStrMove.MSVBVM60(00000000,?,00000000,0041EF24,00000000,00000000,00000001,Selected Entry: ), ref: 0051D428
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054), ref: 0051D445
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0051D460
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000005,?,?,?,?,?), ref: 0051D473
__vbaFreeVar.MSVBVM60 ref: 0051D47E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D4A3
__vbaStrI4.MSVBVM60(?,Page ,00000001,?,00000000), ref: 0051D4C5
__vbaStrMove.MSVBVM60(?,Page ,00000001,?,00000000), ref: 0051D4CF
__vbaStrCat.MSVBVM60(00000000,?,Page ,00000001,?,00000000), ref: 0051D4D5
__vbaStrMove.MSVBVM60(00000000,?,Page ,00000001,?,00000000), ref: 0051D4DF
__vbaStrCat.MSVBVM60( of ,00000000,00000000,?,Page ,00000001,?,00000000), ref: 0051D4EA
__vbaStrMove.MSVBVM60( of ,00000000,00000000,?,Page ,00000001,?,00000000), ref: 0051D4F4
__vbaStrI4.MSVBVM60(?,00000000, of ,00000000,00000000,?,Page ,00000001,?,00000000), ref: 0051D4FB
__vbaStrMove.MSVBVM60(?,00000000, of ,00000000,00000000,?,Page ,00000001,?,00000000), ref: 0051D505
__vbaStrCat.MSVBVM60(00000000,?,00000000, of ,00000000,00000000,?,Page ,00000001,?,00000000), ref: 0051D50B
__vbaStrMove.MSVBVM60(00000000,?,00000000, of ,00000000,00000000,?,Page ,00000001,?,00000000), ref: 0051D515
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 0051D531
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0051D54C
__vbaFreeObj.MSVBVM60 ref: 0051D557

Strings

of , xrefs: 0051D4E5
Page 0 of 0, xrefs: 0051D32A
Page , xrefs: 0051D4B3
Selected Entry: , xrefs: 0051D3CA
No Record, xrefs: 0051D2EE
P9@, xrefs: 0051D21E, 0051D5ED, 0051D614, 0051D22E, 0051D242, 0051D2D7, 0051D315, 0051D372, 0051D48A, 0051D5E1, 0051D5FD, 0051D606, 0051D619

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$CheckHresult$List$CallCastLate
String ID: of $No Record$P9@$Page $Page 0 of 0$Selected Entry:
API String ID: 906691426-3652893609
Opcode ID: 24e0a364752863c2ad65b5fd151926319501b573d8293f25c220619e8e65e8f6
Instruction ID: e9c8d808e40b4188e5305af428f17b958ad47f7f9fc12cc70a876f23bbd2663d
Opcode Fuzzy Hash: 24e0a364752863c2ad65b5fd151926319501b573d8293f25c220619e8e65e8f6
Instruction Fuzzy Hash: 6AC12AB2900618ABDB01EBE5CD85EDFBBBDEF48304F10442AF501F7191DA789A458FA4

Function 005063C5 Relevance: 84.4, APIs: 44, Strings: 4, Instructions: 429COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 005063E3
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 00506413
__vbaStrCat.MSVBVM60(00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF,?,?,?,?,00404F16), ref: 00506429
__vbaStrMove.MSVBVM60(00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF,?,?,?,?,00404F16), ref: 00506433
__vbaStrCat.MSVBVM60(0041CB7C,00000000,00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF,?,?,?,?,00404F16), ref: 0050643E
__vbaStrMove.MSVBVM60(0041CB7C,00000000,00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF,?,?,?,?,00404F16), ref: 00506448
__vbaFreeStr.MSVBVM60(0041CB7C,00000000,00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF,?,?,?,?,00404F16), ref: 00506450
__vbaNew2.MSVBVM60(0041B32C,00000000,0041CB7C,00000000,00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF), ref: 0050646B
__vbaNew2.MSVBVM60(0041B2FC,00538028,0041CB7C,00000000,00000000,Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=',000000FF), ref: 005064A2
__vbaStrCat.MSVBVM60(00000000,Select * From tblenrolment Where EnrolmentID = '), ref: 005064D9
__vbaStrMove.MSVBVM60(00000000,Select * From tblenrolment Where EnrolmentID = '), ref: 005064E3
__vbaStrCat.MSVBVM60(0041CB7C,00000000,00000000,Select * From tblenrolment Where EnrolmentID = '), ref: 005064EE
__vbaChkstk.MSVBVM60(00000001,00000003,000000FF,0041CB7C,00000000,00000000,Select * From tblenrolment Where EnrolmentID = '), ref: 00506506
__vbaChkstk.MSVBVM60(00000001,00000003,000000FF,0041CB7C,00000000,00000000,Select * From tblenrolment Where EnrolmentID = '), ref: 00506517
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050654E
__vbaFreeStr.MSVBVM60 ref: 00506565
__vbaFreeVar.MSVBVM60 ref: 0050656D
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 00506588
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 005065BF
__vbaChkstk.MSVBVM60(00000002,00000003,000000FF), ref: 00506602
__vbaChkstk.MSVBVM60(00000002,00000003,000000FF), ref: 00506613
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050664A
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 00506674
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0050669C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000098), ref: 005066DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054), ref: 0050672E
__vbaChkstk.MSVBVM60(0041CB7C), ref: 00506760
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028), ref: 005067A3
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 005067CF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000054), ref: 0050681A
__vbaChkstk.MSVBVM60(00000000), ref: 00506849
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028), ref: 0050687A
__vbaChkstk.MSVBVM60 ref: 005068AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000038), ref: 005068F1
__vbaFreeObjList.MSVBVM60(00000003,?,00000000,0041CB7C), ref: 00506913
__vbaFreeVar.MSVBVM60 ref: 0050691E
__vbaChkstk.MSVBVM60 ref: 00506949
__vbaChkstk.MSVBVM60 ref: 0050695A
__vbaHresultCheckObj.MSVBVM60(?,?,0041B364,000000AC), ref: 0050699A
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005069BE
__vbaFreeObj.MSVBVM60(00506A19,?,00000000), ref: 005069FB
__vbaFreeObj.MSVBVM60(00506A19,?,00000000), ref: 00506A03
__vbaFreeStr.MSVBVM60(00506A19,?,00000000), ref: 00506A0B
__vbaFreeObj.MSVBVM60(00506A19,?,00000000), ref: 00506A13

Strings

SumOfAmountPay, xrefs: 00506834
AmountPaid, xrefs: 0050674B
Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID=', xrefs: 0050641F
Select * From tblenrolment Where EnrolmentID = ', xrefs: 005064CF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$CheckFreeHresult$New2$Move$Addref$ErrorList
String ID: AmountPaid$Select * From tblenrolment Where EnrolmentID = '$Select querypayment.EnrolmentID,querypayment.SumOfAmountPay From querypayment where EnrolmentID='$SumOfAmountPay
API String ID: 896846530-3953164346
Opcode ID: a815108247df196a5c4c35f2fa4bf9f1c35ba144d188ec78ee65dd2fe0125496
Instruction ID: b942890329e56f0d1846789083ba1fd2dc19e34ff3b71daa6cdc36e22b25c525
Opcode Fuzzy Hash: a815108247df196a5c4c35f2fa4bf9f1c35ba144d188ec78ee65dd2fe0125496
Instruction Fuzzy Hash: 89021270D00618DFDB20DFA5C849BDDBBB5FF09304F6044AAE508BB291CBB95A989F54

Function 004085BC Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 459COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E753D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E755E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C,?,?,?,?), ref: 004E75A8
__vbaBoolVar.MSVBVM60(?,?,?,?,?), ref: 004E75B6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094,?,?,?,?), ref: 004E75D5
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 004E75E4
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?), ref: 004E75EF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?), ref: 004E7605
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040,?,?,?,?,?,?,?), ref: 004E7627
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 004E766E
__vbaBoolVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E767C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094,?,?,?,?,?,?,?,?,?,?,?), ref: 004E769B
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E76AA
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E76B5
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E76CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040,?,?,?,?,?,?,?), ref: 004E76ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7734
__vbaBoolVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7742
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7761
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7770
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E777B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7791
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040,?,?,?,?,?,?,?), ref: 004E77B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 004E77FA
__vbaBoolVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7808
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7827
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7836
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7841
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7882
__vbaBoolVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E788B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E789A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004E78DB
__vbaBoolVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E78E4
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004E78F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004E7934
__vbaBoolVar.MSVBVM60(?), ref: 004E793D
__vbaFreeVar.MSVBVM60(?), ref: 004E794C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004E7988
__vbaBoolVar.MSVBVM60(?), ref: 004E7991
__vbaFreeVar.MSVBVM60(?), ref: 004E79A0

Strings

FirstEnable, xrefs: 004E758A, 004E7864
PreviousEnable, xrefs: 004E7650, 004E78BD
G, xrefs: 004085BC
LastEnable, xrefs: 004E77DC, 004E796F
NextEnable, xrefs: 004E7716, 004E7916

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Bool$List
String ID: FirstEnable$G$LastEnable$NextEnable$PreviousEnable
API String ID: 2835332757-1690132771
Opcode ID: f9b4282707c966170e8dffd37b0b2b80cfe28270e9ee135889b05fd354cf7964
Instruction ID: 30196dfd4c55aa9e8febd2af67a78309725a0d312a9e6dfcb34ec57121c611e0
Opcode Fuzzy Hash: f9b4282707c966170e8dffd37b0b2b80cfe28270e9ee135889b05fd354cf7964
Instruction Fuzzy Hash: 44F16B71D00609ABDB10EFA9C845EDFBBB8FF09714F10451AF610BB1D1D778A90A8BA5

Function 005020B3 Relevance: 79.0, APIs: 37, Strings: 8, Instructions: 276COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( FROM (tblFee LEFT JOIN tblDepartment ON tblFee.DepartmentID = tblDepartment.DepartmentID) LEFT JOIN tblYearLevel ON tblFee.YearLe,SELECT tblFee.FeeID, tblFee.Title, tblFee.Amount, IIf(Len([tblFee]![SchoolYear])<1,'ALL',[tblFee]![SchoolYear]) AS SchoolYear, IIf), ref: 00502117
__vbaStrMove.MSVBVM60( FROM (tblFee LEFT JOIN tblDepartment ON tblFee.DepartmentID = tblDepartment.DepartmentID) LEFT JOIN tblYearLevel ON tblFee.YearLe,SELECT tblFee.FeeID, tblFee.Title, tblFee.Amount, IIf(Len([tblFee]![SchoolYear])<1,'ALL',[tblFee]![SchoolYear]) AS SchoolYear, IIf), ref: 00502121
__vbaI2I4.MSVBVM60( FROM (tblFee LEFT JOIN tblDepartment ON tblFee.DepartmentID = tblDepartment.DepartmentID) LEFT JOIN tblYearLevel ON tblFee.YearLe,SELECT tblFee.FeeID, tblFee.Title, tblFee.Amount, IIf(Len([tblFee]![SchoolYear])<1,'ALL',[tblFee]![SchoolYear]) AS SchoolYear, IIf), ref: 0050212E
__vbaHresultCheckObj.MSVBVM60(00000000,x)@,0041C4A8,000000A4), ref: 0050214D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050217C
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00502182
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0050218A
__vbaObjSet.MSVBVM60(?,00000000), ref: 005021A7
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 005021B1
__vbaCastObjVar.MSVBVM60(00000000), ref: 005021BA
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 005021C4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C598,0000002C), ref: 005021DC
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005021EB
__vbaFreeVar.MSVBVM60(00000000,0041C598,0000002C), ref: 005021F6
__vbaNew2.MSVBVM60(0041B32C,?), ref: 00502211
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 00502228
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050225A
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00502277
__vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 00502287
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,00000000), ref: 0050229A
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000064,?,?,?,?,?,00000000), ref: 005022C7
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000064,?,?,?,?,?,00000000), ref: 005022D6
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 005022E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050230F
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00502315
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0050231D
__vbaStrCopy.MSVBVM60(00538028,?,?,?), ref: 0050232E
__vbaStrCopy.MSVBVM60(00538028,?,?,?), ref: 0050233B
__vbaStrCopy.MSVBVM60(00538028,?,?,?), ref: 00502348

Part of subcall function 00505836: __vbaStrCat.MSVBVM60( - ,?,?,00000000,?), ref: 00505898
Part of subcall function 00505836: __vbaStrMove.MSVBVM60( - ,?,?,00000000,?), ref: 005058A2
Part of subcall function 00505836: __vbaStrCat.MSVBVM60(00404F16,00000000, - ,?,?,00000000,?), ref: 005058AD
Part of subcall function 00505836: __vbaStrMove.MSVBVM60(00404F16,00000000, - ,?,?,00000000,?), ref: 005058B7
Part of subcall function 00505836: __vbaStrCat.MSVBVM60( - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058BE
Part of subcall function 00505836: __vbaStrMove.MSVBVM60( - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058C8
Part of subcall function 00505836: __vbaStrCat.MSVBVM60(?,00000000, - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058D3
Part of subcall function 00505836: #595.MSVBVM60(?,00000000,?,?,?,?,00000000, - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058F3
Part of subcall function 00505836: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,?,?,?,00000000, - ,00000000,00404F16,00000000, - ), ref: 00505906
Part of subcall function 00505836: __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?,00000003,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0050591D

__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,00538028,?,?,?), ref: 00502370
__vbaFreeVar.MSVBVM60(00538028,?,?,?), ref: 0050237B
__vbaI2I4.MSVBVM60(00538028,?,?,?), ref: 00502384
__vbaHresultCheckObj.MSVBVM60(00000000,x)@,0041C4A8,000000A4), ref: 005023A3
__vbaCastObj.MSVBVM60(00000000,0041B31C), ref: 005023AE
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C), ref: 005023B8
__vbaFreeStr.MSVBVM60(0050241A), ref: 0050240C
__vbaFreeObj.MSVBVM60(0050241A), ref: 00502414

Strings

SELECT tblFee.FeeID, tblFee.Title, tblFee.Amount, IIf(Len([tblFee]![SchoolYear])<1,'ALL',[tblFee]![SchoolYear]) AS SchoolYear, IIf, xrefs: 005020E4
fees, xrefs: 0050225F
AllFee, xrefs: 00502340
Form_fillRecord, xrefs: 00502333
x)@, xrefs: 00502126, 00502134, 0050214B, 0050216F, 0050219B, 0050224E, 00502302, 0050238A, 005023A1, 005023BF
Fee record not connected, xrefs: 00502326
FROM (tblFee LEFT JOIN tblDepartment ON tblFee.DepartmentID = tblDepartment.DepartmentID) LEFT JOIN tblYearLevel ON tblFee.YearLe, xrefs: 005020E9
d, xrefs: 0050226D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$List$CopyMove$CheckHresultLateNew2$Cast$#595Call
String ID: FROM (tblFee LEFT JOIN tblDepartment ON tblFee.DepartmentID = tblDepartment.DepartmentID) LEFT JOIN tblYearLevel ON tblFee.YearLe$AllFee$Fee record not connected$Form_fillRecord$SELECT tblFee.FeeID, tblFee.Title, tblFee.Amount, IIf(Len([tblFee]![SchoolYear])<1,'ALL',[tblFee]![SchoolYear]) AS SchoolYear, IIf$d$fees$x)@
API String ID: 804585743-3464722338
Opcode ID: ea5b86aa03d4a43b6a7899026707195ec446fb6e05d9449b4db9d6f18b248bae
Instruction ID: 36cd6fd1fb238ee9cd1e1a074d9902acc62b95e805238cdf67ccc68c30cbbe74
Opcode Fuzzy Hash: ea5b86aa03d4a43b6a7899026707195ec446fb6e05d9449b4db9d6f18b248bae
Instruction Fuzzy Hash: 7BA1F8B1D00619AACB11EBE5CC85EEFBBBCFF48704F50452BB111A7181DB789A058FA5

Function 004E9400 Relevance: 77.4, APIs: 43, Strings: 1, Instructions: 449COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 004E941E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 004E9454
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A7CC,000002C8), ref: 004E94A0
__vbaObjSet.MSVBVM60(?,?), ref: 004E94CE
__vbaForEachCollObj.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004E94E4
__vbaLateMemCallLd.MSVBVM60(?,?,Top,00000000,0041A8C0,?,?,00000000,?,?), ref: 004E9518
__vbaVarTstLt.MSVBVM60(?,00000000,?,?,?,00404F16), ref: 004E9525
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,00404F16), ref: 004E9534
__vbaLateMemCallLd.MSVBVM60(?,?,Top,00000000,?,00000000,?,?,?,00404F16), ref: 004E9559
__vbaI2Var.MSVBVM60(00000000,?,?,?,00000000,?,?,?,00404F16), ref: 004E9562
__vbaFreeVar.MSVBVM60(00000000,?,?,?,00000000,?,?,?,00404F16), ref: 004E956E
__vbaNextEachCollObj.MSVBVM60(0041A8C0,?,?,?,00000000,?,?,?,00404F16), ref: 004E958A
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004E95CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000018), ref: 004E9630
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004E968C
__vbaFpR4.MSVBVM60(00000000,?,00419F18,00000080), ref: 004E96CF
__vbaFreeObj.MSVBVM60 ref: 004E9704
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A7CC,000002C8), ref: 004E975F
__vbaObjSet.MSVBVM60(?,?), ref: 004E978D
__vbaForEachCollObj.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004E97A3
__vbaNew2.MSVBVM60(00419EE8,00539E00,0041A8C0,?,?,00000000,?,?), ref: 004E97CD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004E982F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004E988B
__vbaLateMemCallLd.MSVBVM60(?,?,Top,00000000), ref: 004E98CA
__vbaVarAdd.MSVBVM60(?,?,00000000,?), ref: 004E98DB
__vbaChkstk.MSVBVM60(?,?,00000000,?), ref: 004E98E5
__vbaLateMemSt.MSVBVM60(?,Top,?,?,00000000,?), ref: 004E98F8
__vbaFreeObj.MSVBVM60(?,Top,?,?,00000000,?), ref: 004E9900
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,Top,?,?,00000000,?), ref: 004E990F
__vbaNextEachCollObj.MSVBVM60(0041A8C0,?,?,?,?,00000000,?), ref: 004E992E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A7CC,000002C8), ref: 004E9992
__vbaObjSet.MSVBVM60(?,?), ref: 004E99C0
__vbaForEachCollObj.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004E99D6
__vbaLateMemCallLd.MSVBVM60(?,?,Top,00000000,0041A8C0,?,?,00000000,?,?), ref: 004E9A0A
__vbaVarSub.MSVBVM60(?,?,00000000,?), ref: 004E9A1B
__vbaChkstk.MSVBVM60(?,?,00000000,?), ref: 004E9A25
__vbaLateMemSt.MSVBVM60(?,Top,?,?,00000000,?), ref: 004E9A38
__vbaFreeVar.MSVBVM60(?,Top,?,?,00000000,?), ref: 004E9A40
__vbaNextEachCollObj.MSVBVM60(0041A8C0,?,?,?,Top,?,?,00000000,?), ref: 004E9A5C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A800,000007AC), ref: 004E9AAB
__vbaRaiseEvent.MSVBVM60(?,00000002,00000000), ref: 004E9ACD
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,004E9B47), ref: 004E9B36
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004E9B47), ref: 004E9B41

Strings

Top, xrefs: 004E950C, 004E954D, 004E98BE, 004E98F0, 004E99FE, 004E9A30

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$CollEachLate$Call$ChkstkNext$ListNew2$ErrorEventRaise
String ID: Top
API String ID: 2323951558-647256362
Opcode ID: 9cc9c80f0c24341b90485f7b943a05c9caf9000e8331034900e4002f679f9dd6
Instruction ID: b0ae7298c46908e408bc275ba98322c9405db2168a932e799d4c0dabe1bfa366
Opcode Fuzzy Hash: 9cc9c80f0c24341b90485f7b943a05c9caf9000e8331034900e4002f679f9dd6
Instruction Fuzzy Hash: 5B122471D01219EFDB20EF91C845BDEB7B8BF04305F1080AAE109BA291DB795A859F99

Function 004EC10E Relevance: 77.4, APIs: 38, Strings: 6, Instructions: 385COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004EC198
__vbaI4Var.MSVBVM60(00000000), ref: 004EC1A6
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041A7CC,00000064), ref: 004EC1C3
__vbaFreeVar.MSVBVM60 ref: 004EC1CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004EC212
__vbaI4Var.MSVBVM60(00000000), ref: 004EC220
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041A7CC,00000064), ref: 004EC23D
__vbaFreeVar.MSVBVM60 ref: 004EC245
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC258
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004EC2A2
__vbaI4Var.MSVBVM60(00000000), ref: 004EC2B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A510,0000005C), ref: 004EC2C9
__vbaFreeObj.MSVBVM60 ref: 004EC2D1
__vbaFreeVar.MSVBVM60 ref: 004EC2D9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC2EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004EC336
__vbaI4Var.MSVBVM60(00000000), ref: 004EC344
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A510,0000005C), ref: 004EC35D
__vbaFreeObj.MSVBVM60 ref: 004EC365
__vbaFreeVar.MSVBVM60 ref: 004EC36D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC380
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004EC3CA
__vbaI4Var.MSVBVM60(00000000), ref: 004EC3D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A510,0000005C), ref: 004EC3F1
__vbaFreeObj.MSVBVM60 ref: 004EC3F9
__vbaFreeVar.MSVBVM60 ref: 004EC401
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC414
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C), ref: 004EC45E
__vbaI4Var.MSVBVM60(00000000), ref: 004EC46C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A510,0000005C), ref: 004EC485
__vbaFreeObj.MSVBVM60 ref: 004EC48D
__vbaFreeVar.MSVBVM60 ref: 004EC495
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC4A8
__vbaHresultCheckObj.MSVBVM60(00000000,00401C28,0041A048,0000001C), ref: 004EC4ED
__vbaI4Var.MSVBVM60(00000000), ref: 004EC4FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A510,0000005C), ref: 004EC514
__vbaFreeObj.MSVBVM60 ref: 004EC51C
__vbaFreeVar.MSVBVM60 ref: 004EC524

Strings

BackColor, xrefs: 004EC17A, 004EC1F4
BorderColor5, xrefs: 004EC4D4
BorderColor4, xrefs: 004EC440
BorderColor1, xrefs: 004EC284
BorderColor3, xrefs: 004EC3AC
BorderColor2, xrefs: 004EC318

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BackColor$BorderColor1$BorderColor2$BorderColor3$BorderColor4$BorderColor5
API String ID: 3976024557-2150029538
Opcode ID: acd975aaad4430d8a93ac28022ec311616c3ff305c730f9e202014b175c69d1e
Instruction ID: b1fb9cfb904afd11cd5f009897b9356944baaa62eb7918af5c339a14e8ace795
Opcode Fuzzy Hash: acd975aaad4430d8a93ac28022ec311616c3ff305c730f9e202014b175c69d1e
Instruction Fuzzy Hash: F1D15C71900609AFDB00EFA5C899EDF7BB8FF09715F10441AF500BB192D778A5468B95

Function 00505B96 Relevance: 77.4, APIs: 43, Strings: 1, Instructions: 369COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00505BB4
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000011,00000000,?,?,?,?,00404F16), ref: 00505C03
__vbaI4Var.MSVBVM60(00000000,?,?,?,00404F16), ref: 00505C0C
__vbaFreeVar.MSVBVM60(00000000,?,?,?,00404F16), ref: 00505C22
__vbaChkstk.MSVBVM60 ref: 00505C4A
__vbaLateIdSt.MSVBVM60(00000000,00000011), ref: 00505C5F
__vbaChkstk.MSVBVM60 ref: 00505C7B
__vbaLateIdSt.MSVBVM60(00000000,00000011), ref: 00505C90
__vbaChkstk.MSVBVM60 ref: 00505CAE
__vbaLateIdSt.MSVBVM60(00000000,00000011), ref: 00505CC3
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000002,00000000,0041D0CC,00000000,00000011), ref: 00505CE1
__vbaCastObjVar.MSVBVM60(00000000,?,?,?,00404F16), ref: 00505CEA
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,?,?,00404F16), ref: 00505CF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D0CC,0000001C), ref: 00505D3B
__vbaFreeObj.MSVBVM60 ref: 00505D77
__vbaFreeVar.MSVBVM60 ref: 00505D7F
__vbaChkstk.MSVBVM60 ref: 00505DB4
__vbaLateIdSt.MSVBVM60(00000000,00000010), ref: 00505DC9
__vbaChkstk.MSVBVM60(00000000,00000010), ref: 00505DE3
__vbaLateIdSt.MSVBVM60(00000000,0000000F,00000000,00000010), ref: 00505DF8
__vbaLateIdCall.MSVBVM60(00000000,FFFFFDDA,00000000,00000000,0000000F,00000000,00000010), ref: 00505E10
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000002,00000000,0041D0CC,?,?,?,?,?,?,00404F16), ref: 00505E31
__vbaCastObjVar.MSVBVM60(00000000,?,?,?,0041D0CC,?,?,?,?,?,?,00404F16), ref: 00505E3A
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,?,?,0041D0CC,?,?,?,?,?,?,00404F16), ref: 00505E47
__vbaForEachCollObj.MSVBVM60(0041D5D0,?,?,00000000,?,00000000,00000000,?,?,?,0041D0CC), ref: 00505E5D
__vbaFreeVar.MSVBVM60(0041D5D0,?,?,00000000,?,00000000,00000000,?,?,?,0041D0CC), ref: 00505E6B
__vbaChkstk.MSVBVM60 ref: 00505E8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D5D0,0000006C), ref: 00505EC4
__vbaNextEachCollObj.MSVBVM60(0041D5D0,?,?), ref: 00505EEF
__vbaOnError.MSVBVM60(000000FF), ref: 00505F10
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000002,00000000,0041D0CC,000000FF), ref: 00505F2E
__vbaCastObjVar.MSVBVM60(00000000,00000000,?,00000000,00000000,?,?,?,0041D0CC,?,?,?,?,?,?,00404F16), ref: 00505F37
__vbaObjSet.MSVBVM60(0041D0CC,00000000,00000000,00000000,?,00000000,00000000,?,?,?,0041D0CC), ref: 00505F41
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D0CC,00000024), ref: 00505FA4
__vbaLateIdCallLd.MSVBVM60(00000000,00000000,00000011,00000000), ref: 00505FCE
__vbaI4Var.MSVBVM60(00000000,?,0041D0CC,00000000,00000000,00000000,?,00000000,00000000,?,?,?,0041D0CC), ref: 00505FD7
__vbaChkstk.MSVBVM60 ref: 00505FF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D5D0,0000006C), ref: 0050603E
__vbaFreeObjList.MSVBVM60(00000002,0041D0CC,?), ref: 0050605C
__vbaFreeVarList.MSVBVM60(00000003,00000000,00000000,?,?,?,00000000,?,0041D0CC,00000000,00000000,00000000,?,00000000,00000000), ref: 00506072
__vbaFreeObjList.MSVBVM60(00000002,?,?,005060DD,?,?,?,?,?,?,00000000,?,0041D0CC,00000000,00000000,00000000), ref: 005060CC
__vbaFreeObj.MSVBVM60(?,?,005060DD,?,?,?,?,?,?,00000000,?,0041D0CC,00000000,00000000,00000000,?), ref: 005060D7

Strings

H,@, xrefs: 00505C9E

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Late$ChkstkFree$Call$CheckHresult$CastList$CollEach$ErrorNext
String ID: H,@
API String ID: 561111420-3458543444
Opcode ID: a6c28a92626d4327ab9ffae6094f4c32d1f46933fb68423cdf1b6c376b4203b4
Instruction ID: bcbe3e5d03d3e9629d1625bb420204b10ce5acae4257cfd5b1e9df5d8f480026
Opcode Fuzzy Hash: a6c28a92626d4327ab9ffae6094f4c32d1f46933fb68423cdf1b6c376b4203b4
Instruction Fuzzy Hash: DAE12BB1D00619EADB21EFA4CC46BCEB7B9BF04304F1044AAF604BB2D2D7B95A549F54

Function 0052F987 Relevance: 72.5, APIs: 48, Instructions: 498COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0052F9EC
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0052F9F6
__vbaCastObjVar.MSVBVM60(00000000), ref: 0052F9FF
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0052FA09
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 0052FA28
__vbaI2I4.MSVBVM60(00000000,?,0041C598,0000001C), ref: 0052FA30
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0052FA49
__vbaFreeVar.MSVBVM60(?,0041C598,0000001C), ref: 0052FA54
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052FA78
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0052FA82
__vbaCastObjVar.MSVBVM60(00000000), ref: 0052FA8B
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0052FA95
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,00000024,?,?,?,?,?,?,?,?), ref: 0052FAC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000084,?,?,?,?,?,?,?,?), ref: 0052FAF3
__vbaCyStr.MSVBVM60(?), ref: 0052FAFB
__vbaCyAdd.MSVBVM60(?,?,00000000,?,?), ref: 0052FB08
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?), ref: 0052FB16
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,00000000,?,?), ref: 0052FB29
__vbaFreeVar.MSVBVM60(?,00000000,?,?), ref: 0052FB34
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052FB5C
__vbaStrCy.MSVBVM60(?,?,?,?,00000000), ref: 0052FB70
__vbaStrMove.MSVBVM60(?,?,?,?,00000000), ref: 0052FB7A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042A2E4,000006F8), ref: 0052FB97
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4), ref: 0052FBBD
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0052FBCC
__vbaFreeObj.MSVBVM60(?,0041B688,000000A4), ref: 0052FBD7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$List$CallCastLate$Move
String ID:
API String ID: 1985895518-0
Opcode ID: 4adc662bb0821c5c8421497d9a75fee3c3401fdcb9f23fc65cac5c80368cad72
Instruction ID: 879ecc6ecd9a8dae8fd22d7db1f7f82557f50997794875beb77ccb8905cbf812
Opcode Fuzzy Hash: 4adc662bb0821c5c8421497d9a75fee3c3401fdcb9f23fc65cac5c80368cad72
Instruction Fuzzy Hash: D91227B1900219EFCB01EFA4D849BDEBBB8FF48304F10456AF505BB1A1C7799A558FA4

Function 00515615 Relevance: 70.3, APIs: 32, Strings: 8, Instructions: 284COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00515691
__vbaStrCopy.MSVBVM60 ref: 005156A1
__vbaStrCopy.MSVBVM60 ref: 005156B9
__vbaStrCopy.MSVBVM60 ref: 005156D1
__vbaStrCat.MSVBVM60( From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005156E0
__vbaStrMove.MSVBVM60( From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005156EA
__vbaStrCat.MSVBVM60( WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005156F5
#617.MSVBVM60(?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 00515720
__vbaVarCat.MSVBVM60(?,?,?,?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 00515750
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,?,?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 00515761
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,00000000,?,?,?,?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 00515772
__vbaStrVarMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear), ref: 00515778
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear), ref: 00515782
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,?,00000004, WHERE (((Val(Left([SchoolYear],4)))>,00000000, From tblSchoolYear), ref: 0051578A
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 005157A5
__vbaNew2.MSVBVM60(0041B32C,?,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005157C1
__vbaNew2.MSVBVM60(0041B2FC,00538028,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005157D8
#592.MSVBVM60(?,00538028,?,?,000000FF,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 00515825
__vbaHresultCheckObj.MSVBVM60(00000000, 5@,00420088,00000718), ref: 00515855
__vbaHresultCheckObj.MSVBVM60(00000000, 5@,00420058,000002B0,?,?,?,?,00538028,?,?,000000FF,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 00515996
__vbaStrCopy.MSVBVM60(?,?,?,?,00538028,?,?,000000FF,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005159A6
__vbaFreeStr.MSVBVM60(005159F8,?,?,?,?,00538028,?,?,000000FF,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear), ref: 005159F2

Strings

Please Add New School Year first., xrefs: 00515893
)) , xrefs: 0051573A
AND ((tblSchoolYear.Locked)=No), xrefs: 005156C8
WHERE (((Val(Left([SchoolYear],4)))>, xrefs: 005156F0
No School Year to be selected., xrefs: 00515867
5@, xrefs: 00515646, 0051564B, 005157FE, 0051581B, 0051583A, 00515853, 005158FB, 0051597C, 00515994
From tblSchoolYear, xrefs: 005156DB
SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear, xrefs: 005156D6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Copy$FreeMove$CheckHresultNew2$#592#617List
String ID: 5@$ From tblSchoolYear$ WHERE (((Val(Left([SchoolYear],4)))>$)) $AND ((tblSchoolYear.Locked)=No)$No School Year to be selected.$Please Add New School Year first.$SELECT tblSchoolYear.SchoolYear AS lvKey, tblSchoolYear.SchoolYear
API String ID: 1958973510-3742660777
Opcode ID: 825439f9759b138a91c827874b9453d62ad6e6e207362b9447a60b3f1463a492
Instruction ID: 9c27f343bce4d09409bf452d9a7a9ab7b2a048288894df4dce1a08b0ad87605f
Opcode Fuzzy Hash: 825439f9759b138a91c827874b9453d62ad6e6e207362b9447a60b3f1463a492
Instruction Fuzzy Hash: A6B13AB1900618EBDB10EF95C985ADEBBB8FF44700F1041ABF605A7282DB789A45CF95

Function 004FEA5F Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 384COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004FEAE5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FEB04
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004FEB0E
__vbaCastObjVar.MSVBVM60(00000000), ref: 004FEB17
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004FEB21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041BB1C,00000038), ref: 004FEB39
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004FEB48
__vbaFreeVar.MSVBVM60 ref: 004FEB53
__vbaNew2.MSVBVM60(0041B32C,?), ref: 004FEB6D
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 004FEB84
__vbaVarDup.MSVBVM60(00538028,?,?,000000FF), ref: 004FEBE2
#595.MSVBVM60(?,00000000,?,?,?,00538028,?,?,000000FF), ref: 004FEBF8
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,?,?,00538028,?,?,000000FF), ref: 004FEC0F
__vbaCastObj.MSVBVM60(00000000,0041B31C), ref: 004FEC1D
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C), ref: 004FEC27
__vbaNew2.MSVBVM60(0041B32C,?,00538028,?,?,000000FF), ref: 004FEC44
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000050), ref: 004FEC68
__vbaNew2.MSVBVM60(0041B32C,?), ref: 004FEC84
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054), ref: 004FECA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?), ref: 004FECF4
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,?), ref: 004FED07
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054,?,?,?,?), ref: 004FED28
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?,?,?,?,?), ref: 004FED77
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004FED95
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 004FED9F
__vbaCastObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FEDA8
__vbaObjSet.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FEDB2
__vbaVarDup.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FEDFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BB1C,00000034,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FEE63
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004FEE7E
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?,00000005,?,?,?,?,?), ref: 004FEEAA
__vbaNew2.MSVBVM60(0041B32C,?), ref: 004FEEC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000090), ref: 004FEEE7
__vbaFreeObj.MSVBVM60(004FEF55,?,00000000,00000000,0041B31C), ref: 004FEF47
__vbaFreeStr.MSVBVM60(004FEF55,?,00000000,00000000,0041B31C), ref: 004FEF4F

Strings

SELECT * FROM tblCashier, xrefs: 004FEA8C
student, xrefs: 004FEDE9
error, xrefs: 004FEBCE
LoginName, xrefs: 004FECB1, 004FED39

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Cast$CallLate$#595Copy
String ID: LoginName$SELECT * FROM tblCashier$error$student
API String ID: 682102881-3419526446
Opcode ID: 715887b60a016ab82fe1319d86f6e451f7e92bea92b1d67ffeceb0280515415b
Instruction ID: ad0982c3b0c2c46641043d38e76b6842bb45ff244bd58b4770df948c24a39c96
Opcode Fuzzy Hash: 715887b60a016ab82fe1319d86f6e451f7e92bea92b1d67ffeceb0280515415b
Instruction Fuzzy Hash: D5E118B1D01619AACB10EF95C985EEFB7BCEF08304F50416BF209B7181D7786A498FA5

Function 0050C14A Relevance: 66.8, APIs: 34, Strings: 4, Instructions: 301COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,00000000,00402CC0), ref: 0050C1C3
__vbaNew2.MSVBVM60(0041B32C,?,?,00000000,00402CC0), ref: 0050C1D6
__vbaNew2.MSVBVM60(0041B2FC,00538028,?,00000000,00402CC0), ref: 0050C1F0
__vbaStrCat.MSVBVM60(?,Select * From queryPayment Where EnrolmentID = ',?,00000000,00402CC0), ref: 0050C214
__vbaStrMove.MSVBVM60(?,Select * From queryPayment Where EnrolmentID = ',?,00000000,00402CC0), ref: 0050C21E
__vbaStrCat.MSVBVM60(0041CB7C,00000000,?,Select * From queryPayment Where EnrolmentID = ',?,00000000,00402CC0), ref: 0050C229
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C275
__vbaFreeStr.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C284
__vbaFreeVar.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C28C
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0050C2A0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,000000A4), ref: 0050C2C1
__vbaVarCopy.MSVBVM60(00000000,00000000,0041B364,000000A4), ref: 0050C2E2
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0050C2F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000050), ref: 0050C316
__vbaHresultCheckObj.MSVBVM60(00000000,0041B364,0041B688,000000A4), ref: 0050C34C
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0050C365
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000054), ref: 0050C382
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?), ref: 0050C3CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000034,?,?,?,?), ref: 0050C3F0
__vbaVarDup.MSVBVM60(?,?,?,?), ref: 0050C416
__vbaVarSub.MSVBVM60(?,00000008,?,?,?,?,?), ref: 0050C439
__vbaVarMove.MSVBVM60(?,00000008,?,?,?,?,?), ref: 0050C443
#660.MSVBVM60(?,?,?,00000001,00000001,?,00000008,?,?,?,?,?), ref: 0050C45E
__vbaStrVarVal.MSVBVM60(?,?,?,?,?,00000001,00000001,?,00000008,?,?,?,?,?), ref: 0050C470
__vbaCastObj.MSVBVM60(00000000,0041B31C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050C4D2
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050C4DC
__vbaFreeVar.MSVBVM60(0050C553,00000000,00000000,00000000,0041B31C), ref: 0050C535
__vbaFreeStr.MSVBVM60(0050C553,00000000,00000000,00000000,0041B31C), ref: 0050C53D
__vbaFreeObj.MSVBVM60(0050C553,00000000,00000000,00000000,0041B31C), ref: 0050C545
__vbaFreeObj.MSVBVM60(0050C553,00000000,00000000,00000000,0041B31C), ref: 0050C54D

Strings

#,##0.00, xrefs: 0050C406
Select * From queryPayment Where EnrolmentID = ', xrefs: 0050C203
SumOfAmountPay, xrefs: 0050C38E
0.00, xrefs: 0050C2D2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$CopyMove$#660Cast
String ID: #,##0.00$0.00$Select * From queryPayment Where EnrolmentID = '$SumOfAmountPay
API String ID: 2576515754-147277438
Opcode ID: ee86e011ae9187ff5188b5e611187bf3abb5da1b05004e80fb085274e09dc1ec
Instruction ID: a873de350d863d82f0f2f2a037e9baf991a1039805e572fbca0a7e70e5839bd2
Opcode Fuzzy Hash: ee86e011ae9187ff5188b5e611187bf3abb5da1b05004e80fb085274e09dc1ec
Instruction Fuzzy Hash: D7B156B1D00629AADB10EFA5CC45FDEBBB8FF09704F4041AAF904B7181D7746A498FA5

Function 00508C31 Relevance: 65.1, APIs: 33, Strings: 4, Instructions: 320COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,?), ref: 00508C7E
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 00508C9A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0,?,?,?,?,000000FF), ref: 00508CF9
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,?,000000FF), ref: 00508D09
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,000000FF), ref: 00508D14
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,000000FF), ref: 00508D2A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0,?,?,?,?,000000FF), ref: 00508D50
__vbaStrCat.MSVBVM60(?,StudentID=,?,?,?,?,000000FF), ref: 00508D5D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000C0,?,?,?,?,?,?,?,?,000000FF), ref: 00508D98
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,000000FF), ref: 00508DA0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,000000FF), ref: 00508DA8
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,000000FF), ref: 00508DB0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,000000FF), ref: 00508DC3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054,?,?,?,?,?,?,?,?,000000FF), ref: 00508DE9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?), ref: 00508E29
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000034,?,?,?,?), ref: 00508E4C
__vbaStrVarMove.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00508E5A
__vbaStrMove.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00508E64
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4,?,?,?,?), ref: 00508E83
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00508E8B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 00508E9E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00508EA9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 00508EBC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054,?,?,?,?,?,?,?,?), ref: 00508EE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F1F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000034,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F42
__vbaStrVarMove.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F50
__vbaStrMove.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F5A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F73
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F7B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F8E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00508F99
__vbaFreeObj.MSVBVM60(00508FD5,?,?,?,?,?,?,?,?), ref: 00508FCF

Strings

EnrolmentID, xrefs: 00508DFA
SectionTitle, xrefs: 00508EF3
Select * from searchstudent, xrefs: 00508CC5
StudentID=, xrefs: 00508D55

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Move$New2$List$Addref
String ID: EnrolmentID$SectionTitle$Select * from searchstudent$StudentID=
API String ID: 1147427769-1128365378
Opcode ID: 584943f6d654ad0a430c0fdd02ab4a26ee3939b4d274a8eea41bd013fc077a4d
Instruction ID: 7367b71d53f9fe9f369d40bd9123ec4c0b8ccbd3197f1ce235db06722742663c
Opcode Fuzzy Hash: 584943f6d654ad0a430c0fdd02ab4a26ee3939b4d274a8eea41bd013fc077a4d
Instruction Fuzzy Hash: 9BB16A71900619ABDB00EBA5CC4AEEFBBBDFF45704F50052AF540BB1D1DB7899098BA4

Function 00500C86 Relevance: 65.1, APIs: 34, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00500CE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00500D12
__vbaLenBstr.MSVBVM60(?), ref: 00500D21
__vbaFreeStr.MSVBVM60(?), ref: 00500D3A
__vbaFreeObj.MSVBVM60(?), ref: 00500D42
__vbaVarDup.MSVBVM60(?), ref: 00500D7E
#595.MSVBVM60(?,00000030,?,?,?,?), ref: 00500D95
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000030,?,?,?,?), ref: 00500DAC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00500DD0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00500DFB
#561.MSVBVM60(?), ref: 00500E14
__vbaFreeObj.MSVBVM60(?), ref: 00500E2B
__vbaFreeVar.MSVBVM60(?), ref: 00500E33
__vbaObjSet.MSVBVM60(?,00000000), ref: 00500E4F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 00500E71
#581.MSVBVM60(?), ref: 00500E79
__vbaFpR8.MSVBVM60(?), ref: 00500E7E
__vbaFreeStr.MSVBVM60(?), ref: 00500E9D
__vbaFreeObj.MSVBVM60(?), ref: 00500EA5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00500EC1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 00500EE3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00500EF6
#702.MSVBVM60(00000008,00000002,000000FE,000000FE,000000FE,?,00000000), ref: 00500F1C
__vbaStrMove.MSVBVM60(00000008,00000002,000000FE,000000FE,000000FE,?,00000000), ref: 00500F26
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00500F41
__vbaFreeStr.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00500F49
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00500F58
__vbaFreeVar.MSVBVM60 ref: 00500F63
__vbaVarDup.MSVBVM60(?), ref: 00500FC2
#595.MSVBVM60(00000008,00000030,?,?,?,?), ref: 00500FD9
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?,00000008,00000030,?,?,?,?), ref: 00500FF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501006
__vbaFreeObj.MSVBVM60(00000008,?,?,00000000), ref: 0050101B
__vbaFreeVar.MSVBVM60(00000008,?,?,00000000), ref: 00501023

Strings

Title must not be empty. Please enter some value., xrefs: 00500D70
Amount must be in numeric value (ex: 100.00)., xrefs: 00500FAE
Amount must be greater than 0.00., xrefs: 00500F8B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$List$#595$#561#581#702BstrMove
String ID: Amount must be greater than 0.00.$Amount must be in numeric value (ex: 100.00).$Title must not be empty. Please enter some value.
API String ID: 2855987267-3020099340
Opcode ID: b2a9b7e14c0ae21068e0dd779bae449425120d82bfec99d3d05a268089bda55e
Instruction ID: 59afada8616f895ae9d2d458db20890e0dff7bf9c0dc4b243bc270b20030f09c
Opcode Fuzzy Hash: b2a9b7e14c0ae21068e0dd779bae449425120d82bfec99d3d05a268089bda55e
Instruction Fuzzy Hash: 09C104B1D01209AFCB10EFA5C985AEEBBBCEF48304F20452AF145F7191DB385A058FA5

Function 005171F2 Relevance: 64.9, APIs: 43, Instructions: 415COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0051727C
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00517286
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051728F
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00517299
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,00000044), ref: 005172B5
__vbaObjSet.MSVBVM60(?,00000000), ref: 005172D2
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 005172DC
__vbaCastObjVar.MSVBVM60(00000000), ref: 005172E5
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 005172EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 00517314
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0051733F
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000004,?,?,?,?), ref: 0051734E
__vbaHresultCheckObj.MSVBVM60(00000000,004035D0,00420088,00000708), ref: 00517384
__vbaObjSet.MSVBVM60(?,00000000), ref: 005173B7
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 005173C1
__vbaCastObjVar.MSVBVM60(00000000), ref: 005173CA
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 005173D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000044), ref: 005173F3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00517414
__vbaFreeVar.MSVBVM60 ref: 0051741F
__vbaHresultCheckObj.MSVBVM60(00000000,004035D0,00420088,00000708), ref: 0051745C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00517480
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051748A
__vbaCastObjVar.MSVBVM60(00000000), ref: 00517493
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051749D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000060), ref: 005174BA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005174C9
__vbaFreeVar.MSVBVM60 ref: 005174D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 005174EC
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 005174F6
__vbaCastObjVar.MSVBVM60(00000000), ref: 005174FF
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00517509
__vbaObjSet.MSVBVM60(?,00000000), ref: 00517527
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00517531
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051753A
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00517544
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 00517563
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C598,00000024), ref: 00517599
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000060), ref: 005175B6
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 005175D1
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000003,00000005,?,?,?,?,?), ref: 005175E4
__vbaHresultCheckObj.MSVBVM60(00000000,004035D0,00420088,00000708), ref: 00517620
__vbaHresultCheckObj.MSVBVM60(00000000,004035D0,00420088,00000708), ref: 00517652

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$CallCastLateList
String ID:
API String ID: 1199875407-0
Opcode ID: 4fddd2ad2f23156eee979e22e5d31f33ed407bbfe84f40a29f2be395752824d4
Instruction ID: 5491d6421fac182cf3e831bb249c80e9d5093a29af3e786aac8b14bdd547be4b
Opcode Fuzzy Hash: 4fddd2ad2f23156eee979e22e5d31f33ed407bbfe84f40a29f2be395752824d4
Instruction Fuzzy Hash: 0EE108B1D00609ABDB20EBA5CC49FDF77BCFF08304F10456AB515E7182EA79A9458FA4

Function 005160AC Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 279COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( From tblSchoolYear,SELECT tblSchoolYear.SchoolYearTitle AS lvKey, tblSchoolYear.SchoolYearTitle), ref: 00516131
__vbaStrMove.MSVBVM60( From tblSchoolYear,SELECT tblSchoolYear.SchoolYearTitle AS lvKey, tblSchoolYear.SchoolYearTitle), ref: 0051613B
__vbaStrCat.MSVBVM60( WHERE (((Val(Left([SchoolYearTitle],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYearTitle AS lvKey, tblSchoolYear.SchoolYearTitle), ref: 00516146
#617.MSVBVM60(?,?,00000004, WHERE (((Val(Left([SchoolYearTitle],4)))>,00000000, From tblSchoolYear,SELECT tblSchoolYear.SchoolYearTitle AS lvKey, tblSchoolYear.SchoolYearTitle), ref: 00516177
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051619A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 005161C9
__vbaVarCat.MSVBVM60(?,?,?), ref: 00516205
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,?), ref: 00516216
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,00000000,?,?,?), ref: 00516227
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 0051623B
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 0051624F
__vbaStrVarMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 00516255
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 0051625F
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 00516267
__vbaFreeObj.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,?), ref: 0051626F
__vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0051629E
__vbaNew2.MSVBVM60(0041B32C,?,?,?,00000000,?,?,?), ref: 005162BA
__vbaNew2.MSVBVM60(0041B2FC,00538028,?,?,00000000,?,?,?), ref: 005162D1
__vbaFreeStr.MSVBVM60(00516484,?,00538028,?,?,000000FF,?,?,00000000,?,?,?), ref: 0051647E

Strings

%')) , xrefs: 005161EF
) AND ((SchoolYearTitle) like '%, xrefs: 0051617F
WHERE (((Val(Left([SchoolYearTitle],4)))>, xrefs: 00516141
SELECT tblSchoolYear.SchoolYearTitle AS lvKey, tblSchoolYear.SchoolYearTitle, xrefs: 005160D9
From tblSchoolYear, xrefs: 005160DE
FATAL ERROR: PickStudent.cmdFind_Click - Connectrs, xrefs: 005163DD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$New2$#617CheckHresultList
String ID: From tblSchoolYear$ WHERE (((Val(Left([SchoolYearTitle],4)))>$%')) $) AND ((SchoolYearTitle) like '%$FATAL ERROR: PickStudent.cmdFind_Click - Connectrs$SELECT tblSchoolYear.SchoolYearTitle AS lvKey, tblSchoolYear.SchoolYearTitle
API String ID: 3967149768-3532173672
Opcode ID: 41c41de2f32715fe87b79c009430420bb6a804740ebbc9488bfd6ad0551281e4
Instruction ID: f9c52de5ce3a6753dfffa272aaf3a9a92048b8554fd3f74220a498ec06a8df47
Opcode Fuzzy Hash: 41c41de2f32715fe87b79c009430420bb6a804740ebbc9488bfd6ad0551281e4
Instruction Fuzzy Hash: F6B108B1D01218ABDB11EF95C985EDFBBBCEF44304F1045ABB209F7181DA786A448FA5

Function 00531602 Relevance: 61.6, APIs: 33, Strings: 2, Instructions: 358COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,?,?,00000008,?,?,00404F16,000000FF), ref: 00531620
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00404F16), ref: 00531650
__vbaStrCopy.MSVBVM60(000000FF,?,00000000,?,00000000,00404F16), ref: 0053168F
__vbaAryDestruct.MSVBVM60(00000000,?,00531BD6,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531BD0

Part of subcall function 00532698: __vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 005326B4
Part of subcall function 00532698: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 005326E4
Part of subcall function 00532698: #516.MSVBVM60(0041F4D4,000000FF), ref: 00532701
Part of subcall function 00532698: #516.MSVBVM60(0041F4CC), ref: 00532715
Part of subcall function 00532698: __vbaGenerateBoundsError.MSVBVM60(0041F4CC), ref: 0053275D
Part of subcall function 00532698: __vbaUI1I2.MSVBVM60(0041F4CC), ref: 00532768
Part of subcall function 00532698: #516.MSVBVM60(0042A65C,0041F4CC), ref: 005327A6
Part of subcall function 00532698: #516.MSVBVM60(0042A654), ref: 005327BA
Part of subcall function 00532698: __vbaGenerateBoundsError.MSVBVM60(0042A654), ref: 00532802
Part of subcall function 00532698: __vbaUI1I2.MSVBVM60(0042A654), ref: 0053280D

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,000000FF,?,00000000,?,00000000,00404F16), ref: 00531716
__vbaLbound.MSVBVM60(00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531733
__vbaDerefAry1.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 0053176E
__vbaDerefAry1.MSVBVM60(?,?,?,?,?,?,?,00420C04,?,?,00000001,?,?,000000FF,?,00000000), ref: 005317BD
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 005317E9
__vbaDerefAry1.MSVBVM60(?,?,?,?,?,?,?,?,?,00420C04,?,?,00000001,?,?,000000FF), ref: 00531820
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 0053184C
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531872
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 005318AC
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 005318E6
__vbaUI1I2.MSVBVM60(?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531907
__vbaGenerateBoundsError.MSVBVM60 ref: 00531932
__vbaDerefAry1.MSVBVM60(?,00000000), ref: 00531943
__vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00531991
__vbaDerefAry1.MSVBVM60(?,00000000,?,00000000), ref: 005319A2
#516.MSVBVM60(00420C04,?,00000000,?,00000000), ref: 005319D9
__vbaGenerateBoundsError.MSVBVM60(00420C04,?,00000000,?,00000000), ref: 00531A05
#681.MSVBVM60(?,0000000B,00004011,00000002,00420C04,?,00000000,?,00000000), ref: 00531A5C
__vbaUI1Var.MSVBVM60(?,?,0000000B,00004011,00000002,00420C04,?,00000000,?,00000000), ref: 00531A65
__vbaDerefAry1.MSVBVM60(?,00000000,?,?,0000000B,00004011,00000002,00420C04,?,00000000,?,00000000), ref: 00531A72
__vbaFreeVarList.MSVBVM60(00000003,0000000B,00000002,?,?,00000000,?,?,0000000B,00004011,00000002,00420C04,?,00000000,?,00000000), ref: 00531A8A
#516.MSVBVM60(00420C04,?,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531AB4
__vbaGenerateBoundsError.MSVBVM60 ref: 00531AE0
#681.MSVBVM60(?,0000000B,00004011,00000002), ref: 00531B37
__vbaUI1Var.MSVBVM60(?,?,0000000B,00004011,00000002), ref: 00531B40
__vbaDerefAry1.MSVBVM60(?,00000000,?,?,0000000B,00004011,00000002), ref: 00531B4D
__vbaFreeVarList.MSVBVM60(00000003,0000000B,00000002,?,?,00000000,?,?,0000000B,00004011,00000002), ref: 00531B65
__vbaStrMove.MSVBVM60(?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531B99
__vbaErrorOverflow.MSVBVM60(000000FF,?,00000000,?,00000000,00404F16), ref: 00531BEA

Strings

4, xrefs: 00531B84
@, xrefs: 00531ACE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Error$Ary1Deref$#516BoundsGenerate$#681ChkstkFreeList$CopyDestructLboundMoveOverflowRedim
String ID: 4$@
API String ID: 2677120483-1528247400
Opcode ID: 5ca9188a8de0cdd42793b4a2666be08142ee2a5730e6b9b39590489645a5dbde
Instruction ID: 80cfa4816c937cc37ec22b4d225eddd30026334fbab0b8b817042d436ecb3a86
Opcode Fuzzy Hash: 5ca9188a8de0cdd42793b4a2666be08142ee2a5730e6b9b39590489645a5dbde
Instruction Fuzzy Hash: 03F126B1805648EEDB00DFA5D955BDEBFB4FF05308F10809AE145BB282D7795A88DF28

Function 00511B3B Relevance: 61.6, APIs: 31, Strings: 4, Instructions: 311COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(?), ref: 00511B92
#632.MSVBVM60(00000001,?,?,?,?), ref: 00511BD5
__vbaVarMove.MSVBVM60(00000001,?,?,?,?), ref: 00511BE3
__vbaFreeVar.MSVBVM60(00000001,?,?,?,?), ref: 00511BEB
__vbaVarTstEq.MSVBVM60(00004008,?,00000001,?,?,?,?), ref: 00511C0A
__vbaVarTstEq.MSVBVM60(?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?,?,?,?), ref: 00511C2D
__vbaVarTstEq.MSVBVM60(00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?), ref: 00511C50
__vbaVarTstEq.MSVBVM60(?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001), ref: 00511C73
__vbaVarTstEq.MSVBVM60(?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008), ref: 00511C96
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002), ref: 00511CB9
__vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008), ref: 00511CDC
__vbaFreeVar.MSVBVM60(00511D8D,?), ref: 00511D87

Strings

newid, xrefs: 00511E68
FROM tblFee;, xrefs: 00511DD2
SELECT Max([tblFee].[FeeID])+1 AS NewID, xrefs: 00511DCD
x3@, xrefs: 00511B3B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#632BstrMove
String ID: FROM tblFee;$SELECT Max([tblFee].[FeeID])+1 AS NewID$newid$x3@
API String ID: 563547971-3626895865
Opcode ID: 49bd9e52716193c7d7920fdb9eaec4bf5cb12adb1dba73e799476bb0b227bf38
Instruction ID: 9288a970bc655634e617963b529d3311c10dd4ba67dec0cbc2b0aee9960a3c34
Opcode Fuzzy Hash: 49bd9e52716193c7d7920fdb9eaec4bf5cb12adb1dba73e799476bb0b227bf38
Instruction Fuzzy Hash: 34C15EB1C00609AADF10EF95C845ADEBFBCFF04704F50816BE611B7190DB745A458FA8

Function 0051E0A8 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,?), ref: 0051E0F2
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 0051E10E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0,?,?,?,?,000000FF), ref: 0051E16D
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,?,000000FF), ref: 0051E17D
__vbaHresultCheckObj.MSVBVM60(00000000,00000008,0041B364,000000A4,?,?,?,?,000000FF), ref: 0051E1A1
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,?,000000FF), ref: 0051E1B1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,000000FF), ref: 0051E1CC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0,?,?,?,?,000000FF), ref: 0051E1F2
__vbaStrCat.MSVBVM60(?,SchoolYear >= ',?,?,?,?,000000FF), ref: 0051E1FF
__vbaStrMove.MSVBVM60(?,SchoolYear >= ',?,?,?,?,000000FF), ref: 0051E209
__vbaStrCat.MSVBVM60(0041CB7C,00000000,?,SchoolYear >= ',?,?,?,?,000000FF), ref: 0051E214
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000C0,?,?,?,?,?,?,?,?,000000FF), ref: 0051E250
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E25F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E26A
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E272
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E281
__vbaHresultCheckObj.MSVBVM60(00000000,00000008,0041B364,00000050,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E2A1
__vbaNew2.MSVBVM60(004067D8,00538390,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E2C8
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E2DD
__vbaCastObj.MSVBVM60(?,00421684,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E2EB
__vbaObjSet.MSVBVM60(?,00000000,?,00421684,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E2F5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041E8AC,00000028,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E310
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E318
__vbaNew2.MSVBVM60(004067D8,00538390,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E32F
__vbaLateIdCall.MSVBVM60(80011003,00000000,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E340
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 0051E35A
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0051E36E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 0051E387
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0051E38F
__vbaCastObj.MSVBVM60(00000000,0041B31C), ref: 0051E39B
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C), ref: 0051E3A5
__vbaObjSetAddref.MSVBVM60(?,00000000,?,00000000,00000000,0041B31C), ref: 0051E3AC
__vbaFreeObj.MSVBVM60(?,00000000,?,00000000,00000000,0041B31C), ref: 0051E3B4

Strings

SchoolYear >= ', xrefs: 0051E1F7
Select * From qryStudentBilling, xrefs: 0051E139

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$New2$CheckHresult$Free$AddrefCast$CallLateListMove
String ID: SchoolYear >= '$Select * From qryStudentBilling
API String ID: 1856452880-3281463837
Opcode ID: 61058ab4c6eeb067af7da615e374986a6095d055229463c6f025982dd09addaa
Instruction ID: bb8e7ebf59fa4c887366a83afaf6a1ccf7f02b7527458ad666be772554a191d6
Opcode Fuzzy Hash: 61058ab4c6eeb067af7da615e374986a6095d055229463c6f025982dd09addaa
Instruction Fuzzy Hash: 0A81BD70940605ABDB11EBA1CC4AFEF7BA8FF50704F50042AF810B71D1CBB85845CA9A

Function 0051AAFC Relevance: 58.8, APIs: 39, Instructions: 326COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 0051AB18
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0051AB5E
__vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00404F16), ref: 0051AB7D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 0051AB98
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 0051ABC7
__vbaR8Str.MSVBVM60(?), ref: 0051ABD8
__vbaStrR8.MSVBVM60(?,?,?), ref: 0051ABF2
__vbaStrMove.MSVBVM60(?,?,?), ref: 0051ABFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000054,?,?,?), ref: 0051AC25
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 0051AC3D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00404F16), ref: 0051AC4F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00404F16), ref: 0051AC71
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 0051ACA0
#581.MSVBVM60(?), ref: 0051ACB1
__vbaFpR8.MSVBVM60(?), ref: 0051ACB6
__vbaFreeStr.MSVBVM60(?), ref: 0051ACDF
__vbaFreeObj.MSVBVM60(?), ref: 0051ACE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004207C8,0000070C), ref: 0051AD22
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051AD4A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000050), ref: 0051AD79
__vbaR8Str.MSVBVM60(?), ref: 0051AD8A
__vbaFreeStr.MSVBVM60(?), ref: 0051ADB3
__vbaFreeObj.MSVBVM60(?), ref: 0051ADBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051ADE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BF0,0000005C), ref: 0051AE13
__vbaFreeObj.MSVBVM60(00000000,?,00419BF0,0000005C), ref: 0051AE2A
__vbaStrCat.MSVBVM60(0041EF1C,?), ref: 0051AE41
__vbaStrMove.MSVBVM60(0041EF1C,?), ref: 0051AE4B
__vbaStrCat.MSVBVM60(?,00000000,0041EF1C,?), ref: 0051AE57
#529.MSVBVM60(00000008,?,00000000,0041EF1C,?), ref: 0051AE6A
__vbaFreeStr.MSVBVM60(00000008,?,00000000,0041EF1C,?), ref: 0051AE72
__vbaFreeVar.MSVBVM60(00000008,?,00000000,0041EF1C,?), ref: 0051AE7A
__vbaStrCat.MSVBVM60(?,?,00000008,?,00000000,0041EF1C,?), ref: 0051AE92
#529.MSVBVM60(00000008,?,?,00000008,?,00000000,0041EF1C,?), ref: 0051AEA5
__vbaFreeVar.MSVBVM60(00000008,?,?,00000008,?,00000000,0041EF1C,?), ref: 0051AEAD
__vbaNew2.MSVBVM60(00419EE8,00539E00,00000008,?,?,00000008,?,00000000,0041EF1C,?), ref: 0051AECC
__vbaObjSetAddref.MSVBVM60(?,?,00000008,?,?,00000008,?,00000000,0041EF1C,?), ref: 0051AEF9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000010), ref: 0051AF22
__vbaFreeObj.MSVBVM60(00000000,?,00419ED8,00000010), ref: 0051AF39

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$#529ListMove$#581AddrefChkstkErrorNew2
String ID:
API String ID: 843709306-0
Opcode ID: 0a9d9d7b8757d7884dcb57ba0f7f09e1b74809dedfcc5786f4b810c8e4a4b0b6
Instruction ID: 589ae9ba9f7d66db4bd7a4f2dde7e899971ef52c6941d358b3d8a274741735e9
Opcode Fuzzy Hash: 0a9d9d7b8757d7884dcb57ba0f7f09e1b74809dedfcc5786f4b810c8e4a4b0b6
Instruction Fuzzy Hash: 19E1E271900608AFDB01EFA5C949BDDBBB9FF08305F10406AE105BB2A1D775AA86DF94

Function 0050C8BA Relevance: 58.1, APIs: 27, Strings: 6, Instructions: 381COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,0000000A), ref: 0050C8F9
__vbaNew2.MSVBVM60(0041B32C,?,?,0000000A), ref: 0050C90C
__vbaNew2.MSVBVM60(0041B2FC,00538028,?,0000000A), ref: 0050C929
__vbaHresultCheckObj.MSVBVM60(00000000,0000000A,0041B364,000000A0,?,?,?,?,000000FF,?,0000000A), ref: 0050C987
__vbaNew2.MSVBVM60(0041B32C,00000000,?,?,?,?,000000FF,?,0000000A), ref: 0050C99B
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,000000FF,?,0000000A), ref: 0050C9A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000078), ref: 0050C9F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054), ref: 0050CA15
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?), ref: 0050CA51
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000038,?,?,?,?,?,?,?,?), ref: 0050CA88
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 0050CA97
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054,?,?,?,?,?,?,?,?,?,?,?), ref: 0050CABD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?), ref: 0050CAF9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000038,?,?,?,?,?,?,?,?), ref: 0050CB31
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 0050CB40
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054,?,?,?,?,?,?,?,?,?,?,?), ref: 0050CB66
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B374,00000028,?,?,?,?), ref: 0050CBA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000038,?,?,?,?,?,?,?,?), ref: 0050CBDA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 0050CBE9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000AC,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050CC38
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050CC5F
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050CC6A
__vbaCastObj.MSVBVM60(00000000,0041B31C,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050CC76
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,0041B31C,?,00000000), ref: 0050CC80
__vbaFreeObj.MSVBVM60(0050CCB8,00000000,00000000,00000000,0041B31C,?,00000000), ref: 0050CCA2
__vbaFreeObj.MSVBVM60(0050CCB8,00000000,00000000,00000000,0041B31C,?,00000000), ref: 0050CCAA
__vbaFreeStr.MSVBVM60(0050CCB8,00000000,00000000,00000000,0041B31C,?,00000000), ref: 0050CCB2

Strings

Select * From tblDiscount, xrefs: 0050C957
0.00, xrefs: 0050CBAF
EnrollmentID, xrefs: 0050CA26
None, xrefs: 0050CB06
DiscountName, xrefs: 0050CACE
Amount, xrefs: 0050CB77

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$ListNew2$Addref$CastCopy
String ID: 0.00$Amount$DiscountName$EnrollmentID$None$Select * From tblDiscount
API String ID: 1129704336-2387283779
Opcode ID: acdf45ad98c53d5bb63d328967fd9fbe082e8c996a91b01d3429552294eb1675
Instruction ID: d2cf02889ab1a5740511b0b0ec08c2eb2b2713f022a793ede4addf739948aca8
Opcode Fuzzy Hash: acdf45ad98c53d5bb63d328967fd9fbe082e8c996a91b01d3429552294eb1675
Instruction Fuzzy Hash: CDD12971D00619ABDF00EFE8C885AEFBBB9FF45704F50011AF904BB291D775594A8B94

Function 00506A2C Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00506A8F

Part of subcall function 0050BE24: __vbaStrCopy.MSVBVM60(?, -@,00000000), ref: 0050BE76
Part of subcall function 0050BE24: __vbaNew2.MSVBVM60(0041B32C,?,?, -@,00000000), ref: 0050BE89
Part of subcall function 0050BE24: __vbaNew2.MSVBVM60(0041B2FC,00538028,?, -@,00000000), ref: 0050BEA3
Part of subcall function 0050BE24: __vbaStrCat.MSVBVM60(?,Select * from queryfees where EnrolmentID=',?, -@,00000000), ref: 0050BEBF
Part of subcall function 0050BE24: __vbaStrMove.MSVBVM60(?,Select * from queryfees where EnrolmentID=',?, -@,00000000), ref: 0050BEC9
Part of subcall function 0050BE24: __vbaStrCat.MSVBVM60(0041CB7C,00000000,?,Select * from queryfees where EnrolmentID=',?, -@,00000000), ref: 0050BED4
Part of subcall function 0050BE24: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050BF1C
Part of subcall function 0050BE24: __vbaFreeStr.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050BF24
Part of subcall function 0050BE24: __vbaFreeVar.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050BF2C
Part of subcall function 0050BE24: __vbaHresultCheckObj.MSVBVM60(00000000,00000008,0041B688,000000A4), ref: 0050BF57

__vbaFreeObj.MSVBVM60(?,?,?,?,00000000), ref: 00506AA7
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000), ref: 00506AAF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00506AC2

Part of subcall function 0050C570: __vbaStrCopy.MSVBVM60(?, -@,00000000), ref: 0050C5CB
Part of subcall function 0050C570: __vbaNew2.MSVBVM60(0041B32C,?,?, -@,00000000), ref: 0050C5DE
Part of subcall function 0050C570: __vbaNew2.MSVBVM60(0041B2FC,00538028,?, -@,00000000), ref: 0050C5F8
Part of subcall function 0050C570: __vbaStrCat.MSVBVM60(?,Select * From qryDiscount Where EnrolmentID = ',?, -@,00000000), ref: 0050C614
Part of subcall function 0050C570: __vbaStrMove.MSVBVM60(?,Select * From qryDiscount Where EnrolmentID = ',?, -@,00000000), ref: 0050C61E
Part of subcall function 0050C570: __vbaStrCat.MSVBVM60(0041CB7C,00000000,?,Select * From qryDiscount Where EnrolmentID = ',?, -@,00000000), ref: 0050C629
Part of subcall function 0050C570: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C671
Part of subcall function 0050C570: __vbaFreeStr.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C679
Part of subcall function 0050C570: __vbaFreeVar.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C681

__vbaFreeObj.MSVBVM60(?,?,?,?,00000000), ref: 00506ADA
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000), ref: 00506AE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00506AF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00506B1F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00506B39
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00506B5E
__vbaR8Str.MSVBVM60(?), ref: 00506B66
__vbaR8Str.MSVBVM60(?,?), ref: 00506B74
__vbaFpCy.MSVBVM60(?,?), ref: 00506B89
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 00506B9E
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,?,?,?,?), ref: 00506BAD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?), ref: 00506BC3
__vbaVarDup.MSVBVM60(?,00000000,?,?,?), ref: 00506BE1
#650.MSVBVM60(?,?,00000001,00000001,?,00000000,?,?,?), ref: 00506C01
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,?,00000000,?,?,?), ref: 00506C0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A4,?,?,?), ref: 00506C2A
__vbaFreeStr.MSVBVM60(?,?,?), ref: 00506C32
__vbaFreeObj.MSVBVM60(?,?,?), ref: 00506C3A
__vbaFreeVar.MSVBVM60(?,?,?), ref: 00506C42
__vbaObjSet.MSVBVM60(?,00000000,?,?,?), ref: 00506C55
__vbaObjSet.MSVBVM60(?,00000000,?,?,?), ref: 00506C68
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0,?,?,?), ref: 00506C8A
__vbaObjSet.MSVBVM60(?,?,?,?,?), ref: 00506C9B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 00506CB7
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00506CCA
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?), ref: 00506CD5
__vbaHresultCheckObj.MSVBVM60(00000000, -@,0041E024,0000071C,?,?,?), ref: 00506CF3

Strings

#,##0.00, xrefs: 00506BD3
-@, xrefs: 00506A5A, 00506A5F, 00506A65, 00506AB6, 00506AE9, 00506B2D, 00506BB7, 00506C49, 00506C5C, 00506CDC, 00506CF1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$ListMove$Copy$#650
String ID: -@$#,##0.00
API String ID: 2736144159-747735629
Opcode ID: de010200450db1846ade074d0c340d1e6ebe5960cc83ef0e83028f25bf45888e
Instruction ID: 9225be99b9f9009729a9489dd0f34a07e9b0059d890ee274d717a0a882306b8a
Opcode Fuzzy Hash: de010200450db1846ade074d0c340d1e6ebe5960cc83ef0e83028f25bf45888e
Instruction Fuzzy Hash: 8A91FAB1900619ABCB01EFE5C889EDEBBBCFF48304F44456AF145BB191DB38A9058F65

Function 0050A658 Relevance: 56.4, APIs: 24, Strings: 8, Instructions: 436COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00402EB0,0041E8AC,0000008C), ref: 0050A6D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C), ref: 0050A70F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C), ref: 0050A732
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?), ref: 0050A76E
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?), ref: 0050A787
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,Caption,?,?,?,?,?,?,?,?,?), ref: 0050A79E
__vbaHresultCheckObj.MSVBVM60(00000000,00402EB0,0041E8AC,0000008C,?,?,?,?,Caption), ref: 0050A7D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C,?,?,?,?,?,?,?,?,Caption), ref: 0050A80F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C,?,?,?,?,?,?,?,?,Caption), ref: 0050A832
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050A86E
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050A887
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,Caption,?,?,?,?,?,?,?,?), ref: 0050A89E
__vbaHresultCheckObj.MSVBVM60(00000000,00402EB0,0041E8AC,0000008C,?,?,?,?,Caption), ref: 0050A8D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C,?,?,?,?,?,?,?,?,Caption), ref: 0050A90F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C,?,?,?,?,?,?,?,?,Caption), ref: 0050A932
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050A96E
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050A987
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,Caption,?,?,?,?,?,?,?,?), ref: 0050A99E
__vbaHresultCheckObj.MSVBVM60(00000000,00402EB0,0041E8AC,0000008C,?,?,?,?,Caption), ref: 0050A9D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C,?,?,?,?,?,?,?,?,Caption), ref: 0050AA0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C,?,?,?,?,?,?,?,?,Caption), ref: 0050AA32
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050AA6E
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050AA87
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,Caption,?,?,?,?,?,?,?,?), ref: 0050AA9E

Strings

Caption, xrefs: 0050A77E, 0050A87E, 0050A97E, 0050AA7E
lblSchoolName, xrefs: 0050A843
lblEncoder, xrefs: 0050A743
Section4, xrefs: 0050A7E4, 0050A8E4
lblSchoolYear, xrefs: 0050AA43
SecDetail, xrefs: 0050A9E4
lblSchoolAddress, xrefs: 0050A943
Section5, xrefs: 0050A6E4

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeLateList
String ID: Caption$SecDetail$Section4$Section5$lblEncoder$lblSchoolAddress$lblSchoolName$lblSchoolYear
API String ID: 3947987680-631835221
Opcode ID: 0005cc2e20042e9de88ab7741ea9e1d9587046a70eaefa9746a1137979121784
Instruction ID: 828bc21fb41461de7d7a526979490e1c1bc8a291275af738bd9231459c021e3f
Opcode Fuzzy Hash: 0005cc2e20042e9de88ab7741ea9e1d9587046a70eaefa9746a1137979121784
Instruction Fuzzy Hash: 50E14C71D40609ABDF00EFA9C845EDFBBB9FF49700F10841AF905BB292D67599058FA4

Function 0050C570 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 247COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?, -@,00000000), ref: 0050C5CB
__vbaNew2.MSVBVM60(0041B32C,?,?, -@,00000000), ref: 0050C5DE
__vbaNew2.MSVBVM60(0041B2FC,00538028,?, -@,00000000), ref: 0050C5F8
__vbaStrCat.MSVBVM60(?,Select * From qryDiscount Where EnrolmentID = ',?, -@,00000000), ref: 0050C614
__vbaStrMove.MSVBVM60(?,Select * From qryDiscount Where EnrolmentID = ',?, -@,00000000), ref: 0050C61E
__vbaStrCat.MSVBVM60(0041CB7C,00000000,?,Select * From qryDiscount Where EnrolmentID = ',?, -@,00000000), ref: 0050C629
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C671
__vbaFreeStr.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C679
__vbaFreeVar.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050C681
__vbaHresultCheckObj.MSVBVM60(00000000,00000008,0041B688,000000A4), ref: 0050C6AC
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0050C6C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000050), ref: 0050C6E4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 0050C715
__vbaCastObj.MSVBVM60(00000000,0041B31C,?,?,?,?,?,?,?,?), ref: 0050C83A
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?,?), ref: 0050C844
__vbaFreeStr.MSVBVM60(0050C89D,00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?,?), ref: 0050C88F
__vbaFreeObj.MSVBVM60(0050C89D,00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?,?), ref: 0050C897

Strings

#,##0.00, xrefs: 0050C7A7
0.00, xrefs: 0050C68D, 0050C692, 0050C6F7
-@, xrefs: 0050C590
SumOfAmount, xrefs: 0050C763
Select * From qryDiscount Where EnrolmentID = ', xrefs: 0050C602

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$CastCopyMove
String ID: -@$#,##0.00$0.00$Select * From qryDiscount Where EnrolmentID = '$SumOfAmount
API String ID: 1299285802-304432971
Opcode ID: d2ffa01bdad4d66e39ddb2b537a3b9a8a484c9fca52396273ab170449fe1a0df
Instruction ID: ede667b09214333059decb794321a39e7fcee53216bdf02513ba506092fcd686
Opcode Fuzzy Hash: d2ffa01bdad4d66e39ddb2b537a3b9a8a484c9fca52396273ab170449fe1a0df
Instruction Fuzzy Hash: 98915970D00619AADB10EFA5C886FEEBBB8FF05704F50412AF544B7181DBB869898F95

Function 0050BE24 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 240COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?, -@,00000000), ref: 0050BE76
__vbaNew2.MSVBVM60(0041B32C,?,?, -@,00000000), ref: 0050BE89
__vbaNew2.MSVBVM60(0041B2FC,00538028,?, -@,00000000), ref: 0050BEA3
__vbaStrCat.MSVBVM60(?,Select * from queryfees where EnrolmentID=',?, -@,00000000), ref: 0050BEBF
__vbaStrMove.MSVBVM60(?,Select * from queryfees where EnrolmentID=',?, -@,00000000), ref: 0050BEC9
__vbaStrCat.MSVBVM60(0041CB7C,00000000,?,Select * from queryfees where EnrolmentID=',?, -@,00000000), ref: 0050BED4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050BF1C
__vbaFreeStr.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050BF24
__vbaFreeVar.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0050BF2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000008,0041B688,000000A4), ref: 0050BF57
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0050BF6B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000050), ref: 0050BF8C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 0050BFBA
__vbaCastObj.MSVBVM60(00000000,0041B31C,?,?,?,?,?,?,?), ref: 0050C0CE
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?), ref: 0050C0D8
__vbaFreeStr.MSVBVM60(0050C12D,00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?), ref: 0050C11F
__vbaFreeObj.MSVBVM60(0050C12D,00000000,00000000,00000000,0041B31C,?,?,?,?,?,?,?), ref: 0050C127

Strings

#,##0.00, xrefs: 0050C049
Select * from queryfees where EnrolmentID=', xrefs: 0050BEAD
0.00, xrefs: 0050BF38, 0050BF3D, 0050BF9C
-@, xrefs: 0050BE44
SumOfAmount, xrefs: 0050C008

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$CastCopyMove
String ID: -@$#,##0.00$0.00$Select * from queryfees where EnrolmentID='$SumOfAmount
API String ID: 1299285802-3465985663
Opcode ID: 04ec74c715a52d2e7e4703aca15d7abc82730004542457cb4aff65f774817ab4
Instruction ID: e284a2184967b500c0971177ea43963b752ac5068af4c167b069510881acf305
Opcode Fuzzy Hash: 04ec74c715a52d2e7e4703aca15d7abc82730004542457cb4aff65f774817ab4
Instruction Fuzzy Hash: DF813870D40619AADB10EFA5C88AFDEBBB8FF09704F50402AF940B71C1D7B859498FA5

Function 004085A2 Relevance: 54.7, APIs: 30, Strings: 1, Instructions: 416COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6C70
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E6C99
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000090), ref: 004E6CC5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6CE1
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004E6CEB
__vbaCastObjVar.MSVBVM60(00000000), ref: 004E6CF4
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004E6CFE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A67C,00000024), ref: 004E6D42
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 004E6D6E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6D81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004E6DB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6DD3
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004E6DE0
__vbaCastObjVar.MSVBVM60(00000000), ref: 004E6DE9
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004E6DF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A67C,00000024), ref: 004E6E40
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 004E6E63
#681.MSVBVM60(?,?,?,?), ref: 004E6EC3
__vbaCastObjVar.MSVBVM60(?,0041A69C,?,?,?,?), ref: 004E6EDC
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,?,?,?), ref: 004E6EE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000064), ref: 004E6F09
__vbaFreeObjList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 004E6F3C
__vbaFreeVarList.MSVBVM60(00000008,?,00000002,?,00000002,0000000B,?,?,?,0000000B,?,?,?,?,?,?), ref: 004E6F75
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6F8B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E6FB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,000001C0), ref: 004E6FE0
__vbaSetSystemError.MSVBVM60(?,?), ref: 004E6FF4
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 004E7003
__vbaSetSystemError.MSVBVM60(?,?,?,?), ref: 004E7014
__vbaRaiseEvent.MSVBVM60(004018F0,00000001,00000001), ref: 004E705C
__vbaErrorOverflow.MSVBVM60(?,?,00000000,00000000), ref: 004E7104
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E718D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E71B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,000001C0), ref: 004E71DD
__vbaSetSystemError.MSVBVM60(?,?), ref: 004E71EE
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 004E71FD
__vbaSetSystemError.MSVBVM60(?,?,?,?), ref: 004E720E

Strings

O, xrefs: 004085A2

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Error$FreeListSystem$Cast$CallLate$#681EventOverflowRaise
String ID: O
API String ID: 641470083-878818188
Opcode ID: f3db52c81af5e69224cf498a3aa8ecd0c92534446b945ff64044b29466b25f9a
Instruction ID: d217fc8bc82d5bf9d745c1762fccbc9e8a10098e4b65e8e175061a77e1891af4
Opcode Fuzzy Hash: f3db52c81af5e69224cf498a3aa8ecd0c92534446b945ff64044b29466b25f9a
Instruction Fuzzy Hash: 31F1F8B1900218ABCB10EFA5CC85EDEB7BCFF48304F5445AAF609E7241D7749A458FA4

Function 004E1898 Relevance: 52.9, APIs: 35, Instructions: 429COMMON

Download Yara Rule

APIs

__vbaI2I4.MSVBVM60 ref: 004E18FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1916
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000008C), ref: 004E1939
__vbaFreeObj.MSVBVM60(00000000,00000000,00419EF8,0000008C), ref: 004E1941
__vbaHresultCheckObj.MSVBVM60(00000000,004015F0,004197B0,00000804), ref: 004E1966
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1984
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1999
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E19C0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000058), ref: 004E19E3
__vbaObjSet.MSVBVM60(?,?), ref: 004E19F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000005C), ref: 004E1A0F
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004E1A26
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1A49
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000130), ref: 004E1AC9
__vbaFreeObj.MSVBVM60(00000000,?,00419EF8,00000130), ref: 004E1AD1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1AE4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000008C), ref: 004E1B08
__vbaFreeObj.MSVBVM60(00000000,00000000,00419EF8,0000008C), ref: 004E1B10
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1B27
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E1B48
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004E1B6E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E1B7D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1B93
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E1BB5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004E1BDB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E1BEA
__vbaHresultCheckObj.MSVBVM60(00000000,004015F0,004197B0,00000804), ref: 004E1C0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1C2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E1C4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004E1C73
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E1C82
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E1C98
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E1CBA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004E1CE0
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E1CEF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$List
String ID:
API String ID: 3690971433-0
Opcode ID: bd54fb0f3249d0f981dc97a5d51360f39cc485523eb3ccad1641806168b60eb5
Instruction ID: 34a028eb7d9d693b933df450bb71e569231da5b4c35c5c11c30687d6b0449812
Opcode Fuzzy Hash: bd54fb0f3249d0f981dc97a5d51360f39cc485523eb3ccad1641806168b60eb5
Instruction Fuzzy Hash: 4BD19271940614AFCB10EBA5CC99EEF7BFCEF04704F14056AF505FB191DA7899418BA4

Function 004EC566 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 417COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041A7CC,00000060), ref: 004EC5CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC623
__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041A7CC,00000060), ref: 004EC649
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC69D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC6B3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004EC6D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC727
__vbaFreeObj.MSVBVM60 ref: 004EC72F
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC745
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004EC765
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC7B9
__vbaFreeObj.MSVBVM60 ref: 004EC7C1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC7D7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004EC7F7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC84B
__vbaFreeObj.MSVBVM60 ref: 004EC853
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC869
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004EC889
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC8DD
__vbaFreeObj.MSVBVM60 ref: 004EC8E5
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EC8FB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004EC91B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004EC96F
__vbaFreeObj.MSVBVM60 ref: 004EC977

Strings

BackColor, xrefs: 004EC605, 004EC67F
BorderColor5, xrefs: 004EC951
BorderColor4, xrefs: 004EC8BF
BorderColor1, xrefs: 004EC709
BorderColor3, xrefs: 004EC82D
BorderColor2, xrefs: 004EC79B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BackColor$BorderColor1$BorderColor2$BorderColor3$BorderColor4$BorderColor5
API String ID: 3976024557-2150029538
Opcode ID: 496d1ac3301638069d58bc9b708fdc19f674f30fbba40fd8982204a751b31e83
Instruction ID: 7927d20ccb18b862f140b2fcae9133716b687aaff64aa2e4ca817e0cde82f827
Opcode Fuzzy Hash: 496d1ac3301638069d58bc9b708fdc19f674f30fbba40fd8982204a751b31e83
Instruction Fuzzy Hash: D3E17E71900A04AFCB01EFA9C889EDF7BB9FF09715F10041AF901BB291D775A946CB95

Function 004E3570 Relevance: 51.4, APIs: 34, Instructions: 446COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 004E358C
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 004E35D2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 004E3603
__vbaChkstk.MSVBVM60 ref: 004E3649
__vbaChkstk.MSVBVM60 ref: 004E365A
__vbaChkstk.MSVBVM60 ref: 004E366B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A2DC,000000F4), ref: 004E36A8
__vbaFreeObj.MSVBVM60 ref: 004E36B9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E36EA
__vbaChkstk.MSVBVM60 ref: 004E3747
__vbaChkstk.MSVBVM60 ref: 004E3758
__vbaChkstk.MSVBVM60 ref: 004E3769
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A2DC,000000F4), ref: 004E37A6
__vbaFreeObj.MSVBVM60 ref: 004E37B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E37E8
__vbaChkstk.MSVBVM60 ref: 004E3845
__vbaChkstk.MSVBVM60 ref: 004E3856
__vbaChkstk.MSVBVM60 ref: 004E3867
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A2DC,000000F4), ref: 004E38A8
__vbaFreeObj.MSVBVM60 ref: 004E38BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E38F0
__vbaChkstk.MSVBVM60 ref: 004E394D
__vbaChkstk.MSVBVM60 ref: 004E395E
__vbaChkstk.MSVBVM60 ref: 004E396F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A2DC,000000F4), ref: 004E39B0
__vbaFreeObj.MSVBVM60 ref: 004E39C7
__vbaErrorOverflow.MSVBVM60 ref: 004E3A04
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,00000002), ref: 004E3A4E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018,?,00000002), ref: 004E3A72
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080,?,00000002), ref: 004E3A9B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A318,00000080,?,00000002), ref: 004E3AC7
_adj_fdiv_m32.MSVBVM60(?,?,00000002), ref: 004E3AE0
__vbaFpI2.MSVBVM60(?,?,00000002), ref: 004E3AEB
__vbaFreeObj.MSVBVM60(?,?,00000002), ref: 004E3AF6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$CheckHresult$Free$Error$New2Overflow_adj_fdiv_m32
String ID:
API String ID: 2130883369-0
Opcode ID: 1cd5eea57ccc0873c10cb06f01822aff6cdfc13885c0f669d64bb1f40ee207a3
Instruction ID: b4db47b147f386dbed3f17ed2e1da4d326eef2d3950bf27f367d26b4be3f95b4
Opcode Fuzzy Hash: 1cd5eea57ccc0873c10cb06f01822aff6cdfc13885c0f669d64bb1f40ee207a3
Instruction Fuzzy Hash: A3025971800609AFCB01DFA5C849BDEBBB5FF48315F10446AF904BB2A1CBB95A85DF94

Function 00532698 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 005326B4
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 005326E4
#516.MSVBVM60(0041F4D4,000000FF), ref: 00532701
#516.MSVBVM60(0041F4CC), ref: 00532715
__vbaGenerateBoundsError.MSVBVM60(0041F4CC), ref: 0053275D
__vbaUI1I2.MSVBVM60(0041F4CC), ref: 00532768
#516.MSVBVM60(0042A65C,0041F4CC), ref: 005327A6
#516.MSVBVM60(0042A654), ref: 005327BA
__vbaGenerateBoundsError.MSVBVM60(0042A654), ref: 00532802
__vbaUI1I2.MSVBVM60(0042A654), ref: 0053280D
#516.MSVBVM60(00420C7C,0042A654), ref: 0053284B
#516.MSVBVM60(0041C0AC), ref: 0053285F
__vbaGenerateBoundsError.MSVBVM60(0041C0AC), ref: 005328A7
__vbaUI1I2.MSVBVM60(0041C0AC), ref: 005328B2
__vbaGenerateBoundsError.MSVBVM60(0041C0AC), ref: 005328FE
#516.MSVBVM60(00420C14,0041C0AC), ref: 0053290B
__vbaUI1I2.MSVBVM60(00420C14,0041C0AC), ref: 00532912
__vbaGenerateBoundsError.MSVBVM60(00420C14,0041C0AC), ref: 00532955
#516.MSVBVM60(0041EF24,00420C14,0041C0AC), ref: 00532962
__vbaUI1I2.MSVBVM60(0041EF24,00420C14,0041C0AC), ref: 00532969
__vbaGenerateBoundsError.MSVBVM60 ref: 005329EF
__vbaUI1I2.MSVBVM60 ref: 005329FE
__vbaGenerateBoundsError.MSVBVM60 ref: 00532A71
__vbaGenerateBoundsError.MSVBVM60 ref: 00532A9C
__vbaUI1I2.MSVBVM60 ref: 00532AAA

Strings

@, xrefs: 00532A62
?, xrefs: 00532A1E

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Error$#516BoundsGenerate$Chkstk
String ID: ?$@
API String ID: 1081176474-1463999369
Opcode ID: 90723f0878736c4139be63fd8a48367f1cf8309bd886694f347cc787d8cc0086
Instruction ID: 2a167449aedff822d4248d2360391e0ee64e9fb1beef2f9b0b51ecbd23c497ce
Opcode Fuzzy Hash: 90723f0878736c4139be63fd8a48367f1cf8309bd886694f347cc787d8cc0086
Instruction Fuzzy Hash: 6BC1C274C01649DADB14EFE5C6453EDBBB0FF18708F20809AE4117B292E7B90A85DF29

Function 00501587 Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 005015F5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0050161B
#561.MSVBVM60(?), ref: 00501633
__vbaFreeObj.MSVBVM60(?), ref: 0050164A
__vbaFreeVar.MSVBVM60(?), ref: 00501652
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050166E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 0050169E
#581.MSVBVM60(?), ref: 005016AD
__vbaFpR8.MSVBVM60(?), ref: 005016B2
__vbaFreeStr.MSVBVM60(?), ref: 005016D5
__vbaFreeObj.MSVBVM60(?), ref: 005016DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 005016FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00501729
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050173C
#702.MSVBVM60(?,00000002,000000FE,000000FE,000000FE,?,00000000), ref: 0050175E
__vbaStrMove.MSVBVM60(?,00000002,000000FE,000000FE,000000FE,?,00000000), ref: 00501768
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00501783
__vbaFreeStr.MSVBVM60 ref: 0050178B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0050179A
__vbaVarDup.MSVBVM60(?), ref: 005017F4
#595.MSVBVM60(?,00000030,?,?,?,?), ref: 0050180B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000030,?,?,?,?), ref: 00501822
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501838

Part of subcall function 00503B01: __vbaChkstk.MSVBVM60(?,00404F16,?,?,?,?,?,?,004FE82C,?,?,?,00000000), ref: 00503B1D
Part of subcall function 00503B01: __vbaOnError.MSVBVM60(000000FF,00000000,00000000,004026F0,?,00404F16), ref: 00503B4D
Part of subcall function 00503B01: __vbaChkstk.MSVBVM60 ref: 00503B67
Part of subcall function 00503B01: __vbaLateMemSt.MSVBVM60(00000000,SelStart), ref: 00503B7F
Part of subcall function 00503B01: __vbaLateIdCallLd.MSVBVM60(?,00000000,00000000,00000000,00000000,SelStart), ref: 00503B98
Part of subcall function 00503B01: __vbaLenVar.MSVBVM60(?,00000000,00000000,004026F0,?,00404F16), ref: 00503BA5
Part of subcall function 00503B01: __vbaChkstk.MSVBVM60(?,00000000,00000000,004026F0,?,00404F16), ref: 00503BAF
Part of subcall function 00503B01: __vbaLateMemSt.MSVBVM60(00000000,SelLength,?,00000000,00000000,004026F0,?,00404F16), ref: 00503BC4
Part of subcall function 00503B01: __vbaFreeVar.MSVBVM60(00000000,SelLength,?,00000000,00000000,004026F0,?,00404F16), ref: 00503BCC
Part of subcall function 00503B01: __vbaLateMemCall.MSVBVM60(00000000,SetFocus,00000000,00000000,SelLength,?,00000000,00000000,004026F0,?,00404F16), ref: 00503BE4

__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0050184D
__vbaFreeVar.MSVBVM60(?,?,?,00000000), ref: 00501855

Strings

(@, xrefs: 005015B3, 005015C3, 005015CE, 00501662, 005016F2, 00501730, 0050182C
Amount must be greater than 0.00., xrefs: 005017C1
Amount must be in numeric value (ex: 100.00)., xrefs: 005017E4

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultLate$Chkstk$CallList$#561#581#595#702ErrorMove
String ID: Amount must be greater than 0.00.$Amount must be in numeric value (ex: 100.00).$(@
API String ID: 1373028098-3431652106
Opcode ID: ad335ef2cd3e36f478f27a06481b859d9d6edd4cd43e0ae71c8ccdc3a74fa568
Instruction ID: d3e08bf37f8f08e1b9201118f076932efc63875f74c063efc50af616b4391888
Opcode Fuzzy Hash: ad335ef2cd3e36f478f27a06481b859d9d6edd4cd43e0ae71c8ccdc3a74fa568
Instruction Fuzzy Hash: 209129B1D01609ABCB10EFA5C945EEEBBBCFF48304F20452AF145E7191DB385A058FA9

Function 005111AD Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 194COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,?,?,?,?,?,00000001,?,00000000,00404F16), ref: 005111CB
__vbaOnError.MSVBVM60(000000FF,?,?,00000000,00000000,00404F16), ref: 005111FB

Part of subcall function 00511B3B: __vbaLenBstr.MSVBVM60(?), ref: 00511B92
Part of subcall function 00511B3B: #632.MSVBVM60(00000001,?,?,?,?), ref: 00511BD5
Part of subcall function 00511B3B: __vbaVarMove.MSVBVM60(00000001,?,?,?,?), ref: 00511BE3
Part of subcall function 00511B3B: __vbaFreeVar.MSVBVM60(00000001,?,?,?,?), ref: 00511BEB
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,00000001,?,?,?,?), ref: 00511C0A
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?,?,?,?), ref: 00511C2D
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?), ref: 00511C50
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001), ref: 00511C73
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008), ref: 00511C96

#632.MSVBVM60(?,00004008,00000000,00000002), ref: 0051124E
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 00511272
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 00511288
#632.MSVBVM60(?,00004008,00000000,00000002), ref: 00511302
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 00511326
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 0051133C
__vbaErrorOverflow.MSVBVM60 ref: 005114DD

Strings

Invalid Boolean at position , xrefs: 00511387
false, xrefs: 00511307
: , xrefs: 005113C1
$A, xrefs: 005112AE, 005112BC, 00511207, 0051123E
true, xrefs: 00511253

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#632Free$ErrorList$BstrChkstkMoveOverflow
String ID: : $$A$Invalid Boolean at position $false$true
API String ID: 3436194665-2728160037
Opcode ID: 3ba27e268bd9286e85d7eddd39143641779922d51bc55105a0ab443986e9ff33
Instruction ID: bcb4a3839c1a62437fd66d2e6cb74fee3c7a71c6b6aedd07715c65c1e3991edc
Opcode Fuzzy Hash: 3ba27e268bd9286e85d7eddd39143641779922d51bc55105a0ab443986e9ff33
Instruction Fuzzy Hash: 1281D7B1900618EBDF10DFD4CC45BDEBBB8FF04304F1485AAE609AB281DB799A498F55

Function 00530A0A Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00530A69
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00530A73
__vbaCastObjVar.MSVBVM60(00000000), ref: 00530A7C
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00530A86

Part of subcall function 005056EB: __vbaOnError.MSVBVM60(00000001,X)@,00000000,00000000), ref: 0050572D
Part of subcall function 005056EB: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505750
Part of subcall function 005056EB: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505770
Part of subcall function 005056EB: __vbaLenBstr.MSVBVM60(?), ref: 00505788
Part of subcall function 005056EB: #619.MSVBVM60(?,00000008,-00000004,?), ref: 0050579F
Part of subcall function 005056EB: __vbaStrVarMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057A8
Part of subcall function 005056EB: __vbaStrMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057B2
Part of subcall function 005056EB: __vbaFreeStr.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057BA
Part of subcall function 005056EB: __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,-00000004,?), ref: 005057C9
Part of subcall function 005056EB: __vbaExitProc.MSVBVM60(00000008,-00000004,?), ref: 005057E0

__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 00530A99
__vbaLenBstr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 00530A9F
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 00530AB7
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,?,00000000,00000000), ref: 00530AC6
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00530AD1
__vbaVarDup.MSVBVM60(?,00000000,00000000), ref: 00530B11
#595.MSVBVM60(?,00000040,?,?,?,?,00000000,00000000), ref: 00530B28
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000040,?,?,?,?,00000000,00000000), ref: 00530B3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530B5B
__vbaLateIdCall.MSVBVM60(00000000,?,00000000), ref: 00530B61
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530B80
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00530B8A
__vbaCastObjVar.MSVBVM60(00000000), ref: 00530B93
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00530B9D
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 00530BB0
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 00530BBA
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 00530BC2
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000,00000000), ref: 00530BD1
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00530BDC
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,00000000,00000000), ref: 00530BF3
__vbaObjSetAddref.MSVBVM60(?,?,?,00000000,00000000), ref: 00530C0B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 00530C2A
__vbaFreeObj.MSVBVM60 ref: 00530C32

Strings

Please Select in the list., xrefs: 00530B03

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$ListMove$CallCheckHresultLate$BstrCast$#595#619AddrefCopyErrorExitNew2Proc
String ID: Please Select in the list.
API String ID: 3279063598-2357414447
Opcode ID: 1605fb12c04e95cc55ab9ccd5a1d6dace9c54875992be6cdb58d333dbf8fc02f
Instruction ID: 1969814ff7ad0b4b38b3f6a4bbb34bd7986ff620ef41ca2456bd13486df0f8fb
Opcode Fuzzy Hash: 1605fb12c04e95cc55ab9ccd5a1d6dace9c54875992be6cdb58d333dbf8fc02f
Instruction Fuzzy Hash: 7161EDB1D00609AACB10EBE5C846EDFB7BCEF58304F50452BF215F7191EA7896058FA5

Function 0053008C Relevance: 48.3, APIs: 32, Instructions: 322COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?), ref: 005300E4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D5D0,00000034), ref: 00530107
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530146
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 0053014C
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00530154
__vbaObjSet.MSVBVM60(?,00000000), ref: 0053016F
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00530179
__vbaI4Var.MSVBVM60(00000000), ref: 00530182
__vbaI4Abs.MSVBVM60(00000000), ref: 00530192
__vbaObjSet.MSVBVM60(?,00000000), ref: 005301BD
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 005301C3
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,00000000), ref: 005301D2
__vbaFreeVar.MSVBVM60(00000000,?,00000000), ref: 005301DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D5D0,00000034), ref: 00530200
__vbaI2I4.MSVBVM60 ref: 00530211
__vbaObjSet.MSVBVM60(?,00000000), ref: 0053023D
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00530243
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0053024B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530277
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 0053027D
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00530285
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041D5D0,00000034), ref: 005302A8
__vbaI2I4.MSVBVM60 ref: 005302B5
__vbaFreeObj.MSVBVM60(005302F0), ref: 005302EA
__vbaErrorOverflow.MSVBVM60 ref: 0053030D
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004046B8), ref: 00530371
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000108,?,00000000,004046B8), ref: 00530398
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004046B8), ref: 005303B2
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004046B8), ref: 005303C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000108,?,00000000,004046B8), ref: 005303E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000074,?,?,00000000,004046B8), ref: 0053040F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,00000000,004046B8), ref: 00530422

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$Late$List$AddrefCallErrorOverflow
String ID:
API String ID: 3171307682-0
Opcode ID: 29f326e7ad2b3dae72804684c7a80f060432fdeaca41ded8c70969e0d16e8885
Instruction ID: 396a8b318b5752467a65d9aec5bb99f4ed38027e3924af57fc547e27a966acb6
Opcode Fuzzy Hash: 29f326e7ad2b3dae72804684c7a80f060432fdeaca41ded8c70969e0d16e8885
Instruction Fuzzy Hash: C3B16EB1D00619ABCB10EFA5C899EEF7BBCFF48704F10456AF501AB281D77899058BA5

Function 00501275 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 247COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 005012C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C1D8,000001E8), ref: 005012E9
__vbaFreeObj.MSVBVM60 ref: 005012F1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00501304
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C1D8,000001EC), ref: 00501348
__vbaFreeObj.MSVBVM60 ref: 00501350
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00501363
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C1D8,000001EC), ref: 005013A7
__vbaFreeObj.MSVBVM60 ref: 005013AF
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 005013C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C1D8,000001EC), ref: 00501406
__vbaFreeObj.MSVBVM60 ref: 0050140E
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00501421
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C1D8,000001EC), ref: 00501465
__vbaFreeObj.MSVBVM60 ref: 0050146D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00501480
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C1D8,000001EC), ref: 005014C4
__vbaFreeObj.MSVBVM60 ref: 005014CC
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 005014DF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C1D8,000000F4), ref: 00501503
__vbaFreeObj.MSVBVM60 ref: 0050150B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0050151E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 00501545
__vbaFreeObj.MSVBVM60 ref: 0050154D

Strings

All Department, xrefs: 00501527
III, xrefs: 00501441
All Year Level, xrefs: 00501324

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: All Department$All Year Level$III
API String ID: 444973724-583678643
Opcode ID: 15c2842ae6ce356e15be6d85fd6bc1120bf8a5598a59e54b336e2bbdbbbf73dd
Instruction ID: 084435a962dac85e5a89991cede13c84e00cd689939a39dd8e8d9853f7b8d185
Opcode Fuzzy Hash: 15c2842ae6ce356e15be6d85fd6bc1120bf8a5598a59e54b336e2bbdbbbf73dd
Instruction Fuzzy Hash: C9813B71940605ABCB00EFA9CC8ABEF7ABCFF09704F104469F901BB192D77995458FA9

Function 004F9835 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F987C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F98A5
__vbaFreeObj.MSVBVM60 ref: 004F98B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F98C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F98E6
__vbaFreeObj.MSVBVM60 ref: 004F98EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9901
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F9920
__vbaFreeObj.MSVBVM60 ref: 004F9928
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F993B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058), ref: 004F9957
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AF54,00000198), ref: 004F9991
__vbaLateMemSt.MSVBVM60(?,MouseIcon), ref: 004F99AA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,MouseIcon), ref: 004F99B9
__vbaFreeVar.MSVBVM60(?,?,MouseIcon), ref: 004F99C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AF54,00000198,?,?,MouseIcon), ref: 004F99FB
__vbaLateMemSt.MSVBVM60(?,MousePointer,?,?,?,?,?,?,MouseIcon), ref: 004F9A14
__vbaFreeObj.MSVBVM60(?,MousePointer,?,?,?,?,?,?,MouseIcon), ref: 004F9A1C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,MouseIcon), ref: 004F9A2F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000008C,?,?,?,?,?,?,MouseIcon), ref: 004F9A53
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,MouseIcon), ref: 004F9A5B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,MouseIcon), ref: 004F9A6E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C,?,?,?,?,?,?,MouseIcon), ref: 004F9A8C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,MouseIcon), ref: 004F9A94

Strings

MouseIcon, xrefs: 004F99A1
c, xrefs: 004F99D3
MousePointer, xrefs: 004F9A0B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Late$List
String ID: MouseIcon$MousePointer$c
API String ID: 2783574866-521662661
Opcode ID: 431ebe4edfb9cad5eb47dfa2765246536b6fe7c668409c02c1000ebbf4e34edc
Instruction ID: 408c22a0a0ce91cba80fc2c624e6a640c4957dc7fb8fbc32433c1fd37beb25c1
Opcode Fuzzy Hash: 431ebe4edfb9cad5eb47dfa2765246536b6fe7c668409c02c1000ebbf4e34edc
Instruction Fuzzy Hash: 0B717A71900619ABDB00EFA6CC89FAF7BBCEF05704F10016AF505FB192DB7999058BA5

Function 0051BE92 Relevance: 46.7, APIs: 31, Instructions: 188COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0051BEE2
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051BEEC
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051BEF5
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051BEFF

Part of subcall function 005056EB: __vbaOnError.MSVBVM60(00000001,X)@,00000000,00000000), ref: 0050572D
Part of subcall function 005056EB: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505750
Part of subcall function 005056EB: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505770
Part of subcall function 005056EB: __vbaLenBstr.MSVBVM60(?), ref: 00505788
Part of subcall function 005056EB: #619.MSVBVM60(?,00000008,-00000004,?), ref: 0050579F
Part of subcall function 005056EB: __vbaStrVarMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057A8
Part of subcall function 005056EB: __vbaStrMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057B2
Part of subcall function 005056EB: __vbaFreeStr.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057BA
Part of subcall function 005056EB: __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,-00000004,?), ref: 005057C9
Part of subcall function 005056EB: __vbaExitProc.MSVBVM60(00000008,-00000004,?), ref: 005057E0

__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 0051BF12
__vbaLenBstr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 0051BF18
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 0051BF2D
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,?,00000000,00000000), ref: 0051BF3C
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0051BF47
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051BF68
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051BF72
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051BF7B
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051BF85
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 0051BF98
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 0051BFA2
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 0051BFAA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000,00000000), ref: 0051BFB9
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0051BFC4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051BFDB
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051BFE5
__vbaCastObjVar.MSVBVM60(00000000), ref: 0051BFEE
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0051BFF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C0B0,00000084), ref: 0051C01F
__vbaStrCopy.MSVBVM60 ref: 0051C02A
__vbaFreeStr.MSVBVM60 ref: 0051C032
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0051C041
__vbaFreeVar.MSVBVM60 ref: 0051C04C
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 0051C063
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0051C078
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 0051C094
__vbaFreeObj.MSVBVM60 ref: 0051C09C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultListMove$CallCastLate$BstrCopy$#619AddrefErrorExitNew2Proc
String ID:
API String ID: 2213036983-0
Opcode ID: c2fad7587301677ba80fad00508f061099eff03541555bf8d00a52216c82bf22
Instruction ID: 72f13e4ee7127322e4829536290c8c3aa17946f196694f19ee743f18bdef7b6e
Opcode Fuzzy Hash: c2fad7587301677ba80fad00508f061099eff03541555bf8d00a52216c82bf22
Instruction Fuzzy Hash: 045101B1D0050AAADB14FBE5CC86EEFB77CEF44304F50452AF201B71C1EA7996458BA5

Function 004E4307 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 363COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E4360
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000060), ref: 004E4380
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E43D7
__vbaFreeObj.MSVBVM60 ref: 004E43DF
__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041A318,00000110), ref: 004E440B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020,?,ScaleMode), ref: 004E4460
__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041A318,00000060,?,ScaleMode), ref: 004E4486
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020,?,?,?,?,?,?,?,ScaleMode), ref: 004E44DA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,ScaleMode), ref: 004E44F0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000060,?,?,?,?,?,?,?,ScaleMode), ref: 004E4510
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E4564
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,ScaleMode), ref: 004E456C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E4582
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000060), ref: 004E45A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E45F6
__vbaFreeObj.MSVBVM60 ref: 004E45FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E4614
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000060), ref: 004E4634
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E4688
__vbaFreeObj.MSVBVM60 ref: 004E4690

Strings

BackColor, xrefs: 004E44BC
InsideBorderColor, xrefs: 004E4546
BorderColor, xrefs: 004E43B9
ScaleMode, xrefs: 004E4442
ShadowColor1, xrefs: 004E45D8
ShadowColor2, xrefs: 004E466A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BackColor$BorderColor$InsideBorderColor$ScaleMode$ShadowColor1$ShadowColor2
API String ID: 3976024557-1948237153
Opcode ID: 0c9638db6bbf20451a5dfb8443e86272cf7a9df2135951aa75c76d500e67a41b
Instruction ID: 5afe709948dbc53c70ef5f4352c24661b189a3444cf310c9be71b441c285de20
Opcode Fuzzy Hash: 0c9638db6bbf20451a5dfb8443e86272cf7a9df2135951aa75c76d500e67a41b
Instruction Fuzzy Hash: D7C19C71A00B08AFCB01EFA9C889EDF7BB9FF09710F10051AF941BB291D775A9458B95

Function 0052F341 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0052F3A6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0052F3CC
__vbaNew2.MSVBVM60(0041B32C,?), ref: 0052F3DF
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 0052F3F9
__vbaStrCat.MSVBVM60(?,Select * from tblReceipt where SchoolYear='), ref: 0052F415
__vbaStrMove.MSVBVM60(?,Select * from tblReceipt where SchoolYear='), ref: 0052F41F
__vbaStrCat.MSVBVM60(0041CB7C,00000000,?,Select * from tblReceipt where SchoolYear='), ref: 0052F42A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 0052F473
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0052F489
__vbaFreeObj.MSVBVM60 ref: 0052F494
__vbaFreeVar.MSVBVM60 ref: 0052F49C
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0052F4B1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,000000A4), ref: 0052F4D9
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0052F4E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000050), ref: 0052F506
__vbaNew2.MSVBVM60(004068EC,00538560), ref: 0052F52F
__vbaNew2.MSVBVM60(0041B32C,00000000), ref: 0052F545
__vbaCastObj.MSVBVM60(00000000,00421684), ref: 0052F554
__vbaObjSet.MSVBVM60(?,00000000,00000000,00421684), ref: 0052F55E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041E8AC,00000028), ref: 0052F577
__vbaFreeObj.MSVBVM60 ref: 0052F57F
__vbaNew2.MSVBVM60(004068EC,00538560), ref: 0052F597
__vbaLateIdCall.MSVBVM60(80011003,00000000), ref: 0052F5A9
__vbaFreeStr.MSVBVM60(0052F5F3), ref: 0052F5E5
__vbaFreeObj.MSVBVM60(0052F5F3), ref: 0052F5ED

Strings

Select * from tblReceipt where SchoolYear=', xrefs: 0052F403

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$New2$Free$CheckHresult$CallCastLateListMove
String ID: Select * from tblReceipt where SchoolYear='
API String ID: 1022106233-1272134175
Opcode ID: 806cf368602b5b19d16214b161ffdc71cf8b39f8fa71cd59faaf30aae9cfeb8b
Instruction ID: d2a9aa2a07587c1165dfccde93c8722041483d3648462efad0a423166e5a9299
Opcode Fuzzy Hash: 806cf368602b5b19d16214b161ffdc71cf8b39f8fa71cd59faaf30aae9cfeb8b
Instruction Fuzzy Hash: FC718871D00619AADB10EBA1EC8ABAFBBB8FF55314F50403AF400B71D1DBB859458BA5

Function 004E7C6B Relevance: 45.4, APIs: 30, Instructions: 386COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7CD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000048), ref: 004E7CF5
__vbaFreeObj.MSVBVM60 ref: 004E7D10
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7D34
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004E7D56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000090), ref: 004E7D82
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E7DA1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7DC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004E7DE3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7E08
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004E7E12
__vbaCastObjVar.MSVBVM60(00000000), ref: 004E7E1B
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004E7E25
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A67C,00000024), ref: 004E7E5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 004E7E81
__vbaObjSet.MSVBVM60(?,?), ref: 004E7E9A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7EC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004E7EE8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7F06
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004E7F10
__vbaCastObjVar.MSVBVM60(00000000), ref: 004E7F19
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 004E7F23
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A67C,00000024), ref: 004E7F60
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 004E7F83
__vbaObjSet.MSVBVM60(?,?), ref: 004E7F96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000064), ref: 004E7FAF
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 004E7FCE
__vbaFreeVarList.MSVBVM60(00000002,?,00000002,00000006,?,?,?,?,?,?), ref: 004E7FDD
__vbaErrorOverflow.MSVBVM60(?,?,00000000,00000000), ref: 004E8058
__vbaHresultCheckObj.MSVBVM60(00000000,00401940,0041A610,000007A4), ref: 004E80B6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$List$CallCastLate$ErrorOverflow
String ID:
API String ID: 1024909551-0
Opcode ID: a0c59cccc0f4d5f11fe4c1ca93c5a4f8f232f63bc6ad4c08065bc82bff2a3a2e
Instruction ID: 7f18e729d6229fc9af0dfb0654c79f27ca16982184e78db1cd85edb07ea7cb18
Opcode Fuzzy Hash: a0c59cccc0f4d5f11fe4c1ca93c5a4f8f232f63bc6ad4c08065bc82bff2a3a2e
Instruction Fuzzy Hash: F4D15BB1D00609AFDB10EBA6C849EEFBBBCEF48744F10442AF505F7181E67999458FA4

Function 004F7A0E Relevance: 45.4, APIs: 30, Instructions: 361COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7A6A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7A8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7AB7
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7ACD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7AE3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7B08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7B2A
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7B39
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7B4F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004F7B74
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F7B96
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F7BA5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F7BBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F7BE4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004F7C05
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F7C30
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F7C46
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7C5C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7C81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7CA3
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7CB2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7CC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004F7D59
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F7D7B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F7D8A
__vbaHresultCheckObj.MSVBVM60(00000000,00402308,0041AD58,0000082C), ref: 004F7DAB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID:
API String ID: 2772417511-0
Opcode ID: e6356108321fd75a61c823feac9e2531461e2f3fed845385b3f7e66940b2b93d
Instruction ID: 9997109a09d332a8c83e643e800400241895c1fff5d4b31f3a1b0cc507a61e26
Opcode Fuzzy Hash: e6356108321fd75a61c823feac9e2531461e2f3fed845385b3f7e66940b2b93d
Instruction Fuzzy Hash: ADC13D71900609ABDB00ABA5CC99FEF7BBCFF48704F14442AF245F7191E67995068BA8

Function 0051C18A Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 360COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,?), ref: 0051C1C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C205
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 0051C20B
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0051C213
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C247
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 0051C24D
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0051C255
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C284
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 0051C28A
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0051C292
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051C2D2
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 0051C2D8
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0051C2E0
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 0051C315
__vbaLateIdSt.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000), ref: 0051C31B
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000), ref: 0051C323
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 0051C352
__vbaLateIdSt.MSVBVM60(00000000,?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 0051C358
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 0051C360

Strings

9@, xrefs: 0051C565, 0051C58C, 0051C575, 0051C57E, 0051C591

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$FreeLate$New2
String ID: 9@
API String ID: 4185012160-3209974744
Opcode ID: 47d6be9764d77f72d95507eeed8ae759ee47021eb56778d7bceaa0b479544432
Instruction ID: 6fec53c1dbbf01c4c1fd8ae87727d5c320d3fb9e6a6443c60c07d4f424a636a7
Opcode Fuzzy Hash: 47d6be9764d77f72d95507eeed8ae759ee47021eb56778d7bceaa0b479544432
Instruction Fuzzy Hash: E3C1A371800605AFCB10EFA9C989AEF7BF8FF49305F50496AF401A7181D779AA05CFA5

Function 00515C8D Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 360COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,?), ref: 00515CCB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00515D08
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00515D0E
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00515D16
__vbaObjSet.MSVBVM60(?,00000000), ref: 00515D4A
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00515D50
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00515D58
__vbaObjSet.MSVBVM60(?,00000000), ref: 00515D87
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00515D8D
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00515D95
__vbaObjSet.MSVBVM60(?,00000000), ref: 00515DD5
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00515DDB
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00515DE3
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 00515E18
__vbaLateIdSt.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000), ref: 00515E1E
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000), ref: 00515E26
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 00515E55
__vbaLateIdSt.MSVBVM60(00000000,?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 00515E5B
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,?,?,?,00000000,?,00000000), ref: 00515E63

Strings

`5@, xrefs: 00515EBA, 0051601E, 00516068, 0051608F, 00515ECA, 00515F3E, 00515FC5, 00515FCE, 00515FE7, 00515FF2, 00516007, 00516010, 00516023, 0051605C, 00516078, 00516081, 00516094

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$FreeLate$New2
String ID: `5@
API String ID: 4185012160-1669042452
Opcode ID: 0da69247b096c7fe0f4f74dd3ccb15d1e36e55a976effbb7333f5e78f76142b8
Instruction ID: dce7a79b0a69cd5196ba88117c38dd7c4dd555e422056a42a17c4b4f3757d35d
Opcode Fuzzy Hash: 0da69247b096c7fe0f4f74dd3ccb15d1e36e55a976effbb7333f5e78f76142b8
Instruction Fuzzy Hash: 64C15F71900A05EFDB10EFA9C989AEF7BF8FF48304F50456AF401A7181D779AA458FA1

Function 004E5AE8 Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 323COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E5B41
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004E5B61
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E5BB8
__vbaFreeObj.MSVBVM60 ref: 004E5BC0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E5BD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004E5BF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E5C4A
__vbaFreeObj.MSVBVM60 ref: 004E5C52
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E5C68
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,00000058), ref: 004E5C88
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E5CDC
__vbaFreeObj.MSVBVM60 ref: 004E5CE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E5CFA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,000000A0), ref: 004E5D20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E5D79
__vbaFreeObj.MSVBVM60 ref: 004E5D81
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E5D97
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,000000A0), ref: 004E5DBD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020), ref: 004E5E13
__vbaFreeObj.MSVBVM60 ref: 004E5E1B

Strings

BorderStyle1, xrefs: 004E5D5B
BorderColor1, xrefs: 004E5B9A
BorderColor3, xrefs: 004E5CBE
BorderStyle2, xrefs: 004E5DF5
BorderColor2, xrefs: 004E5C2C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor1$BorderColor2$BorderColor3$BorderStyle1$BorderStyle2
API String ID: 3976024557-1902202711
Opcode ID: 9d8efd63a9ec0660efaeb3f6b3cdaf3e217d92ac7c483542563c9d8c851976dc
Instruction ID: 22aea9ef0601dd451a69ee4799e1c56bcb2910aca177f989aace922272d1cff7
Opcode Fuzzy Hash: 9d8efd63a9ec0660efaeb3f6b3cdaf3e217d92ac7c483542563c9d8c851976dc
Instruction Fuzzy Hash: 16B19C71D00A08AFCB01EFA9C889EDF7BB9FF09315F10041AF941BB291D779A9458B95

Function 00506186 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 005061DA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 00506200
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0050620D
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00506215
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0050621D
__vbaNew2.MSVBVM60(0041B32C,UdP), ref: 00506231
__vbaStrCat.MSVBVM60(reP,EnrollmentID='), ref: 00506242
__vbaStrMove.MSVBVM60(reP,EnrollmentID='), ref: 0050624C
__vbaStrCat.MSVBVM60(0041CB7C,00000000,reP,EnrollmentID='), ref: 00506257
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,000000C0), ref: 00506291
__vbaFreeStr.MSVBVM60(00000000,00000000,0041B364,000000C0), ref: 00506299
__vbaFreeVar.MSVBVM60(00000000,00000000,0041B364,000000C0), ref: 005062A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 005062B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 005062C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 005062ED
__vbaObjSet.MSVBVM60(?,?), ref: 005062FE
__vbaFreeStr.MSVBVM60(00000008,reP,?,?,?,?), ref: 0050631A
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000,00000008,reP,?,?,?,?), ref: 0050632D
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 00506338
__vbaHresultCheckObj.MSVBVM60(00000000,00402CC0,0041E024,0000072C), ref: 00506356
__vbaHresultCheckObj.MSVBVM60(00000000,00402CC0,0041E024,00000718), ref: 00506374

Strings

reP, xrefs: 0050623D, 0050630D
EnrollmentID=', xrefs: 00506238
UdP, xrefs: 0050622B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyListMoveNew2
String ID: EnrollmentID='$UdP$reP
API String ID: 1888022208-3385079204
Opcode ID: fde65e36994f433c895909edbc608e0a3fbc97ff2c1cd57adae847c60cab9a4d
Instruction ID: 1491c7c2462ea94c5f744c32b104884dcbc6dc57ee05bf4373fba538051b9183
Opcode Fuzzy Hash: fde65e36994f433c895909edbc608e0a3fbc97ff2c1cd57adae847c60cab9a4d
Instruction Fuzzy Hash: EB513271901609ABCB00EFA5C88AFEFBBBCEF54304F50056AF501B7191D778A9458FA5

Function 004F9556 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00404F16,0041AF54,00000058), ref: 004F95CF
__vbaSetSystemError.MSVBVM60(?,?), ref: 004F95E0
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 004F95EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F961F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004F963C
__vbaFreeObj.MSVBVM60 ref: 004F9644
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9657
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F967F
__vbaFreeObj.MSVBVM60 ref: 004F968E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F96A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F96C0
__vbaFreeObj.MSVBVM60 ref: 004F96C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F96DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F96FA
__vbaFreeObj.MSVBVM60 ref: 004F9702
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F9715
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F9734
__vbaFreeObj.MSVBVM60 ref: 004F973C
__vbaHresultCheckObj.MSVBVM60(00000000,00404F16,0041AF54,00000198), ref: 004F9770
__vbaLateMemSt.MSVBVM60(?,MousePointer), ref: 004F9789
__vbaFreeObj.MSVBVM60(?,MousePointer), ref: 004F9791

Strings

H$@, xrefs: 004F957F, 004F958F, 004F9613, 004F964B, 004F9695, 004F96CF, 004F9709
MousePointer, xrefs: 004F9780

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$ErrorSystem$Late
String ID: H$@$MousePointer
API String ID: 368042229-3445746230
Opcode ID: 901a3aa331561da1f81f57e5d3dabc593f6c3aadad91149a578b78968998e66e
Instruction ID: 19137614716b304411c118841627488d2ca2450aa1ce260f7f583cabb6fc0718
Opcode Fuzzy Hash: 901a3aa331561da1f81f57e5d3dabc593f6c3aadad91149a578b78968998e66e
Instruction Fuzzy Hash: 06711771910608ABDB10EFE5CC89EEEB7BCFF48704F10442AF145EB191DB3999458BA9

Function 005056EB Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,X)@,00000000,00000000), ref: 0050572D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505750
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505770
__vbaLenBstr.MSVBVM60(?), ref: 00505788
#619.MSVBVM60(?,00000008,-00000004,?), ref: 0050579F
__vbaStrVarMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057A8
__vbaStrMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057B2
__vbaFreeStr.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057BA
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,-00000004,?), ref: 005057C9
__vbaExitProc.MSVBVM60(00000008,-00000004,?), ref: 005057E0

Strings

- , xrefs: 0050587A, 0050587F, 005058BD
X)@, xrefs: 00505709

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove$#619BstrErrorExitListProc
String ID: - $X)@
API String ID: 1598897035-1464288788
Opcode ID: cf64215642b74f61b76aee5d3b4815ee24ab1af1b1f835c6c3d0a4a4bb2d7bd5
Instruction ID: b6449a8d42ee99ef83d3e12ffabc245e31446bfd5cd878b1cb458a0fd8817479
Opcode Fuzzy Hash: cf64215642b74f61b76aee5d3b4815ee24ab1af1b1f835c6c3d0a4a4bb2d7bd5
Instruction Fuzzy Hash: 7351E7B2D00619ABDB00EFA5C885EDEBBB8FF48304F54412AF505B7191EB7859058FA9

Function 0050EE28 Relevance: 39.1, APIs: 26, Instructions: 143COMMON

Download Yara Rule

APIs

#525.MSVBVM60(00000104), ref: 0050EE73
__vbaStrMove.MSVBVM60(00000104), ref: 0050EE7D
__vbaLenBstr.MSVBVM60(?,00000104), ref: 0050EE85
__vbaStrToAnsi.MSVBVM60(?,?,?,?,00000104), ref: 0050EE98
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00000104), ref: 0050EEA5
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,?,?,00000104), ref: 0050EEB1
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?,?,?,00000104), ref: 0050EEB9
__vbaLenBstr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000104), ref: 0050EEC5
#525.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000104), ref: 0050EEDB
__vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000104), ref: 0050EEE5
__vbaLenBstr.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000104), ref: 0050EEED
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000104), ref: 0050EF00
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000104), ref: 0050EF0B
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 0050EF17
__vbaFreeStr.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 0050EF1F
__vbaInStr.MSVBVM60(00000000,0041F538,?,00000001,?,?,00000000,?,?,?,?,00000104), ref: 0050EF2F
#616.MSVBVM60(?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?,?,?,00000104), ref: 0050EF41
__vbaStrMove.MSVBVM60(?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?,?,?,00000104), ref: 0050EF4B
__vbaVarDup.MSVBVM60(?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?,?,?,00000104), ref: 0050EF63
#681.MSVBVM60(?,0000000B,?,?,?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?,?), ref: 0050EF99
__vbaStrVarMove.MSVBVM60(?,?,0000000B,?,?,?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?), ref: 0050EFA2
__vbaStrMove.MSVBVM60(?,?,0000000B,?,?,?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?), ref: 0050EFAC
__vbaFreeStr.MSVBVM60(?,?,0000000B,?,?,?,-00000001,00000000,0041F538,?,00000001,?,?,00000000,?,?), ref: 0050EFB4
__vbaFreeVarList.MSVBVM60(00000004,0000000B,?,?,?,?,?,0000000B,?,?,?,-00000001,00000000,0041F538,?,00000001), ref: 0050EFCB
__vbaFreeStr.MSVBVM60(0050F010,?,00000104), ref: 0050F00A
__vbaErrorOverflow.MSVBVM60(00000000,0041F538,?,00000001,?,?,00000000,?,?,?,?,00000104), ref: 0050F022

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$FreeMove$BstrError$#525AnsiSystemUnicode$#616#681ListOverflow
String ID:
API String ID: 1215140460-0
Opcode ID: 82ba1a746a71d81a6227f33e1f443209725c950989da72f659c64ad1617da1ec
Instruction ID: 60fa10efb4cc761e7776927b78f4d2f6efd5250780fbcf93519cbb0d7c65572e
Opcode Fuzzy Hash: 82ba1a746a71d81a6227f33e1f443209725c950989da72f659c64ad1617da1ec
Instruction Fuzzy Hash: 945197B1C0061AAACF11EFE5C8869EFBFB9EF48704F10452BF101B7192DA785645CBA4

Function 0040D198 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16), ref: 0052FC46
__vbaOnError.MSVBVM60(000000FF), ref: 0052FC8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042A2B4,00000098), ref: 0052FCC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042A2B4,00000080), ref: 0052FD14
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042A2B4,00000084), ref: 0052FD6A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042A2B4,00000088), ref: 0052FDAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042A2B4,0000008C), ref: 0052FE02
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052FE2A

Strings

C, xrefs: 0040D198

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$ChkstkError
String ID: C
API String ID: 119773187-1037565863
Opcode ID: 37e74626e38be91460312cd605431f2db63a27096c7ad108ad96ebd783281e2d
Instruction ID: f1ccf1aff180f26f2281c6ba5f5c65318e807a73553642994cc7dad418f27b7b
Opcode Fuzzy Hash: 37e74626e38be91460312cd605431f2db63a27096c7ad108ad96ebd783281e2d
Instruction Fuzzy Hash: 77B12370900618EFCB01EFA4D849B8DBFB4FF09344F108576F945AB2A1C7B99A949F94

Function 00517E60 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 218COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000, 6@,0041E8AC,0000008C), ref: 00517ECD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C), ref: 00517F0C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C), ref: 00517F2F
__vbaObjSet.MSVBVM60(?,?), ref: 00517F40
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 00517F4F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?), ref: 00517F96
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517FAF
__vbaFreeObj.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517FB7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C), ref: 00517FFB
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00518014
__vbaFreeObj.MSVBVM60(?,Caption), ref: 0051801C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C), ref: 00518060
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00518079
__vbaFreeObj.MSVBVM60(?,Caption), ref: 00518081
__vbaObjSetAddref.MSVBVM60(?,00000000,?,Caption), ref: 0051808C
__vbaFreeObj.MSVBVM60(005180BF,?,00000000,?,Caption), ref: 005180B9

Strings

lblSchoolName1, xrefs: 00517F63
Caption, xrefs: 00517FA6, 0051800B, 00518070
lblSy, xrefs: 0051802D
secHeader, xrefs: 00517EE1
6@, xrefs: 00517E89, 00517E99, 00517EA8, 00517ECB
lblSchoolAddress, xrefs: 00517FC8

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Late$AddrefList
String ID: 6@$Caption$lblSchoolAddress$lblSchoolName1$lblSy$secHeader
API String ID: 680853955-2824336815
Opcode ID: b407d86fc41cddbb8548028c3379e6f2325404b596c39d04dc49ade4fe89bbaa
Instruction ID: 5fe2ca820013fa08e216660d34b191c5ad287a5d3914a4d40d9cd040a69c4f82
Opcode Fuzzy Hash: b407d86fc41cddbb8548028c3379e6f2325404b596c39d04dc49ade4fe89bbaa
Instruction Fuzzy Hash: EA716871D00619ABDF00EFA9CC86AEFBBB9FF59300F50441AF904BB281D77555468B94

Function 005114E2 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 00511B3B: __vbaLenBstr.MSVBVM60(?), ref: 00511B92
Part of subcall function 00511B3B: #632.MSVBVM60(00000001,?,?,?,?), ref: 00511BD5
Part of subcall function 00511B3B: __vbaVarMove.MSVBVM60(00000001,?,?,?,?), ref: 00511BE3
Part of subcall function 00511B3B: __vbaFreeVar.MSVBVM60(00000001,?,?,?,?), ref: 00511BEB
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,00000001,?,?,?,?), ref: 00511C0A
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?,?,?,?), ref: 00511C2D
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?), ref: 00511C50
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001), ref: 00511C73
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008), ref: 00511C96

#632.MSVBVM60(?,?,?,?,?,?,?,?,00000000), ref: 00511573
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00511597
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005115AC
__vbaVarMove.MSVBVM60(?,?,00000000), ref: 005115D0
__vbaStrCat.MSVBVM60(Invalid null value at position ,?,?,00000000), ref: 005115F2
__vbaStrMove.MSVBVM60(Invalid null value at position ,?,?,00000000), ref: 005115FC
__vbaStrI4.MSVBVM60(?,00000000,Invalid null value at position ,?,?,00000000), ref: 00511604
__vbaStrMove.MSVBVM60(?,00000000,Invalid null value at position ,?,?,00000000), ref: 0051160E
__vbaStrCat.MSVBVM60(00000000,?,00000000,Invalid null value at position ,?,?,00000000), ref: 00511614
__vbaStrMove.MSVBVM60(00000000,?,00000000,Invalid null value at position ,?,?,00000000), ref: 0051161E
__vbaStrCat.MSVBVM60( : ,00000000,00000000,?,00000000,Invalid null value at position ,?,?,00000000), ref: 00511629
#632.MSVBVM60(?,00004008,?,00000002, : ,00000000,00000000,?,00000000,Invalid null value at position ,?,?,00000000), ref: 00511666
__vbaVarCat.MSVBVM60(?,?,?,?,00004008,?,00000002, : ,00000000,00000000,?,00000000,Invalid null value at position ,?,?,00000000), ref: 00511687
__vbaVarCat.MSVBVM60(?,00008008,00000000,?,?,?,?,00004008,?,00000002, : ,00000000,00000000,?,00000000,Invalid null value at position ), ref: 00511698
__vbaStrVarMove.MSVBVM60(00000000,?,00008008,00000000,?,?,?,?,00004008,?,00000002, : ,00000000,00000000,?,00000000), ref: 0051169E
__vbaStrMove.MSVBVM60(00000000,?,00008008,00000000,?,?,?,?,00004008,?,00000002, : ,00000000,00000000,?,00000000), ref: 005116AA
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,00008008,00000000,?,?,?,?,00004008,?,00000002, : ), ref: 005116BD
__vbaFreeVarList.MSVBVM60(00000005,0000000A,?,?,?,?,00000003,?,?,?,00000000,?,00008008,00000000,?,?), ref: 005116D8
__vbaErrorOverflow.MSVBVM60(?,?,00000000), ref: 00511745

Strings

null, xrefs: 00511583
Invalid null value at position , xrefs: 005115ED
: , xrefs: 00511624

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$#632List$BstrErrorOverflow
String ID: : $Invalid null value at position $null
API String ID: 2513549710-1318792781
Opcode ID: ab9866116170c97e3a663e1f42fa3043407719c8d99b2814224a2ba23bf8fc7d
Instruction ID: 706e42cbcf4453f176c55b48d6bcde5ab5de4e75983395d3a7dd99f2c633815f
Opcode Fuzzy Hash: ab9866116170c97e3a663e1f42fa3043407719c8d99b2814224a2ba23bf8fc7d
Instruction Fuzzy Hash: 1A51DAB1C00629AADB10EFD5CC41BDEBBBDFB08704F14416BF209B6141DB745A498FA5

Function 00517934 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 218COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00403600,0041E8AC,0000008C), ref: 005179A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C), ref: 005179E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C), ref: 00517A09
__vbaObjSet.MSVBVM60(?,?), ref: 00517A1A
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 00517A29
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?), ref: 00517A70
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517A89
__vbaFreeObj.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517A91
__vbaNew2.MSVBVM60(00407AA8,005383A4,?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517AA9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517AC1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517AE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?), ref: 00517B2D
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?), ref: 00517B46
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,Caption,?,?,?,?,?,?,?,?), ref: 00517B55
__vbaFreeVar.MSVBVM60(?,?,Caption,?,?,?,?,?,?,?,?), ref: 00517B60
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Caption,?,?,?,?,?,?,?,?), ref: 00517B6B
__vbaFreeObj.MSVBVM60(00517BAE,?,00000000,?,?,Caption,?,?,?,?,?,?,?,?), ref: 00517BA8

Strings

Caption, xrefs: 00517A80, 00517B3D
lblSchoolName, xrefs: 00517A3D
Label11, xrefs: 00517AFA
Section4, xrefs: 005179BB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$LateList$AddrefNew2
String ID: Caption$Label11$Section4$lblSchoolName
API String ID: 785059870-435521290
Opcode ID: ef6ca61cd59487c8de45eae3d6803314be827369219a9fd2e5626052343b04ed
Instruction ID: 258f6056bf99ecf4de19104ecc43dcbf7bed699fe3dcf74d1330dabf5b6ca860
Opcode Fuzzy Hash: ef6ca61cd59487c8de45eae3d6803314be827369219a9fd2e5626052343b04ed
Instruction Fuzzy Hash: 94714C71D00608ABDB10EFA9C846EEFBBB9FF59700F20441AF910BB191D7799A058F94

Function 005311A4 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 218COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00404780,0041E8AC,0000008C), ref: 00531211
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C), ref: 00531250
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C), ref: 00531273
__vbaObjSet.MSVBVM60(?,?), ref: 00531284
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 00531293
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?), ref: 005312DA
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005312F3
__vbaFreeObj.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005312FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C), ref: 0053133F
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00531358
__vbaFreeObj.MSVBVM60(?,Caption), ref: 00531360
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C), ref: 005313A4
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 005313BD
__vbaFreeObj.MSVBVM60(?,Caption), ref: 005313C5
__vbaObjSetAddref.MSVBVM60(?,00000000,?,Caption), ref: 005313D0
__vbaFreeObj.MSVBVM60(00531403,?,00000000,?,Caption), ref: 005313FD

Strings

lblSchoolName1, xrefs: 005312A7
Caption, xrefs: 005312EA, 0053134F, 005313B4
lblSy, xrefs: 00531371
secHeader, xrefs: 00531225
lblSchoolAddress, xrefs: 0053130C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Late$AddrefList
String ID: Caption$lblSchoolAddress$lblSchoolName1$lblSy$secHeader
API String ID: 680853955-693008238
Opcode ID: 97b38c80f3090dcd0b2cf99c2ce884fe930721f1c61dae1a7473dce4ff990fa3
Instruction ID: 0c54a170856b817b6c0d27a7e2828bb93e51623c148da768e5d3162ef616ccb1
Opcode Fuzzy Hash: 97b38c80f3090dcd0b2cf99c2ce884fe930721f1c61dae1a7473dce4ff990fa3
Instruction Fuzzy Hash: 4D718971D00A19ABCF00EFA9CC86AEFBBB9FF49300F10441AF900BB281D77555468B94

Function 004F2DFE Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F2E51
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058), ref: 004F2E71
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041AA4C,00000198), ref: 004F2EAA
__vbaLateMemSt.MSVBVM60(?,MouseIcon), ref: 004F2EC3
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,MouseIcon), ref: 004F2ED2
__vbaFreeVar.MSVBVM60(?,?,MouseIcon), ref: 004F2EDD
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041AA4C,00000198,?,?,MouseIcon), ref: 004F2F14
__vbaLateMemSt.MSVBVM60(?,MousePointer,?,?,?,?,?,?,MouseIcon), ref: 004F2F2D
__vbaFreeObj.MSVBVM60(?,MousePointer,?,?,?,?,?,?,MouseIcon), ref: 004F2F35
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,MouseIcon), ref: 004F2F48
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,MouseIcon), ref: 004F2F5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058,?,?,?,?,?,?,MouseIcon), ref: 004F2F7D
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,MouseIcon), ref: 004F2F90
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000005C,?,?,?,?,?,?,MouseIcon), ref: 004F2FA9
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,MouseIcon), ref: 004F2FBC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,MouseIcon), ref: 004F2FD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C,?,?,?,?,?,?,?,?,?,?,MouseIcon), ref: 004F2FF0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,MouseIcon), ref: 004F2FF8

Strings

MouseIcon, xrefs: 004F2EBA
c, xrefs: 004F2EEC
MousePointer, xrefs: 004F2F24

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$LateList
String ID: MouseIcon$MousePointer$c
API String ID: 1491238182-521662661
Opcode ID: cfbddc94a3118940d30afa63275d3dd3bed1f38030987af9ff8149638912038f
Instruction ID: ef6e47e3228b61852d1154af9b54e0207e214b07f2a700d5454d24024b6d7023
Opcode Fuzzy Hash: cfbddc94a3118940d30afa63275d3dd3bed1f38030987af9ff8149638912038f
Instruction Fuzzy Hash: 1F513A71900618AFDB00EFA5C989EEF7BBCEF08744F14442AF501FB181DA7999458FA5

Function 005259E1 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525A3E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525A62
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525A85
__vbaStrI2.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525A8B
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525A95
#690.MSVBVM60(?,uparkx,uparkx,00000000,00000000), ref: 00525AA5
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,uparkx,uparkx,00000000,00000000), ref: 00525AB4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525ABF
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525AD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525AFA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525B1D
#690.MSVBVM60(?,saverbro,saverbro,0041A0C4,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525B31
__vbaFreeStr.MSVBVM60(?,saverbro,saverbro,0041A0C4,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525B39
__vbaFreeObj.MSVBVM60(?,saverbro,saverbro,0041A0C4,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525B41
__vbaStrI2.MSVBVM60(00000000,?,saverbro,saverbro,0041A0C4), ref: 00525B49
__vbaStrMove.MSVBVM60(00000000,?,saverbro,saverbro,0041A0C4), ref: 00525B53
__vbaHresultCheckObj.MSVBVM60(00000000,(?@,0041BBE4,00000054,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525B6C
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00525B74

Strings

saverbro, xrefs: 00525B27, 00525B2C, 00525B2D
uparkx, xrefs: 00525A9B, 00525AA0, 00525AA1
(?@, xrefs: 00525A0A, 00525A1A, 00525B59, 00525B6A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#690MoveNew2$List
String ID: (?@$saverbro$uparkx
API String ID: 3417264740-1943647816
Opcode ID: 267cbee1afbda80ca4c8648193d47c221b4f3e6be9f922626717fda533a656c8
Instruction ID: 7e2036c5c810b8f6830d95bd3a9b13456d7dff1d9b23d2b81e4c44e356b4f4a1
Opcode Fuzzy Hash: 267cbee1afbda80ca4c8648193d47c221b4f3e6be9f922626717fda533a656c8
Instruction Fuzzy Hash: 28415FB1940A15ABCB04EB96CC8AEAF7BBCFF54705F50042AF101B71D1D7B89945CBA4

Function 005029A9 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( From tblcashier,SELECT *,00000000,00000000,004026F0,?,?,?,?,?,?,?,?,?,?,?), ref: 005029F2
__vbaStrMove.MSVBVM60( From tblcashier,SELECT *,00000000,00000000,004026F0,?,?,?,?,?,?,?,?,?,?,?), ref: 005029FC
__vbaNew2.MSVBVM60(0041B32C,00404F16, From tblcashier,SELECT *,00000000,00000000), ref: 00502A13
__vbaNew2.MSVBVM60(0041B2FC,00538028, From tblcashier,SELECT *,00000000,00000000), ref: 00502A2B
__vbaNew2.MSVBVM60(0041B2FC,00538028,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502A5A
__vbaFreeVarg.MSVBVM60(00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502A76
__vbaStrCat.MSVBVM60(?,update tbluser set [Online_Status]= True where username=',0000000A,000000FF,?,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502A91
__vbaStrMove.MSVBVM60(?,update tbluser set [Online_Status]= True where username=',0000000A,000000FF,?,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502A9B
__vbaStrCat.MSVBVM60(0041CB7C,00000000,?,update tbluser set [Online_Status]= True where username=',0000000A,000000FF,?,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502AA6
__vbaStrMove.MSVBVM60(0041CB7C,00000000,?,update tbluser set [Online_Status]= True where username=',0000000A,000000FF,?,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502AB0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B698,00000040), ref: 00502AC9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00502AD8
__vbaFreeObj.MSVBVM60(0041B698,00000040), ref: 00502AE3
__vbaFreeVar.MSVBVM60(0041B698,00000040), ref: 00502AEB
__vbaCastObj.MSVBVM60(00000000,0041B31C,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502B06
__vbaObjSet.MSVBVM60(00404F16,00000000,00000000,0041B31C,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502B10
__vbaFreeStr.MSVBVM60(00502B50,00404F16,00000000,00000000,0041B31C,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502B42
__vbaFreeObj.MSVBVM60(00502B50,00404F16,00000000,00000000,0041B31C,00538028,00404F16,?,000000FF, From tblcashier,SELECT *,00000000,00000000), ref: 00502B4A

Strings

From tblcashier, xrefs: 005029D8
update tbluser set [Online_Status]= True where username=', xrefs: 00502A8A
SELECT *, xrefs: 005029D3

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$MoveNew2$CastCheckHresultListVarg
String ID: From tblcashier$SELECT *$update tbluser set [Online_Status]= True where username='
API String ID: 1807557273-1984685722
Opcode ID: 393f66b884762ca8a1af9b613ce251d5d30c3b0d8762d150b0f7e6836087442c
Instruction ID: 7cf33693c485650bdd897678abc32033a803e3ec813e3d6531d8e891e5703bcb
Opcode Fuzzy Hash: 393f66b884762ca8a1af9b613ce251d5d30c3b0d8762d150b0f7e6836087442c
Instruction Fuzzy Hash: 134121B1D40609AACB11EF92CC86EEFBBBCEF54314F50012BF511B21D1DBB859458BA9

Function 00408595 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E66A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000048), ref: 004E66C9
__vbaFreeObj.MSVBVM60(00000000,00000000,00419BD0,00000048), ref: 004E66DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6711
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E6734
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000090), ref: 004E675D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E6778
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6793
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E67B6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E6823

Strings

O, xrefs: 00408595

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$List
String ID: O
API String ID: 3690971433-878818188
Opcode ID: ac67d20215f7d0d425e125225237aec1e198ad77be89ca2e623cb048a780c0fb
Instruction ID: 2b8bec280cc775e5d8d582287deffbf70287bad75aabd6e13edac721882362f9
Opcode Fuzzy Hash: ac67d20215f7d0d425e125225237aec1e198ad77be89ca2e623cb048a780c0fb
Instruction Fuzzy Hash: 0A811AB1901209AFDB10EBA5C889EEFB7FCEF18344F10406AF545E7191D678A945CBA8

Function 004FFE22 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

#685.MSVBVM60 ref: 004FFE96
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FFEA0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041ACA8,00000044), ref: 004FFEEE
__vbaFreeObj.MSVBVM60(00000000,00000000,0041ACA8,00000044), ref: 004FFEF6
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004FFF0D
#685.MSVBVM60 ref: 004FFF34
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FFF3E
#644.MSVBVM60(005002C8), ref: 004FFF89
#644.MSVBVM60(005002C8), ref: 004FFFD4
__vbaSetSystemError.MSVBVM60(?,?,0050037F), ref: 0050002A
__vbaErrorOverflow.MSVBVM60 ref: 00500086
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 005000D1
__vbaInStr.MSVBVM60(?,?,?,?), ref: 005000E7
__vbaI4Str.MSVBVM60(?), ref: 005000F3
__vbaStrI4.MSVBVM60(?,?,00000000,?), ref: 005000FF
__vbaStrMove.MSVBVM60(?,?,00000000,?), ref: 00500109
__vbaInStr.MSVBVM60(00000000,00000000,?,?,00000000,?), ref: 00500110
__vbaFreeStr.MSVBVM60(00000000,00000000,?,?,00000000,?), ref: 0050011A
__vbaFreeStr.MSVBVM60(00500147,00000000,00000000,?,?,00000000,?), ref: 00500141

Strings

((@, xrefs: 005000B9, 005000BE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#644#685Error$CheckCopyHresultListMoveOverflowSystem
String ID: ((@
API String ID: 555510163-3802014064
Opcode ID: ece765ef6ae4f83d3e7f9fa763f3063419db8b7e92576dd085306f5ff78c7f45
Instruction ID: 08fafdb72eedba08e4d7fe9ef0f62c66a6cf70e0cdca134c5e0f0009ffb463b2
Opcode Fuzzy Hash: ece765ef6ae4f83d3e7f9fa763f3063419db8b7e92576dd085306f5ff78c7f45
Instruction Fuzzy Hash: 519117B1D00209AFCB19EFA5C995BEEBBB9FF48300F50416EE50AA7290D7345A44CF65

Function 004F3053 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F30C8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,000001C0), ref: 004F30EE
__vbaSetSystemError.MSVBVM60(?,?), ref: 004F30FF
__vbaFreeObj.MSVBVM60(?,?), ref: 004F3107
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 004F3115
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F3146
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004F3163
__vbaFreeObj.MSVBVM60 ref: 004F316B
__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041AA4C,00000198), ref: 004F319E
__vbaLateMemSt.MSVBVM60(?,MousePointer), ref: 004F31B7
__vbaFreeObj.MSVBVM60(?,MousePointer), ref: 004F31BF
__vbaHresultCheckObj.MSVBVM60(00000000,00402018,0041AA7C,000007F4), ref: 004F31E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F31FB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F3218
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F322D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058), ref: 004F324D
__vbaObjSet.MSVBVM60(?,?), ref: 004F3260
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000005C), ref: 004F3279
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004F328C

Strings

MousePointer, xrefs: 004F31AE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$ErrorSystem$LateList
String ID: MousePointer
API String ID: 1218144987-933594070
Opcode ID: 29175cf687fde63d0f5536127135994b93bf85a12280a87f722574618708b932
Instruction ID: 5ddb8a0c3e2631276d04c05804c258fc4d0a2a5e5dfc80bfbc304f2ca2d7a559
Opcode Fuzzy Hash: 29175cf687fde63d0f5536127135994b93bf85a12280a87f722574618708b932
Instruction Fuzzy Hash: 50714871910618BBDB00EFA5C889EEFB7BCFF08704F10056AF505EB191DA789A458BA5

Function 00511DA3 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511DEF
__vbaStrMove.MSVBVM60( FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511DF9
__vbaNew2.MSVBVM60(0041B2FC,00538028, FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511E14
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054), ref: 00511E57
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B374,00000028,?,?,?), ref: 00511E94
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000034,?,?,?), ref: 00511EB7
__vbaStrVarMove.MSVBVM60(?,?,?,?), ref: 00511EC0
__vbaStrMove.MSVBVM60(?,?,?,?), ref: 00511ECA
#581.MSVBVM60(00000000,?,?,?,?), ref: 00511ED0
__vbaFpI4.MSVBVM60(00000000,?,?,?,?), ref: 00511ED5
__vbaFreeStr.MSVBVM60(00000000,?,?,?,?), ref: 00511EE0
__vbaFreeObjList.MSVBVM60(00000002,00000000,?,00000000,?,?,?,?), ref: 00511EEF
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?), ref: 00511EFA
__vbaCastObj.MSVBVM60(00000000,0041B31C,00538028,?,?,000000FF, FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511F12
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00538028,?,?,000000FF, FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511F1C

Strings

newid, xrefs: 00511E68
FROM tblFee;, xrefs: 00511DD2
SELECT Max([tblFee].[FeeID])+1 AS NewID, xrefs: 00511DCD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove$#581CastListNew2
String ID: FROM tblFee;$SELECT Max([tblFee].[FeeID])+1 AS NewID$newid
API String ID: 782633276-3378887862
Opcode ID: dac8d9ecbb3bc6bb2a2ea4efafeb7dc4e732f452f0f2cf8a67b499d8dd103e9c
Instruction ID: 21ae95221f268a0fa6d24689ce7b42d8f97107ac2fb2df61a0fc84e3ffb2a4d0
Opcode Fuzzy Hash: dac8d9ecbb3bc6bb2a2ea4efafeb7dc4e732f452f0f2cf8a67b499d8dd103e9c
Instruction Fuzzy Hash: 134152B1D00619AADB10EBA5C846AEFBFBCEF44704F10012AF501B71C1DB785A468FE4

Function 00523D78 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 113fileCOMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00523D96
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 00523DD7
#608.MSVBVM60(?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523DE9
#608.MSVBVM60(?,00000065,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523DF4
#608.MSVBVM60(?,0000006D,?,00000065,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523DFF
#608.MSVBVM60(?,00000070,?,0000006D,?,00000065,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523E0D
__vbaVarCat.MSVBVM60(?,?,?,?,00000070,?,0000006D,?,00000065,?,00000074,000000FF), ref: 00523E1E
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,?,?,00000070,?,0000006D,?,00000065,?,00000074,000000FF), ref: 00523E2F
__vbaVarCat.MSVBVM60(?,?,00000000,?,?,00000000,?,?,?,?,00000070,?,0000006D,?,00000065,?), ref: 00523E43
#667.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,00000070,?,0000006D,?,00000065), ref: 00523E49
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,00000070,?,0000006D,?,00000065), ref: 00523E53
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,00000000,?,?,00000000,?), ref: 00523E7F
__vbaStrCat.MSVBVM60(\log.txt,00000074,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523E96
__vbaStrMove.MSVBVM60(\log.txt,00000074,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523EA0
__vbaFileOpen.MSVBVM60(00000008,000000FF,00000001,00000000,\log.txt,00000074,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523EAC
__vbaFreeStr.MSVBVM60(00000008,000000FF,00000001,00000000,\log.txt,00000074,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523EB4
__vbaPrintFile.MSVBVM60(00420ACC,00000001,00000000,00000008,000000FF,00000001,00000000,\log.txt,00000074,?,00000074,000000FF), ref: 00523ECC
__vbaFileClose.MSVBVM60(00000001,00000000,\log.txt,00000074,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523EDD
__vbaFreeStr.MSVBVM60(00523F3C,00000001,00000000,\log.txt,00000074,?,00000074,000000FF,?,?,?,?,00404F16), ref: 00523F36

Strings

\log.txt, xrefs: 00523E91

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#608$FileFree$Move$#667ChkstkCloseErrorListOpenPrint
String ID: \log.txt
API String ID: 2789730974-1519802361
Opcode ID: 123dc4b647151ed1064811f673b5431bb5922bfda094e2a2f0f613bffac4b74f
Instruction ID: e94aedbf66fdc8028ae91110b0b6b83341974bcdcdc31f9cd5de0e1aeacb30ea
Opcode Fuzzy Hash: 123dc4b647151ed1064811f673b5431bb5922bfda094e2a2f0f613bffac4b74f
Instruction Fuzzy Hash: A041EDB2900608AADB11EFD1CD46FCFBBBCAF44704F50416AB605B71C1DB799A488F95

Function 004E2DB2 Relevance: 34.8, APIs: 23, Instructions: 309COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 004E2DD0
__vbaRaiseEvent.MSVBVM60(?,00000001,00000000,?,?,?,?,00404F16), ref: 004E2E1B
__vbaOnError.MSVBVM60(000000FF,?,?,00404F16), ref: 004E2E2C
__vbaObjSet.MSVBVM60(?,00000000,?,?,00404F16), ref: 004E2E5D
__vbaChkstk.MSVBVM60 ref: 004E2E93
__vbaChkstk.MSVBVM60 ref: 004E2EA4
__vbaChkstk.MSVBVM60 ref: 004E2EB5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000130), ref: 004E2EF2
__vbaFreeObj.MSVBVM60(00000000,?,00419EF8,00000130), ref: 004E2F09
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E2F3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000078), ref: 004E2F69
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E2FA2
__vbaChkstk.MSVBVM60(00000000,00000000), ref: 004E3003
__vbaChkstk.MSVBVM60(00000000,00000000), ref: 004E3014
__vbaChkstk.MSVBVM60(00000000,00000000), ref: 004E3025
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000130,?,00000000,00000000), ref: 004E3062
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,00000000,00000000), ref: 004E3080
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E30B4
__vbaChkstk.MSVBVM60 ref: 004E30FA
__vbaChkstk.MSVBVM60 ref: 004E310B
__vbaChkstk.MSVBVM60 ref: 004E311C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A2DC,000000F4), ref: 004E3159
__vbaFreeObj.MSVBVM60(00000000,?,0041A2DC,000000F4), ref: 004E3170

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$CheckHresult$Free$ErrorEventListRaise
String ID:
API String ID: 1097782831-0
Opcode ID: dae7ef8a279efc882efa435499ac7d11a77f82a6dbb2c0d8269b26ce9d79160a
Instruction ID: 58c883fc63a617ee506eb1cb224c9a3f1efcc9f5d9f2dc3cf79163c90cf90336
Opcode Fuzzy Hash: dae7ef8a279efc882efa435499ac7d11a77f82a6dbb2c0d8269b26ce9d79160a
Instruction Fuzzy Hash: ECC11771900608EFCB01DF94C849BDEBBB5BF49314F10446AF908AB2A1C7BA9A85DF55

Function 00501E7B Relevance: 34.7, APIs: 23, Instructions: 194COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00501ECB
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00501ED5
__vbaCastObjVar.MSVBVM60(00000000), ref: 00501EDE
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00501EE8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 00501F07
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00501F22
__vbaFreeVar.MSVBVM60 ref: 00501F2D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501F65
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00501F6B
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00501F73
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501F86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C5A8,00000074), ref: 00501FA4
__vbaFreeObj.MSVBVM60 ref: 00501FAC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501FBF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501FF8
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00501FFE
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 00502006
__vbaObjSet.MSVBVM60(?,00000000), ref: 00502019
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C5A8,00000074), ref: 00502037
__vbaFreeObj.MSVBVM60 ref: 0050203F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00502052
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C5A8,00000074), ref: 00502070
__vbaFreeObj.MSVBVM60 ref: 00502078

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$Late$CallCastList
String ID:
API String ID: 3750005124-0
Opcode ID: 82956e97e2219bd517dde5922ef5ae306ad018343990fa640a7f3187849c87cc
Instruction ID: 8619254de873e392783b81297bbeeba79853b1ef306e1b8281dea6bb6b9b2997
Opcode Fuzzy Hash: 82956e97e2219bd517dde5922ef5ae306ad018343990fa640a7f3187849c87cc
Instruction Fuzzy Hash: BE515EB1800615ABCB10EBA5CD89EDF7BBCFF08354F50056AB505FB1D1DB789A048BA5

Function 004E2633 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 280COMMON

Download Yara Rule

APIs

__vbaI2I4.MSVBVM60 ref: 004E2688
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E26A8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E26BE
__vbaI2I4.MSVBVM60(?,?,00000000), ref: 004E26CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004E26EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000058), ref: 004E270F
__vbaObjSet.MSVBVM60(?,?), ref: 004E2724
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000005C), ref: 004E2741
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004E2758
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E277B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,00000130), ref: 004E2804
__vbaFreeObj.MSVBVM60 ref: 004E280C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E281F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E284F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000008C), ref: 004E2872
__vbaFreeObj.MSVBVM60 ref: 004E287A
__vbaHresultCheckObj.MSVBVM60(00000000,00401618,0041993C,00000390), ref: 004E28B4

Strings

GradTheme, xrefs: 004E2884

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$List
String ID: GradTheme
API String ID: 3690971433-2629687681
Opcode ID: cccbea16cc48e828b58e7225e05827f7968bd321b27356dea7b5189484d6b473
Instruction ID: 1db31b6d7e98065f4bccfd37a3810468e32ec6ca3d459cf2cc273110fe060c20
Opcode Fuzzy Hash: cccbea16cc48e828b58e7225e05827f7968bd321b27356dea7b5189484d6b473
Instruction Fuzzy Hash: F1A15CB1900618AFCB00EFA5C889EDFBBBCFF08700F14416AF505EB291D77999418BA5

Function 00515A1D Relevance: 33.1, APIs: 22, Instructions: 138COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00515A6D
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00515A77
__vbaCastObjVar.MSVBVM60(00000000), ref: 00515A80
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00515A8A

Part of subcall function 005056EB: __vbaOnError.MSVBVM60(00000001,X)@,00000000,00000000), ref: 0050572D
Part of subcall function 005056EB: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505750
Part of subcall function 005056EB: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,0000004C), ref: 00505770
Part of subcall function 005056EB: __vbaLenBstr.MSVBVM60(?), ref: 00505788
Part of subcall function 005056EB: #619.MSVBVM60(?,00000008,-00000004,?), ref: 0050579F
Part of subcall function 005056EB: __vbaStrVarMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057A8
Part of subcall function 005056EB: __vbaStrMove.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057B2
Part of subcall function 005056EB: __vbaFreeStr.MSVBVM60(?,?,00000008,-00000004,?), ref: 005057BA
Part of subcall function 005056EB: __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,-00000004,?), ref: 005057C9
Part of subcall function 005056EB: __vbaExitProc.MSVBVM60(00000008,-00000004,?), ref: 005057E0

__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 00515A9D
__vbaLenBstr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 00515AA3
__vbaFreeStr.MSVBVM60(00000000,?,?,00000000,00000000), ref: 00515AB8
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,?,00000000,00000000), ref: 00515AC7
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00515AD2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00515AF3
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00515AFD
__vbaCastObjVar.MSVBVM60(00000000), ref: 00515B06
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00515B10
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 00515B23
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 00515B2D
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 00515B35
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000,00000000), ref: 00515B44
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00515B4F
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,00000000,00000000), ref: 00515B66
__vbaObjSetAddref.MSVBVM60(?,?,?,00000000,00000000), ref: 00515B7B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 00515B97
__vbaFreeObj.MSVBVM60 ref: 00515B9F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresultList$BstrCallCastLate$#619AddrefCopyErrorExitNew2Proc
String ID:
API String ID: 2127399331-0
Opcode ID: 243b491eb1ade134284bf4b6d16a02e648a9b54be48ec62045c91dbc1640082f
Instruction ID: b72cbe577d3072234750cf6dc2127f46e0c066ed529997a527761f8d05d7e368
Opcode Fuzzy Hash: 243b491eb1ade134284bf4b6d16a02e648a9b54be48ec62045c91dbc1640082f
Instruction Fuzzy Hash: A941F0B1D00609AADB14FBA6CC86EEFB77CEF44305F50452AF201B31D1EA789645CBA5

Function 005291E8 Relevance: 31.7, APIs: 21, Instructions: 196COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00529206
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0052924C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 0052926B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 005292B5

Part of subcall function 00531BEF: __vbaChkstk.MSVBVM60(00000000,00404F16,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00531C0B
Part of subcall function 00531BEF: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00404F16), ref: 00531C38
Part of subcall function 00531BEF: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16), ref: 00531C46
Part of subcall function 00531BEF: __vbaStrCmp.MSVBVM60(0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C5A
Part of subcall function 00531BEF: __vbaStrCopy.MSVBVM60(0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C72
Part of subcall function 00531BEF: __vbaAryDestruct.MSVBVM60(00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF,?,?,?,00000000), ref: 00531CCC
Part of subcall function 00531BEF: __vbaAryDestruct.MSVBVM60(00000000,?,00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF), ref: 00531CD7
Part of subcall function 00531BEF: __vbaFreeStr.MSVBVM60(00000000,?,00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF), ref: 00531CDF

__vbaNew2.MSVBVM60(00415498,005381C4), ref: 005292DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00529315
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 0052935F
#713.MSVBVM60(?), ref: 00529376
__vbaStrMove.MSVBVM60(?), ref: 00529380
#711.MSVBVM60(?,?,00000008,000000FF,00000000,?), ref: 005293B1
__vbaAryVar.MSVBVM60(00002008,?,?,?,00000008,000000FF,00000000,?), ref: 005293BF
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,?,00000008,000000FF,00000000,?), ref: 005293D5
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,?,?,00002008,?,?,?,00000008,000000FF,00000000,?), ref: 005293E8
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,00404F16), ref: 005293FA
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00404F16), ref: 0052940C
__vbaDerefAry1.MSVBVM60(?,00000001,?,?,?,?,?,?,?,?,?,00404F16), ref: 00529420
__vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052942A
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?), ref: 00529484
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A,?), ref: 0052949B
__vbaFreeStr.MSVBVM60(00529508), ref: 005294F7
__vbaAryDestruct.MSVBVM60(00000000,?,00529508), ref: 00529502

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CopyList$Destruct$CheckChkstkErrorHresult$#595#711#713Ary1DerefMoveNew2
String ID:
API String ID: 4291582672-0
Opcode ID: 986373c2a170de46aa36c99193d8ba44c9c950487be75e66c36d6c940ca54a48
Instruction ID: 5df96cb1168c9ea6d9bfa8e835deceac9a7e29aee595fb51132682e1ccb08ef9
Opcode Fuzzy Hash: 986373c2a170de46aa36c99193d8ba44c9c950487be75e66c36d6c940ca54a48
Instruction Fuzzy Hash: BA81B1B1D00218AFDB11EF94C845BDEBBB9FF08304F1081AAE115BA291DB755A45CF65

Function 004FDB27 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 005127F1: __vbaStrCat.MSVBVM60( From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 00512837
Part of subcall function 005127F1: __vbaStrMove.MSVBVM60( From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 00512841
Part of subcall function 005127F1: __vbaStrCat.MSVBVM60( WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 0051284C
Part of subcall function 005127F1: __vbaStrMove.MSVBVM60( WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 00512856
Part of subcall function 005127F1: __vbaStrCat.MSVBVM60(?,00000000, WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 00512861
Part of subcall function 005127F1: __vbaStrMove.MSVBVM60(?,00000000, WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 0051286B
Part of subcall function 005127F1: __vbaStrCat.MSVBVM60());,00000000,?,00000000, WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 00512876
Part of subcall function 005127F1: __vbaStrMove.MSVBVM60());,00000000,?,00000000, WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000,?,?,?,004FDB90,004026C4), ref: 00512880
Part of subcall function 005127F1: __vbaFreeStrList.MSVBVM60(00000003,?,00000000,00402690,));,00000000,?,00000000, WHERE (((tblFee.FeeID)=,00000000, From tblFee,DELETE *,?,00402690,00000000), ref: 00512893
Part of subcall function 005127F1: __vbaNew2.MSVBVM60(0041B32C,?,DELETE *), ref: 005128AD
Part of subcall function 005127F1: __vbaNew2.MSVBVM60(0041B2FC,00538028,DELETE *), ref: 005128C4
Part of subcall function 005127F1: __vbaCastObj.MSVBVM60(00000000,0041B31C,00538028,?,004FDB90,000000FF,DELETE *), ref: 005128F3
Part of subcall function 005127F1: __vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00538028,?,004FDB90,000000FF,DELETE *), ref: 005128FD
Part of subcall function 005127F1: __vbaFreeStr.MSVBVM60(00512931,?,00000000,00000000,0041B31C,00538028,?,004FDB90,000000FF,DELETE *), ref: 00512923
Part of subcall function 005127F1: __vbaFreeObj.MSVBVM60(00512931,?,00000000,00000000,0041B31C,00538028,?,004FDB90,000000FF,DELETE *), ref: 0051292B

__vbaNew2.MSVBVM60(00419EE8,00539E00,004026C4), ref: 004FDBAC
__vbaObjSetAddref.MSVBVM60(?,00402690,004026C4), ref: 004FDBC4
__vbaVarDup.MSVBVM60(004026C4), ref: 004FDC04
#595.MSVBVM60(?,00000010,?,?,?,004026C4), ref: 004FDC1B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000010,?,?,?,004026C4), ref: 004FDC32
__vbaStrCopy.MSVBVM60(?,004026C4), ref: 004FDC42
__vbaStrCopy.MSVBVM60(?,004026C4), ref: 004FDC4F
__vbaStrCopy.MSVBVM60(?,004026C4), ref: 004FDC5C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,004026C4), ref: 004FDC84
__vbaFreeVar.MSVBVM60(?,?,?,?,?,004026C4), ref: 004FDC8F
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,004026C4), ref: 004FDCA6
__vbaObjSetAddref.MSVBVM60(?,00402690,?,?,?,?,?,004026C4), ref: 004FDCBE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 004FDCDD
__vbaFreeObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 004FDCE5

Strings

Unable to delete Fee entry., xrefs: 004FDBF6
frmDeleteFee, xrefs: 004FDC54
Unable to delete Fee entry, xrefs: 004FDC3A
cmdDelete_Click, xrefs: 004FDC47

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$MoveNew2$CopyList$Addref$#595CastCheckHresult
String ID: Unable to delete Fee entry$Unable to delete Fee entry.$cmdDelete_Click$frmDeleteFee
API String ID: 2736314101-1961867069
Opcode ID: 1562d81af09c1355dfc5f4ac734c89e1bd5a517311e99429c17a1a2edeafed32
Instruction ID: f77dfd4355c81773504a8f4ab23ad9f634e81e674f7a324be7d341aae21b711f
Opcode Fuzzy Hash: 1562d81af09c1355dfc5f4ac734c89e1bd5a517311e99429c17a1a2edeafed32
Instruction Fuzzy Hash: 4F51EBB1D0120DABCB10DF95C981ADEB7BDFF48304F60452BE605A7281E778AA45CF95

Function 0051544F Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 005154BD
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 005154C7
__vbaCastObjVar.MSVBVM60(00000000), ref: 005154D0
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 005154DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C598,0000001C), ref: 005154F9
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00515514
__vbaFreeVar.MSVBVM60 ref: 0051551F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00515543
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0051554D
__vbaCastObjVar.MSVBVM60(00000000), ref: 00515556
__vbaVarLateMemSt.MSVBVM60(?,txtStudentID), ref: 0051557A
__vbaFreeObj.MSVBVM60(?,txtStudentID), ref: 00515582
__vbaFreeVarList.MSVBVM60(00000002,?,00000009,?,txtStudentID), ref: 00515593
__vbaObjVar.MSVBVM60(?,Show,00000001,?,00000002,?,00000009,?,txtStudentID), ref: 005155B5
__vbaLateMemCall.MSVBVM60(00000000,?,Show,00000001,?,00000002,?,00000009,?,txtStudentID), ref: 005155BB
__vbaFreeVar.MSVBVM60(005155F8), ref: 005155F2

Strings

txtStudentID, xrefs: 00515570
Show, xrefs: 005155AB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Late$Call$CastList$CheckHresult
String ID: Show$txtStudentID
API String ID: 3744299174-734351202
Opcode ID: 94600608589f70704b962d0ae0faef80976e95b0b6716cadd7e7ce010b1c769d
Instruction ID: efe6818d93fdfedf8779d8997c96b49c32280b844002797893f398166813acb3
Opcode Fuzzy Hash: 94600608589f70704b962d0ae0faef80976e95b0b6716cadd7e7ce010b1c769d
Instruction Fuzzy Hash: 6F414EB2C00608AACB10EFA5C885EDFBBBCEF48304F10452BF515F7181DA799A458FA4

Function 00530833 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00530881
__vbaNew2.MSVBVM60(0041B32C,?), ref: 00530895
__vbaNew2.MSVBVM60(0041B2FC,00538028), ref: 005308B3
__vbaFreeStr.MSVBVM60(00538028,?,?,000000FF), ref: 005308D3
__vbaNew2.MSVBVM60(0041B32C,?,00538028,?,?,000000FF), ref: 005308EB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00530913
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00530931
__vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 00530941
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,00000000), ref: 00530950
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000064,000000FF,?,?,?,?,00000000), ref: 0053097D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000064,000000FF,?,?,?,?,00000000), ref: 0053098C
__vbaFreeVar.MSVBVM60 ref: 00530997
__vbaCastObj.MSVBVM60(00000000,0041B31C,00538028,?,?,000000FF), ref: 005309AB
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00538028,?,?,000000FF), ref: 005309B5
__vbaFreeObj.MSVBVM60(005309ED,?,00000000,00000000,0041B31C,00538028,?,?,000000FF), ref: 005309E7

Strings

SELECT tblYearLevel.YearLevelTitle as lvKey, tblYearLevel.YearLevelTitle FROM tblYearLevel;, xrefs: 00530861
year, xrefs: 0053091C
d, xrefs: 00530927

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$New2$Copy$CastList
String ID: SELECT tblYearLevel.YearLevelTitle as lvKey, tblYearLevel.YearLevelTitle FROM tblYearLevel;$d$year
API String ID: 1115885562-185359574
Opcode ID: 181fbb130cb9ed01e94facdf1395c82ba5b5ae3e1cdc49220c8c4ee110eb1f24
Instruction ID: af0b21406ca92381cb023dd1d599d0e063fabe2e84389a475a068a92e7192ae1
Opcode Fuzzy Hash: 181fbb130cb9ed01e94facdf1395c82ba5b5ae3e1cdc49220c8c4ee110eb1f24
Instruction Fuzzy Hash: 2451DAB2C10219ABCB11EBD5C8969EFBBBCFB48714F50012BF611B3181DB785A45CBA5

Function 004FFB0E Relevance: 30.2, APIs: 20, Instructions: 220COMMON

Download Yara Rule

APIs

#685.MSVBVM60 ref: 004FFB8C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FFB96
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041ACA8,00000044), ref: 004FFBE4
__vbaFreeObj.MSVBVM60 ref: 004FFBEC
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004FFC03
__vbaLenBstrB.MSVBVM60(00404F16), ref: 004FFC15
#525.MSVBVM60(0050013E,0050012E,00404F16), ref: 004FFC3C
__vbaStrMove.MSVBVM60(0050013E,0050012E,00404F16), ref: 004FFC46
__vbaStrCat.MSVBVM60(00000000,0050013E,0050012E,00404F16), ref: 004FFC4C
__vbaStrMove.MSVBVM60(00000000,0050013E,0050012E,00404F16), ref: 004FFC56
__vbaStrCopy.MSVBVM60(00000000,0050013E,0050012E,00404F16), ref: 004FFC5F
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,0050013E,0050012E,00404F16), ref: 004FFC6E
#644.MSVBVM60(0050012E,00404F16), ref: 004FFC88
__vbaSetSystemError.MSVBVM60(?,?,00500135), ref: 004FFD00
#644.MSVBVM60(00404F16,?,?,00500135), ref: 004FFD0A
__vbaSetSystemError.MSVBVM60(?,00000000,?,00404F16,?,?,00500135), ref: 004FFD21
__vbaErrorOverflow.MSVBVM60 ref: 004FFD8B
__vbaStrCopy.MSVBVM60 ref: 004FFDD3
__vbaHresultCheckObj.MSVBVM60(00000000,00402808,0041BF08,00000044), ref: 004FFDF2
__vbaFreeStr.MSVBVM60(004FFE05), ref: 004FFDFF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Error$#644CheckCopyHresultListMoveSystem$#525#685BstrOverflow
String ID:
API String ID: 3375691159-0
Opcode ID: 0b38a11026eaa9e5aa297c55c5da61a3823ecc2a599c0d0c0f4ae2c08770e353
Instruction ID: 75cac9393c7306a615719a7545e6449cd417eb520330802f669e1a2f40aff2c7
Opcode Fuzzy Hash: 0b38a11026eaa9e5aa297c55c5da61a3823ecc2a599c0d0c0f4ae2c08770e353
Instruction Fuzzy Hash: DB813EB1D00609AFCB14EF95C981AEEBBB9FF08300F40446EF616A7291D738A945CF59

Function 005099D8 Relevance: 30.1, APIs: 20, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaCastObj.MSVBVM60(00000000,0041B31C,?,?,?,?,?,00404F16), ref: 00509A24
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 00509A2E
__vbaObjSetAddref.MSVBVM60(00402E58,00000000,?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 00509A38
__vbaFreeObj.MSVBVM60(00402E58,00000000,?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 00509A40
__vbaCastObj.MSVBVM60(00000000,0041B31C,00402E58,00000000,?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 00509A47
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 00509A51
__vbaObjSetAddref.MSVBVM60(00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000,00000000,0041B31C), ref: 00509A5B
__vbaFreeObj.MSVBVM60(00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000,00000000,0041B31C), ref: 00509A63
__vbaCastObj.MSVBVM60(00000000,0041B31C,00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000,00000000,0041B31C), ref: 00509A6A
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000,00000000,0041B31C), ref: 00509A74
__vbaObjSetAddref.MSVBVM60(00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000), ref: 00509A7E
__vbaFreeObj.MSVBVM60(00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000,?,00000000), ref: 00509A86
__vbaCastObj.MSVBVM60(00000000,0041B31C,00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000,00000000,0041B31C,00402E58,00000000), ref: 00509A8D
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000,00000000,0041B31C), ref: 00509A97
__vbaObjSetAddref.MSVBVM60(00402E50,00000000,?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000), ref: 00509AA1
__vbaFreeObj.MSVBVM60(00402E50,00000000,?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000,?,00000000), ref: 00509AA9
__vbaCastObj.MSVBVM60(00000000,0041B31C,00402E50,00000000,?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000,00000000,0041B31C,00402E5C,00000000), ref: 00509AB0
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00402E50,00000000,?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000,00000000,0041B31C), ref: 00509ABA
__vbaObjSetAddref.MSVBVM60(00402DC8,00000000,?,00000000,00000000,0041B31C,00402E50,00000000,?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000), ref: 00509AC4
__vbaFreeObj.MSVBVM60(00402DC8,00000000,?,00000000,00000000,0041B31C,00402E50,00000000,?,00000000,00000000,0041B31C,00402E64,00000000,?,00000000), ref: 00509ACC

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCastFree
String ID:
API String ID: 247606873-0
Opcode ID: 5bbb2bc0c0d7ab2ebfd7eb43f7f8b4e0ea673c359a17d7bd9092401dd0af8bde
Instruction ID: c22e50662ba2086f373ccdcc3ccea26a236720af8ca12cbec6637e7069a3a612
Opcode Fuzzy Hash: 5bbb2bc0c0d7ab2ebfd7eb43f7f8b4e0ea673c359a17d7bd9092401dd0af8bde
Instruction Fuzzy Hash: 1221C1B180050A7AC710FFA2CD86DDFBB6DEF44354B40453BB205B3582DB3C95559AE8

Function 004F52DD Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004F5329
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F533C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000050), ref: 004F535C
__vbaStrCmp.MSVBVM60(?,?), ref: 004F5367
__vbaFreeStr.MSVBVM60(?,?), ref: 004F5378
__vbaFreeObj.MSVBVM60(?,?), ref: 004F5380
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F539C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 004F53BB
__vbaFreeObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 004F53C3
__vbaHresultCheckObj.MSVBVM60(00000000,00402188,0041AD58,000007EC), ref: 004F53E5
__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041AD28,00000198), ref: 004F5422
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 004F543B
__vbaFreeObj.MSVBVM60(?,Caption), ref: 004F5443
__vbaHresultCheckObj.MSVBVM60(00000000,00402188,0041AD28,00000390), ref: 004F547D
__vbaFreeStr.MSVBVM60(004F54A3,?,?), ref: 004F549D

Strings

Caption, xrefs: 004F5432
Caption, xrefs: 004F544D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$CopyLate
String ID: Caption$Caption
API String ID: 2651179779-3329938670
Opcode ID: dce33f57fec2bae2627d2827de5931dd9079944315ac80ea112f936993a9e4ab
Instruction ID: 51e1083a89575581d0b654c8b2fe37ab06d9dd21906dc291f67f168726e75e06
Opcode Fuzzy Hash: dce33f57fec2bae2627d2827de5931dd9079944315ac80ea112f936993a9e4ab
Instruction Fuzzy Hash: 84517C71900A18ABCF01EFA5CC89EEFBBB8FF54305F10015AF601BB191C77899458BA9

Function 0050352A Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,004026C0,00538024,00000000,?,?,?,?,00404F16,?,?,?,004FE157,?,?), ref: 0050357B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014,?,?,?,?,00404F16,?,?,?,004FE157,?,?), ref: 0050359F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050,?,?,?,?,00404F16,?,?,?,004FE157,?,?), ref: 005035C2
__vbaStrCat.MSVBVM60(\Cashier_Config.txt,?,?,?,?,?,00404F16,?,?,?,004FE157,?,?), ref: 005035CF
__vbaStrMove.MSVBVM60(\Cashier_Config.txt,?,?,?,?,?,00404F16,?,?,?,004FE157,?,?), ref: 005035D9
__vbaStrToAnsi.MSVBVM60(?,00000000,\Cashier_Config.txt,?,?,?,?,?,00404F16,?,?,?,004FE157,?,?), ref: 005035E3
__vbaStrToAnsi.MSVBVM60(00404F16,WO,00000000,?,00000000,\Cashier_Config.txt,?,?,?,?,?,00404F16,?,?,?,004FE157), ref: 005035F2
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00404F16,WO,00000000,?,00000000,\Cashier_Config.txt,?,?,?,?,?,00404F16), ref: 00503601
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,00000000,00404F16,WO,00000000,?,00000000,\Cashier_Config.txt,?), ref: 00503610
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,?,?,00000000,00404F16,WO,00000000,?,00000000,\Cashier_Config.txt,?), ref: 0050361B
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,00000000,?,?,00000000,00404F16,WO,00000000,?,00000000,\Cashier_Config.txt,?), ref: 00503624
__vbaStrToUnicode.MSVBVM60(?,?,?,?,00000000,?,?,00000000,?,?,00000000,00404F16,WO,00000000,?,00000000), ref: 0050362D
__vbaStrToUnicode.MSVBVM60(WO,00404F16,?,?,?,?,00000000,?,?,00000000,?,?,00000000,00404F16,WO,00000000), ref: 00503636
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,00404F16,?,?,WO,00404F16,?,?,?,?,00000000,?,?), ref: 00503655
__vbaFreeObj.MSVBVM60(00404F16,WO,00000000,?,00000000,\Cashier_Config.txt,?,?,?,?,?,00404F16,?,?,?,004FE157), ref: 00503660

Strings

\Cashier_Config.txt, xrefs: 005035CA
WO, xrefs: 005035E8, 005035EC, 00503635

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Ansi$Unicode$CheckFreeHresult$ErrorListMoveNew2System
String ID: WO$\Cashier_Config.txt
API String ID: 757334767-3006931933
Opcode ID: 54dc00f48490bc864f7e0f226594ab53b32477df724646570c4aaad047c99f0b
Instruction ID: 6d875dbcf84ee5f0de19bbbcce25508e8d4d25fa891ba3564322d070dc041683
Opcode Fuzzy Hash: 54dc00f48490bc864f7e0f226594ab53b32477df724646570c4aaad047c99f0b
Instruction Fuzzy Hash: EC41FBB2D00609AACB11EBD6CC46EEFBBBDEF58304F10451BF500B7191D6799A058BA5

Function 00517BCB Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00403610,0041E8AC,0000008C), ref: 00517C46
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C), ref: 00517C82
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C), ref: 00517CA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?), ref: 00517CE1
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?), ref: 00517CFA
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,Caption,?,?,?,?,?,?,?,?,?), ref: 00517D11
__vbaHresultCheckObj.MSVBVM60(00000000,00403610,0041E8AC,0000008C,?,?,?,?,Caption), ref: 00517D46
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA18,0000001C,?,?,?,?,?,?,?,?,Caption), ref: 00517D82
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA28,0000003C,?,?,?,?,?,?,?,?,Caption), ref: 00517DA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041EA38,0000001C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517DE1
__vbaLateMemSt.MSVBVM60(?,Caption,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517DFA
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,Caption,?,?,?,?,?,?,?,?), ref: 00517E11

Strings

Caption, xrefs: 00517CF1, 00517DF1
lblSchoolName, xrefs: 00517CB6
Section4, xrefs: 00517C57, 00517D57
lblSchoolAddress, xrefs: 00517DB6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeLateList
String ID: Caption$Section4$lblSchoolAddress$lblSchoolName
API String ID: 3947987680-3727147838
Opcode ID: 0a01cbb010ed3728ed5a9b7cd0cf625fd2dd2617a5c84c60aa495c79309c9c82
Instruction ID: 219b7fae8ceadae27b32e0772ef9552230d67ee7c92984017fea7f5d79a380f7
Opcode Fuzzy Hash: 0a01cbb010ed3728ed5a9b7cd0cf625fd2dd2617a5c84c60aa495c79309c9c82
Instruction Fuzzy Hash: 0A8139B1D40609ABDF00EFA9C845EDFBBB9FF49704F10841AF905BB291D6759A058FA0

Function 0053056E Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 005219B0: __vbaNew2.MSVBVM60(0041B32C,?), ref: 005219E7
Part of subcall function 005219B0: __vbaNew2.MSVBVM60(0041B32C,?,?,0041B32C,?), ref: 00521A04
Part of subcall function 005219B0: __vbaCastObj.MSVBVM60(00000000,0041B31C,?,0041B32C,?), ref: 00521A25
Part of subcall function 005219B0: __vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,?,0041B32C,?), ref: 00521A2F
Part of subcall function 005219B0: __vbaFreeObj.MSVBVM60(00521A42,?,00000000,00000000,0041B31C,?,0041B32C,?), ref: 00521A3C

__vbaVarDup.MSVBVM60 ref: 00530613
#595.MSVBVM60(?,00000030,?,?,?), ref: 0053062A
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000030,?,?,?), ref: 00530641
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?), ref: 0053065B
__vbaObjSetAddref.MSVBVM60(?,F@,?,?), ref: 00530673
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 00530692
__vbaFreeObj.MSVBVM60 ref: 0053069A
__vbaVarDup.MSVBVM60 ref: 005306F5
#595.MSVBVM60(?,00000030,?,?,?), ref: 0053070C
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000030,?,?,?), ref: 00530723
__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?), ref: 0053073D
__vbaObjSetAddref.MSVBVM60(?,F@,?,?), ref: 00530755
__vbaHresultCheckObj.MSVBVM60(00000000,F@,0042A3B8,000002B0), ref: 005307C5
__vbaStrCopy.MSVBVM60 ref: 005307D0

Strings

There are no revords yeat in Year Level., xrefs: 00530602, 005306E4
F@, xrefs: 0053059F, 005305A4, 00530668, 005306AD, 0053074A, 005307AB, 005307C3

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$FreeNew2$#595AddrefCheckHresultList$CastCopy
String ID: There are no revords yeat in Year Level.$F@
API String ID: 2779379616-513993038
Opcode ID: 067a1a5ec39c6b28ae3fce5b05e092164ff3c71a085c6d4324db72053eaaf7f4
Instruction ID: 76fe8f7da888ea085071114993b14d46530f57587f3e1a31a2ac86a1ffeb52fe
Opcode Fuzzy Hash: 067a1a5ec39c6b28ae3fce5b05e092164ff3c71a085c6d4324db72053eaaf7f4
Instruction Fuzzy Hash: 897128B1D00309ABDB11DF95C985BDEBBBDFF44304F20806AE509AB281D7B46A48CF95

Function 004FF072 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004FF0EA
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 004FF0F0
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 004FF0F8
__vbaNew2.MSVBVM60(00419EE8,00539E00,00000000,?,00000000), ref: 004FF110
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014), ref: 004FF134
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 004FF157
__vbaStrCat.MSVBVM60(\Flash\warning.swf,?), ref: 004FF164
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FF191
__vbaLateIdCall.MSVBVM60(00000000,?,00000000), ref: 004FF197
__vbaFreeStr.MSVBVM60 ref: 004FF1A2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004FF1B3
__vbaFreeVar.MSVBVM60 ref: 004FF1BE
__vbaFreeVar.MSVBVM60(00000008), ref: 004FF1D9
__vbaEnd.MSVBVM60(00000008), ref: 004FF1DE

Strings

\Flash\warning.swf, xrefs: 004FF15F
('@, xrefs: 004FF09B, 004FF0AB, 004FF0DD, 004FF184

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultLate$CallListNew2
String ID: ('@$\Flash\warning.swf
API String ID: 3894332140-1451043412
Opcode ID: 7cf81d0e125ea9d75afcfa6ce8efc00ef3ece26b92ba762ed8a9f3802aab3011
Instruction ID: e2dc3138621bdef2719a7ded0c19aa0bea28ca0bcb37333a656e7d04b08b765c
Opcode Fuzzy Hash: 7cf81d0e125ea9d75afcfa6ce8efc00ef3ece26b92ba762ed8a9f3802aab3011
Instruction Fuzzy Hash: A74119B1910619ABDB10EFA5C88AFEF7BB8FF04704F50452AF500B7191D77855098BA5

Function 0053642A Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

#594.MSVBVM60(?,0041B688,00403798,00000000), ref: 00536473
__vbaFreeVar.MSVBVM60(?,0041B688,00403798,00000000), ref: 0053647B
__vbaStrCopy.MSVBVM60(?,0041B688,00403798,00000000), ref: 00536488
#593.MSVBVM60(?,?,0041B688,00403798,00000000), ref: 005364B2
__vbaLenBstr.MSVBVM60(?,?,?,?,?,0041B688,00403798,00000000), ref: 005364CE
__vbaR8IntI4.MSVBVM60(?,?,?,?,?,0041B688,00403798,00000000), ref: 005364F8
#631.MSVBVM60(?,00000000,?,?,?,?,?,0041B688,00403798,00000000), ref: 00536501
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?,?,0041B688,00403798,00000000), ref: 0053650B
__vbaStrCat.MSVBVM60(00000000,?,00000000,?,?,?,?,?,0041B688,00403798,00000000), ref: 00536511
__vbaStrMove.MSVBVM60(00000000,?,00000000,?,?,?,?,?,0041B688,00403798,00000000), ref: 0053651B
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,?,?,?,?,0041B688,00403798,00000000), ref: 00536523
__vbaFreeVarList.MSVBVM60(00000002,?,00000002,00000000,?,00000000,?,?,?,?,?,0041B688,00403798,00000000), ref: 00536532
__vbaFreeStr.MSVBVM60(00536584,?,0041B688,00403798,00000000), ref: 0053657E
__vbaErrorOverflow.MSVBVM60(0041B688,00403798,00000000), ref: 0053659D

Strings

abdefgijklmnopqrstuvwxyz, xrefs: 00536480
(N@, xrefs: 0053648D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$#593#594#631BstrCopyErrorListOverflow
String ID: (N@$abdefgijklmnopqrstuvwxyz
API String ID: 4221327549-1121117905
Opcode ID: 68f638ab15ab0d5441395c4b92d849e0b3aa80a49041d8bc9530d289ed12f4c7
Instruction ID: 912fcc2f610a28c7f4ed0155a63749caa6e865eeaf23d027328a493cb1116158
Opcode Fuzzy Hash: 68f638ab15ab0d5441395c4b92d849e0b3aa80a49041d8bc9530d289ed12f4c7
Instruction Fuzzy Hash: 123110B1D00219ABCF10EFA6D942AEEBBB8FF48705F60403AF505B6191D7385A41CF59

Function 004E8DE9 Relevance: 27.3, APIs: 18, Instructions: 272COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E8E5E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E8E86
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,000001C0), ref: 004E8EB6
__vbaSetSystemError.MSVBVM60(?,?), ref: 004E8EC7
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 004E8ED6
__vbaSetSystemError.MSVBVM60(?), ref: 004E8EE7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E8F24
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E8F47
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E8F60
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E8F83
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000060), ref: 004E903D
__vbaObjSet.MSVBVM60(?,?), ref: 004E9053
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000064), ref: 004E906C
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 004E9087

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$ErrorFreeListSystem
String ID:
API String ID: 2156755004-0
Opcode ID: c1a2c309341df0e796f8200b61e9aaa41c037e478bcb8c7fa7c166990101a566
Instruction ID: 16f69df2d21a698a426fc821ba328ac90564830026baa822fa95da0de00bf891
Opcode Fuzzy Hash: c1a2c309341df0e796f8200b61e9aaa41c037e478bcb8c7fa7c166990101a566
Instruction Fuzzy Hash: 94915EB1A01608BFDB10EBA5C889EDFB7FCFF08704F10452AF545E7181D678A9058BA4

Function 0051012B Relevance: 27.2, APIs: 18, Instructions: 177COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16), ref: 00510147
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16), ref: 00510177

Part of subcall function 00511B3B: __vbaLenBstr.MSVBVM60(?), ref: 00511B92
Part of subcall function 00511B3B: #632.MSVBVM60(00000001,?,?,?,?), ref: 00511BD5
Part of subcall function 00511B3B: __vbaVarMove.MSVBVM60(00000001,?,?,?,?), ref: 00511BE3
Part of subcall function 00511B3B: __vbaFreeVar.MSVBVM60(00000001,?,?,?,?), ref: 00511BEB
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,00000001,?,?,?,?), ref: 00511C0A
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?,?,?,?), ref: 00511C2D
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?), ref: 00511C50
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001), ref: 00511C73
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008), ref: 00511C96

#632.MSVBVM60(?,00004008,00000000,00000002), ref: 005101C1
__vbaVarMove.MSVBVM60(?,00004008,00000000,00000002), ref: 005101CC
__vbaFreeVar.MSVBVM60(?,00004008,00000000,00000002), ref: 005101D4
__vbaVarTstEq.MSVBVM60(00008008,?,?,00004008,00000000,00000002), ref: 005101F6
__vbaVarTstEq.MSVBVM60(00008008,?,00008008,?,?,00004008,00000000,00000002), ref: 00510240
__vbaVarSetObj.MSVBVM60(000000FF,00000000,00000000,00000000,00008008,?,00008008,?,?,00004008,00000000,00000002), ref: 00510263
__vbaFreeVar.MSVBVM60(005103FB,00000000,00000000,00008008,?,00008008,?,00008008,?,?,00004008,00000000,00000002), ref: 005103F5

Part of subcall function 0050F251: __vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16), ref: 0050F26F
Part of subcall function 0050F251: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 0050F29F
Part of subcall function 0050F251: __vbaNew.MSVBVM60(0041F5BC,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 0050F2B0
Part of subcall function 0050F251: __vbaObjSet.MSVBVM60(?,00000000,0041F5BC,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 0050F2BA
Part of subcall function 0050F251: #632.MSVBVM60(?,00004008,00000000,00000002), ref: 0050F30D
Part of subcall function 0050F251: __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 0050F331
Part of subcall function 0050F251: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 0050F347
Part of subcall function 0050F251: __vbaStrCat.MSVBVM60(Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F370
Part of subcall function 0050F251: __vbaStrMove.MSVBVM60(Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F37A
Part of subcall function 0050F251: __vbaStrI4.MSVBVM60(00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F385
Part of subcall function 0050F251: __vbaStrMove.MSVBVM60(00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F38F
Part of subcall function 0050F251: __vbaStrCat.MSVBVM60(00000000,00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F395
Part of subcall function 0050F251: __vbaStrMove.MSVBVM60(00000000,00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F39F
Part of subcall function 0050F251: __vbaStrCat.MSVBVM60( : ,00000000,00000000,00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F3AA

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$#632$ChkstkError$BstrList
String ID:
API String ID: 242834920-0
Opcode ID: c36bad70940d98501cc0fc6b0f1b2be292a39c3c2eb4faf5e2410a4f3097b2fb
Instruction ID: 2550c397fac2b4322b401e905efb2081b6314d9406ae1a0abb7fe43cf52b9025
Opcode Fuzzy Hash: c36bad70940d98501cc0fc6b0f1b2be292a39c3c2eb4faf5e2410a4f3097b2fb
Instruction Fuzzy Hash: 0A71F9B180065DEBDF00DFD4CC88AEEBBB9BF04308F50492AE114AB191DBB99649DF54

Function 00532AE9 Relevance: 27.1, APIs: 18, Instructions: 146COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B05
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00404F16,000000FF), ref: 00532B32
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B40
__vbaStr2Vec.MSVBVM60(?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B5A
__vbaAryMove.MSVBVM60(?,?,?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B67
__vbaUbound.MSVBVM60(00000001,?,?,?,?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B7F
__vbaAryMove.MSVBVM60(000000FF,?,00000001,?,?,?,?,?,000000FF), ref: 00532BB1
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,00000001,?,?,?,?,?,000000FF), ref: 00532BE0
__vbaDerefAry1.MSVBVM60(?,00000000), ref: 00532C44
__vbaDerefAry1.MSVBVM60(?,-00000001,?,00000000), ref: 00532C65
#516.MSVBVM60(00420C34,?,-00000001,?,00000000,?,00000000,?,-00000001,?,00000000), ref: 00532CA0
__vbaUI1I4.MSVBVM60(?,-00000001,?,00000000), ref: 00532CB5
__vbaDerefAry1.MSVBVM60(?,00000000,?,-00000001,?,00000000), ref: 00532CC2
__vbaAryMove.MSVBVM60(000000FF,?), ref: 00532CE4
__vbaAryDestruct.MSVBVM60(00000000,?,00532D30,000000FF,?), ref: 00532D17
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,00532D30,000000FF,?), ref: 00532D22
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,00532D30,000000FF,?), ref: 00532D2A
__vbaErrorOverflow.MSVBVM60(00000001,?,?,?,?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532D44

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Ary1DerefMove$DestructError$#516ChkstkCopyFreeOverflowRedimStr2Ubound
String ID:
API String ID: 4001886128-0
Opcode ID: 4040559e005dea3fae8db6afe20516485b231a731fb1a5493dd019619aeb53c6
Instruction ID: cf0e8421833037900cf952881c21d71fb28d7b682b07e8218e1415ed8f24f6a3
Opcode Fuzzy Hash: 4040559e005dea3fae8db6afe20516485b231a731fb1a5493dd019619aeb53c6
Instruction Fuzzy Hash: 925129B1C01609EEDB04DFA5C946BDEBBB9FF44308F20446AF100BB291C7B99A449B24

Function 004F281F Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 004F283B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 004F2876
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041AA4C,000002C8), ref: 004F28B9
__vbaObjSet.MSVBVM60(?,?), ref: 004F28D8
__vbaForEachCollObj.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004F28EB
__vbaChkstk.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004F290E
__vbaLateMemSt.MSVBVM60(?,Enabled,0041A8C0,?,?,00000000,?,?), ref: 004F2924
__vbaFreeVar.MSVBVM60(?,Enabled,0041A8C0,?,?,00000000,?,?), ref: 004F292C
__vbaNextEachCollObj.MSVBVM60(0041A8C0,?,?,?,Enabled,0041A8C0,?,?,00000000,?,?), ref: 004F2945
__vbaChkstk.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004F297D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AA4C,00000390), ref: 004F29B4
__vbaFreeObjList.MSVBVM60(00000002,?,?,004F29ED), ref: 004F29DC
__vbaFreeObj.MSVBVM60(?,?,00404F16), ref: 004F29E7

Strings

Enabled, xrefs: 004F296C
Enabled, xrefs: 004F291C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$ChkstkFree$CheckCollEachHresult$ErrorLateListNext
String ID: Enabled$Enabled
API String ID: 4272747919-1837025117
Opcode ID: b547d69daf4cbbee1270fc6070fca8a0ac200de8861b92e87d487375b12b1de0
Instruction ID: 1432edc7b5fcac11c34539cf59136f1e24001303acb05ae90ba4820d74cfce18
Opcode Fuzzy Hash: b547d69daf4cbbee1270fc6070fca8a0ac200de8861b92e87d487375b12b1de0
Instruction Fuzzy Hash: 425109B1900608EFDB00EF91C945BDEBBB8EF08314F20442AF505BB291D7B95A45CF95

Function 004FF934 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__vbaLenBstrB.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF97C
#525.MSVBVM60(00080005,004FFDF7,?), ref: 004FF9C4
__vbaStrMove.MSVBVM60(00080005,004FFDF7,?), ref: 004FF9CE
__vbaStrCat.MSVBVM60(00000000,00080005,004FFDF7,?), ref: 004FF9D4
__vbaStrMove.MSVBVM60(00000000,00080005,004FFDF7,?), ref: 004FF9DE
__vbaStrCopy.MSVBVM60(00000000,00080005,004FFDF7,?), ref: 004FF9E7
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00080005,004FFDF7,?), ref: 004FF9F6
#644.MSVBVM60(004FFDF7,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FFA07
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FFA23
__vbaSetSystemError.MSVBVM60(?,00000000,?,?), ref: 004FFA34
__vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FFA7A
__vbaStrCopy.MSVBVM60 ref: 004FFAC2
__vbaHresultCheckObj.MSVBVM60(00000000,'@,0041BF08,0000003C), ref: 004FFADE
__vbaFreeStr.MSVBVM60(004FFAF1), ref: 004FFAEB

Strings

'@, xrefs: 004FFAAF, 004FFAB4, 004FFACD, 004FFADC

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#644CopyErrorFreeMove$#525BstrCheckHresultListOverflowSystem
String ID: '@
API String ID: 1882833851-1210607465
Opcode ID: d0e797eb8d374f114fb1e35545189be38c12dc3bf3783d57218864c06b786644
Instruction ID: fc941d61f71e188c0fd2a56b230efdca615af12e4205ef1e4361531fa495c2b6
Opcode Fuzzy Hash: d0e797eb8d374f114fb1e35545189be38c12dc3bf3783d57218864c06b786644
Instruction Fuzzy Hash: AB514F71900609AFCB10EFA5C946EAEBBB8FF44304F10446AF605B7691D778A905CF59

Function 004DEE94 Relevance: 25.7, APIs: 17, Instructions: 231COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 004DEEB0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 004DEF07
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004DEF38
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004DEF77
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004DEF8F
__vbaObjSet.MSVBVM60(?,00000000,?,?,00404F16), ref: 004DEFB1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BD0,00000040), ref: 004DEFE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,000001C0), ref: 004DF023
__vbaSetSystemError.MSVBVM60(?,?), ref: 004DF03D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 004DF04C
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00404F16), ref: 004DF064
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00404F16), ref: 004DF0A9
__vbaNew2.MSVBVM60(00419EE8,00539E00,000000FF,?,?,?,?,?,?,00404F16), ref: 004DF0C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041993C,00000198), ref: 004DF11C
__vbaObjSet.MSVBVM60(?,?), ref: 004DF141
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419ED8,00000010), ref: 004DF16A
__vbaFreeObj.MSVBVM60(00000000,?,00419ED8,00000010), ref: 004DF181

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$ErrorFree$ListSystem$ChkstkNew2
String ID:
API String ID: 2288399541-0
Opcode ID: b93a44d279f2910487dcbd2ee8e0e559b11360ceb449b91cc06b4d7845e1c4aa
Instruction ID: 17054cd9e9910e9470cb2f68469c4257c5cffd9a3f4ede1b2b45d1ef7be12c98
Opcode Fuzzy Hash: b93a44d279f2910487dcbd2ee8e0e559b11360ceb449b91cc06b4d7845e1c4aa
Instruction Fuzzy Hash: B4A1DF71D00218EFDB10EFA5C859BDDBBB9FF08304F10406AE505AB2A1D7B9A949DF94

Function 005129D0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512A29
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C1D8,000000A8), ref: 00512A4F
__vbaStrCmp.MSVBVM60(ID Number,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512A5C
__vbaFreeStr.MSVBVM60(ID Number,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512A6D
__vbaFreeObj.MSVBVM60(ID Number,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512A75
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512AA7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C1D8,000000A8), ref: 00512ACD
__vbaStrCmp.MSVBVM60(Last name,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512ADA
__vbaFreeStr.MSVBVM60(Last name,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512AEB
__vbaFreeObj.MSVBVM60(Last name,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512AF3
__vbaHresultCheckObj.MSVBVM60(00000000,004033D0,0041FB6C,000006F8), ref: 00512B1A
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00512B22

Strings

Last name, xrefs: 00512AD5
ID Number, xrefs: 00512A57

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult
String ID: ID Number$Last name
API String ID: 1630692628-1058132446
Opcode ID: 3cacf2fa0464895abf303b31547473ffc400cfe90b4ca8d2fd59f2b311014f55
Instruction ID: 7b55bd2d085c8c53b9e7bddb53a7286b8d9aa41a99b4a48f2979f6a5cbfb9c2d
Opcode Fuzzy Hash: 3cacf2fa0464895abf303b31547473ffc400cfe90b4ca8d2fd59f2b311014f55
Instruction Fuzzy Hash: CD41B171940606AFCB10EFA5C88AEFF7BB8EF54704F50443AF501A7181EB785985CBA5

Function 0050F083 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 0050F09F
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0050F0CF
__vbaStrCopy.MSVBVM60(000000FF), ref: 0050F0F3
__vbaOnError.MSVBVM60(000000FF,000000FF), ref: 0050F101

Part of subcall function 00511B3B: __vbaLenBstr.MSVBVM60(?), ref: 00511B92
Part of subcall function 00511B3B: #632.MSVBVM60(00000001,?,?,?,?), ref: 00511BD5
Part of subcall function 00511B3B: __vbaVarMove.MSVBVM60(00000001,?,?,?,?), ref: 00511BE3
Part of subcall function 00511B3B: __vbaFreeVar.MSVBVM60(00000001,?,?,?,?), ref: 00511BEB
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,00000001,?,?,?,?), ref: 00511C0A
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?,?,?,?), ref: 00511C2D
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001,?), ref: 00511C50
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008,?,00000001), ref: 00511C73
Part of subcall function 00511B3B: __vbaVarTstEq.MSVBVM60(?,?,?,?,00004008,?,?,?,00004008,?,00000001,00004008,00008008,00000002,?,00004008), ref: 00511C96

#632.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F14A
__vbaVarMove.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F155
__vbaFreeVar.MSVBVM60(?,00004008,00000001,00000002), ref: 0050F15D
__vbaVarTstEq.MSVBVM60(00008008,?,?,00004008,00000001,00000002), ref: 0050F17F
__vbaObjSet.MSVBVM60(?,00000000,?,00000001,00008008,?,?,00004008,00000001,00000002), ref: 0050F1A3
__vbaVarTstEq.MSVBVM60(00008008,?,00008008,?,?,00004008,00000001,00000002), ref: 0050F1C7
__vbaObjSet.MSVBVM60(?,00000000,?,00000001,00008008,?,00008008,?,?,00004008,00000001,00000002), ref: 0050F1EB
__vbaFreeVar.MSVBVM60(0050F23D,00008008,?,00008008,?,?,00004008,00000001,00000002), ref: 0050F237

Part of subcall function 0050F251: __vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16), ref: 0050F26F
Part of subcall function 0050F251: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 0050F29F
Part of subcall function 0050F251: __vbaNew.MSVBVM60(0041F5BC,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 0050F2B0
Part of subcall function 0050F251: __vbaObjSet.MSVBVM60(?,00000000,0041F5BC,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 0050F2BA
Part of subcall function 0050F251: #632.MSVBVM60(?,00004008,00000000,00000002), ref: 0050F30D
Part of subcall function 0050F251: __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 0050F331
Part of subcall function 0050F251: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,?,?,?,?,00004008,00000000,00000002), ref: 0050F347
Part of subcall function 0050F251: __vbaStrCat.MSVBVM60(Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F370
Part of subcall function 0050F251: __vbaStrMove.MSVBVM60(Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F37A
Part of subcall function 0050F251: __vbaStrI4.MSVBVM60(00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F385
Part of subcall function 0050F251: __vbaStrMove.MSVBVM60(00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F38F
Part of subcall function 0050F251: __vbaStrCat.MSVBVM60(00000000,00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F395
Part of subcall function 0050F251: __vbaStrMove.MSVBVM60(00000000,00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F39F
Part of subcall function 0050F251: __vbaStrCat.MSVBVM60( : ,00000000,00000000,00000000,00000000,Invalid Object at position ,?,00000000,00404F16,000000FF), ref: 0050F3AA

Strings

Invalid statum, xrefs: 0050F1F9

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$#632Error$Chkstk$BstrCopyList
String ID: Invalid statum
API String ID: 299449248-10909556
Opcode ID: 77b38b409848bee5fa6241e495f3a690010042f7d66f86e70c8c56909dbc1e6c
Instruction ID: 0b63d05025e82acc983c6522930dea8a73269479deaba33db2f980ef414c9ac5
Opcode Fuzzy Hash: 77b38b409848bee5fa6241e495f3a690010042f7d66f86e70c8c56909dbc1e6c
Instruction Fuzzy Hash: 3941F7B180064DEADB10EFD0C949BDEBFB8FF44308F60456AE100BB185D7BA9A498F54

Function 004E79EC Relevance: 24.2, APIs: 16, Instructions: 211COMMON

Download Yara Rule

APIs

__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E7A42
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041A5E0,00000114), ref: 004E7A65
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004E7A7C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004E7AA0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004E7AC9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7ADC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000070), ref: 004E7AFC
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041A5E0,00000084), ref: 004E7B35
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E7B44
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004E7B5E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004E7B82
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004E7BAB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E7BBE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000078), ref: 004E7BDE
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041A5E0,0000008C), ref: 004E7C13
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E7C22

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeListNew2
String ID:
API String ID: 3237696067-0
Opcode ID: 157393a5911417ff3f20e94be1edd28651c1974708cb3993d163ef261d451b57
Instruction ID: 0c5fa773313a3b80c752c6daa400ea0db822a64ade117797d6d4c0f3cebe7ce7
Opcode Fuzzy Hash: 157393a5911417ff3f20e94be1edd28651c1974708cb3993d163ef261d451b57
Instruction Fuzzy Hash: D361A0B1A40605ABCB10EFA1CC8AEAF77BCFF48705F50452EF141A7290D778A9458BA5

Function 00501087 Relevance: 24.1, APIs: 16, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 00511DA3: __vbaStrCat.MSVBVM60( FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511DEF
Part of subcall function 00511DA3: __vbaStrMove.MSVBVM60( FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511DF9
Part of subcall function 00511DA3: __vbaNew2.MSVBVM60(0041B2FC,00538028, FROM tblFee;,SELECT Max([tblFee].[FeeID])+1 AS NewID,00000000,004028C8), ref: 00511E14
Part of subcall function 00511DA3: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000054), ref: 00511E57
Part of subcall function 00511DA3: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B374,00000028,?,?,?), ref: 00511E94
Part of subcall function 00511DA3: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B384,00000034,?,?,?), ref: 00511EB7

#520.MSVBVM60(?,?), ref: 0050111B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0050112E
__vbaVarDup.MSVBVM60(?,00000000), ref: 00501152
__vbaLenVar.MSVBVM60(?,?,?,?,?,00000000), ref: 0050117D
__vbaVarSub.MSVBVM60(?,00000000,?,?,?,?,?,00000000), ref: 00501187
__vbaI4Var.MSVBVM60(00000000,?,00000000,?,?,?,?,?,00000000), ref: 0050118D
#606.MSVBVM60(00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00501193
__vbaStrMove.MSVBVM60(00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 0050119D
__vbaStrI4.MSVBVM60(?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 005011A6
__vbaStrMove.MSVBVM60(?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 005011B0
__vbaStrCat.MSVBVM60(00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 005011B6
__vbaStrMove.MSVBVM60(00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 005011C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 005011DF
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 005011F2
__vbaFreeObj.MSVBVM60(000000A4), ref: 005011FD
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0050120C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresultMove$Free$List$#520#606New2
String ID:
API String ID: 697078737-0
Opcode ID: fc5aedc75e68edf65dbbb00c3a5f4f39afb72013b40cc4dcbbe9ea6da0413223
Instruction ID: 266dbe43636505e3fd28ea869306849ae82b590b591e96ef130b3bdc6f234638
Opcode Fuzzy Hash: fc5aedc75e68edf65dbbb00c3a5f4f39afb72013b40cc4dcbbe9ea6da0413223
Instruction Fuzzy Hash: FE4108B1C00619ABCB10EFA5C885ADEFBBCEF54304F10416BE504F7191DB7856888FA5

Function 0052E908 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040FBFC,0053836C), ref: 0052E971
__vbaStrCopy.MSVBVM60 ref: 0052E987
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00420088,000006F8), ref: 0052E9D5
__vbaStrMove.MSVBVM60 ref: 0052E9E3
__vbaFreeStr.MSVBVM60 ref: 0052E9EB
__vbaFreeVar.MSVBVM60 ref: 0052E9F3
__vbaStrCmp.MSVBVM60(0041A0C4,?), ref: 0052EA00
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052EA17
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 0052EA3C
__vbaFreeObj.MSVBVM60 ref: 0052EA44
__vbaFreeStr.MSVBVM60(0052EA7F,0041A0C4,?), ref: 0052EA79

Strings

0000, xrefs: 0052E97C
E@, xrefs: 0052E931, 0052E941, 0052E98E, 0052EA0B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyMoveNew2
String ID: 0000$E@
API String ID: 116834155-3441033922
Opcode ID: 743d5a9e945211663d5668171856a3837a31b2bfd247176878698a3eee50d2b3
Instruction ID: 3808e24d76506036ba64970fe1cdee21fb045782627c8661306983721251191a
Opcode Fuzzy Hash: 743d5a9e945211663d5668171856a3837a31b2bfd247176878698a3eee50d2b3
Instruction Fuzzy Hash: 54413BB1D01219AFCB14EF95D885AEEBBB8BF58304F50412EF501B3281DB385A45CFA4

Function 004EDA93 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDADA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDAED
__vbaCastObj.MSVBVM60(?,00419B40,?,00000000), ref: 004EDB00
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,00000000), ref: 004EDB0A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F08,00000174), ref: 004EDB2D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004EDB3C
__vbaCastObj.MSVBVM60(?,00419B40,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDB4D
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40), ref: 004EDB57
__vbaHresultCheckObj.MSVBVM60(00000000,00080005,0041AA4C,0000024C), ref: 004EDB7A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDB82
__vbaHresultCheckObj.MSVBVM60(00000000,00401D88,0041AA4C,00000390), ref: 004EDBBC
__vbaFreeObj.MSVBVM60(004EDBE4), ref: 004EDBDE

Strings

Font, xrefs: 004EDB8C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Cast$AddrefList
String ID: Font
API String ID: 2668128685-1889970156
Opcode ID: ba33fd824db1ef4b7bf39d7677197daed569189c9c22884972040d44a9228ebb
Instruction ID: 9ac0e74a3e609a1dd3e25dad661824e9ad21679c56d3d4d769ea4699cbbb24d1
Opcode Fuzzy Hash: ba33fd824db1ef4b7bf39d7677197daed569189c9c22884972040d44a9228ebb
Instruction Fuzzy Hash: CC313CB1900619BFCB00EFA6C846E9FBBBCFF04704F10402AF505B7192D778A9158BA9

Function 00503B01 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16,?,?,?,?,?,?,004FE82C,?,?,?,00000000), ref: 00503B1D
__vbaOnError.MSVBVM60(000000FF,00000000,00000000,004026F0,?,00404F16), ref: 00503B4D
__vbaChkstk.MSVBVM60 ref: 00503B67
__vbaLateMemSt.MSVBVM60(00000000,SelStart), ref: 00503B7F
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000000,00000000,00000000,SelStart), ref: 00503B98
__vbaLenVar.MSVBVM60(?,00000000,00000000,004026F0,?,00404F16), ref: 00503BA5
__vbaChkstk.MSVBVM60(?,00000000,00000000,004026F0,?,00404F16), ref: 00503BAF
__vbaLateMemSt.MSVBVM60(00000000,SelLength,?,00000000,00000000,004026F0,?,00404F16), ref: 00503BC4
__vbaFreeVar.MSVBVM60(00000000,SelLength,?,00000000,00000000,004026F0,?,00404F16), ref: 00503BCC
__vbaLateMemCall.MSVBVM60(00000000,SetFocus,00000000,00000000,SelLength,?,00000000,00000000,004026F0,?,00404F16), ref: 00503BE4

Strings

SelLength, xrefs: 00503BBA
SetFocus, xrefs: 00503BDA
SelStart, xrefs: 00503B75

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Late$Chkstk$Call$ErrorFree
String ID: SelLength$SelStart$SetFocus
API String ID: 654568610-2253684149
Opcode ID: 5c0c12fc042af24b718a586842bb69d9b1d1daab73a1093dede20e83e8de09d9
Instruction ID: bacb2b6df49e79f3bf79fd05c959ac4a7c8695420b7c30882ae478c40899f0b2
Opcode Fuzzy Hash: 5c0c12fc042af24b718a586842bb69d9b1d1daab73a1093dede20e83e8de09d9
Instruction Fuzzy Hash: F1216AB1940708ABDB01EF95CC0AB8E7BB5BF45718F10442AF600BF2D1D7BA5A448B89

Function 00525BC1 Relevance: 22.7, APIs: 15, Instructions: 188COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00525BDD
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 00525C23
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BC14,000006F8), ref: 00525C5A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00525C8E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004209D0,000000E0), ref: 00525CC3
__vbaFreeObj.MSVBVM60 ref: 00525CE4
__vbaNew2.MSVBVM60(0040E658,005383E0), ref: 00525D0F
__vbaChkstk.MSVBVM60 ref: 00525D4B
__vbaChkstk.MSVBVM60 ref: 00525D5C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00420798,000002B0), ref: 00525D93
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00525DC0
__vbaNew2.MSVBVM60(0040E658,005383E0), ref: 00525DF0
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00525E0E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,0000000C), ref: 00525E37
__vbaFreeObj.MSVBVM60 ref: 00525E4E

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$ChkstkNew2$Free$AddrefError
String ID:
API String ID: 2309420964-0
Opcode ID: e0f18e72d0960329467380dd7dafd7258295d870e17ccc16c8427df848440dac
Instruction ID: 83baee1d9531e4dcda6de8268290c343b6ae0b4ec1bbfe4ad156b2359d97884e
Opcode Fuzzy Hash: e0f18e72d0960329467380dd7dafd7258295d870e17ccc16c8427df848440dac
Instruction Fuzzy Hash: 798120B1D00618EFCB10DFA5D849B9EBBB4BF09704F20846AF401BB2A1D7B95A44DF84

Function 0052F610 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0052F678
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052F697
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 0052F6A1
__vbaCastObjVar.MSVBVM60(00000000), ref: 0052F6AA
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 0052F6B4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A67C,00000024), ref: 0052F6E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A68C,00000034), ref: 0052F705
__vbaObjSet.MSVBVM60(?,?), ref: 0052F71A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00428794,0000015C), ref: 0052F739
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 0052F754
__vbaFreeVarList.MSVBVM60(00000002,?,00000002,00000005,?,?,?,?,?), ref: 0052F763

Strings

(F@, xrefs: 0052F639, 0052F649, 0052F654, 0052F68B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList$CallCastLate
String ID: (F@
API String ID: 478573419-434136921
Opcode ID: 7895d4c4faf188ec116c46c18d5f7fa986759c9da85f41a4f6429437b77ad373
Instruction ID: 5e2a7fda83f3950366277a8bc044bb85f114a9dafbea4a80b7a847f6dc7a3b3e
Opcode Fuzzy Hash: 7895d4c4faf188ec116c46c18d5f7fa986759c9da85f41a4f6429437b77ad373
Instruction Fuzzy Hash: B64108B2D01618ABCB10EFA5C889EDFBBFCEF58300F14412AF511B7281D67899058FA4

Function 00532D49 Relevance: 21.1, APIs: 14, Instructions: 120COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532D65
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532D95
__vbaUbound.MSVBVM60(00000001,00000000,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532DAF
__vbaLbound.MSVBVM60(00000001,00000000,00000001,00000000,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532DBD
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00000001,00000000,00000001,00000000,000000FF,?,?,?,00000000), ref: 00532E04
__vbaLbound.MSVBVM60(00000001,00000000,00000000,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532E21
__vbaDerefAry1.MSVBVM60(00000000,00000000), ref: 00532E83
__vbaDerefAry1.MSVBVM60(?,00000000,00000000,00000000), ref: 00532E9A
__vbaStrVarCopy.MSVBVM60(00002011), ref: 00532ECB
__vbaStrMove.MSVBVM60(00002011), ref: 00532ED5
__vbaStrCopy.MSVBVM60(00002011), ref: 00532EE7
__vbaAryDestruct.MSVBVM60(00000000,?,00532F10,00002011), ref: 00532F02
__vbaFreeStr.MSVBVM60(00000000,?,00532F10,00002011), ref: 00532F0A
__vbaErrorOverflow.MSVBVM60(00000001,00000000,00000001,00000000,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532F24

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Ary1CopyDerefErrorLbound$ChkstkDestructFreeMoveOverflowRedimUbound
String ID:
API String ID: 2953824555-0
Opcode ID: 7d2069c11ee4f8d2a2663586f8a33f72411b3f04b11b4a770a4f3305327d17d5
Instruction ID: c661ad0bb87c1a1a55bbe1edf2a1b1d5c75d9a78011176341afcca335a974a7b
Opcode Fuzzy Hash: 7d2069c11ee4f8d2a2663586f8a33f72411b3f04b11b4a770a4f3305327d17d5
Instruction Fuzzy Hash: B6410FB1900608EFDB10DFA8C946B9DBBB4FB45308F204069F500BB291D3BA9A449F54

Function 004E926A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,0014002E,0041A7CC,000002C8), ref: 004E92E2
__vbaObjSet.MSVBVM60(?,?), ref: 004E92F2
__vbaForEachCollObj.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004E9305
__vbaLateMemCallLd.MSVBVM60(?,?,Top,00000000,0041A8C0,?,?,00000000,?,?), ref: 004E932D
__vbaVarAdd.MSVBVM60(?,00000002,00000000,?), ref: 004E933E
__vbaLateMemSt.MSVBVM60(?,Top), ref: 004E9352
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,Top), ref: 004E9361
__vbaNextEachCollObj.MSVBVM60(0041A8C0,?,?,?,?,Top), ref: 004E9376
__vbaRaiseEvent.MSVBVM60(004019F0,00000002,00000000,0041A8C0,?,?,00000000,?,?), ref: 004E9386
__vbaFreeObjList.MSVBVM60(00000002,?,?,004E93D9), ref: 004E93C8
__vbaFreeObj.MSVBVM60(?,?,004E93D9), ref: 004E93D3

Strings

Top, xrefs: 004E930A, 004E931A, 004E934D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CollEachLateList$CallCheckEventHresultNextRaise
String ID: Top
API String ID: 12943471-647256362
Opcode ID: 5f6dfe2cac6b40df4d9102e51e7d7afdb3089e015a3b2c9ab92dbc1c9aedd6da
Instruction ID: 4c1a709dbc9d1bc8699bf61da1b2e600a99a556e1f0f56a2003b6c8a73301bc7
Opcode Fuzzy Hash: 5f6dfe2cac6b40df4d9102e51e7d7afdb3089e015a3b2c9ab92dbc1c9aedd6da
Instruction Fuzzy Hash: F741F8B2D00618ABDB11EFA5C845ADEBBBCEF08B10F10412BF510F7281D67599458FE5

Function 00509B02 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,?), ref: 00509B5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000068,?,?), ref: 00509B7E
__vbaNew2.MSVBVM60(0041B32C,?,?,?), ref: 00509B98
__vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 00509BBA
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000,?,?), ref: 00509BC4
__vbaCastObjVar.MSVBVM60(00000000,?), ref: 00509BCD
__vbaObjSet.MSVBVM60(?,00000000,00000000,?), ref: 00509BD7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0B0,00000044), ref: 00509BF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000024), ref: 00509C13
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00509C22
__vbaFreeVar.MSVBVM60 ref: 00509C2D

Strings

(.@, xrefs: 00509B2B, 00509B3B, 00509BAE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2$CallCastLateList
String ID: (.@
API String ID: 1306095422-3032778486
Opcode ID: 93d15c7b116576451455125018ddd5b62db6511a5d0028fce392461e80ccc31e
Instruction ID: a52c9bfd34a14ce5a557dcaec8f4ee28b8d1e5ebf9a939a23f9e7724ce0afb68
Opcode Fuzzy Hash: 93d15c7b116576451455125018ddd5b62db6511a5d0028fce392461e80ccc31e
Instruction Fuzzy Hash: 2E4169B1D40619ABDB10EBA5CC8AF9F7BBCFF08704F50452AF551A7182E73899448BA4

Function 004E90DE Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,0008000F,0041A7CC,000002C8), ref: 004E9156
__vbaObjSet.MSVBVM60(?,?), ref: 004E9166
__vbaForEachCollObj.MSVBVM60(0041A8C0,?,?,00000000,?,?), ref: 004E9179
__vbaLateMemCallLd.MSVBVM60(?,?,Top,00000000,0041A8C0,?,?,00000000,?,?), ref: 004E91A1
__vbaVarSub.MSVBVM60(?,00000002,00000000,?), ref: 004E91B2
__vbaLateMemSt.MSVBVM60(?,Top), ref: 004E91C6
__vbaFreeVar.MSVBVM60(?,Top), ref: 004E91CE
__vbaNextEachCollObj.MSVBVM60(0041A8C0,?,?,?,Top), ref: 004E91E0
__vbaRaiseEvent.MSVBVM60(004019E0,00000002,00000000,0041A8C0,?,?,00000000,?,?), ref: 004E91F0
__vbaFreeObjList.MSVBVM60(00000002,?,?,004E9243), ref: 004E9232
__vbaFreeObj.MSVBVM60(?,?,004E9243), ref: 004E923D

Strings

Top, xrefs: 004E917E, 004E918E, 004E91C1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CollEachLate$CallCheckEventHresultListNextRaise
String ID: Top
API String ID: 2886383837-647256362
Opcode ID: 1c653af1a92a298f6526153b3513a9d3d2960db1d6e2b4df3b11cbdac9173752
Instruction ID: 47b826b42405e4527d59b45577401134df723d5b1f817d8f8de79fe63650e5b4
Opcode Fuzzy Hash: 1c653af1a92a298f6526153b3513a9d3d2960db1d6e2b4df3b11cbdac9173752
Instruction Fuzzy Hash: 82410BB2D00618ABDB11EFE5C8459DEBBBCEF08B10F10452BF510B7281D6759A458FE5

Function 00525504 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00525597
__vbaVarDup.MSVBVM60 ref: 005255AC
#595.MSVBVM60(?,00000044,?,?,?), ref: 005255C3
__vbaVarMove.MSVBVM60(?,00000044,?,?,?), ref: 005255E1
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000044,?,?,?), ref: 005255F8
__vbaVarTstEq.MSVBVM60(?,?,?,?), ref: 00525616
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052562E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 0052564F
__vbaFreeObj.MSVBVM60 ref: 00525657
__vbaFreeVar.MSVBVM60(00525692,?,?,?,?), ref: 0052568C

Strings

S u r e, xrefs: 0052558A
Are You Sure You Want To Re-set Timer??? , xrefs: 005255A2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#595CheckHresultListMove
String ID: Are You Sure You Want To Re-set Timer??? $S u r e
API String ID: 1739323041-3067105297
Opcode ID: 7b7decd5dd3fc3be1e5ea7e3990f903c2d648cc7940924ac2c7c4bc9d09042da
Instruction ID: 3a75296664ebc83a3d74c4baf29085756d299ebca877e856320f6d0c328d528a
Opcode Fuzzy Hash: 7b7decd5dd3fc3be1e5ea7e3990f903c2d648cc7940924ac2c7c4bc9d09042da
Instruction Fuzzy Hash: 3441E6B1C00619ABDB10DF94C885ADEBFB8FF48704F60416AE109B7281EB785689CF95

Function 00501D06 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00408FEC,00538108), ref: 00501D5A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00501D7E
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 00501D88
__vbaCastObjVar.MSVBVM60(00000000), ref: 00501D91
__vbaObjSet.MSVBVM60(?,00000000,00000000), ref: 00501D9B
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 00501DAE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B07C,000006F8), ref: 00501DD6
__vbaFreeStr.MSVBVM60(00000000,00000000,0041B07C,000006F8), ref: 00501DEC
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00501DFB
__vbaFreeVar.MSVBVM60(00000000,0041B07C,000006F8), ref: 00501E06
__vbaFreeVar.MSVBVM60 ref: 00501E20

Strings

X)@, xrefs: 00501D5F, 00501D72, 00501E16

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CallCastCheckHresultLateListMoveNew2
String ID: X)@
API String ID: 1490114268-2943645793
Opcode ID: 134347f6e988a7af7e62b4b22bbba829ae29826c466b70daca2d314f064466dc
Instruction ID: 7ca2d0121727dc2786f62bc1ba367d3c466cf49533485928ed5f7b087f476717
Opcode Fuzzy Hash: 134347f6e988a7af7e62b4b22bbba829ae29826c466b70daca2d314f064466dc
Instruction Fuzzy Hash: FC3119B1D00619ABCB10EFA5CD85EEEBBBCBB18704F54052EF505B3181EA7869058BA5

Function 00505AB0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

#535.MSVBVM60(?,00000002,004026F0), ref: 00505AEF
__vbaVarMove.MSVBVM60(?,00000002,004026F0), ref: 00505B04
#535.MSVBVM60(?,00000002,004026F0), ref: 00505B09
__vbaVarVargNofree.MSVBVM60(?,00000002), ref: 00505B26
__vbaVarAdd.MSVBVM60(?,00000000,?,00000002), ref: 00505B30
__vbaVarTstLt.MSVBVM60(00000000,?,00000000,?,00000002), ref: 00505B36
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,00000002), ref: 00505B40
#598.MSVBVM60(00000000,?,00000000,?,00000002), ref: 00505B4A
__vbaFreeVar.MSVBVM60(00505B85,00000000,?,00000000,?,00000002), ref: 00505B6F
__vbaFreeVar.MSVBVM60(00505B85,00000000,?,00000000,?,00000002), ref: 00505B77
__vbaFreeVar.MSVBVM60(00505B85,00000000,?,00000000,?,00000002), ref: 00505B7F

Strings

{O8,@, xrefs: 00505B11

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#535$#598MoveNofreeVarg
String ID: {O8,@
API String ID: 617743800-3302571817
Opcode ID: f4f5a10ba9b1d5878fb3746ad6cc24e3d048750da01b50b50cf896a1691dd890
Instruction ID: 5183379db526e317c3e716dab2d3c473609a1dd2c8c05a2a63d5ff4fee7ae891
Opcode Fuzzy Hash: f4f5a10ba9b1d5878fb3746ad6cc24e3d048750da01b50b50cf896a1691dd890
Instruction Fuzzy Hash: 1721B7B1C1062AEACB10EFA6CD45AEEFBB8FF54708F50062FE50177191DBB829058E55

Function 004DF1D6 Relevance: 19.7, APIs: 13, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004DF23F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004DF260
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,000001C0), ref: 004DF289
__vbaSetSystemError.MSVBVM60(?,?), ref: 004DF29A
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 004DF2A9
__vbaSetSystemError.MSVBVM60(?), ref: 004DF2BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004DF2EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004DF308
__vbaFreeObj.MSVBVM60 ref: 004DF310
__vbaObjSet.MSVBVM60(?,00000000), ref: 004DF323
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004DF345
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004DF36B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004DF37A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$ErrorListSystem
String ID:
API String ID: 2065985295-0
Opcode ID: 8f09a72c2c722a44b01c0f1cde5f97cb106b9f10632c83b23c96d254cf64903c
Instruction ID: 651bed97c964de28eefe77fa92332b453ead0f9f929dadd747d18955e3f9cf3f
Opcode Fuzzy Hash: 8f09a72c2c722a44b01c0f1cde5f97cb106b9f10632c83b23c96d254cf64903c
Instruction Fuzzy Hash: F4515971911608BFDB10EBA5DC9AEDEB7BCFF08704F54042AF501E7181E638A9448BA9

Function 004F3CD8 Relevance: 19.7, APIs: 13, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F3D41
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004F3D62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,000001C0), ref: 004F3D8B
__vbaSetSystemError.MSVBVM60(?,?), ref: 004F3D9C
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 004F3DAB
__vbaSetSystemError.MSVBVM60(?), ref: 004F3DBC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F3DED
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004F3E0A
__vbaFreeObj.MSVBVM60 ref: 004F3E12
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F3E25
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004F3E47
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004F3E6D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F3E7C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$ErrorListSystem
String ID:
API String ID: 2065985295-0
Opcode ID: 99c2c3b236ee8e07c46ddf348e865e7bf132c9c836b9c7da63bd4a2ec9fb9ffb
Instruction ID: c5e21a6f062a1d07c3e585234bed426f4b3c9276e667c8ea22cfebe376f81ea9
Opcode Fuzzy Hash: 99c2c3b236ee8e07c46ddf348e865e7bf132c9c836b9c7da63bd4a2ec9fb9ffb
Instruction Fuzzy Hash: 66514D71911608BFDB00EFA5D889EEFB7BCFF08704F54042AF604E7181D678A9448BA9

Function 004FF6F4 Relevance: 19.6, APIs: 13, Instructions: 120COMMON

Download Yara Rule

APIs

__vbaLenBstrB.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF736
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF749
#525.MSVBVM60(00080003,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF76D
__vbaStrMove.MSVBVM60(00080003,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF777
__vbaStrCat.MSVBVM60(00000000,00080003,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF77D
__vbaStrMove.MSVBVM60(00000000,00080003,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF787
__vbaStrCopy.MSVBVM60(00000000,00080003,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF790
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00080003,004FFA49,?), ref: 004FF79F
#644.MSVBVM60(004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF7B9
#644.MSVBVM60(?,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF7C5
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,?,004FFA49,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FF7D2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#644CopyMove$#525BstrErrorFreeListSystem
String ID:
API String ID: 1519080875-0
Opcode ID: 9015b2d73cc62e9e7125b3f556798e3502e876108af0eff22b9a3762cd773a3f
Instruction ID: f2f4cef09646c46251f7f9d056d5cf72307b47fd69dd1b6b5d092c692109d579
Opcode Fuzzy Hash: 9015b2d73cc62e9e7125b3f556798e3502e876108af0eff22b9a3762cd773a3f
Instruction Fuzzy Hash: 2E416EB1900608AFC710EF6AC985A9FFBF8FF84704B50442FF242A7691D778A9058F54

Function 004F3656 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F36BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004F36DD
#681.MSVBVM60(?,?,?,?), ref: 004F3712
__vbaBoolVar.MSVBVM60(?,?,?,?,?), ref: 004F371D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004F373C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F374B
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000002,?,?), ref: 004F375E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004F3774
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004F3792
__vbaFreeObj.MSVBVM60 ref: 004F379A

Strings

P @, xrefs: 004F3682, 004F3692, 004F369D, 004F3768

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$List$#681Bool
String ID: P @
API String ID: 3399963138-1889899152
Opcode ID: b11748681ff88c59716cb6c6f3220b22754216cee164bd835ff7493e5d5c8e5a
Instruction ID: 9639987d8acbfb6cd0c873bf1003a644bb49efd0ca7c3077618647cf798f6f4a
Opcode Fuzzy Hash: b11748681ff88c59716cb6c6f3220b22754216cee164bd835ff7493e5d5c8e5a
Instruction Fuzzy Hash: 5A41F9B1D00609ABDB10EFA5C885EDFBBBCEF08704F50812AF655F7181D678A5058FA5

Function 00529527 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 005295BC
__vbaVarDup.MSVBVM60 ref: 005295D5
#595.MSVBVM60(?,00000044,?,?,?), ref: 005295EC
__vbaVarMove.MSVBVM60(?,00000044,?,?,?), ref: 0052960A
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000044,?,?,?), ref: 00529621
__vbaVarTstEq.MSVBVM60(00000008,?,?,?), ref: 0052963F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00529657
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 0052967A
__vbaFreeObj.MSVBVM60 ref: 00529682
__vbaFreeVar.MSVBVM60(005296BD,00000008,?,?,?), ref: 005296B7

Strings

C L R The Log ?, xrefs: 005295C7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#595CheckHresultListMove
String ID: C L R The Log ?
API String ID: 1739323041-3235191129
Opcode ID: 29b4de9b42760fd14489b6a8a8d31f1c03454b6f2b0c92a5c992986cf5a52ca0
Instruction ID: 258098cd035e364ce255fe50ca42390898a589185566af869cc202dd39918572
Opcode Fuzzy Hash: 29b4de9b42760fd14489b6a8a8d31f1c03454b6f2b0c92a5c992986cf5a52ca0
Instruction Fuzzy Hash: CC41C6B1C10219AFDB10DF94C885ADEBFB8FF48704F60416AE509B7281EB785689CF95

Function 00529064 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00529080
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 005290C6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 005290E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 0052911A
__vbaChkstk.MSVBVM60(?,achibat), ref: 00529142
__vbaObjSet.MSVBVM60(?,00000000), ref: 00529167
__vbaLateIdCall.MSVBVM60(00000000,?,00000000), ref: 0052916D
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00404F16), ref: 00529178
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00404F16), ref: 00529187
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 00529192

Strings

achibat, xrefs: 00529128

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$Chkstk$CallCheckErrorHresultLateList
String ID: achibat
API String ID: 213877310-2977730899
Opcode ID: 6e5daa8485bf1d1bd581d1cd78f0d8c8a7c9d6591ea01c426bcc7a1e8d81569a
Instruction ID: b8dc03ba1501ae8e44e1bd050cb5d49a2dae8bd0b0934eee7bee1410fa9d52f0
Opcode Fuzzy Hash: 6e5daa8485bf1d1bd581d1cd78f0d8c8a7c9d6591ea01c426bcc7a1e8d81569a
Instruction Fuzzy Hash: 95412BB1D00208AFCB00EF95D84ABCEBBB8FF08314F108566F505BB291D7B99A44CB94

Function 00505836 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60( - ,?,?,00000000,?), ref: 00505898
__vbaStrMove.MSVBVM60( - ,?,?,00000000,?), ref: 005058A2
__vbaStrCat.MSVBVM60(00404F16,00000000, - ,?,?,00000000,?), ref: 005058AD
__vbaStrMove.MSVBVM60(00404F16,00000000, - ,?,?,00000000,?), ref: 005058B7
__vbaStrCat.MSVBVM60( - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058BE
__vbaStrMove.MSVBVM60( - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058C8
__vbaStrCat.MSVBVM60(?,00000000, - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058D3
#595.MSVBVM60(?,00000000,?,?,?,?,00000000, - ,00000000,00404F16,00000000, - ,?,?,00000000,?), ref: 005058F3
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,?,?,?,00000000, - ,00000000,00404F16,00000000, - ), ref: 00505906
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?,00000003,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0050591D

Strings

- , xrefs: 0050587A, 0050587F, 005058BD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$FreeList$#595
String ID: -
API String ID: 2694707432-3695764949
Opcode ID: 847badf758f17e64b9878956a1e3fda24b5d1df5e70b985a1a097305f94ac66e
Instruction ID: abad1ea45b0ef5f2db66866fd90e0468fdfdec1ddc2aa8a2495173251f7bb865
Opcode Fuzzy Hash: 847badf758f17e64b9878956a1e3fda24b5d1df5e70b985a1a097305f94ac66e
Instruction Fuzzy Hash: D431A2B2D00218ABDB01DFA9D881ADEBBBDBF48300F14412BF105F7291DB7859098BA5

Function 00503893 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 005038E8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 0050390C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000098), ref: 00503935
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AE88,00000080), ref: 0050395E
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00503975
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 00503999
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000050), ref: 005039BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AE88,00000088), ref: 005039E2
_adj_fdiv_m32.MSVBVM60 ref: 00503A61
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041AE88,000002A4), ref: 00503A9E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00503AAD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$FreeList_adj_fdiv_m32
String ID:
API String ID: 3887160769-0
Opcode ID: 95a232c6dc891173123114ee0e7f330a518687f8a58e461da223087b234bd698
Instruction ID: 90dc33c98c524f74ffe9c7f1e502eaf52e212b65a61eaa9e8095716df6aa308b
Opcode Fuzzy Hash: 95a232c6dc891173123114ee0e7f330a518687f8a58e461da223087b234bd698
Instruction Fuzzy Hash: 22519DB1A41708AFCB10EFA5C88AA9E7BBCFF14305F54442AF544BB2D1C7B45909CBA5

Function 004FDDB7 Relevance: 18.1, APIs: 12, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004FDE16
__vbaLateIdCall.MSVBVM60(00000000,?,00000000), ref: 004FDE1C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FDE27
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FDE3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004FDE57
__vbaLateIdCallLd.MSVBVM60(?,00000000,?,00000000), ref: 004FDE61
__vbaStrVarMove.MSVBVM60(00000000), ref: 004FDE6A
__vbaStrMove.MSVBVM60(00000000), ref: 004FDE74
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 004FDE96
__vbaFreeStr.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 004FDE9E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004FDEAD
__vbaFreeVar.MSVBVM60(00000000,0041B688,000000A4), ref: 004FDEB8

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CallLateMove$CheckHresultList
String ID:
API String ID: 147075668-0
Opcode ID: fb1a12b37c25fb6cfbdb4520ba1db9495e5092d789a01408c4afa62be7086b28
Instruction ID: 841604d5185ff6f90929a7ea798894b50674b7efcd36e5ee3342b02e8abfac32
Opcode Fuzzy Hash: fb1a12b37c25fb6cfbdb4520ba1db9495e5092d789a01408c4afa62be7086b28
Instruction Fuzzy Hash: 9B311AB1D10618ABCB10EFA5CC4AEEFB7BCEF58704F10452AF541F7191DA789A018BA5

Function 00533014 Relevance: 18.1, APIs: 12, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16,000000FF,?,?,?,?,00404F16,000000FF), ref: 00533030
__vbaStrCopy.MSVBVM60(?,0000000A,?,?,00404F16,000000FF), ref: 0053305D
__vbaOnError.MSVBVM60(000000FF,?,0000000A,?,?,00404F16,000000FF), ref: 0053306B
__vbaLenBstr.MSVBVM60(00000000,000000FF,?,0000000A,?,?,00404F16,000000FF), ref: 0053307C
__vbaLenBstr.MSVBVM60(000000FF,00000000,000000FF,?,0000000A,?,?,00404F16,000000FF), ref: 0053308E
#619.MSVBVM60(?,00004008,?), ref: 005330B9
__vbaStrVarMove.MSVBVM60(?,?,00004008,?), ref: 005330C2
__vbaStrMove.MSVBVM60(?,?,00004008,?), ref: 005330CC
__vbaFreeVar.MSVBVM60(?,?,00004008,?), ref: 005330D4
__vbaStrComp.MSVBVM60(00000000,00000000,?,?,?,00004008,?), ref: 005330ED
__vbaFreeStr.MSVBVM60(0053311F,00000000,00000000,?,?,?,00004008,?), ref: 00533111
__vbaFreeStr.MSVBVM60(0053311F,00000000,00000000,?,?,?,00004008,?), ref: 00533119

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$BstrMove$#619ChkstkCompCopyError
String ID:
API String ID: 4278582043-0
Opcode ID: 543732f250c086dcdfda94e0e89bec00e4ba0735724610e980afc15db1cd3ca8
Instruction ID: 9343c74d11ef7e4fdb60a01d0e44005234542124562dea40c61eae3ad35958a3
Opcode Fuzzy Hash: 543732f250c086dcdfda94e0e89bec00e4ba0735724610e980afc15db1cd3ca8
Instruction Fuzzy Hash: 6531C7B1800219EACB10EFA5C945BDDBBB4FF44308F10816AE100BB1A1DB795A04DF54

Function 004E29DB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E2A2D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E2A4F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004E2A75
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E2A84
__vbaObjSet.MSVBVM60(?,00000000), ref: 004E2A9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E2ABC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004E2AE2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E2AF1
__vbaHresultCheckObj.MSVBVM60(00000000,00401638,0041993C,00000390,?,00000002,?,?), ref: 004E2B29

Strings

CloseButton, xrefs: 004E2AF9

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: CloseButton
API String ID: 2772417511-454400272
Opcode ID: 2a5d24e02c6d9ab8d596d7ac83dc7f091f8fcc2f0dffe0cdf9e7a44dcb5d81c2
Instruction ID: 8c37e5626e89340d7a1e603daa5136556332f629f70ce8bddd503b6e2f73399d
Opcode Fuzzy Hash: 2a5d24e02c6d9ab8d596d7ac83dc7f091f8fcc2f0dffe0cdf9e7a44dcb5d81c2
Instruction Fuzzy Hash: EA414071910615BBDB10EFA68C89F9F7BFCEF08744F00406AF544EB181D678A9058BA9

Function 005260E3 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 0052614E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000014), ref: 00526172
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B868,00000050), ref: 00526195
#689.MSVBVM60(?,altmeml,altmeml), ref: 005261BD
__vbaStrMove.MSVBVM60(?,altmeml,altmeml), ref: 005261C7
#595.MSVBVM60(?,00000000,?,?,?,?,altmeml,altmeml), ref: 00526206
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?,?,altmeml,altmeml), ref: 00526215
__vbaFreeObj.MSVBVM60(?,altmeml,altmeml), ref: 00526220
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?,?,altmeml,altmeml), ref: 00526237

Strings

altmeml, xrefs: 005261B1, 005261B6, 005261B8

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultList$#595#689MoveNew2
String ID: altmeml
API String ID: 1403749915-3503165325
Opcode ID: e2275ab7ea8ebdd29e7b8d0c06f50f0a48e99ce50419b27a4840d16a7418dde6
Instruction ID: 6e911c61ba902e5a8301d9b647b7212d07037116da2f81ed8bd8a77bb5e216ab
Opcode Fuzzy Hash: e2275ab7ea8ebdd29e7b8d0c06f50f0a48e99ce50419b27a4840d16a7418dde6
Instruction Fuzzy Hash: 3B4103B2D00629ABCB11DF99DC85AEEBBB8FF58300F10412AE505AB291D7785905CBA5

Function 004E60BC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E6107
__vbaI2I4.MSVBVM60(00000000,00000000), ref: 004E6113
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,000000A4), ref: 004E6132
__vbaFreeObj.MSVBVM60 ref: 004E613A
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E614D
__vbaI2I4.MSVBVM60(00000000,00000000), ref: 004E6159
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,000000A4), ref: 004E6178
__vbaFreeObj.MSVBVM60 ref: 004E6180
__vbaHresultCheckObj.MSVBVM60(00000000,004018C0,0041A424,00000390), ref: 004E61BA

Strings

BorderStyle2, xrefs: 004E618A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderStyle2
API String ID: 3976024557-1971406920
Opcode ID: e726d0fe7b65b29e4d9a7b7776f1fad855e54b91b4136978e76b79dad7c1d01a
Instruction ID: c0eb01a6ca6ae3e1da7705a86801e7c9552410c2125b537fa60aa6f6ed092894
Opcode Fuzzy Hash: e726d0fe7b65b29e4d9a7b7776f1fad855e54b91b4136978e76b79dad7c1d01a
Instruction Fuzzy Hash: 5A318170A00614BFDB01EF66C849FAFBBBCEF05744F00446AB545BB182D778A9148BA9

Function 004FC21E Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC265
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC278
__vbaCastObj.MSVBVM60(?,00419B40,?,00000000), ref: 004FC289
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,00000000), ref: 004FC293
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000174), ref: 004FC2B2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004FC2C1
__vbaHresultCheckObj.MSVBVM60(00000000,@%@,0041AF54,00000390,?,00000002,?,?), ref: 004FC2F9
__vbaFreeObj.MSVBVM60(004FC321,?,00000002,?,?), ref: 004FC31B

Strings

@%@, xrefs: 004FC24C, 004FC251, 004FC26C, 004FC2DF, 004FC2F7
Font, xrefs: 004FC2C9

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$AddrefCastList
String ID: @%@$Font
API String ID: 2876034872-3150049511
Opcode ID: 31216ee3a561d57106c03ad31c5b4553ce3db31139974bb55243dd814efc7673
Instruction ID: 40e1f55336c75f0138be8d052a85e5b11a994f02baa0ccfac5a4eb3f18a38ee8
Opcode Fuzzy Hash: 31216ee3a561d57106c03ad31c5b4553ce3db31139974bb55243dd814efc7673
Instruction Fuzzy Hash: 59210CB1900619BBDB01AFA5C985EEFBBBCEF08744F00412AF605F7191D77899058BA9

Function 004FD3AD Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FD3F4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FD407
__vbaCastObj.MSVBVM60(?,0041A69C,?,00000000), ref: 004FD418
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,00000000), ref: 004FD422
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000005C), ref: 004FD43B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004FD44A
__vbaHresultCheckObj.MSVBVM60(00000000,X&@,0041AF54,00000390,?,00000002,?,?), ref: 004FD482
__vbaFreeObj.MSVBVM60(004FD4AA,?,00000002,?,?), ref: 004FD4A4

Strings

X&@, xrefs: 004FD3DB, 004FD3E0, 004FD3FB, 004FD468, 004FD480
DisabledPicture, xrefs: 004FD452

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$AddrefCastList
String ID: DisabledPicture$X&@
API String ID: 2876034872-4237450126
Opcode ID: 17d1c12cbf492dd23916d6704063ddbf799a43700fdd0b8e0a2c423fafb910a0
Instruction ID: 9a5aa3659f1e86d3488dadcbc1bb74aab4a5f20e1ac49912ab1e506da3ea548c
Opcode Fuzzy Hash: 17d1c12cbf492dd23916d6704063ddbf799a43700fdd0b8e0a2c423fafb910a0
Instruction Fuzzy Hash: 95212FB1900619AFDB10EF95CC45EEF7BBCEF08744F00412AF605B7181D77895058BA9

Function 00531BEF Relevance: 16.6, APIs: 11, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00531C0B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00404F16), ref: 00531C38
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16), ref: 00531C46
__vbaStrCmp.MSVBVM60(0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C5A
__vbaStrCopy.MSVBVM60(0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C72
__vbaAryMove.MSVBVM60(?,?,?,0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531C93
__vbaStrMove.MSVBVM60(?,?,?,?,0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531CA6
__vbaErase.MSVBVM60(00000000,?,?,?,?,?,0041A0C4,?,000000FF,?,?,?,00000000,00404F16), ref: 00531CB1
__vbaAryDestruct.MSVBVM60(00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF,?,?,?,00000000), ref: 00531CCC
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF), ref: 00531CD7
__vbaFreeStr.MSVBVM60(00000000,?,00000000,000000FF,00531CE5,00000000,?,?,?,?,?,0041A0C4,?,000000FF), ref: 00531CDF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CopyDestructMove$ChkstkEraseErrorFree
String ID:
API String ID: 3663773035-0
Opcode ID: 7758111a89b74f8d0b7333c57c519a273f91e350ffea50c00d76f37fbde03334
Instruction ID: 266e87dfdc9aab1d64a5baa7cf5dc085cb1efd9e1f43891ddd4737daf3c467c1
Opcode Fuzzy Hash: 7758111a89b74f8d0b7333c57c519a273f91e350ffea50c00d76f37fbde03334
Instruction Fuzzy Hash: 3021FCB1841609EADB00FBE2C946BDEBB78FF44708F50416AF601B71D1DB795A048B65

Function 00531420 Relevance: 16.6, APIs: 11, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,00404F16,?,0052AD40,00000000,00000000,?dd=,?,00000000,?,00000000,00000000,?,00000001), ref: 0053143C
__vbaStrCopy.MSVBVM60(?,00000008,?,00000000,00404F16), ref: 00531469
__vbaOnError.MSVBVM60(000000FF,?,00000008,?,00000000,00404F16), ref: 00531477

Part of subcall function 00532AE9: __vbaChkstk.MSVBVM60(00000000,00404F16,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B05
Part of subcall function 00532AE9: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00404F16,000000FF), ref: 00532B32
Part of subcall function 00532AE9: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B40
Part of subcall function 00532AE9: __vbaStr2Vec.MSVBVM60(?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B5A
Part of subcall function 00532AE9: __vbaAryMove.MSVBVM60(?,?,?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B67
Part of subcall function 00532AE9: __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,000000FF,?,?,?,00000000,00404F16,000000FF), ref: 00532B7F
Part of subcall function 00532AE9: __vbaAryMove.MSVBVM60(000000FF,?,00000001,?,?,?,?,?,000000FF), ref: 00532BB1
Part of subcall function 00532AE9: __vbaAryDestruct.MSVBVM60(00000000,?,00532D30,000000FF,?), ref: 00532D17
Part of subcall function 00532AE9: __vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,00532D30,000000FF,?), ref: 00532D22
Part of subcall function 00532AE9: __vbaFreeStr.MSVBVM60(00000000,?,00000000,?,00532D30,000000FF,?), ref: 00532D2A

__vbaAryMove.MSVBVM60(?,?,00000008,000000FF,?,00000008,?,00000000,00404F16), ref: 00531496

Part of subcall function 00531523: __vbaChkstk.MSVBVM60(?,00404F16,000000FF,?,00000008,?,00000000,00404F16), ref: 0053153F
Part of subcall function 00531523: __vbaOnError.MSVBVM60(000000FF,?,00000008,?,?,00404F16,000000FF), ref: 0053156F
Part of subcall function 00531523: __vbaUbound.MSVBVM60(00000001,00000000,000000FF,?,00000008,?,?,00404F16,000000FF), ref: 00531582
Part of subcall function 00531523: __vbaLbound.MSVBVM60(00000001,00000000,00000001,00000000,000000FF,?,00000008,?,?,00404F16,000000FF), ref: 00531590
Part of subcall function 00531523: __vbaVarMove.MSVBVM60(00000000,-00000001), ref: 005315B7

__vbaStrVarMove.MSVBVM60(?,?,?,?,?,00000008,000000FF,?,00000008,?,00000000,00404F16), ref: 005314AC
__vbaStrMove.MSVBVM60(?,?,?,?,?,00000008,000000FF,?,00000008,?,00000000,00404F16), ref: 005314B6
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000008,000000FF,?,00000008,?,00000000,00404F16), ref: 005314BE
__vbaErase.MSVBVM60(00000000,?,?,?,?,?,?,00000008,000000FF,?,00000008,?,00000000,00404F16), ref: 005314C9
__vbaAryDestruct.MSVBVM60(00000000,?,0053150F,00000000,?,?,?,?,?,?,00000008,000000FF,?,00000008,?,00000000), ref: 005314F6
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,0053150F,00000000,?,?,?,?,?,?,00000008,000000FF,?,00000008), ref: 00531501
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0053150F,00000000,?,?,?,?,?,?,00000008,000000FF,?,00000008), ref: 00531509

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$Destruct$ChkstkErrorFree$CopyUbound$EraseLboundStr2
String ID:
API String ID: 3968015020-0
Opcode ID: 8d132966c915e1a60c4442feac8967c3e91f5bbc198eb3f8b2b2336826c5efbc
Instruction ID: 25a629b7d61a7201711291cb560dbd7e54869f06161795578ad0e4b04d9a6545
Opcode Fuzzy Hash: 8d132966c915e1a60c4442feac8967c3e91f5bbc198eb3f8b2b2336826c5efbc
Instruction Fuzzy Hash: 7321EDB2C00609AADB00EBE1D946FDEBBBCEF44708F50412AF601B71D1DB786A458F64

Function 0052421E Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00524286
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 005242AC
__vbaStrMove.MSVBVM60(?,achibat), ref: 005242C3
#595.MSVBVM60(?,00000000,?,?,?,?,achibat), ref: 00524303
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?,?,achibat), ref: 00524312
__vbaFreeObj.MSVBVM60 ref: 0052431D
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00524334

Strings

(>@, xrefs: 0052424A, 0052425A, 00524265
achibat, xrefs: 005242B1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$List$#595CheckHresultMove
String ID: (>@$achibat
API String ID: 640740250-2925284467
Opcode ID: f758d6a4005ceab20ab59d2dfe624dce1baad2e75c84cf127b98ad1a5de3ee06
Instruction ID: f785a642ff9f96059a5e147f14645ff792b3f0aa2e07929bb735c58317a65aad
Opcode Fuzzy Hash: f758d6a4005ceab20ab59d2dfe624dce1baad2e75c84cf127b98ad1a5de3ee06
Instruction Fuzzy Hash: B741D1B2D10229AFCB00DFD9D885AEEBBBCBF48700F14412BF505E7281E77856458BA5

Function 005170BD Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0051710D
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00517122
__vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 00517132
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,00000000), ref: 00517145
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,000000FF,000000FF,?,?,?,00000000), ref: 0051716D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,000000FF,000000FF,?,?,?,00000000), ref: 0051717C
__vbaFreeVar.MSVBVM60 ref: 00517187
__vbaHresultCheckObj.MSVBVM60(00000000,?,00420088,0000071C), ref: 005171A5

Strings

stud, xrefs: 0051711A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultListNew2
String ID: stud
API String ID: 541543178-329332752
Opcode ID: 0903a36daa5b0d357a68465311997bdde88ae3e32a8a7a46cc5067f43016b6c3
Instruction ID: 804d10750294c444ee9e473ac62e3fb50acce56bc0dbd75ff1f3418c26cd973f
Opcode Fuzzy Hash: 0903a36daa5b0d357a68465311997bdde88ae3e32a8a7a46cc5067f43016b6c3
Instruction Fuzzy Hash: BD3107B1850619BBDB11EF95C885DEFBBBCFF58310F10012AF501A2190D778AA45CBA4

Function 0051D631 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0051D681
__vbaStrCopy.MSVBVM60(?,00000000), ref: 0051D696
__vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 0051D6A6
__vbaNew2.MSVBVM60(0041B32C,?,?,?,?,00000000), ref: 0051D6B9
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,000000FF,000000FF,?,?,?,00000000), ref: 0051D6E1
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,000000FF,000000FF,?,?,?,00000000), ref: 0051D6F0
__vbaFreeVar.MSVBVM60 ref: 0051D6FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00420CB8,00000720), ref: 0051D719

Strings

stud, xrefs: 0051D68E

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultListNew2
String ID: stud
API String ID: 541543178-329332752
Opcode ID: 6f42d824d3eee2543a9a9cc0dff26fdb44b556aebd1377fd13a752f1a28643f2
Instruction ID: 7699ba75d7d232a499c578fb1bb83788d1e1668981f57661317a720c112b1c3e
Opcode Fuzzy Hash: 6f42d824d3eee2543a9a9cc0dff26fdb44b556aebd1377fd13a752f1a28643f2
Instruction Fuzzy Hash: 6231F6B1900219ABDB11EF95C886EEFBBBCFF54310F50062AF511B2191D778AA45CBA4

Function 004E02F5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E033C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E034F
__vbaCastObj.MSVBVM60(?,00419B40,?,00000000), ref: 004E0360
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,00000000), ref: 004E036A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000174), ref: 004E0389
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E0398
__vbaHresultCheckObj.MSVBVM60(00000000,004014F0,0041993C,00000390,?,00000002,?,?), ref: 004E03D0
__vbaFreeObj.MSVBVM60(004E03F8,?,00000002,?,?), ref: 004E03F2

Strings

Font, xrefs: 004E03A0

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$AddrefCastList
String ID: Font
API String ID: 2876034872-1889970156
Opcode ID: c737dfb89a79230ff9a4f26cd92c644a49c773e752a3ab81fb11310dd9ef66b6
Instruction ID: 663944e1e898b13cd4b48cfb749b04256b05b7ac48bdb1682c7f44cbccb75b07
Opcode Fuzzy Hash: c737dfb89a79230ff9a4f26cd92c644a49c773e752a3ab81fb11310dd9ef66b6
Instruction Fuzzy Hash: 82210AB1900619BBCB10AFA5C886EDFBBBCEF08744F00412AF505F7191D7B899458BA9

Function 004F76D1 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7718
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F772B
__vbaCastObj.MSVBVM60(?,0041A69C,?,00000000), ref: 004F773C
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,00000000), ref: 004F7746
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,0000005C), ref: 004F775F
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F776E
__vbaHresultCheckObj.MSVBVM60(00000000,004022D8,0041AD28,00000390,?,00000002,?,?), ref: 004F77A6
__vbaFreeObj.MSVBVM60(004F77CE,?,00000002,?,?), ref: 004F77C8

Strings

Icon, xrefs: 004F7776

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$AddrefCastList
String ID: Icon
API String ID: 2876034872-3316025061
Opcode ID: c2ef4932faf503de76bb4cff5413592a57a434c5a8ebb69426bb1c88ed4227a5
Instruction ID: eedd62ef5495f20f4600a5bb74096ffa45e4948a8a770f932742bc166df37aab
Opcode Fuzzy Hash: c2ef4932faf503de76bb4cff5413592a57a434c5a8ebb69426bb1c88ed4227a5
Instruction Fuzzy Hash: 432119B1910619ABDB11EFA5CC86EAFBBBCEF08704F10412AF605B7181D77895058BA9

Function 004FC019 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC05C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC06F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 004FC08E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC096
__vbaHresultCheckObj.MSVBVM60(00000000, %@,0041AF84,00000844), ref: 004FC0B4
__vbaHresultCheckObj.MSVBVM60(00000000, %@,0041AF54,00000390), ref: 004FC0EE
__vbaFreeStr.MSVBVM60(004FC10C), ref: 004FC106

Strings

Caption, xrefs: 004FC0BE
%@, xrefs: 004FC047, 004FC04C, 004FC063, 004FC09D, 004FC0B2, 004FC0D4, 004FC0EC

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Copy
String ID: %@$Caption
API String ID: 3532489395-1131165315
Opcode ID: 449a65722f9c0297ee7c83bb5a4ce4694b1cfdd2a8d901ba7cc0ea18f412c10f
Instruction ID: 60063e49739dc9e2cebeb3497667fd476efb82fcc52b696810c3698f309cb84c
Opcode Fuzzy Hash: 449a65722f9c0297ee7c83bb5a4ce4694b1cfdd2a8d901ba7cc0ea18f412c10f
Instruction Fuzzy Hash: 8F216270940609AFCB00EFA5C989EAFBBBCFF54704F10406AF505BB181CA7899458F99

Function 005180DC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 005180F8
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 0051813E
__vbaStrCat.MSVBVM60(\st.htm,?,000000FF,?,?,?,?,00404F16), ref: 00518155
#529.MSVBVM60(00000008,\st.htm), ref: 00518168
__vbaFreeVar.MSVBVM60(00000008,\st.htm), ref: 00518170
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051818F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BF0,0000005C), ref: 005181BC
__vbaFreeObj.MSVBVM60(00000000,?,00419BF0,0000005C), ref: 005181CD

Strings

\st.htm, xrefs: 00518150

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#529CheckChkstkErrorHresult
String ID: \st.htm
API String ID: 1270696441-2256832095
Opcode ID: 99044dac42a0fb221edbe109c28c39fb1ad50a2e713cf2fd1ed4cb5975bce5a2
Instruction ID: 63492f1e93a33221b693c49ac587fcbbee0ce5b16fabecf14fe2e73f5c352cfc
Opcode Fuzzy Hash: 99044dac42a0fb221edbe109c28c39fb1ad50a2e713cf2fd1ed4cb5975bce5a2
Instruction Fuzzy Hash: B83102B1900608BFDB00EFA5C94ABDEBBB4FF04344F10856AF510AB2A1C7799A44CF94

Function 004DECF9 Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004DED5E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004DED80
#681.MSVBVM60(?,?,?,?), ref: 004DEDB5
__vbaBoolVar.MSVBVM60(?,?,?,?,?), ref: 004DEDC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004DEDDF
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004DEDEE
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000002,?,?), ref: 004DEE01
__vbaObjSet.MSVBVM60(?,00000000), ref: 004DEE17
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004DEE35
__vbaFreeObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004DEE3D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$List$#681Bool
String ID:
API String ID: 3399963138-0
Opcode ID: 5faf0cde00b77f07adf75ddb21b5aa7a0e1cf70f8eded22565058045f6d311b5
Instruction ID: 6e3c8091b4a12924bf0c06ae4024f6d64e1a123510f6b54eb9c07ce3b656375f
Opcode Fuzzy Hash: 5faf0cde00b77f07adf75ddb21b5aa7a0e1cf70f8eded22565058045f6d311b5
Instruction Fuzzy Hash: DA41F7B1D00609ABDB10EFA6C885EDFBBBCAF08704F50812AF555E7181DA78A5058FA5

Function 0051DCF8 Relevance: 15.1, APIs: 10, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DD3F
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DD78
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DD8B
#598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DD98
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DDA5
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DDB8
__vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0051DDFA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051DE61
__vbaLateIdCall.MSVBVM60(00000000,?,00000000), ref: 0051DE67
__vbaFreeObj.MSVBVM60 ref: 0051DE72

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Error$System$#598CallFreeLateOverflow
String ID:
API String ID: 2838300404-0
Opcode ID: 2fba2cca4752ffda36cc90bff4b3de9691157af3726b108dff32a60b2fea38a4
Instruction ID: b34f9b91237cfb5f22c526cd1984e4cb175537de02b77ec2ff7db4ae2bc95760
Opcode Fuzzy Hash: 2fba2cca4752ffda36cc90bff4b3de9691157af3726b108dff32a60b2fea38a4
Instruction Fuzzy Hash: 74418E71900A08EFCB10EFA9C549ADEBFB8FF45704F10846AF485AB291D7789940CF95

Function 0040D1CC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004046B8), ref: 00530371
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000108,?,00000000,004046B8), ref: 00530398
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004046B8), ref: 005303B2
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004046B8), ref: 005303C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000108,?,00000000,004046B8), ref: 005303E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000074,?,?,00000000,004046B8), ref: 0053040F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,00000000,004046B8), ref: 00530422

Strings

o, xrefs: 0040D1CC

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: o
API String ID: 2772417511-252678980
Opcode ID: 28bfdd6afb2396a008f706ba7dcf884cd65f2536a8f67014c3955751f3c4aca0
Instruction ID: 4c0f3a580f9044b44cf6b4dcbbdfcc409fb4c0bbf56e30468c82e6392b91a4f2
Opcode Fuzzy Hash: 28bfdd6afb2396a008f706ba7dcf884cd65f2536a8f67014c3955751f3c4aca0
Instruction Fuzzy Hash: 49317AB1901209ABCB00EBA5C849EEFBBFCFF48300F10456AF581E7181D7789A418BA1

Function 005262FE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00526366
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0), ref: 0052638C
__vbaStrMove.MSVBVM60(?,achibat), ref: 005263A3
#595.MSVBVM60(?,00000000,?,?,?,?,achibat), ref: 005263E3
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,?,?,?,achibat), ref: 005263F2
__vbaFreeObj.MSVBVM60 ref: 005263FD
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00526414

Strings

achibat, xrefs: 00526391

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$List$#595CheckHresultMove
String ID: achibat
API String ID: 640740250-2977730899
Opcode ID: e7d9878a0f557cdcd6e2f462afe7206d0279a13c7cb812ba8a75f58e895bb29d
Instruction ID: dd0714b5c9ca45b3cf30c58146f33a6eefc3c8559eb02e7662a2197a324aa5f6
Opcode Fuzzy Hash: e7d9878a0f557cdcd6e2f462afe7206d0279a13c7cb812ba8a75f58e895bb29d
Instruction Fuzzy Hash: 0A41B4B2D10229AFCB10DFD9D885AEEBBBCBF48700F14412BF505E7281D77856458BA5

Function 005031FD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,00000000,?), ref: 00503260
__vbaCastObj.MSVBVM60(00000000,0041B31C,00000001,?,00000000,?), ref: 0050326B
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,00000001,?,00000000,?), ref: 00503275
__vbaNew.MSVBVM60(0041B32C,?,00000000,00000000,0041B31C,00000001,?,00000000,?), ref: 0050327F
__vbaObjSet.MSVBVM60(?,00000000,0041B32C,?,00000000,00000000,0041B31C,00000001,?,00000000,?), ref: 00503286
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,000000A0), ref: 005032F6
__vbaExitProc.MSVBVM60(00000000,?,0041B364,000000A0), ref: 005034C3

Strings

(*@, xrefs: 005032A2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckErrorExitHresultProc
String ID: (*@
API String ID: 4028400281-3500688370
Opcode ID: b20e5fab4a899ab548205f7af3b3279dd9eb6acdb011a325929248837d409870
Instruction ID: b2876e047fc38ae72f53acfb35c35947525d17a9d40da9ce4340c875bca0f88e
Opcode Fuzzy Hash: b20e5fab4a899ab548205f7af3b3279dd9eb6acdb011a325929248837d409870
Instruction Fuzzy Hash: C3310AB0D10728AEDB10EF69C846B8EBBB8BB09B14F50415AF954B7281C7B45A008FA5

Function 004E565F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E56AA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004E56C9
__vbaFreeObj.MSVBVM60 ref: 004E56D1
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E56E4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004E5703
__vbaFreeObj.MSVBVM60 ref: 004E570B
__vbaHresultCheckObj.MSVBVM60(00000000,00401860,0041A424,00000390), ref: 004E5745

Strings

BorderColor2, xrefs: 004E5715

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor2
API String ID: 3976024557-23425314
Opcode ID: 7b53e0878c19d32b371cb1540cf85d4cc6283fd5e0b4beb0a305e2d000cbced2
Instruction ID: 65908fa4edd8b423fdf9ecd0f128bfc78a35c6b61ebbd24ca9c1e1834e6974cf
Opcode Fuzzy Hash: 7b53e0878c19d32b371cb1540cf85d4cc6283fd5e0b4beb0a305e2d000cbced2
Instruction Fuzzy Hash: A4218C70900A04BFCB10AFA6CC89F9F7BBCEF05749F00406AF545BB182D77899548BA9

Function 004E4CC9 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(0041A4CC,b8Line), ref: 004E4D3D
__vbaStrMove.MSVBVM60(0041A4CC,b8Line), ref: 004E4D47
__vbaStrCat.MSVBVM60(Code By: Vincent J. Jamero,00000000,0041A4CC,b8Line), ref: 004E4D52
#595.MSVBVM60(?,00000000,?,?,?,Code By: Vincent J. Jamero,00000000,0041A4CC,b8Line), ref: 004E4D72
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,Code By: Vincent J. Jamero,00000000,0041A4CC,b8Line), ref: 004E4D7A
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?,?,00000000,?,?,?,Code By: Vincent J. Jamero,00000000,0041A4CC,b8Line), ref: 004E4D91

Strings

b8Line, xrefs: 004E4D12
Code By: Vincent J. Jamero, xrefs: 004E4D4D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$#595ListMove
String ID: Code By: Vincent J. Jamero$b8Line
API String ID: 2404876520-335334380
Opcode ID: 20acef7abc096f5f51f30e6ab3a75912146cf52bb3ff90b0b9017fd3741ba2e4
Instruction ID: 29e69aec96883e7c48878f12ac1383f65fde74974c72156a768298c16fe3a078
Opcode Fuzzy Hash: 20acef7abc096f5f51f30e6ab3a75912146cf52bb3ff90b0b9017fd3741ba2e4
Instruction Fuzzy Hash: BB21E6B2D00259ABCB00EFD5C885ADEBFB8EF48710F20412BF505F7281D77856858BA9

Function 004F5CB8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5CFB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5D0E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000AC), ref: 004F5D33
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5D3B
__vbaHresultCheckObj.MSVBVM60(00000000, "@,0041AD28,00000390), ref: 004F5D75
__vbaFreeStr.MSVBVM60(004F5D93), ref: 004F5D8D

Strings

"@, xrefs: 004F5CE6, 004F5CEB, 004F5D02, 004F5D5B, 004F5D73
FontName, xrefs: 004F5D45

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Copy
String ID: "@$FontName
API String ID: 2714663509-2403741417
Opcode ID: a6ede558dda686c7b340b2b986d1d9b6d18143fa5cd88ee97450e322fa9d19ce
Instruction ID: 1575959dd4f02404576a1bd363a3b9165388085bf5e72c229e485096e98861d2
Opcode Fuzzy Hash: a6ede558dda686c7b340b2b986d1d9b6d18143fa5cd88ee97450e322fa9d19ce
Instruction Fuzzy Hash: B2215370901609AFCB00EFA5C889EAFBBBCFF55705F10806AF601B7191C77855058F95

Function 004EB485 Relevance: 13.6, APIs: 9, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004EB4FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,000001C0), ref: 004EB522
__vbaSetSystemError.MSVBVM60(?,?), ref: 004EB533
__vbaFreeObj.MSVBVM60(?,?), ref: 004EB53B
__vbaSetSystemError.MSVBVM60(?,?,?), ref: 004EB549
__vbaFreeVar.MSVBVM60 ref: 004EB58D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004EB5A2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BF0,0000005C), ref: 004EB5BF
__vbaFreeObj.MSVBVM60 ref: 004EB5C7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckErrorHresultSystem
String ID:
API String ID: 683468449-0
Opcode ID: ba0c110d7bac6d139fb8347b656ec895d7d85fae0f9ed508924bdda9dee841c1
Instruction ID: 5225e4a2ca475427d3f38dccea57e4b42f5bb6e34d06685dba1eeb70ac667b03
Opcode Fuzzy Hash: ba0c110d7bac6d139fb8347b656ec895d7d85fae0f9ed508924bdda9dee841c1
Instruction Fuzzy Hash: B1413971910649BFDB11EFA6C885DEFB7B8FF08308F50446AF141E7191D738A9418BAA

Function 00515202 Relevance: 13.6, APIs: 9, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 00515258
__vbaNew2.MSVBVM60(00409BDC,00538348,?,00000000), ref: 00515271
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041FE00,00000080), ref: 0051529B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000084), ref: 005152C2
__vbaFreeObj.MSVBVM60 ref: 005152CA
__vbaHresultCheckObj.MSVBVM60(00000000,004034F0,0041FE00,00000080), ref: 005152EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0051531F
__vbaLateIdSt.MSVBVM60(00000000,?,00000000), ref: 00515325
__vbaFreeObj.MSVBVM60(00000000,?,00000000), ref: 0051532D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$LateNew2
String ID:
API String ID: 2256232-0
Opcode ID: 56042167ad25375cb09df835e523a711cca9978c7dab0e93015aac6bf47aee5f
Instruction ID: 79f43642e51ac05945191433159bdfb1e1587d7656107d43a835d5e93c6d35df
Opcode Fuzzy Hash: 56042167ad25375cb09df835e523a711cca9978c7dab0e93015aac6bf47aee5f
Instruction Fuzzy Hash: 57318D71900606ABDB14AFA5CC8AFAF7BBCFF04744F10446AF540B7291DB78A9448BA5

Function 00528EE2 Relevance: 13.6, APIs: 9, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16), ref: 00528EFE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,00404F16), ref: 00528F44
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 00528F63
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00404F16), ref: 00528F7E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,000000A0), ref: 00528FB3
__vbaLenBstr.MSVBVM60(?), ref: 00528FC4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B688,00000114), ref: 00528FF3
__vbaFreeStr.MSVBVM60 ref: 00529004
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00529013

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$BstrChkstkErrorList
String ID:
API String ID: 2637506154-0
Opcode ID: af9ab749dbcadcf33879631fa40fc812dce7a8c42ed9b29564b3a0c9fe7d2ec1
Instruction ID: 8021e930bd867dedb28fcf569b64e63c52355f5e87cdc1102d4f9d75e0610a5f
Opcode Fuzzy Hash: af9ab749dbcadcf33879631fa40fc812dce7a8c42ed9b29564b3a0c9fe7d2ec1
Instruction Fuzzy Hash: DD4102B1900208AFCB01EF94D94AFDDBBB8FF08314F10406AF505BB2A1DB799A448F94

Function 0050016C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

#616.MSVBVM60(?,?), ref: 005001DC
__vbaStrMove.MSVBVM60(?,?), ref: 005001E6
__vbaStrCopy.MSVBVM60(?,?), ref: 005001EF
__vbaFreeStr.MSVBVM60(?,?), ref: 005001F7
__vbaErrorOverflow.MSVBVM60 ref: 0050022D
__vbaErrorOverflow.MSVBVM60 ref: 00500276

Strings

8(@, xrefs: 0050019C, 005002A3, 005002C8, 005001A1, 0050024F, 00500297, 005002B3, 005002CD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$ErrorOverflow$#616CopyFreeMove
String ID: 8(@
API String ID: 2964097675-4273504768
Opcode ID: 85a1f8bc6ff117eca7a1a58d9ad1c2e69891c6255b96d4034c0770057d151247
Instruction ID: 33650417d5fa2c1dcce37b0fdad0a19aebbdf9e6ece52e0dc84533e98f4bcecf
Opcode Fuzzy Hash: 85a1f8bc6ff117eca7a1a58d9ad1c2e69891c6255b96d4034c0770057d151247
Instruction Fuzzy Hash: 67419D7AA00606ABC714DF69C949BAEBBF5FB84750F10852EF846A77C0D774A9018B50

Function 004E882D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E887F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E88A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094), ref: 004E88C7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E88D6
__vbaHresultCheckObj.MSVBVM60(00000000,00401978,0041A5E0,00000390,?,00000002,?,?), ref: 004E890E
__vbaHresultCheckObj.MSVBVM60(00000000,00401978,0041A610,000007A4,?,00000002,?,?), ref: 004E892C

Strings

PreviousEnable, xrefs: 004E88DE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: PreviousEnable
API String ID: 2772417511-1487446039
Opcode ID: 9b914083e57bda16f0053059ae670ad9476402940f91588042607fcc71dfc105
Instruction ID: b4478bfd57cf5a53f2f0be9256225c7d1839c5f71ca2df315710e44a422f71fc
Opcode Fuzzy Hash: 9b914083e57bda16f0053059ae670ad9476402940f91588042607fcc71dfc105
Instruction Fuzzy Hash: A33143B0A00614BFDB10DFA6C889F9F7BFCEF05744F40406AF544EB191D67899058BA9

Function 004E89D4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E8A26
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E8A48
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094), ref: 004E8A6E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E8A7D
__vbaHresultCheckObj.MSVBVM60(00000000,00401990,0041A5E0,00000390,?,00000002,?,?), ref: 004E8AB5
__vbaHresultCheckObj.MSVBVM60(00000000,00401990,0041A610,000007A4,?,00000002,?,?), ref: 004E8AD3

Strings

NextEnable, xrefs: 004E8A85

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: NextEnable
API String ID: 2772417511-1464961332
Opcode ID: 51c667c603f26e100f2f94ca724092a430758b73ed13bd21477497a8f50493c9
Instruction ID: 08fd3f7ff65d3c410c17624dc2cc41c4de042f9579382a9f58a4c2de6b6df35e
Opcode Fuzzy Hash: 51c667c603f26e100f2f94ca724092a430758b73ed13bd21477497a8f50493c9
Instruction Fuzzy Hash: 5C315271A01614BFDB00DFA68849F9F7BECEF05744F00406BF548FB181D678A9058BA9

Function 004E8B7B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E8BCD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E8BEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094), ref: 004E8C15
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E8C24
__vbaHresultCheckObj.MSVBVM60(00000000,004019A8,0041A5E0,00000390,?,00000002,?,?), ref: 004E8C5C
__vbaHresultCheckObj.MSVBVM60(00000000,004019A8,0041A610,000007A4,?,00000002,?,?), ref: 004E8C7A

Strings

LastEnable, xrefs: 004E8C2C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: LastEnable
API String ID: 2772417511-1394742355
Opcode ID: e4d5cc0533cb2961d6ea9a4c64f05fb0049e9faeee9e34f7835fbb996018c8ef
Instruction ID: 6485d6bf0670c68a498c573e8862b596bd1f3ffd56894fb504a37a1b1d7abc3c
Opcode Fuzzy Hash: e4d5cc0533cb2961d6ea9a4c64f05fb0049e9faeee9e34f7835fbb996018c8ef
Instruction Fuzzy Hash: 81317470A01614BFDB00DFA58889F9F77FCEF09744F10406AF548EB181D678A9058BA9

Function 004E8686 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004E86D8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004E86FA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,00000094), ref: 004E8720
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004E872F
__vbaHresultCheckObj.MSVBVM60(00000000,00401960,0041A5E0,00000390,?,00000002,?,?), ref: 004E8767
__vbaHresultCheckObj.MSVBVM60(00000000,00401960,0041A610,000007A4,?,00000002,?,?), ref: 004E8785

Strings

FirstEnable, xrefs: 004E8737

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: FirstEnable
API String ID: 2772417511-3656099909
Opcode ID: 6b35cab6eed0bff739b8b9005d918579dac6c587822d011a67666f7652ed6211
Instruction ID: 9935b3addb8d137da7566d6aadc380457531455889fe30d3a15d9366b2482514
Opcode Fuzzy Hash: 6b35cab6eed0bff739b8b9005d918579dac6c587822d011a67666f7652ed6211
Instruction Fuzzy Hash: CE314171A10614ABDB00DFA68C89F9F7BECEF09744F10406AF544EB181D778A9058BA9

Function 00506E52 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,@-@), ref: 00506EB9
__vbaHresultCheckObj.MSVBVM60(00000000,@-@,0041B364,00000068), ref: 00506EDC
__vbaVarDup.MSVBVM60 ref: 00506F17
#595.MSVBVM60(?,00000030,?,?,?), ref: 00506F2E
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000030,?,?,?), ref: 00506F45

Strings

@-@, xrefs: 00506E7E, 00506E8E, 00506EB3, 00506EC9, 00506EDA
No payment in the list. Please check it!, xrefs: 00506F09

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#595CheckFreeHresultListNew2
String ID: @-@$No payment in the list. Please check it!
API String ID: 3527698175-164193244
Opcode ID: f3c2a185357085c5a43d4671a15fe941f7b3cd79f589d52484eea04cbdef7002
Instruction ID: 5ed4c09ef3c7bf2de6e8a4f9d41e308a516061b6a7bd1b3c88e6678aacd40208
Opcode Fuzzy Hash: f3c2a185357085c5a43d4671a15fe941f7b3cd79f589d52484eea04cbdef7002
Instruction Fuzzy Hash: 553117B1D01608AFCB10DF99CA45ADEBBF8EF58300F20806BE549B7290D7785A48CF95

Function 005274B3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00408674,005384B4), ref: 005274FF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00422CA8,000002B0), ref: 00527551
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00527569
__vbaObjSetAddref.MSVBVM60(?,@@), ref: 0052757D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 00527596
__vbaFreeObj.MSVBVM60 ref: 0052759E

Strings

@@, xrefs: 005274E1, 0052756E, 005274E6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresultNew2$AddrefFree
String ID: @@
API String ID: 4015893416-1653905929
Opcode ID: 729dac82726e89b9b39d2404c8a04ddcea1485beb8291f3fb43954316e9d8878
Instruction ID: 2fd29bf5a33563797aa87bfeda39d7ac2d5d324e94ec554720466c5fac6f9108
Opcode Fuzzy Hash: 729dac82726e89b9b39d2404c8a04ddcea1485beb8291f3fb43954316e9d8878
Instruction Fuzzy Hash: 7C21B170A00719ABCB11EF69D94AB9FBFB9FF09704F50002AF800B72C1C7B959048AD9

Function 004E3352 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E33A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,0000001C,?,BorderColor), ref: 004E33ED
__vbaI4Var.MSVBVM60(00000000,?,BorderColor), ref: 004E33FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A2DC,00000064,?,BorderColor), ref: 004E3414
__vbaFreeObj.MSVBVM60(?,BorderColor), ref: 004E341C
__vbaFreeVar.MSVBVM60(?,BorderColor), ref: 004E3424

Strings

BorderColor, xrefs: 004E33D4

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: BorderColor
API String ID: 444973724-2976535637
Opcode ID: 5b47bde170181d03bea4c09e3cd66949c0e00faa40323aa33a5753596ca43b7e
Instruction ID: db347c04c8e1b286f4bfccf17d3901bac699f608b179cc96b3371f0fe2e11746
Opcode Fuzzy Hash: 5b47bde170181d03bea4c09e3cd66949c0e00faa40323aa33a5753596ca43b7e
Instruction Fuzzy Hash: 5521A071911608AFCB11EFA5C849FDEBBBCEF04715F50401AF900B72D1C778AA458B95

Function 005003A6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 005003FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C1D8,000000F0,?,?,?,?,?,?,?,?,?,00404F16), ref: 00500422
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 00500437
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 0050044F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C1D8,000000F4,?,?,?,?,?,?,?,?,?,00404F16), ref: 00500472
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 0050047A

Strings

X(@, xrefs: 005003CF, 005003DF, 005003EA, 00500443

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: X(@
API String ID: 444973724-3060746528
Opcode ID: ca2ac867fb5984ba84650b83b8b1951e628ab5af075dbc161064af4ff0dfb40a
Instruction ID: 44335066045f14cf42f0df43d9cbd7c7906fc4596cee7d783c0cc74680359a38
Opcode Fuzzy Hash: ca2ac867fb5984ba84650b83b8b1951e628ab5af075dbc161064af4ff0dfb40a
Instruction Fuzzy Hash: 81218D7194050AABCB10EFA8C889EAF7BBCEF08740F54447AB945A3181D67899418FA4

Function 004EE029 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EE06C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EE07F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000AC), ref: 004EE0A4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EE0AC
__vbaHresultCheckObj.MSVBVM60(00000000,00401DE8,0041AA4C,00000390), ref: 004EE0E6
__vbaFreeStr.MSVBVM60(004EE104), ref: 004EE0FE

Strings

FontName, xrefs: 004EE0B6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Copy
String ID: FontName
API String ID: 2714663509-383192590
Opcode ID: ce6975865c9c701c4b217feb9673243d00f49d7f648eebbc13b2da23cf7fbe7d
Instruction ID: 6202df2624f2465326ce43d473016880a6d10655b991a6d4fa38a956970427fb
Opcode Fuzzy Hash: ce6975865c9c701c4b217feb9673243d00f49d7f648eebbc13b2da23cf7fbe7d
Instruction Fuzzy Hash: 72218070900614AFCB00EFAAC889EAFBBFCEF44704F10806AF504B7191C77859058FA9

Function 004E083D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0880
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0893
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000AC), ref: 004E08B8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E08C0
__vbaHresultCheckObj.MSVBVM60(00000000,00401550,0041993C,00000390), ref: 004E08FA
__vbaFreeStr.MSVBVM60(004E0918), ref: 004E0912

Strings

FontName, xrefs: 004E08CA

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Copy
String ID: FontName
API String ID: 2714663509-383192590
Opcode ID: 39133135371b130f9fe95822f81cc059f8f90669a61d733bcab25e90ca8414ac
Instruction ID: c75771fea77f56ad59be50b47198256b5b1b71366c6aa1b424f1a324045bebd4
Opcode Fuzzy Hash: 39133135371b130f9fe95822f81cc059f8f90669a61d733bcab25e90ca8414ac
Instruction Fuzzy Hash: FB2141B0900605ABCB00EF6AC885E9FBBBCFF55704F10406AF505B7192D7785A458BA5

Function 004E010E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0151
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0164
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 004E0183
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E018B
__vbaHresultCheckObj.MSVBVM60(00000000,004014D0,0041993C,00000390), ref: 004E01C5
__vbaFreeStr.MSVBVM60(004E01E3), ref: 004E01DD

Strings

Caption, xrefs: 004E0195

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Copy
String ID: Caption
API String ID: 2714663509-968978681
Opcode ID: cf7da47123e05e5f479bb1156d8f6ece3a3910ab6c68fe1e0db33b9f310a0ff2
Instruction ID: 08f934e7c56cbe885cd27be6cf66439ac5395911b0b372a04a6c89a31feedace
Opcode Fuzzy Hash: cf7da47123e05e5f479bb1156d8f6ece3a3910ab6c68fe1e0db33b9f310a0ff2
Instruction Fuzzy Hash: 96216570D00605ABCB00EF66C885E9FBBBCFF54705F50405AF515BB191C77899458F99

Function 004ED3B6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED3F9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED40C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054), ref: 004ED42B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED433
__vbaHresultCheckObj.MSVBVM60(00000000,00401D08,0041AA4C,00000390), ref: 004ED46D
__vbaFreeStr.MSVBVM60(004ED48B), ref: 004ED485

Strings

Caption, xrefs: 004ED43D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Copy
String ID: Caption
API String ID: 2714663509-968978681
Opcode ID: 0a144492da141c70234e6f16e50ceb8a0c9972d321b4672e4e5345bf5d8a26ea
Instruction ID: 0fd07ff5bde4f12b586e8191d010ebc31689834625382456bf8d4af9d2295320
Opcode Fuzzy Hash: 0a144492da141c70234e6f16e50ceb8a0c9972d321b4672e4e5345bf5d8a26ea
Instruction Fuzzy Hash: ED215370D00605ABCB00EFAAC985E9FBBBCEF54745F50806AF505B7191C77859058F99

Function 0050965C Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 005096A1
__vbaHresultCheckObj.MSVBVM60(00000000,00402DF8,0041E024,00000720), ref: 005096C7
__vbaFreeStr.MSVBVM60 ref: 005096CF
__vbaFreeVar.MSVBVM60 ref: 005096D7
__vbaStrCopy.MSVBVM60 ref: 005096E1
__vbaFreeStr.MSVBVM60 ref: 005096F6
__vbaHresultCheckObj.MSVBVM60(00000000,00402DF8,0041E024,00000714), ref: 00509714
__vbaHresultCheckObj.MSVBVM60(00000000,00402DF8,0041DFF4,000002B0), ref: 00509768

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Copy
String ID:
API String ID: 2714663509-0
Opcode ID: 34c215d0d1f91f4d5b5aa4e4cc86c2b0577353c5bd92709c196275a57974989a
Instruction ID: 8fbd95737f129e05b1efa90dd60fb6f1f89b4d39045f32e65549183264886eb8
Opcode Fuzzy Hash: 34c215d0d1f91f4d5b5aa4e4cc86c2b0577353c5bd92709c196275a57974989a
Instruction Fuzzy Hash: DA3160B1900609ABCB00EF95C8CAEEFBBB8FF55304F140459F601BB1C6D7B869458B95

Function 004F34F7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F354D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004F356F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C), ref: 004F3595
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F35A4
__vbaRaiseEvent.MSVBVM60(@ @,00000001,00000004), ref: 004F360A

Strings

@ @, xrefs: 004F3520, 004F3530, 004F353B, 004F3608

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$EventFreeListRaise
String ID: @ @
API String ID: 950472709-1820537312
Opcode ID: 7d23c3f69c56a0ccda34ed84a5635ea61449a0315ac4c16533b7271c6da88e52
Instruction ID: 101f62b9803e35eafa8f1dc07d17f1a22b9bcf56e7459c8ffc499d135e9f46dd
Opcode Fuzzy Hash: 7d23c3f69c56a0ccda34ed84a5635ea61449a0315ac4c16533b7271c6da88e52
Instruction Fuzzy Hash: 354162B1D00608ABDB11DFA9C885BDFBBB9FF49700F10411AFA14FB281D679A9058F95

Function 00505986 Relevance: 10.6, APIs: 7, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,000000DC,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 005059E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,000000A4), ref: 00505A16
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000034), ref: 00505A32
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B364,00000050), ref: 00505A4E
__vbaOnError.MSVBVM60(00000001), ref: 00505A6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B364,00000098), ref: 00505A8B
__vbaExitProc.MSVBVM60 ref: 00505A97

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$ErrorExitProc
String ID:
API String ID: 341211640-0
Opcode ID: d5ba68a1a2c5269fd1500baa26e0ea487cb42840acf32b482b6d2260a1389b6d
Instruction ID: 9af217c8c3f9847c0f45f728a293c09d43cda788831cf2869d6a9a915a80ee4d
Opcode Fuzzy Hash: d5ba68a1a2c5269fd1500baa26e0ea487cb42840acf32b482b6d2260a1389b6d
Instruction Fuzzy Hash: 2F31B170A00A15ABDB10EB69C889F9FBBBCFF99754F10452AF141B72D1E6749800CEB4

Function 0052DE87 Relevance: 10.6, APIs: 7, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0052DEE6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000108), ref: 0052DF0D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052DF27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0052DF3C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000108), ref: 0052DF5E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BE0,00000074), ref: 0052DF84
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0052DF97

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID:
API String ID: 2772417511-0
Opcode ID: 119c300bb7bd70e31977d5d91a5371224971e58d89c6f22c0c49fe03cafd1755
Instruction ID: fdc716b5e5645015aca69096108eaa2847943c1f689ef3af14d0bf121c8c2896
Opcode Fuzzy Hash: 119c300bb7bd70e31977d5d91a5371224971e58d89c6f22c0c49fe03cafd1755
Instruction Fuzzy Hash: AB3169B1901219ABCB00DBA5C949EEFBBFCFF49300F10056AF581E7181D77899418FA5

Function 004F78EB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 004F7936
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040), ref: 004F795D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419EF8,0000008C), ref: 004F7986
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004F7995
__vbaHresultCheckObj.MSVBVM60(00000000,004022F8,0041AD28,00000390,?,00000002,?,?), ref: 004F79D1

Strings

ShadowVisible, xrefs: 004F79A1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: ShadowVisible
API String ID: 2772417511-3507630718
Opcode ID: 60f80e154c6f367a43b584a6f95f8cf1c45ead7fea6db57598292f2bda433f8d
Instruction ID: 381169f7fe7698e77fac37e450636b5bc7802cb4ce04b9c5ee78bc9d8d1aaa0b
Opcode Fuzzy Hash: 60f80e154c6f367a43b584a6f95f8cf1c45ead7fea6db57598292f2bda433f8d
Instruction Fuzzy Hash: 732152B1900614ABDB00DF95C889FAFBBFCFF44744F50816AF505E7181D77899058BA9

Function 004F50DD Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004F5122
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004F5146
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004F516F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AD28,00000088), ref: 004F519B
_adj_fdiv_m32.MSVBVM60(?), ref: 004F51B4
__vbaFpI2.MSVBVM60(?), ref: 004F51BF
__vbaFreeObj.MSVBVM60(?), ref: 004F51CA

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 9e48dd52264ce68e54c171ad6d4a6ad5dc625e414ac31a421840da1261640cce
Instruction ID: 16088f4d380c07fd9572369aa72345146643de795882398cdb8bdf9e8f66f18b
Opcode Fuzzy Hash: 9e48dd52264ce68e54c171ad6d4a6ad5dc625e414ac31a421840da1261640cce
Instruction Fuzzy Hash: 66219FB0D40A09ABCB10DB91C90ABBFBBB8FB54705F50451AF200B3290C7B86845CBA9

Function 004F80F5 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004F813A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004F815E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004F8187
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AF04,00000080), ref: 004F81B3
_adj_fdiv_m32.MSVBVM60(?), ref: 004F81CC
__vbaFpI2.MSVBVM60(?), ref: 004F81D7
__vbaFreeObj.MSVBVM60(?), ref: 004F81E2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 40dc3ab3aaf5af567c02e0894b60d9c4e964976350b2c72120cdd0b9ca0a46af
Instruction ID: 37a7056c5db73d8348c3a1c84d0b4e0691136eeabfadc1d683a9831c862da418
Opcode Fuzzy Hash: 40dc3ab3aaf5af567c02e0894b60d9c4e964976350b2c72120cdd0b9ca0a46af
Instruction Fuzzy Hash: 2D217FB0940609ABCB10DB91C94AABFBBB8FB54705F14451EF140B7290CB785846DBA9

Function 00531085 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 005310DE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 005310F3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000080,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00531119
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000084), ref: 0053114C
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0053115B

Strings

pG@, xrefs: 005310AE, 005310BE, 005310C9, 005310E7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID: pG@
API String ID: 2772417511-1649682704
Opcode ID: c6ea72b56689e3db4b60fee0e12e93b6d554d42036a19a43f2b6eaeeef2adf68
Instruction ID: 190fb0bd5740b3c5b7c7b37e3b548895ec39b330dc0ae5faf5ffa7f0d2d9578f
Opcode Fuzzy Hash: c6ea72b56689e3db4b60fee0e12e93b6d554d42036a19a43f2b6eaeeef2adf68
Instruction Fuzzy Hash: 0C216DB1901615BBCB10AFA4C989EEFBBBCFF48700F10456AF641E3181D73859458FA5

Function 004F0983 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004F09C8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004F09EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004F0A15
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AA4C,00000080), ref: 004F0A41
_adj_fdiv_m32.MSVBVM60(?), ref: 004F0A5A
__vbaFpI2.MSVBVM60(?), ref: 004F0A65
__vbaFreeObj.MSVBVM60(?), ref: 004F0A70

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 0a020c86d5b6e8c2621e1b2f1aecaf906a89fffa3ac1d9b40ce20adbd4188e82
Instruction ID: 61a1161eba03ba3a6f64fcfb5bf48ac9e495a698703539e09c8b2c3b62b3f995
Opcode Fuzzy Hash: 0a020c86d5b6e8c2621e1b2f1aecaf906a89fffa3ac1d9b40ce20adbd4188e82
Instruction Fuzzy Hash: 63216DB0940709ABCB10DB91C84AFBFBBB8FBA4745F10441AF140B3291D7B858458BA9

Function 004F821B Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004F8260
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004F8284
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004F82AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AF04,00000088), ref: 004F82D9
_adj_fdiv_m32.MSVBVM60(?), ref: 004F82F2
__vbaFpI2.MSVBVM60(?), ref: 004F82FD
__vbaFreeObj.MSVBVM60(?), ref: 004F8308

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 95b7de005c544401a2388057b01c352bf21a04587c462cdf2be5a0c3905afefb
Instruction ID: d3791cbd86be27e3f22b3d5e115be8e962b0feec62411710ac07be390095bd64
Opcode Fuzzy Hash: 95b7de005c544401a2388057b01c352bf21a04587c462cdf2be5a0c3905afefb
Instruction Fuzzy Hash: DF219FB0940A09ABCB10DB91CC0AABFBBB8FB54705F50445EF540B7290CB7868458BA9

Function 004F0AA9 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004F0AEE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004F0B12
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004F0B3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AA4C,00000088), ref: 004F0B67
_adj_fdiv_m32.MSVBVM60(?), ref: 004F0B80
__vbaFpI2.MSVBVM60(?), ref: 004F0B8B
__vbaFreeObj.MSVBVM60(?), ref: 004F0B96

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 200511bdbeb2af6abf1257b6ce5322abcf67b9ae3680ef594024d73a1e74cbe4
Instruction ID: 5d08a2398e0a4e2101b9869756e90fb6813b7bd7f89151ba7d8e057c85592873
Opcode Fuzzy Hash: 200511bdbeb2af6abf1257b6ce5322abcf67b9ae3680ef594024d73a1e74cbe4
Instruction Fuzzy Hash: 782180B0940609ABCB10DB91CC4AFBFBBB8FF94705F50451AF140B3291C7B86845CBA9

Function 004E2B66 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004E2BAB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004E2BCF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004E2BF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A254,00000080), ref: 004E2C24
_adj_fdiv_m32.MSVBVM60(?), ref: 004E2C3D
__vbaFpI2.MSVBVM60(?), ref: 004E2C48
__vbaFreeObj.MSVBVM60(?), ref: 004E2C53

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 26080c9284d361f30fa0cf7be7b4ce4f01feb5f454d67ed556faa8722bb927ca
Instruction ID: 33de791854d1abdb9b886eb60ec0937c02749081f691dbc8ddbf4929e5988a73
Opcode Fuzzy Hash: 26080c9284d361f30fa0cf7be7b4ce4f01feb5f454d67ed556faa8722bb927ca
Instruction Fuzzy Hash: B72180B0940605ABCB14DF92CD4AFAFB7BCFF54705F64441AF000B7290CBB869458BA9

Function 004E3B2F Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004E3B74
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004E3B98
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004E3BC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A318,00000088), ref: 004E3BED
_adj_fdiv_m32.MSVBVM60(?), ref: 004E3C06
__vbaFpI2.MSVBVM60(?), ref: 004E3C11
__vbaFreeObj.MSVBVM60(?), ref: 004E3C1C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 61bf6a7c1883d87cc35af9f32081222ac486caf2f8b241602dc5c72aca37e5c2
Instruction ID: f116f723b4cda0daefac613715c8c0ab57e907dfcf16321fc6b682ed6f42504f
Opcode Fuzzy Hash: 61bf6a7c1883d87cc35af9f32081222ac486caf2f8b241602dc5c72aca37e5c2
Instruction Fuzzy Hash: DD21A0B1940745ABCF11DF92CC0AEAFBBB8FF54706F60441AF001B3291C77859458BA9

Function 004FA3F4 Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004FA439
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004FA45D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004FA486
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AF54,00000088), ref: 004FA4B2
_adj_fdiv_m32.MSVBVM60(?), ref: 004FA4CB
__vbaFpI2.MSVBVM60(?), ref: 004FA4D6
__vbaFreeObj.MSVBVM60(?), ref: 004FA4E1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 244fb85260de1efa5da2530f89aead253132e595d7425cb676993244224f57fc
Instruction ID: 0833926069b0acffaec08fc43616115e2bd2ec7242d07b279005f817adacb2a5
Opcode Fuzzy Hash: 244fb85260de1efa5da2530f89aead253132e595d7425cb676993244224f57fc
Instruction Fuzzy Hash: 942180B0940709ABCF10DB91CC4AEBFBBB8FB64705F54851AF504B3290C7BC58459BAA

Function 004DFC2D Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004DFC72
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004DFC96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088), ref: 004DFCBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041993C,00000088), ref: 004DFCEB
_adj_fdiv_m32.MSVBVM60(?), ref: 004DFD04
__vbaFpI2.MSVBVM60(?), ref: 004DFD0F
__vbaFreeObj.MSVBVM60(?), ref: 004DFD1A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 5b14aa8609b7b5b6abe716af631d27e69eb0b41720dd0b34423cee9fc8264865
Instruction ID: 5fc12c75595b6c7d17c97ee652592c69da2fdc55686e9006bf94112e5b1281e4
Opcode Fuzzy Hash: 5b14aa8609b7b5b6abe716af631d27e69eb0b41720dd0b34423cee9fc8264865
Instruction Fuzzy Hash: D6219FB0940609ABCF10DB91CC1AAAFBBB9FF64705F50442BF401B3290D7785849CBA9

Function 004E2C8C Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004E2CD1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004E2CF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004E2D1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A254,00000088), ref: 004E2D4A
_adj_fdiv_m32.MSVBVM60(?), ref: 004E2D63
__vbaFpI2.MSVBVM60(?), ref: 004E2D6E
__vbaFreeObj.MSVBVM60(?), ref: 004E2D79

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: 5b2db2587bda5f631f5aad0214265052d638ecd7c7e066fa15d8587a0160a0d5
Instruction ID: 07b174aba18684abf5f6c8c8e67450aba6cb09410007b9d773b8b0470b6d1e4e
Opcode Fuzzy Hash: 5b2db2587bda5f631f5aad0214265052d638ecd7c7e066fa15d8587a0160a0d5
Instruction Fuzzy Hash: 9B21A0B0940609ABCB10DB92CD09FAFB7BCFF94706F64441AF100B3290C7B85945CBA9

Function 004FA51A Relevance: 10.6, APIs: 7, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 004FA55F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018), ref: 004FA583
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080), ref: 004FA5AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AF54,00000080), ref: 004FA5D8
_adj_fdiv_m32.MSVBVM60(?), ref: 004FA5F1
__vbaFpI2.MSVBVM60(?), ref: 004FA5FC
__vbaFreeObj.MSVBVM60(?), ref: 004FA607

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2_adj_fdiv_m32
String ID:
API String ID: 2768200346-0
Opcode ID: bd533d82a0275eb2b09e363431e83474c3f1e183b868092e7eeaeb7bcea19729
Instruction ID: c19ff36e9294462d2314a67f06208c2844f03453e1153dd4b8da06307e0c633b
Opcode Fuzzy Hash: bd533d82a0275eb2b09e363431e83474c3f1e183b868092e7eeaeb7bcea19729
Instruction Fuzzy Hash: 82217CB0940609ABCB10DB91CC4AFBFBBB8FF54705F14441AF144B3290C7B859458BAA

Function 004FE2C6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 004FE347
#595.MSVBVM60(?,00000024,?,?,?), ref: 004FE35E
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000024,?,?,?), ref: 004FE381
__vbaEnd.MSVBVM60(?,?), ref: 004FE38E

Strings

&@, xrefs: 004FE2F2
Are you sure to Exit?, xrefs: 004FE339

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#595FreeList
String ID: Are you sure to Exit?$&@
API String ID: 319278861-3038579661
Opcode ID: 3522452198e079281401d5fbcca4a6d25cac82595afd961840cf5e073ebffaf1
Instruction ID: f2f255574df94875cb5890ff57d8f36c7e584d9862248693e78f8f6e717e762a
Opcode Fuzzy Hash: 3522452198e079281401d5fbcca4a6d25cac82595afd961840cf5e073ebffaf1
Instruction Fuzzy Hash: FA21D9B1C01208ABCB10DFD9CA45ADEBBF8EF48704F20812AE505FB290D7785A09CF95

Function 004F5E6E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004F5EB9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000B4,?,00000000,00000000), ref: 004F5EE2
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004F5EEA
__vbaHresultCheckObj.MSVBVM60(00000000,@"@,0041AD28,00000390), ref: 004F5F24

Strings

@"@, xrefs: 004F5E9E, 004F5EA3, 004F5EAD, 004F5F0A, 004F5F22
FontSize, xrefs: 004F5EF4

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: @"@$FontSize
API String ID: 3976024557-251074701
Opcode ID: 01a1ed660844594c1000fedd0703100143c4bc4ff15b78e38962531874aeb56c
Instruction ID: 748d78b4e53b63a74a5a8ccdf51060c18b4c0ce628de61a0a53af1a80b726f81
Opcode Fuzzy Hash: 01a1ed660844594c1000fedd0703100143c4bc4ff15b78e38962531874aeb56c
Instruction Fuzzy Hash: 7F114271510605BBDB00EFA5C989FAF7BFCFF05704F104469F645AB181C77896448BA9

Function 00515368 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00403500,0041FE00,00000048), ref: 005153CC
__vbaObjVar.MSVBVM60(?,RemoveChild,00000001), ref: 005153F8
__vbaLateMemCall.MSVBVM60(00000000,?,RemoveChild,00000001), ref: 005153FE
__vbaFreeVar.MSVBVM60 ref: 00515409
__vbaFreeVar.MSVBVM60(00515432), ref: 0051542C

Strings

RemoveChild, xrefs: 005153EB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CallCheckHresultLate
String ID: RemoveChild
API String ID: 1821223823-715995409
Opcode ID: 9dde0bee6dceb808de131b3119e8891287117783c474787db4b1ce3135784371
Instruction ID: bfb0d6502c06424ea5624805768b0718128d0f421eec04a09c2d3de5047c4e26
Opcode Fuzzy Hash: 9dde0bee6dceb808de131b3119e8891287117783c474787db4b1ce3135784371
Instruction Fuzzy Hash: 7B215EB1D00608ABCB00EF99C986BCEBFB8FF08714F50456EF504B7291D7B869858B94

Function 004F6017 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004F6062
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000CC), ref: 004F6087
__vbaFreeObj.MSVBVM60 ref: 004F608F
__vbaHresultCheckObj.MSVBVM60(00000000,`"@,0041AD28,00000390), ref: 004F60C9

Strings

FontStrikethru, xrefs: 004F6099
`"@, xrefs: 004F6047, 004F604C, 004F6056, 004F60AF, 004F60C7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontStrikethru$`"@
API String ID: 3976024557-1595964698
Opcode ID: 03a40ce40bc06fbd15f0a762760c14abcdeb1dcfab7e218a99e5239a51d6b497
Instruction ID: 2bb84751282c2dcd09d3c6e4da6fda57c384ad18c1b4ab6efa62d8e9577dd9fa
Opcode Fuzzy Hash: 03a40ce40bc06fbd15f0a762760c14abcdeb1dcfab7e218a99e5239a51d6b497
Instruction Fuzzy Hash: 68113D70900618AFDB10EFA5C889F9F7BBCFF05704F11416AF505AB181CBB899448BA9

Function 004F594F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004F599A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000BC), ref: 004F59BF
__vbaFreeObj.MSVBVM60 ref: 004F59C7
__vbaHresultCheckObj.MSVBVM60(00000000,!@,0041AD28,00000390), ref: 004F5A01

Strings

FontBold, xrefs: 004F59D1
!@, xrefs: 004F597F, 004F5984, 004F598E, 004F59E7, 004F59FF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontBold$!@
API String ID: 3976024557-1805541556
Opcode ID: 683c0372e1da87821625c7e747fe859e7a149ead7539e5db12d3d0bcdde9e1f3
Instruction ID: 9172b16c86d53cdcb58c4ff86f67a84eb93de59181b16b088849d23d9b61b32a
Opcode Fuzzy Hash: 683c0372e1da87821625c7e747fe859e7a149ead7539e5db12d3d0bcdde9e1f3
Instruction Fuzzy Hash: C0114270900A04BBDB10EF55CC89F9F7BBCEF05744F104169F605BB181C77899448BA5

Function 004FCAC5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FCB10
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000CC), ref: 004FCB35
__vbaFreeObj.MSVBVM60 ref: 004FCB3D
__vbaHresultCheckObj.MSVBVM60(00000000,%@,0041AF54,00000390), ref: 004FCB77

Strings

%@, xrefs: 004FCAF5, 004FCAFA, 004FCB04, 004FCB5D, 004FCB75
FontStrikethru, xrefs: 004FCB47

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontStrikethru$%@
API String ID: 3976024557-2163201355
Opcode ID: 786b477e50926b1719728066f986ad5ca35b8ff182d5dd4c61f571414804924a
Instruction ID: 2d1bd20799759cdd6727000b474e2a9de0ab91435b598be8a35a873a75758bd1
Opcode Fuzzy Hash: 786b477e50926b1719728066f986ad5ca35b8ff182d5dd4c61f571414804924a
Instruction Fuzzy Hash: EA113D70900608BBDB00EFA5CD8AFAF7BACFF05744F10416AF505BB181C778A9458BA9

Function 004FC3FD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FC448
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000BC), ref: 004FC46D
__vbaFreeObj.MSVBVM60 ref: 004FC475
__vbaHresultCheckObj.MSVBVM60(00000000,`%@,0041AF54,00000390), ref: 004FC4AF

Strings

FontBold, xrefs: 004FC47F
`%@, xrefs: 004FC42D, 004FC432, 004FC43C, 004FC495, 004FC4AD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontBold$`%@
API String ID: 3976024557-4188837269
Opcode ID: 93cdfa8f35ac1df57adcb505993f740806adba98ffd11f369132bef58ad4e8da
Instruction ID: 65de728d87505649703a6a9436697cd36c51a5aa4acd4ccdc888245e8ed09c77
Opcode Fuzzy Hash: 93cdfa8f35ac1df57adcb505993f740806adba98ffd11f369132bef58ad4e8da
Instruction Fuzzy Hash: 1F116A70900608ABDB00EFA5CD89FAF7BBCEF05704F40406AF904AB182C77899048BA9

Function 004FCE03 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FCE4E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000D4), ref: 004FCE73
__vbaFreeObj.MSVBVM60 ref: 004FCE7B
__vbaHresultCheckObj.MSVBVM60(00000000, &@,0041AF54,00000390), ref: 004FCEB5

Strings

FontUnderline, xrefs: 004FCE85
&@, xrefs: 004FCE33, 004FCE38, 004FCE42, 004FCE9B, 004FCEB3

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: &@$FontUnderline
API String ID: 3976024557-2925125721
Opcode ID: 8ba6e0b13710607a2452ccf6854ed3102c16bec26be47709d1b8a1f872317129
Instruction ID: 98cb252b0462ad5ff1b2708b8f9bc1f14ce83289ae849d5d6a11fc5eafe421bc
Opcode Fuzzy Hash: 8ba6e0b13710607a2452ccf6854ed3102c16bec26be47709d1b8a1f872317129
Instruction Fuzzy Hash: 80118171900608ABDB10EFA5C989FAF7BBCFF05705F00406AF605BB181C77895088BA9

Function 004FC129 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC17C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000170,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC1A2
__vbaCastObj.MSVBVM60(?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC1AF
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC1B9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,00419B40), ref: 004FC1C8

Strings

0%@, xrefs: 004FC157, 004FC15C, 004FC167

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID: 0%@
API String ID: 2024406958-1158000117
Opcode ID: 1bf7293304bde5786ba9d76af6f28c940d7036e7326edc4ce2012036aa19259e
Instruction ID: 3c2c639a9cd22e49ac067edc920b718b305a6c3cbe9cd27bafc281e65a88eb4e
Opcode Fuzzy Hash: 1bf7293304bde5786ba9d76af6f28c940d7036e7326edc4ce2012036aa19259e
Instruction Fuzzy Hash: CF11FC71900618BBCB01AF95C94AEEFBBFCEF58700F14416BF504B3191D67855458EA5

Function 004FD2BE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FD311
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FD331
__vbaCastObj.MSVBVM60(?,0041A69C,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FD33E
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FD348
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,0041A69C), ref: 004FD357

Strings

H&@, xrefs: 004FD2EC, 004FD2F1, 004FD2FC

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID: H&@
API String ID: 2024406958-885704670
Opcode ID: 67fa29cdceaebcdf114a38470426a7a4eabc06a3bf0006cde8dd89a0ce3d6b8a
Instruction ID: a380ca159fe6cc14d7dd744bcc1efdf5d611d3c532d129bd82fe540bc0b1d499
Opcode Fuzzy Hash: 67fa29cdceaebcdf114a38470426a7a4eabc06a3bf0006cde8dd89a0ce3d6b8a
Instruction Fuzzy Hash: 95111AB1940618ABCB11EF95C849EEFBBFCAF58700F10412BF900B3191D77859458AA5

Function 00505619 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

#617.MSVBVM60(?,?,00000004,?,00000003,x)@), ref: 00505667
__vbaVarCat.MSVBVM60(?,?,?,?,?,00000004,?,00000003,x)@), ref: 00505687
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,00000004,?,00000003,x)@), ref: 0050568D
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,00000004,?,00000003,x)@), ref: 00505697
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,00000004,?,00000003,x)@), ref: 005056A6

Strings

x)@, xrefs: 00505635

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Move$#617FreeList
String ID: x)@
API String ID: 4086060888-2537111169
Opcode ID: b527ac2cc9922f0e9c7ee791ea88afb1aa4759da37b2164c13b35b337d0f07f7
Instruction ID: 52d0acbaca665d7a01fc7708f9093880b90c122b4e058ecd284a29837d3c63ab
Opcode Fuzzy Hash: b527ac2cc9922f0e9c7ee791ea88afb1aa4759da37b2164c13b35b337d0f07f7
Instruction Fuzzy Hash: 1D11B6B1D00648AFCB40EFE9C885ADFBFBCEB08704F50412AF605F6281E77495488BA5

Function 00409A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,00000002), ref: 004DFB4C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018,?,00000002), ref: 004DFB70
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000080,?,00000002), ref: 004DFB99
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041993C,00000080,?,00000002), ref: 004DFBC5
__vbaFpI2.MSVBVM60(?,?,00000002), ref: 004DFBE9
__vbaFreeObj.MSVBVM60(?,?,00000002), ref: 004DFBF4

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: a234cd9bff09498a0f40eed100b7a8fc8733b15c5ee71bb3503984c2c7a87b6e
Instruction ID: d3f60491e3f1bafcf806d5a04935f58c7dde98c46e95b0e3fe53443beba1a9ea
Opcode Fuzzy Hash: a234cd9bff09498a0f40eed100b7a8fc8733b15c5ee71bb3503984c2c7a87b6e
Instruction Fuzzy Hash: 88219FB0940705ABCB20DB51C86AFAFBBB8FF54704F10442BF441A7290D7786849CBA9

Function 0040BE1A Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,00000002), ref: 004F4FFC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000018,?,00000002), ref: 004F5020
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419F18,00000088,?,00000002), ref: 004F5049
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041AD28,00000080,?,00000002), ref: 004F5075
__vbaFpI2.MSVBVM60(?,?,00000002), ref: 004F5099
__vbaFreeObj.MSVBVM60(?,?,00000002), ref: 004F50A4

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: bbc0e718065296ca0cf02814d2b4d9b0fe6ca4bdfe8a5542116a94e3a93641c5
Instruction ID: 817adf06367f6a5040b4798b1ea784d2173fee401a1ba3c7ec61741adccf7b27
Opcode Fuzzy Hash: bbc0e718065296ca0cf02814d2b4d9b0fe6ca4bdfe8a5542116a94e3a93641c5
Instruction Fuzzy Hash: DE217CB0940A09AFCB10DB55C84AABFB7B9FF64705F20441AF240B7290CBB85845CBE9

Function 005258AD Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00404F16), ref: 00525903
__vbaStrI2.MSVBVM60(00000027,?,00000000,?,?,?,?,?,?,?,?,00404F16), ref: 0052590E
__vbaStrMove.MSVBVM60(00000027,?,00000000,?,?,?,?,?,?,?,?,00404F16), ref: 00525918
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000054,?,?,?,?,?,?,?,?,00404F16), ref: 00525931
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00525939
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00525941

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove
String ID:
API String ID: 162419962-0
Opcode ID: 0c4a31e8946ee31be7be995a323493e78b887e0f69ccd34fe7605677b4ee5ff9
Instruction ID: 00b8914b1fb58d86d5906d416ab249049b083040cbe721cb850bbf9a79f2ebdd
Opcode Fuzzy Hash: 0c4a31e8946ee31be7be995a323493e78b887e0f69ccd34fe7605677b4ee5ff9
Instruction Fuzzy Hash: 9B119D71D00615ABCB10EFA5C84AEAFBFB8EF44704F10406AF940B71C1D6385A458FD4

Function 00531523 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00404F16,000000FF,?,00000008,?,00000000,00404F16), ref: 0053153F
__vbaOnError.MSVBVM60(000000FF,?,00000008,?,?,00404F16,000000FF), ref: 0053156F
__vbaUbound.MSVBVM60(00000001,00000000,000000FF,?,00000008,?,?,00404F16,000000FF), ref: 00531582
__vbaLbound.MSVBVM60(00000001,00000000,00000001,00000000,000000FF,?,00000008,?,?,00404F16,000000FF), ref: 00531590
__vbaErrorOverflow.MSVBVM60(00000001,00000000,00000001,00000000,000000FF,?,00000008,?,?,00404F16,000000FF), ref: 005315FD

Part of subcall function 00531602: __vbaChkstk.MSVBVM60(00000000,00404F16,?,?,00000008,?,?,00404F16,000000FF), ref: 00531620
Part of subcall function 00531602: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00404F16), ref: 00531650
Part of subcall function 00531602: __vbaStrCopy.MSVBVM60(000000FF,?,00000000,?,00000000,00404F16), ref: 0053168F
Part of subcall function 00531602: __vbaAryDestruct.MSVBVM60(00000000,?,00531BD6,?,00000001,?,?,000000FF,?,00000000,?,00000000,00404F16), ref: 00531BD0

__vbaVarMove.MSVBVM60(00000000,-00000001), ref: 005315B7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Error$Chkstk$CopyDestructLboundMoveOverflowUbound
String ID:
API String ID: 838520424-0
Opcode ID: 7a65704a5d5029d5ff0f0eec8c1ede73c27fa2db2b14032e40574bf48f7357a4
Instruction ID: e2e8ed0b5aa4a5f5fb5dfcc3dc5f3701835d053b507b1d21baada66ee37b8398
Opcode Fuzzy Hash: 7a65704a5d5029d5ff0f0eec8c1ede73c27fa2db2b14032e40574bf48f7357a4
Instruction Fuzzy Hash: 5F1139B1840609EFDB00EFA5C806B8E7BB4FF80758F104569F514BB2D1D7BA1A048F94

Function 004E3466 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E34BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000060), ref: 004E34DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020,?,BorderColor), ref: 004E352E
__vbaFreeObj.MSVBVM60(?,BorderColor), ref: 004E3536

Strings

BorderColor, xrefs: 004E3515

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor
API String ID: 3976024557-2976535637
Opcode ID: fd2ff37945b56d8f617fd56a1062d3d12f8c62642565d971a25899ec7de2d32a
Instruction ID: 7d64d2329310996bed9c56f71c4fa9e5e3eecafc3624e63c559c8f69d01caa13
Opcode Fuzzy Hash: fd2ff37945b56d8f617fd56a1062d3d12f8c62642565d971a25899ec7de2d32a
Instruction Fuzzy Hash: A0219171900A18BFCB11EFA9C849B9EBBB8FF09711F10405AF841BB291D7786A448B95

Function 00506D51 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00506DD9
#595.MSVBVM60(?,00000030,?,?,?), ref: 00506DF0
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000030,?,?,?), ref: 00506E07

Strings

No record found., xrefs: 00506DCB
0-@, xrefs: 00506D7D, 00506D8D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#595FreeList
String ID: 0-@$No record found.
API String ID: 319278861-379716996
Opcode ID: 0d94e614cc5849e4955c6c2bd3dcb18f3eaa23a73d6074756022649281bea985
Instruction ID: 5fb1e9bbcdee64349a36e76470e3102d824b6c19ae271f7846f93e55c03da859
Opcode Fuzzy Hash: 0d94e614cc5849e4955c6c2bd3dcb18f3eaa23a73d6074756022649281bea985
Instruction Fuzzy Hash: 5421C9B1C01648ABCB11DFD5CA45ADEBBF8FF48700F60812BE505A7280D7746A098F95

Function 004FC91C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FC967
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000B4,?,00000000,00000000), ref: 004FC990
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004FC998
__vbaHresultCheckObj.MSVBVM60(00000000,004025C0,0041AF54,00000390), ref: 004FC9D2

Strings

FontSize, xrefs: 004FC9A2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontSize
API String ID: 3976024557-3207877730
Opcode ID: ce5a63d131ff72d69baf8bda9d12a41cae1debc2094f851d5c8c4d3286f84224
Instruction ID: 2e2bd70acdc4e8da87ff4ada832c5a51db9bb10e2250afc59043e0b6b2265f0c
Opcode Fuzzy Hash: ce5a63d131ff72d69baf8bda9d12a41cae1debc2094f851d5c8c4d3286f84224
Instruction Fuzzy Hash: 111160B0900608BBDB00AFA5C989FAF7BBCEF05704F10456AF644AB181D7B895448BA9

Function 004EE1DF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EE22A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000B4,?,00000000,00000000), ref: 004EE253
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004EE25B
__vbaHresultCheckObj.MSVBVM60(00000000,00401E08,0041AA4C,00000390), ref: 004EE295

Strings

FontSize, xrefs: 004EE265

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontSize
API String ID: 3976024557-3207877730
Opcode ID: 3acfa2a8cbf8eb718ff7b13538c6cbf4ce9de6d7ec2c890349fb2d85868b2dd8
Instruction ID: 17c45d03b8822753d38d134096f66c559f7bafb7c1cb63ccbcc3c6b01a240074
Opcode Fuzzy Hash: 3acfa2a8cbf8eb718ff7b13538c6cbf4ce9de6d7ec2c890349fb2d85868b2dd8
Instruction Fuzzy Hash: 80116D71900604BBCB00AF66C989F9F7BBCFF09705F0044A9F645AB181C77895448BA9

Function 004E09F3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E0A3E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000B4,?,00000000,00000000), ref: 004E0A67
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004E0A6F
__vbaHresultCheckObj.MSVBVM60(00000000,00401570,0041993C,00000390), ref: 004E0AA9

Strings

FontSize, xrefs: 004E0A79

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontSize
API String ID: 3976024557-3207877730
Opcode ID: 833ce8a4e61daa496963dffe81ada30a4d7cf03c989dbf7914d4c2da763342a1
Instruction ID: e276f65e5424a7b52908e8d53979d0de69b017daf106e69afbfcc3206c6ca4cb
Opcode Fuzzy Hash: 833ce8a4e61daa496963dffe81ada30a4d7cf03c989dbf7914d4c2da763342a1
Instruction Fuzzy Hash: C6113D71900708BBCB00EFA5C989F9F7BBCEF05705F104469F545AB192D7B89A448BA9

Function 004FCC61 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FCCB2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000006C), ref: 004FCCCF
__vbaFreeObj.MSVBVM60 ref: 004FCCD7
__vbaHresultCheckObj.MSVBVM60(00000000,00402600,0041AF54,00000390), ref: 004FCD11

Strings

ForeColor, xrefs: 004FCCE1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: ForeColor
API String ID: 3976024557-3216175
Opcode ID: ef753977ffc865fe9cf57ffcd8db1a23e97905e376aa3741fbaf7944cbab90de
Instruction ID: 83cbdcc9002cd4ead45a0e487358e64cadd6857f68d8a01f00e627e9dcb332e7
Opcode Fuzzy Hash: ef753977ffc865fe9cf57ffcd8db1a23e97905e376aa3741fbaf7944cbab90de
Instruction Fuzzy Hash: 85116D70900608ABDB00EF95C989FAF7BBCFF05704F50406AF504AB181C77995458BA9

Function 004ED067 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004ED0B2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004ED0D1
__vbaFreeObj.MSVBVM60 ref: 004ED0D9
__vbaHresultCheckObj.MSVBVM60(00000000,00401CC8,0041A7CC,00000390), ref: 004ED113

Strings

BorderColor4, xrefs: 004ED0E3

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor4
API String ID: 3976024557-3892761623
Opcode ID: 891f06ad137db07f463f7d99b18cfa0df79116b8ee18ad5e9e794510fcda45ac
Instruction ID: 0fcc6d1c7cbbc3a55393a97bbb79da50e6ffc6f4537a1a6acc217c056f8ec6f0
Opcode Fuzzy Hash: 891f06ad137db07f463f7d99b18cfa0df79116b8ee18ad5e9e794510fcda45ac
Instruction Fuzzy Hash: 92114C70900704ABDB10EFA9C88AF9FBBBCEF05745F50446AF501BB192D77899448BA9

Function 004E48BE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E4909
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000064), ref: 004E4928
__vbaFreeObj.MSVBVM60 ref: 004E4930
__vbaHresultCheckObj.MSVBVM60(00000000,004017B8,0041A318,00000390), ref: 004E496A

Strings

InsideBorderColor, xrefs: 004E493A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: InsideBorderColor
API String ID: 3976024557-2099307885
Opcode ID: 3e45d9765f52fc96f20959fb59ac235fabd0fe69671780aa963249569919d236
Instruction ID: 6636ab4a3461f848983f8aff01e162aab8ca379a845db4460264fe9b0626be7f
Opcode Fuzzy Hash: 3e45d9765f52fc96f20959fb59ac235fabd0fe69671780aa963249569919d236
Instruction Fuzzy Hash: F6114FB0900604AFCB00EF65C889F9F7BFCEF05705F504466F541BB182C77895448BA9

Function 004ED1FD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004ED248
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004ED267
__vbaFreeObj.MSVBVM60 ref: 004ED26F
__vbaHresultCheckObj.MSVBVM60(00000000,00401CE8,0041A7CC,00000390), ref: 004ED2A9

Strings

BorderColor5, xrefs: 004ED279

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor5
API String ID: 3976024557-2667701377
Opcode ID: 99d491539e748763532bae228de44608328028befa4094550b7eeecfed189efc
Instruction ID: bbdac42ef785deff47f96253e3f153e7770327242b917f04dac5ac39dc53d1a5
Opcode Fuzzy Hash: 99d491539e748763532bae228de44608328028befa4094550b7eeecfed189efc
Instruction Fuzzy Hash: 10113A70900604ABDB00AFA5C88AF9F7BBCEF05715F10446AB945BB182C77895448BA9

Function 004F61B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004F61FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000006C), ref: 004F621D
__vbaFreeObj.MSVBVM60 ref: 004F6225
__vbaHresultCheckObj.MSVBVM60(00000000,00402280,0041AD28,00000390), ref: 004F625F

Strings

ForeColor, xrefs: 004F622F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: ForeColor
API String ID: 3976024557-3216175
Opcode ID: a16ba7559ef0110f84a126a8b49cac76fa65bc931d64c0a98c6373571e183ee9
Instruction ID: 4b6eccb6615a6ba7eb5be48b5802841a43a9302993543e9d03d0767d897e2636
Opcode Fuzzy Hash: a16ba7559ef0110f84a126a8b49cac76fa65bc931d64c0a98c6373571e183ee9
Instruction Fuzzy Hash: E1114C70901608ABDB00EFA5C88AFAF7BBCEF09704F51406AF541BB181C77999448BA9

Function 004E4A54 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E4A9F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000064), ref: 004E4ABE
__vbaFreeObj.MSVBVM60 ref: 004E4AC6
__vbaHresultCheckObj.MSVBVM60(00000000,004017D8,0041A318,00000390), ref: 004E4B00

Strings

ShadowColor1, xrefs: 004E4AD0

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: ShadowColor1
API String ID: 3976024557-697015564
Opcode ID: c7e2958ad9bbf228f117a334183b4d21854393146fac244f8d87670c951d611a
Instruction ID: caaa3b827257fbac0dcea8df8e93b3d6f79a7c800ffa9d92420afc4b00cabaed
Opcode Fuzzy Hash: c7e2958ad9bbf228f117a334183b4d21854393146fac244f8d87670c951d611a
Instruction Fuzzy Hash: A7115170900708AFCB11EFA5C889F9F7BBCEF45705F50416AF501BB192D77895448BA9

Function 004E3273 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E32BE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000064), ref: 004E32DD
__vbaFreeObj.MSVBVM60 ref: 004E32E5
__vbaHresultCheckObj.MSVBVM60(00000000,004016B8,0041A254,00000390), ref: 004E331F

Strings

BorderColor, xrefs: 004E32EF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor
API String ID: 3976024557-2976535637
Opcode ID: 87cd89a6b34ffefcd3b01977581f38035f1bb9288f5bd4b3e8ab451f7c77876c
Instruction ID: a8c40062dbe28d15fc88a5345578b9eb1845be685a78b347e60a2ccb3fbb91ce
Opcode Fuzzy Hash: 87cd89a6b34ffefcd3b01977581f38035f1bb9288f5bd4b3e8ab451f7c77876c
Instruction Fuzzy Hash: D9117F70900644AFDB01EFA5CC89F9FBBBCEF05705F504065B941BB281C77995448BA9

Function 004F5AF3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004F5B3E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000C4), ref: 004F5B63
__vbaFreeObj.MSVBVM60 ref: 004F5B6B
__vbaHresultCheckObj.MSVBVM60(00000000,00402200,0041AD28,00000390), ref: 004F5BA5

Strings

FontItalic, xrefs: 004F5B75

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontItalic
API String ID: 3976024557-2825144528
Opcode ID: 2419d985431c43b6bf1625f3cfdb68969473135ea93a43ab7d36d552114872a3
Instruction ID: 5b2187973bc343ca0b0c01dfd2a4269de003a7d69a05ef03e515e8e50c62f308
Opcode Fuzzy Hash: 2419d985431c43b6bf1625f3cfdb68969473135ea93a43ab7d36d552114872a3
Instruction Fuzzy Hash: 7C113D70900A08BBDB10AFA5C989F9F7BACFF05705F10406AF605BB181C778A9458BA9

Function 004F1BEC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004F1C37
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000064), ref: 004F1C56
__vbaFreeObj.MSVBVM60 ref: 004F1C5E
__vbaHresultCheckObj.MSVBVM60(00000000,00401F58,0041AA4C,00000390), ref: 004F1C98

Strings

BorderColor, xrefs: 004F1C68

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor
API String ID: 3976024557-2976535637
Opcode ID: ebfffeab23b31ff9c9db1f356ee3be035148ff3f43aa3b6dc656830e6531cac3
Instruction ID: 30b7bc8de25c370348c2ab00b46886068a899cdc235b434b425c59b0d1acf303
Opcode Fuzzy Hash: ebfffeab23b31ff9c9db1f356ee3be035148ff3f43aa3b6dc656830e6531cac3
Instruction Fuzzy Hash: B6114C70900608AFCB01EFA9C989FAF7FBCEF05744F50406AF505BB192C77895448BA9

Function 004E4BEA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E4C35
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000064), ref: 004E4C54
__vbaFreeObj.MSVBVM60 ref: 004E4C5C
__vbaHresultCheckObj.MSVBVM60(00000000,004017F8,0041A318,00000390), ref: 004E4C96

Strings

ShadowColor2, xrefs: 004E4C66

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: ShadowColor2
API String ID: 3976024557-2961362102
Opcode ID: 4f6d076ec0aad6d71c0a4fb0a732d5d08710a5659406467e354b9d874ea879b2
Instruction ID: ca6a1a7b8b6b521f24a9b56bdf10413699c4f2334c92e5baaa2f6fd7980e4791
Opcode Fuzzy Hash: 4f6d076ec0aad6d71c0a4fb0a732d5d08710a5659406467e354b9d874ea879b2
Instruction Fuzzy Hash: 4E117C70901604ABCB00EFA9C989F9F7BBCFF05704F50406AF941BB182C77895048BA9

Function 004EE388 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EE3D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000CC), ref: 004EE3F8
__vbaFreeObj.MSVBVM60 ref: 004EE400
__vbaHresultCheckObj.MSVBVM60(00000000,00401E28,0041AA4C,00000390), ref: 004EE43A

Strings

FontStrikethru, xrefs: 004EE40A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontStrikethru
API String ID: 3976024557-1844596981
Opcode ID: 10581780490180c127993e44fd04b808b7ce1ea4e287734c1ad2c6d262d519a0
Instruction ID: f1d68fb684c8738b35c7e78152bf24a9778fa2d63fdafb83093eda741752db51
Opcode Fuzzy Hash: 10581780490180c127993e44fd04b808b7ce1ea4e287734c1ad2c6d262d519a0
Instruction Fuzzy Hash: 18114C71900614ABDB00EFA6C889F9F7BFCFF05705F50446AF905BB192C77899448BA9

Function 004E0B9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E0BE7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000CC), ref: 004E0C0C
__vbaFreeObj.MSVBVM60 ref: 004E0C14
__vbaHresultCheckObj.MSVBVM60(00000000,00401590,0041993C,00000390), ref: 004E0C4E

Strings

FontStrikethru, xrefs: 004E0C1E

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontStrikethru
API String ID: 3976024557-1844596981
Opcode ID: 2318067b36023f2c304426113438bbd1715bdc01e35e34ab012e8fe0681f6f65
Instruction ID: 34f7f0c7d93bcecb727b34e7f03ae52f6dc92b730354ec1a7d91b26b9c6a0a2d
Opcode Fuzzy Hash: 2318067b36023f2c304426113438bbd1715bdc01e35e34ab012e8fe0681f6f65
Instruction Fuzzy Hash: FB116A70900604BBDB10EFA6CD89F9F7BBCEF04704F10456AF905AB182C7B899458BA9

Function 004ECBA5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004ECBF0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004ECC0F
__vbaFreeObj.MSVBVM60 ref: 004ECC17
__vbaHresultCheckObj.MSVBVM60(00000000,00401C68,0041A7CC,00000390), ref: 004ECC51

Strings

BorderColor1, xrefs: 004ECC21

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor1
API String ID: 3976024557-2557223064
Opcode ID: 49bd5d6d4ae6c22bab8ca35834b848cb76afe81098c24513e9a83a2ac11c7eb6
Instruction ID: b91ca27589da570695e9b91504a833171620434545c7d6bf0ced37427ee78c24
Opcode Fuzzy Hash: 49bd5d6d4ae6c22bab8ca35834b848cb76afe81098c24513e9a83a2ac11c7eb6
Instruction Fuzzy Hash: 3C118170900604AFDB00EFA5CD89F9F7BBCEF05B45F504469F505BB181C77895458BA9

Function 004E54C9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E5514
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004E5533
__vbaFreeObj.MSVBVM60 ref: 004E553B
__vbaHresultCheckObj.MSVBVM60(00000000,00401840,0041A424,00000390), ref: 004E5575

Strings

BorderColor1, xrefs: 004E5545

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor1
API String ID: 3976024557-2557223064
Opcode ID: 9b4e113beefdcd2a3791ca176639811e1576be074ffea5e8acedd6ee4a6c4779
Instruction ID: 8ab2e6ba74e3f19ba862621a5c11f166a7e4c2f3106bbe93a350e432e9a62337
Opcode Fuzzy Hash: 9b4e113beefdcd2a3791ca176639811e1576be074ffea5e8acedd6ee4a6c4779
Instruction Fuzzy Hash: 74116A70900A04BFCB00AFA5CC89F9F7BBCEF09759F40446AB501BB182C77896448BA9

Function 004EDCC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EDD0B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000BC), ref: 004EDD30
__vbaFreeObj.MSVBVM60 ref: 004EDD38
__vbaHresultCheckObj.MSVBVM60(00000000,00401DA8,0041AA4C,00000390), ref: 004EDD72

Strings

FontBold, xrefs: 004EDD42

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontBold
API String ID: 3976024557-948149611
Opcode ID: c548a1dc1d376336eca7d86b92461d48aeb98c5ec8ed6ac01208207f65fb23cd
Instruction ID: 0183372b002de17048d582a8822f0ef3c2575e1fd931f81844f9631867a7ad62
Opcode Fuzzy Hash: c548a1dc1d376336eca7d86b92461d48aeb98c5ec8ed6ac01208207f65fb23cd
Instruction Fuzzy Hash: F1114C70900604BBDB01EFA5CC8AF9F7BBCEF05745F50446AF905BB181D77899448BA9

Function 004E04D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E051F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000BC), ref: 004E0544
__vbaFreeObj.MSVBVM60 ref: 004E054C
__vbaHresultCheckObj.MSVBVM60(00000000,00401510,0041993C,00000390), ref: 004E0586

Strings

FontBold, xrefs: 004E0556

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontBold
API String ID: 3976024557-948149611
Opcode ID: 0a5a498492846a5c3d635c78f8937b100bdff603c19092a46aef71fce350f74e
Instruction ID: ecbff3d8f2b059216926db40f16f7c09331a357245d1f45897886e26f0c0a729
Opcode Fuzzy Hash: 0a5a498492846a5c3d635c78f8937b100bdff603c19092a46aef71fce350f74e
Instruction Fuzzy Hash: BE117F70900604BBDB10EF65C889F9F7BBCEF04704F404469F905AB181D7B899448FA9

Function 004E0D40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E0D8B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000D4), ref: 004E0DB0
__vbaFreeObj.MSVBVM60 ref: 004E0DB8
__vbaHresultCheckObj.MSVBVM60(00000000,004015B0,0041993C,00000390), ref: 004E0DF2

Strings

FontUnderline, xrefs: 004E0DC2

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontUnderline
API String ID: 3976024557-486341563
Opcode ID: ba3f8fb7f05fcaf49b2cf73d5d10289d7052c3c764e76da06c3e1ffc27638705
Instruction ID: 9778bf9602c99202e0a7fd441d7ab608f31065d5ab1eb2e558fd760dab5cf161
Opcode Fuzzy Hash: ba3f8fb7f05fcaf49b2cf73d5d10289d7052c3c764e76da06c3e1ffc27638705
Instruction Fuzzy Hash: D0117C70900604BBCB00EFAACD89F9F7BBCEF05705F40406AF941BB181D7B899448BA9

Function 004E3D0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E3D57
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A2DC,00000064), ref: 004E3D76
__vbaFreeObj.MSVBVM60 ref: 004E3D7E
__vbaHresultCheckObj.MSVBVM60(00000000,00401758,0041A318,00000390), ref: 004E3DB8

Strings

BorderColor, xrefs: 004E3D88

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor
API String ID: 3976024557-2976535637
Opcode ID: dbc74fae4b21535cd4e2a8d79810bb58efe37c6a04915e577a2bfefa8883b981
Instruction ID: 6bd8cd116cf4f26be3787f675d5c8a9b1df4a8f00867c8a48b5af011cdc9dcd8
Opcode Fuzzy Hash: dbc74fae4b21535cd4e2a8d79810bb58efe37c6a04915e577a2bfefa8883b981
Instruction Fuzzy Hash: F4113A70900604AFCB01AFAACC89F9F7BACEF05705F50406AF945BB182C77896448BA9

Function 004FBD1D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FBD68
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000EC), ref: 004FBD8D
__vbaFreeObj.MSVBVM60 ref: 004FBD95
__vbaHresultCheckObj.MSVBVM60(00000000,004024F0,0041AF54,00000390), ref: 004FBDCF

Strings

Alignment, xrefs: 004FBD9F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: Alignment
API String ID: 3976024557-2923404543
Opcode ID: 0f894544f6c9c09b675677028833547d0b2e42131a1d18c0ab1d641d3c471e45
Instruction ID: ffa51047badc42ed9d6a9fac5bb91af989ccf47c6ba5570b783833597852dd7a
Opcode Fuzzy Hash: 0f894544f6c9c09b675677028833547d0b2e42131a1d18c0ab1d641d3c471e45
Instruction Fuzzy Hash: 59114F70900618ABDB04EFA5CC89F9F7BBCFF05704F10446AF505BB181C77899458BA9

Function 004EE52C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EE577
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000D4), ref: 004EE59C
__vbaFreeObj.MSVBVM60 ref: 004EE5A4
__vbaHresultCheckObj.MSVBVM60(00000000,00401E48,0041AA4C,00000390), ref: 004EE5DE

Strings

FontUnderline, xrefs: 004EE5AE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontUnderline
API String ID: 3976024557-486341563
Opcode ID: 7ccba80f60fdd6138f7cbc7c75184279a64ebda9eaf4abd52fb30f7c3d9cccd8
Instruction ID: cc0f0928fb837e5cf57504f7f2bc09c58d4fbde0bef87c5d1316aeec347f7760
Opcode Fuzzy Hash: 7ccba80f60fdd6138f7cbc7c75184279a64ebda9eaf4abd52fb30f7c3d9cccd8
Instruction Fuzzy Hash: C5117F70900614BBCB01EFA6C989F9F7BBCFF05708F00406AF504BB181D77895048BA9

Function 004ECD3B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004ECD86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004ECDA5
__vbaFreeObj.MSVBVM60 ref: 004ECDAD
__vbaHresultCheckObj.MSVBVM60(00000000,00401C88,0041A7CC,00000390), ref: 004ECDE7

Strings

BorderColor2, xrefs: 004ECDB7

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor2
API String ID: 3976024557-23425314
Opcode ID: 5d48e738694b499539f1acafdf71757fcc91f3c3c7928fbb066f3ee28bada1c4
Instruction ID: 5b28967f4e9c900c6bc584ad1d567eca15307c4e93d59bc42e1e5d57421fbb3f
Opcode Fuzzy Hash: 5d48e738694b499539f1acafdf71757fcc91f3c3c7928fbb066f3ee28bada1c4
Instruction Fuzzy Hash: F0115970900604ABDB00AFA9CC89F9F7BBCFF05705F40406AB405BB182C77899458BA9

Function 004FC5A1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004FC5EC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000C4), ref: 004FC611
__vbaFreeObj.MSVBVM60 ref: 004FC619
__vbaHresultCheckObj.MSVBVM60(00000000,00402580,0041AF54,00000390), ref: 004FC653

Strings

FontItalic, xrefs: 004FC623

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontItalic
API String ID: 3976024557-2825144528
Opcode ID: dfcdcc6cf63efc3779e3c210caa3f21900f8c9af2da888cba57331ab7406aaad
Instruction ID: 23c0a0d49a1ba6db2acc1eb6cfd8df38879080be6f6740d6714d4ef90730ae8c
Opcode Fuzzy Hash: dfcdcc6cf63efc3779e3c210caa3f21900f8c9af2da888cba57331ab7406aaad
Instruction Fuzzy Hash: 69116D70901608BBDB10AFA5C989F9F7BACFF09704F10446AF504BB181C77899088BA9

Function 004EDE64 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EDEAF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000C4), ref: 004EDED4
__vbaFreeObj.MSVBVM60 ref: 004EDEDC
__vbaHresultCheckObj.MSVBVM60(00000000,00401DC8,0041AA4C,00000390), ref: 004EDF16

Strings

FontItalic, xrefs: 004EDEE6

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontItalic
API String ID: 3976024557-2825144528
Opcode ID: b613f7d62c31e75afb082284f19bf246b13d46fbbb19de095fffc4a24114cda9
Instruction ID: b9c6b38606129b5a78c76d27a74c1cafc57b40aeaea5572885e42a4677f119a2
Opcode Fuzzy Hash: b613f7d62c31e75afb082284f19bf246b13d46fbbb19de095fffc4a24114cda9
Instruction Fuzzy Hash: D9113A70900604ABDB10EFA9CC89F9F7BECEF05745F50456AF905BB182C77899448BA9

Function 004E0678 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E06C3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000C4), ref: 004E06E8
__vbaFreeObj.MSVBVM60 ref: 004E06F0
__vbaHresultCheckObj.MSVBVM60(00000000,00401530,0041993C,00000390), ref: 004E072A

Strings

FontItalic, xrefs: 004E06FA

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: FontItalic
API String ID: 3976024557-2825144528
Opcode ID: 76a904094623b0810db3d2a03a2550317051f14f702fc55d4243e6b60fc12c9f
Instruction ID: 6d25b37d30cbf44a5c6537f378666cabfe89a8cd33ea4e39062da1c589e50e6a
Opcode Fuzzy Hash: 76a904094623b0810db3d2a03a2550317051f14f702fc55d4243e6b60fc12c9f
Instruction Fuzzy Hash: 2D116A70900604BBDB00AFA6C889F9F7BACFF05744F40406AF505BB181D7B8A9458BA9

Function 004DFE12 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004DFE5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000EC), ref: 004DFE82
__vbaFreeObj.MSVBVM60 ref: 004DFE8A
__vbaHresultCheckObj.MSVBVM60(00000000,004014A0,0041993C,00000390), ref: 004DFEC4

Strings

Alignment, xrefs: 004DFE94

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: Alignment
API String ID: 3976024557-2923404543
Opcode ID: e98960e18b7e3675f12411fd5401742b0c525c3b6e0b68e969c2b8bf1aa72fd2
Instruction ID: b996f1c2780dc0862021f30e70fc58f9c4bdec51e09cbbd3578e711d433013ca
Opcode Fuzzy Hash: e98960e18b7e3675f12411fd5401742b0c525c3b6e0b68e969c2b8bf1aa72fd2
Instruction Fuzzy Hash: B0118E70900604BBDB10EFA5CC8AF9F7BBCEF04704F40406AF501BB292C77899098BA9

Function 004EE6C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004EE713
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000006C), ref: 004EE732
__vbaFreeObj.MSVBVM60 ref: 004EE73A
__vbaHresultCheckObj.MSVBVM60(00000000,00401E68,0041AA4C,00000390), ref: 004EE774

Strings

ForeColor, xrefs: 004EE744

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: ForeColor
API String ID: 3976024557-3216175
Opcode ID: 2e38a6e7e5a766e47484bdb3ce6a8f18ee08b7e6c4a6fd4ccf419e1d0ed93f91
Instruction ID: 866f38a2db72868106b7a67b38bc3e5965d2026470e66f1c150a3c108edd4727
Opcode Fuzzy Hash: 2e38a6e7e5a766e47484bdb3ce6a8f18ee08b7e6c4a6fd4ccf419e1d0ed93f91
Instruction Fuzzy Hash: 1B117C70900614ABCB00EFA6C889F9F7BBCEF09745F40406AF545BB182C77899058BA9

Function 004E0EDC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E0F27
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,0000006C), ref: 004E0F46
__vbaFreeObj.MSVBVM60 ref: 004E0F4E
__vbaHresultCheckObj.MSVBVM60(00000000,004015D0,0041993C,00000390), ref: 004E0F88

Strings

ForeColor, xrefs: 004E0F58

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: ForeColor
API String ID: 3976024557-3216175
Opcode ID: 406bbcda7814d0a1cefe8480faa4ba4b11a4a32cf76565c4ff24b4ed90eaf98e
Instruction ID: af350e4f9705edb47ebb9b6b20b19d1c230feb6c06d58c3c5e33721fb658d60e
Opcode Fuzzy Hash: 406bbcda7814d0a1cefe8480faa4ba4b11a4a32cf76565c4ff24b4ed90eaf98e
Instruction Fuzzy Hash: 5D117C70900604BFCB10EFA6CC89F9F7BBCEF04705F50406AF941AB182C7B899448BA9

Function 004ECED1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004ECF1C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A510,0000005C), ref: 004ECF3B
__vbaFreeObj.MSVBVM60 ref: 004ECF43
__vbaHresultCheckObj.MSVBVM60(00000000,00401CA8,0041A7CC,00000390), ref: 004ECF7D

Strings

BorderColor3, xrefs: 004ECF4D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID: BorderColor3
API String ID: 3976024557-1986150836
Opcode ID: 16ed2e2936ec6b9663b935d59d4433c75ed3dfbe86239eeecd1044ae7cdd3b60
Instruction ID: c45510195e61f37f94bbee8202f0d4355baf8e9a7712f77017f9c1ce3927faae
Opcode Fuzzy Hash: 16ed2e2936ec6b9663b935d59d4433c75ed3dfbe86239eeecd1044ae7cdd3b60
Instruction Fuzzy Hash: B7114C70900604AFDB11EFAACC89F9F7BBCEF05749F50406AF501BB192C77899458BA9

Function 00518211 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,00404F16), ref: 00518268
__vbaObjSetAddref.MSVBVM60(?,h6@,?,?,?,?,?,?,?,?,00404F16), ref: 0051827D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010,?,?,?,?,?,?,?,?,00404F16), ref: 00518299
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 005182A1

Strings

h6@, xrefs: 0051823A, 0051824A, 00518275

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID: h6@
API String ID: 1649212984-1178964847
Opcode ID: 239c662730269d4b1db575c06dc440703440ed0988b96c7f757bff555d7d2f87
Instruction ID: e6fd44d5e45fe02f1ede8b4280021bf91cd4011f195a8bdf1388dfdf80541122
Opcode Fuzzy Hash: 239c662730269d4b1db575c06dc440703440ed0988b96c7f757bff555d7d2f87
Instruction Fuzzy Hash: 8C1173B5901609AFC710EFA9C886EDEBFB8FF48705F50802AF510B7281D7B85540DB95

Function 004F5203 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5256
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000050,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5276
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5284
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F528C

Strings

x!@, xrefs: 004F5231, 004F5236, 004F5241

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove
String ID: x!@
API String ID: 2435256576-1608561801
Opcode ID: cf266041ea5a909c6c10e08460f0157bc2c1b7a6b3fbd0ed2e6755fd12fdd283
Instruction ID: e5220e91403f782d9b4ebd7a92a1650f6eb6bda94df60ac1787d75eb32c4fb00
Opcode Fuzzy Hash: cf266041ea5a909c6c10e08460f0157bc2c1b7a6b3fbd0ed2e6755fd12fdd283
Instruction Fuzzy Hash: 7E112B70800619ABCB10DF96C849EAEFBFCFF58300F11415BF500A3290D7785A418FA5

Function 005004B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,00404F16), ref: 00500507
__vbaObjSetAddref.MSVBVM60(?,h(@,?,?,?,?,?,?,?,?,00404F16), ref: 0050051C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010,?,?,?,?,?,?,?,?,00404F16), ref: 00500538
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00500540

Strings

h(@, xrefs: 005004D9, 005004E9, 00500514

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID: h(@
API String ID: 1649212984-2449779888
Opcode ID: b21aaca1e47063aaa13c6a98ae09f10b277d0f22f1e12d252d63585438b1d461
Instruction ID: 58b56f0dbcbee14896f65a12afd1b35362113535aaacf9aee64a5290e181aaa1
Opcode Fuzzy Hash: b21aaca1e47063aaa13c6a98ae09f10b277d0f22f1e12d252d63585438b1d461
Instruction Fuzzy Hash: 421151B1900605ABC710EF99CC86B9EBFB8FB44705F50816AF500B72C1D3785544DF95

Function 00530E97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,00404F16), ref: 00530EEE
__vbaObjSetAddref.MSVBVM60(?,@G@,?,?,?,?,?,?,?,?,00404F16), ref: 00530F03
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010,?,?,?,?,?,?,?,?,00404F16), ref: 00530F1F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00530F27

Strings

@G@, xrefs: 00530EC0, 00530ED0, 00530EFB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID: @G@
API String ID: 1649212984-1178586240
Opcode ID: 156a1d2ae02b9594d1fba5b588c6f6a5336b89b3199501c5a50fac4e94b5b5a4
Instruction ID: 4d252de5ba878ba93be17169ebd8517a7d26f93a267c4f9285fe4c4bf0c32cea
Opcode Fuzzy Hash: 156a1d2ae02b9594d1fba5b588c6f6a5336b89b3199501c5a50fac4e94b5b5a4
Instruction Fuzzy Hash: B21173B5940705ABC710EF99C896A9EBFBCFF48704F50806AF504A72C1D3B85544DB95

Function 004FE212 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FE265
__vbaLateIdSt.MSVBVM60(?,00000003), ref: 004FE289
__vbaObjSetAddref.MSVBVM60(?,00000000,?,00000003), ref: 004FE293
__vbaFreeObj.MSVBVM60(004FE2A9,?,00000000,?,00000003), ref: 004FE2A3

Strings

All Files (*.*)|*.*| MS Access Files (*.mdb)|*.mdb|, xrefs: 004FE26F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefFreeLate
String ID: All Files (*.*)|*.*| MS Access Files (*.mdb)|*.mdb|
API String ID: 3122603911-1233936591
Opcode ID: 8e71b08feadc04f9d38c52f84e1cbcf2218d0a8a80577252de3fd8856e383075
Instruction ID: af9ad084b75973d24032173062b5938f34727269ddaf23163ef183613df909cd
Opcode Fuzzy Hash: 8e71b08feadc04f9d38c52f84e1cbcf2218d0a8a80577252de3fd8856e383075
Instruction Fuzzy Hash: 97113071C00608AFCB10EFA9C985ACEBBB8EF08714F10446AF940BB191D7785A448F95

Function 0051515D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaObjVar.MSVBVM60(00000000,ActivateChild,00000001), ref: 005151C2
__vbaLateMemCall.MSVBVM60(00000000,00000000,ActivateChild,00000001), ref: 005151C8
__vbaFreeVar.MSVBVM60(005151E5), ref: 005151DF

Strings

ActivateChild, xrefs: 005151B8
4@, xrefs: 00515186, 00515196

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CallFreeLate
String ID: ActivateChild$4@
API String ID: 1495027727-3084841106
Opcode ID: 202e86e2cafd25f97e8028d110a7093e8cad73154f8be019811b25015275e972
Instruction ID: 7bc8cc0bd6cdb7a2b35294cda74c747721a95d7b784dde36d736ce46ac8d2013
Opcode Fuzzy Hash: 202e86e2cafd25f97e8028d110a7093e8cad73154f8be019811b25015275e972
Instruction Fuzzy Hash: EF012571C51608ABCB00EF59CA46BCEBBF8EB05714F54415AF9407B181D3B96A448B95

Function 0052F246 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052F29F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052F2C5
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052F2D3
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052F2E8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0052F2F0

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove
String ID:
API String ID: 162419962-0
Opcode ID: bcf4818c9430a7de09a201f467ad81de30d29266fc66f49ef1fa883c380d1057
Instruction ID: 0bfd0a162346dcd6892376213f6b3c446bf3109dc1d1739e4553a973bd81fbc1
Opcode Fuzzy Hash: bcf4818c9430a7de09a201f467ad81de30d29266fc66f49ef1fa883c380d1057
Instruction Fuzzy Hash: FD217CB1900219AFCB00EF95C889EEEBBB8FF09304F50457EF541A7281D7386A018FA5

Function 00530473 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 005304CC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A0,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 005304F2
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00530500
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 00530515
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 0053051D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove
String ID:
API String ID: 162419962-0
Opcode ID: c9cda3835f1ea6a89d64737104a8422b9bc5e267b608005c13dea89fe5f859a7
Instruction ID: f12f7b9355ee36709411a75d39becede462832a3d99e57a3d8635d5fc46fac95
Opcode Fuzzy Hash: c9cda3835f1ea6a89d64737104a8422b9bc5e267b608005c13dea89fe5f859a7
Instruction Fuzzy Hash: E12141B1D00209AFCB10EF95C889EEEBBB8FF48704F50456EF545A7281D77869058F95

Function 004ED99E Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED9F1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000170,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDA17
__vbaCastObj.MSVBVM60(?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDA24
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004EDA2E
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,00419B40), ref: 004EDA3D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID:
API String ID: 2024406958-0
Opcode ID: 434ce393f2221c1aaa0b6aaadbe2c6dd699cb37eb4624b9f29d004ed45aa43c1
Instruction ID: 1e70baf95fd453155bb5d7778930cc139d31d96c06919e4f2c0359bd3f17ef2f
Opcode Fuzzy Hash: 434ce393f2221c1aaa0b6aaadbe2c6dd699cb37eb4624b9f29d004ed45aa43c1
Instruction Fuzzy Hash: 4911FCB1900618ABCB01EF96CC49EDFBBFCEF58700F10456BF504B3151D7786A418AA5

Function 004E0200 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0253
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000170,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0279
__vbaCastObj.MSVBVM60(?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0286
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0290
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,00419B40), ref: 004E029F

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID:
API String ID: 2024406958-0
Opcode ID: f08e071b95ddb9bdb274ef3ca1c677e34d11c7e3148d2297550d04fbe8ace13c
Instruction ID: 27955c87857317e8c704d558b0a49c344e7570ced3288574a4699d59cee3e06e
Opcode Fuzzy Hash: f08e071b95ddb9bdb274ef3ca1c677e34d11c7e3148d2297550d04fbe8ace13c
Instruction Fuzzy Hash: F011FC71900618ABCB11AF96C84AEDFBBFCEF58700F14416BF504B3151D77859418AA9

Function 004F75E2 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7635
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7655
__vbaCastObj.MSVBVM60(?,0041A69C,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7662
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F766C
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,0041A69C), ref: 004F767B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID:
API String ID: 2024406958-0
Opcode ID: 7a954a868aad102bf042998618e0789d89bbe564fcdc1a4a772cc297a314ce62
Instruction ID: 47a07bc77194bec7ce842bcf94019d730f2b7cad6f5a0602454ae036c8da2f27
Opcode Fuzzy Hash: 7a954a868aad102bf042998618e0789d89bbe564fcdc1a4a772cc297a314ce62
Instruction Fuzzy Hash: E21117B1900618ABCB01EF99C84AEAFBBBCAF58700F10415BF505B3291D67859058EA5

Function 004FA640 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FA693
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419EF8,00000058,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FA6B3
__vbaCastObj.MSVBVM60(?,0041A69C,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FA6C0
__vbaObjSet.MSVBVM60(?,00000000,?,0041A69C,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FA6CA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,0041A69C), ref: 004FA6D9

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID:
API String ID: 2024406958-0
Opcode ID: e38c57e92a5fdaf2fdee209d95f9ac2cf084d89e0a73addaf3ba4bd97d81a66b
Instruction ID: 99221c954f0a80d98ab2fc2f696527ebd514bc6de0696a83682e2a38f585ec1e
Opcode Fuzzy Hash: e38c57e92a5fdaf2fdee209d95f9ac2cf084d89e0a73addaf3ba4bd97d81a66b
Instruction Fuzzy Hash: E61129B1900618ABCB11EF95C84AEEFBBFCEF58700F10405BF904B3291D77899058EA6

Function 004F567B Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F56CE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000170,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F56F4
__vbaCastObj.MSVBVM60(?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5701
__vbaObjSet.MSVBVM60(?,00000000,?,00419B40,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F570B
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,00419B40), ref: 004F571A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CastCheckFreeHresultList
String ID:
API String ID: 2024406958-0
Opcode ID: a88b47ebbe873fb88487135527533b87884afb7af4b8cfd168312a68f4660696
Instruction ID: f4c9dcd9e20ae710b151340c2cc937bfc6dc9f33bfbb676b3c69b051de3d6954
Opcode Fuzzy Hash: a88b47ebbe873fb88487135527533b87884afb7af4b8cfd168312a68f4660696
Instruction Fuzzy Hash: 0911FC71900618ABCB01AF95C84AEEFBBFCEF58700F14416BF604A3251D77859418AA5

Function 00500624 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__vbaStrCmp.MSVBVM60(0041A0C4,00000000,?,?,?,?,?,?,?,?,00404F16), ref: 00500672
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00404F16), ref: 00500689
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4,?,?,?,?,?,?,?,?,00404F16), ref: 005006AE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 005006B6
__vbaFreeStr.MSVBVM60(005006D7,0041A0C4,00000000,?,?,?,?,?,?,?,?,00404F16), ref: 005006D1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult
String ID:
API String ID: 1630692628-0
Opcode ID: 237ab86cbeb4756accc68f4f6aef27bb933f555e6c9230234585de5d0c66e46f
Instruction ID: 9204289a7b33c0624be6cd3a7c8c0bbd56dd7d85f08ff39aba4455496b030632
Opcode Fuzzy Hash: 237ab86cbeb4756accc68f4f6aef27bb933f555e6c9230234585de5d0c66e46f
Instruction Fuzzy Hash: 81116A71D01615ABCB10EFA6C94AEAFBFB8EF84700F50406AF940A72D1D7785A418BD5

Function 005219B0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041B32C,?), ref: 005219E7

Part of subcall function 00521A55: __vbaStrCopy.MSVBVM60(00000000), ref: 00521A8D
Part of subcall function 00521A55: __vbaNew2.MSVBVM60(0041B2FC,00538028,00000000), ref: 00521AA5
Part of subcall function 00521A55: __vbaFreeStr.MSVBVM60(00538028,?,00000000,000000FF,00000000), ref: 00521AC4

__vbaNew2.MSVBVM60(0041B32C,?,?,0041B32C,?), ref: 00521A04
__vbaCastObj.MSVBVM60(00000000,0041B31C,?,0041B32C,?), ref: 00521A25
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,?,0041B32C,?), ref: 00521A2F
__vbaFreeObj.MSVBVM60(00521A42,?,00000000,00000000,0041B31C,?,0041B32C,?), ref: 00521A3C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$New2$Free$CastCopy
String ID:
API String ID: 2638285390-0
Opcode ID: 0ee644230dd1ad49ab248db6ad7c9aeebb2a2c9d706d87f5ec4d80595d9cfd17
Instruction ID: 852cf83f5f355bf65b36aab629da9f45fac7c03f605ef473c69e619bb92c22a4
Opcode Fuzzy Hash: 0ee644230dd1ad49ab248db6ad7c9aeebb2a2c9d706d87f5ec4d80595d9cfd17
Instruction Fuzzy Hash: 200121B1C01659AACB10EBA5C846EFFBFBCEF55700F90042AB200F2181D73855458AE5

Function 00500576 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaStrCmp.MSVBVM60(0041A0C4,00000000), ref: 005005AC
__vbaObjSet.MSVBVM60(?,00000000), ref: 005005C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041B688,000000A4), ref: 005005EB
__vbaFreeObj.MSVBVM60 ref: 005005F3
__vbaFreeStr.MSVBVM60(00500611,0041A0C4,00000000), ref: 0050060B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult
String ID:
API String ID: 1630692628-0
Opcode ID: dcc62d86bbb7597419c2df5ca355e5694e34ddc61a238f20df386b20c23a24c6
Instruction ID: 3902edc84c1a4b55625d56f89ddda921c9f0b0a87db1de11774749450d18e35f
Opcode Fuzzy Hash: dcc62d86bbb7597419c2df5ca355e5694e34ddc61a238f20df386b20c23a24c6
Instruction Fuzzy Hash: 880180B0941605ABCB10EF96CD4AFAF7EBCEF85740F50042AB100B71C1DA789A01CAA6

Function 0051C0DF Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0051C116
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 0051C12E
__vbaObjSetAddref.MSVBVM60(00000000,?), ref: 0051C140
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 0051C159
__vbaFreeObj.MSVBVM60 ref: 0051C161

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckCopyFreeHresultNew2
String ID:
API String ID: 540507047-0
Opcode ID: 0daff6f14f4ccc7b0071c35feb95f388bb269f7e0b1580b941adc0112949a09c
Instruction ID: 71746f7c3750a82a9ba069b07a8b6c8a73500c9c2d6e978d3fcbcca0e9262e5c
Opcode Fuzzy Hash: 0daff6f14f4ccc7b0071c35feb95f388bb269f7e0b1580b941adc0112949a09c
Instruction Fuzzy Hash: 1C0192B1580305BBE710EB56CC0AF9B7B6CFB40705F50441AF500732C2D3B96944DAEA

Function 00515BE2 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00515C19
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00515C31
__vbaObjSetAddref.MSVBVM60(00000000,?), ref: 00515C43
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 00515C5C
__vbaFreeObj.MSVBVM60 ref: 00515C64

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckCopyFreeHresultNew2
String ID:
API String ID: 540507047-0
Opcode ID: 6494bb6e53357f2a8fdc5712276c0285e9346c4a647f08a6ef084d4f7bc0e3ef
Instruction ID: 197ed07d881e998d140fda315f0a4241a0625671706e18ca835a3abbdcf97354
Opcode Fuzzy Hash: 6494bb6e53357f2a8fdc5712276c0285e9346c4a647f08a6ef084d4f7bc0e3ef
Instruction Fuzzy Hash: 580180B0500705ABE710EF56CD4AF9B7A6CFB80709F50001AB500731C1E3B86D44DAEA

Function 00530C84 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00530CBB
__vbaNew2.MSVBVM60(00419EE8,00539E00), ref: 00530CD3
__vbaObjSetAddref.MSVBVM60(00000000,?), ref: 00530CE5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010), ref: 00530CFE
__vbaFreeObj.MSVBVM60 ref: 00530D06

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckCopyFreeHresultNew2
String ID:
API String ID: 540507047-0
Opcode ID: 2f957190e178d66f553501036753481c54c7c856f562d9607499216d8096e6fc
Instruction ID: 0c2984f3d166ea98271013cacc4adcaa6cd8ced29a1d5dbd621f01a09f3c20cb
Opcode Fuzzy Hash: 2f957190e178d66f553501036753481c54c7c856f562d9607499216d8096e6fc
Instruction Fuzzy Hash: 4E01B1B0500709BBD710EB96CD1AFAB7BACFB40705FA0442AF500735C1D7B86D14CAAA

Function 004F8018 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00404F16,0041AF04,00000060), ref: 004F807A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041A048,00000020,?,BackColor), ref: 004F80CC

Strings

BackColor, xrefs: 004F80B3
8#@, xrefs: 004F8041, 004F80D8, 004F8051, 004F80DD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: CheckHresult__vba
String ID: 8#@$BackColor
API String ID: 2812612143-4171397432
Opcode ID: 107cac6dd1d5699fc0bc8ff9f1775b17d848117a81ad2b0cb13387eca28ade8a
Instruction ID: a0079a1a19d41d76de485244102ad74cd7faa03a02b3432558f6795aed72bf98
Opcode Fuzzy Hash: 107cac6dd1d5699fc0bc8ff9f1775b17d848117a81ad2b0cb13387eca28ade8a
Instruction Fuzzy Hash: F4217171A00708AFCB10DF68C945B9EBBF9FF49714F10445AF941AB281C779A905CB94

Function 004E3E7D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 004E3EBE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A318,00000114,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E3EE1
__vbaHresultCheckObj.MSVBVM60(00000000,00401770,0041A318,00000390), ref: 004E3F1B

Strings

ScaleMode, xrefs: 004E3EEB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult
String ID: ScaleMode
API String ID: 713191129-3861612929
Opcode ID: 4a6443acd0e021f909123f7264ac13fa609fe4bffd66e8ce02dc84f2d727d40e
Instruction ID: b6ca8cd86e0de14779a4ccaed57f6324f954a0013eea16d80a5ccd5627b57fe2
Opcode Fuzzy Hash: 4a6443acd0e021f909123f7264ac13fa609fe4bffd66e8ce02dc84f2d727d40e
Instruction Fuzzy Hash: 89116D71900708AFDB01EF59C989F9F7BB8FF45704F00446AF805AB292C77999148BA5

Function 004F3364 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00404F16,0041AA4C,00000064,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F33BA
__vbaHresultCheckObj.MSVBVM60(00000000,0 @,0041AA4C,00000390), ref: 004F33F4

Strings

0 @, xrefs: 004F3394, 004F33F9, 004F3399, 004F33DA, 004F33F2, 004F33FE
BackColor, xrefs: 004F33C4

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: CheckHresult__vba
String ID: 0 @$BackColor
API String ID: 2812612143-3577706661
Opcode ID: d265e262495f45e4efda967ddfd43afb7213431afadff31ade5c64bdf9fa871a
Instruction ID: 062aca6a0b8b479fdb93e5beac6349a56d5fe26359a0656297e0807893e29d3f
Opcode Fuzzy Hash: d265e262495f45e4efda967ddfd43afb7213431afadff31ade5c64bdf9fa871a
Instruction Fuzzy Hash: F0114C71A00704AFCB00EF99C989F9B7BF8FF45704F10849AF905AB282C7799915CBA4

Function 004F7E73 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00404F16,0041AF04,00000064,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F7EC9
__vbaHresultCheckObj.MSVBVM60(00000000, #@,0041AF04,00000390), ref: 004F7F03

Strings

BackColor, xrefs: 004F7ED3
#@, xrefs: 004F7EA3, 004F7F08, 004F7EA8, 004F7EE9, 004F7F01, 004F7F0D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: CheckHresult__vba
String ID: #@$BackColor
API String ID: 2812612143-379980943
Opcode ID: 1919661b576739e176f4b9c4363dfacd211a0200eee2be168d96b0adf3acda27
Instruction ID: 4d39d1324a3e5502c06f9854be199ca94fe16ae9e5f95dd0d532198de671cc24
Opcode Fuzzy Hash: 1919661b576739e176f4b9c4363dfacd211a0200eee2be168d96b0adf3acda27
Instruction Fuzzy Hash: 12115E71A00704AFCB00EF99C989F9B7BF9FF45704F10849AF901AB282C7799915CBA4

Function 005028E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00502941
#595.MSVBVM60(00000000,00000040,?,?,?), ref: 00502958
__vbaFreeVarList.MSVBVM60(00000004,00000000,?,?,?,00000000,00000040,?,?,?), ref: 0050296F

Strings

No record found., xrefs: 00502933

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$#595FreeList
String ID: No record found.
API String ID: 319278861-4185894156
Opcode ID: 3a5d27559125199f11ffd65013765be00b55772862244132afb2313856b47c9d
Instruction ID: 424fee51522c75f4ed5493438c8ea16e37c8601f25e07261c1125f2b4cb77f25
Opcode Fuzzy Hash: 3a5d27559125199f11ffd65013765be00b55772862244132afb2313856b47c9d
Instruction Fuzzy Hash: D11193B291025CAADB51DBC4DC85FEEBBBCFB08704F54452EE205B6280E7B855088BA5

Function 00501C31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00411D70,005381EC), ref: 00501C7C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C0F0,000006F8), ref: 00501CA6
__vbaFreeVar.MSVBVM60 ref: 00501CC5

Strings

H)@, xrefs: 00501CB2, 00501CBB

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: H)@
API String ID: 1645334062-3008551697
Opcode ID: c530c018f6c21fc10e3195adfe89896760b51f9a9f2bebddf56b6fee3d43b8b7
Instruction ID: f9d94759748f7a70d6750c327346e75d36be92f3300f31a6567fceaa35df2ddd
Opcode Fuzzy Hash: c530c018f6c21fc10e3195adfe89896760b51f9a9f2bebddf56b6fee3d43b8b7
Instruction Fuzzy Hash: 34117070981A09AFCB00EF95DD89AAEBFB8FF95704F10406AF000A7290DAB46941CB59

Function 004F5DB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5DFE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000B0,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5E24
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5E32

Strings

0"@, xrefs: 004F5DDE, 004F5DE3, 004F5DE9

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: 0"@
API String ID: 444973724-172243762
Opcode ID: 1343ffc5317c6ad3f0758a40f75581ba6c042ff3e90104e73d6d159e014d8e60
Instruction ID: 533800e79ee4b57f9953f7c451be15a2cc263c114b663114879046d95be37bf2
Opcode Fuzzy Hash: 1343ffc5317c6ad3f0758a40f75581ba6c042ff3e90104e73d6d159e014d8e60
Instruction Fuzzy Hash: 78112775900619ABCB00AF99C849AAFFBFCEF58700F10405AF540A3291C77856418EA9

Function 004F60FC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F614A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000068,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F616A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 004F6178

Strings

p"@, xrefs: 004F612A, 004F612F, 004F6135

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: p"@
API String ID: 444973724-2061416178
Opcode ID: 9cc3724ac94d520775543d24d196b433462b10ea77c9a3da4da8e23876022733
Instruction ID: 51867222cf59be2bd8d0a00f0d6809b5be915e45ffc8615500401ae80854eb9c
Opcode Fuzzy Hash: 9cc3724ac94d520775543d24d196b433462b10ea77c9a3da4da8e23876022733
Instruction Fuzzy Hash: 40112770D00619ABCB10EFA9C949EAFBBFCEF58700F10405BF504A3291D77859058FA5

Function 004FC33E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC38C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000B8,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC3B2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC3C0

Strings

P%@, xrefs: 004FC36C, 004FC371, 004FC377

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: P%@
API String ID: 444973724-231892693
Opcode ID: f7f923a4fb9ea7359aff81e821db6a4c5e89b1e2612ff22222329cf3692693d4
Instruction ID: bb8edfe9b23dbed9831b86d3d2f934a933d1e86328541a523dc02dd00abb6aa9
Opcode Fuzzy Hash: f7f923a4fb9ea7359aff81e821db6a4c5e89b1e2612ff22222329cf3692693d4
Instruction Fuzzy Hash: 91111870C40619ABCB10EF998989EAEBBFCEF58700F10805BF944E3291D77855018FA5

Function 004FBC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FBCAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000E8,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FBCD2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 004FBCE0

Strings

$@, xrefs: 004FBC8C, 004FBC91, 004FBC97

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: $@
API String ID: 444973724-1661285546
Opcode ID: 504d153f7969db65700099dbd2ac67bc4663abf3f21056eefa2b0879a0948bef
Instruction ID: eb5a2be4558d59cadf8250bd0ab475540c5dbdb9d04ad63163830674470f5aba
Opcode Fuzzy Hash: 504d153f7969db65700099dbd2ac67bc4663abf3f21056eefa2b0879a0948bef
Instruction Fuzzy Hash: 54111870800659ABCB10EF9AC949AAFBBFCEF58700F14445BF945B3241D77855018FA5

Function 004FC4E2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC530
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000C0,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC556
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC564

Strings

p%@, xrefs: 004FC510, 004FC515, 004FC51B

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult
String ID: p%@
API String ID: 444973724-899620917
Opcode ID: aa34260bcd1ff7febeb950851441570397a112621a445c13bd1cd7efe5ca3c6b
Instruction ID: 6257e1a818c0c3c2de2e5c99b2dc932b38b6ee79638342b007ea1db39342c753
Opcode Fuzzy Hash: aa34260bcd1ff7febeb950851441570397a112621a445c13bd1cd7efe5ca3c6b
Instruction Fuzzy Hash: 3E1127B0C40619ABCB10EF99C989EAEBBFCEF58700F10455BF500A3291D77869418FA9

Function 00407089 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 005000D1
__vbaInStr.MSVBVM60(?,?,?,?), ref: 005000E7
__vbaI4Str.MSVBVM60(?), ref: 005000F3
__vbaStrI4.MSVBVM60(?,?,00000000,?), ref: 005000FF
__vbaStrMove.MSVBVM60(?,?,00000000,?), ref: 00500109
__vbaInStr.MSVBVM60(00000000,00000000,?,?,00000000,?), ref: 00500110
__vbaFreeStr.MSVBVM60(00000000,00000000,?,?,00000000,?), ref: 0050011A
__vbaFreeStr.MSVBVM60(00500147,00000000,00000000,?,?,00000000,?), ref: 00500141

Strings

((@, xrefs: 005000B9, 005000BE

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Free$CopyMove
String ID: ((@
API String ID: 2699951647-3802014064
Opcode ID: 930c39fa7e960b2c389c818471b7e82adbb61b47b824a0cee5d9424fbbe923fd
Instruction ID: 9e4676f4ead64293d60bc971e4ca418a7769a72e94ef41c2493fbd08f9750ede
Opcode Fuzzy Hash: 930c39fa7e960b2c389c818471b7e82adbb61b47b824a0cee5d9424fbbe923fd
Instruction Fuzzy Hash: CE11577480020AEBCB10EF59C946AAEBFF9FF84304F50952AE901A32D0C774AA45DB91

Function 005150C4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__vbaObjVar.MSVBVM60(00000000,Show,00000001), ref: 00515124
__vbaLateMemCall.MSVBVM60(00000000,00000000,Show,00000001), ref: 0051512A
__vbaFreeVar.MSVBVM60(00515140), ref: 0051513A

Strings

Show, xrefs: 0051511A

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CallFreeLate
String ID: Show
API String ID: 1495027727-2453435967
Opcode ID: b76e976cda6d0b0d2090b4149372d5b9796b8df961f86cb205fdc729c9a59e9a
Instruction ID: 4ae96ccf300e44e7a4f6e323d291836a4ece3e809a5865f1abaa0b9bff6292b7
Opcode Fuzzy Hash: b76e976cda6d0b0d2090b4149372d5b9796b8df961f86cb205fdc729c9a59e9a
Instruction Fuzzy Hash: 370186B1C01608BFCB00EFA9CA46BCFBBBCEB49704F504059F500BB181D3B96A048BA5

Function 00521A55 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(00000000), ref: 00521A8D
__vbaNew2.MSVBVM60(0041B2FC,00538028,00000000), ref: 00521AA5
__vbaFreeStr.MSVBVM60(00538028,?,00000000,000000FF,00000000), ref: 00521AC4

Strings

SELECT * FROM tblYearLevel, xrefs: 00521A85

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CopyFreeNew2
String ID: SELECT * FROM tblYearLevel
API String ID: 2743986834-2915690607
Opcode ID: fbe73b78ec1e7ec38f2a514728e577355fb5d439d1d8bfb3df63ed828b924150
Instruction ID: b1fd208b2b8bfb152de84772b448b39bba6cb5722b24ba845e4b3ec6d93c632f
Opcode Fuzzy Hash: fbe73b78ec1e7ec38f2a514728e577355fb5d439d1d8bfb3df63ed828b924150
Instruction Fuzzy Hash: 390171B6C00619ABC714DB95C84ABAF7F78EB55B24F50422AF511621C0D7B81A488BE9

Function 00407055 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004FFAC2
__vbaHresultCheckObj.MSVBVM60(00000000,'@,0041BF08,0000003C), ref: 004FFADE
__vbaFreeStr.MSVBVM60(004FFAF1), ref: 004FFAEB

Strings

'@, xrefs: 004FFAAF, 004FFAB4, 004FFACD, 004FFADC

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckCopyFreeHresult
String ID: '@
API String ID: 1296052212-1210607465
Opcode ID: dcfd8b1ea5ebd96a2a5c2ff9a29f34537cff20d6ec721f710034e272860f41ed
Instruction ID: 5945375082b7e3007e07d8dbadfc924c3f6975a95c73e2248f208f1fee234f9b
Opcode Fuzzy Hash: dcfd8b1ea5ebd96a2a5c2ff9a29f34537cff20d6ec721f710034e272860f41ed
Instruction Fuzzy Hash: 95012C74900609ABDB10EF56C94AFAFBBB8EF10704F50806AF644B71C1D7B86A45CBD9

Function 004DEC04 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004DEC5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419BD0,00000040,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004DEC7C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00419BE0,0000009C,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004DECA2
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004DECB1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$FreeList
String ID:
API String ID: 2772417511-0
Opcode ID: 1df26e2c93d4729d88a5983b05ac0f9014efeeb61cdff4dabcab968e32200a33
Instruction ID: bf83431d8225d1704ccb257823c0d9e5d6805d69b17f25231c77320fba7420eb
Opcode Fuzzy Hash: 1df26e2c93d4729d88a5983b05ac0f9014efeeb61cdff4dabcab968e32200a33
Instruction Fuzzy Hash: 162162B1910605BFD710EFA5C88AFAF7BBCEF08B44F10452AF545E7281D778A9418BA4

Function 004F2A0C Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00080001,0041AA4C,000002C8,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F2A75
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F2A87
__vbaHresultCheckObj.MSVBVM60(00000000,00401FD0,0041AA4C,0000021C,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F2AA6
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F2AAE

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free
String ID:
API String ID: 3976024557-0
Opcode ID: ccee592430d6c2d7aaea663e57da62d9c4861d315a12a1cfa7d66bd42cfa00cb
Instruction ID: ab29264d62a8b991de75565afef3168f1c60706a0f4a451b2c42c5bc10e09555
Opcode Fuzzy Hash: ccee592430d6c2d7aaea663e57da62d9c4861d315a12a1cfa7d66bd42cfa00cb
Instruction Fuzzy Hash: 3F112970941608ABCB10EF9AC949EAFFBFCEF58700F54841BF504A7291C7B855418FA5

Function 004E0034 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E0087
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000050,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E00A7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E00B5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004E00BD

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove
String ID:
API String ID: 2435256576-0
Opcode ID: 7d32a8fb4297b2089fa5508ffca8880facd0d61d571f287b87893260a46cc4c7
Instruction ID: 8ac5be47412d2257e690b38323e816c0cb590b113b3385f0850d85b5f87e5c42
Opcode Fuzzy Hash: 7d32a8fb4297b2089fa5508ffca8880facd0d61d571f287b87893260a46cc4c7
Instruction Fuzzy Hash: 0A111974900619ABCB10EF96C845EAEFBF8EF58300F10405BF550B3291D77859418FA5

Function 00501A4F Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,00404F16), ref: 00501AA6
__vbaObjSetAddref.MSVBVM60(?,00402918,?,?,?,?,?,?,?,?,00404F16), ref: 00501ABB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010,?,?,?,?,?,?,?,?,00404F16), ref: 00501AD7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 00501ADF

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: d41b3d350969ffc97ba8a967756cee3887752b29e2d0fbda6d659fe7c4a60226
Instruction ID: cc8aa187468602427ce9282dcd5591103f18bace6d6bdaaa463e5921cd491f38
Opcode Fuzzy Hash: d41b3d350969ffc97ba8a967756cee3887752b29e2d0fbda6d659fe7c4a60226
Instruction Fuzzy Hash: F31173B1A01605AFC700EF99C886A9EBFB8FF44714F50806AF500B72C1D3B85940DBD5

Function 004FDA61 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00419EE8,00539E00,?,?,?,?,?,?,?,?,00404F16), ref: 004FDAB8
__vbaObjSetAddref.MSVBVM60(?,00402680,?,?,?,?,?,?,?,?,00404F16), ref: 004FDACD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419ED8,00000010,?,?,?,?,?,?,?,?,00404F16), ref: 004FDAE9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00404F16), ref: 004FDAF1

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: 50daa9642495ed20633c0e8b250024df387ad28e209eb5d90ffe4a7d79dcbf48
Instruction ID: 97f9362cd9d389e5aeb3799cba44a843187e5a753a30bb7c033e357002da340f
Opcode Fuzzy Hash: 50daa9642495ed20633c0e8b250024df387ad28e209eb5d90ffe4a7d79dcbf48
Instruction Fuzzy Hash: 641173B1D00609ABCB10EF99CC86A9FBBB9FF44704F50842AF500A7281D3B85544DBD9

Function 004ED2DC Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED32F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,00000050,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED34F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED35D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ED365

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove
String ID:
API String ID: 2435256576-0
Opcode ID: 5b9e83ff7a4326fc7555537f62b3930ea831d9bd80a3cc65ec3dac3de1cd4d1f
Instruction ID: 82ea111ce2f85d81b6a3c5e97935a60bd2e8291f7b5260e284d7d6308b83858f
Opcode Fuzzy Hash: 5b9e83ff7a4326fc7555537f62b3930ea831d9bd80a3cc65ec3dac3de1cd4d1f
Instruction Fuzzy Hash: 4B11E975D00619ABCB10DF9AC845AAEFBB8EF58700F50405AE941A3291D77899418FA5

Function 004F5BD8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5C2B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000A8,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5C51
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5C5F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F5C67

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove
String ID:
API String ID: 2435256576-0
Opcode ID: fd2e1606dc2076d341bc9e052d44f0d6f808af66fca4756aed3a7219c86369ed
Instruction ID: 4df68bdf1970c63ed3c4cbdab2a8d7cddfcfb6607efe9e76e4953d9c0a7dcd44
Opcode Fuzzy Hash: fd2e1606dc2076d341bc9e052d44f0d6f808af66fca4756aed3a7219c86369ed
Instruction Fuzzy Hash: 6C1119B4900619ABCB10DF96C845EAEFBF8EF58700F10805BF541A3290D77859418FA5

Function 004FC686 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC6D9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00419F08,000000A8,?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC6FF
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC70D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FC715

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultMove
String ID:
API String ID: 2435256576-0
Opcode ID: 59c66e76e100b765011110b2039c2e1a84502dfa167f325e932460d5dce49205
Instruction ID: df202c76463d86e5a388c5c736c27de8a965b144c2924e1b17620657869d7b15
Opcode Fuzzy Hash: 59c66e76e100b765011110b2039c2e1a84502dfa167f325e932460d5dce49205
Instruction Fuzzy Hash: 27112B70900619AFCB10EF9AC985EAEFBFCEF58300F10405BF540A3290D77859018FA5

Function 004FF87D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004027C8,0041BF08,0000003C), ref: 004FF8D0
__vbaStrCopy.MSVBVM60 ref: 004FF8DD
__vbaHresultCheckObj.MSVBVM60(00000000,004027C8,0041BF08,0000003C), ref: 004FF8F9
__vbaFreeStr.MSVBVM60 ref: 004FF901

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$CopyFree
String ID:
API String ID: 339450102-0
Opcode ID: 43216a68281ca614cdfac9fbd5dec337e5229fc3d77e4559c902ff9b98b462a2
Instruction ID: 827b865e8d0549c434df92ffd129d055f328895d67e549c22d51371719cfce74
Opcode Fuzzy Hash: 43216a68281ca614cdfac9fbd5dec337e5229fc3d77e4559c902ff9b98b462a2
Instruction Fuzzy Hash: 32015E70541609BBDB10AF66C94AFAF7BACEF10744F50402AB600B71D1D7B8A6058B99

Function 0051E475 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__vbaCastObj.MSVBVM60(00000000,0041B31C,?,?,?,?,?,00404F16), ref: 0051E4C0
__vbaObjSet.MSVBVM60(?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 0051E4CA
__vbaObjSetAddref.MSVBVM60(004039A4,00000000,?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 0051E4D4
__vbaFreeObj.MSVBVM60(004039A4,00000000,?,00000000,00000000,0041B31C,?,?,?,?,?,00404F16), ref: 0051E4DC

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCastFree
String ID:
API String ID: 247606873-0
Opcode ID: 30a5548f999f97f552314ab897affd03a700e03ac1191ccb79f8162b517f37b9
Instruction ID: b11b8ae86bd7a930f8c3d1155ba72ee8c678ce14930814eec562567290415ba0
Opcode Fuzzy Hash: 30a5548f999f97f552314ab897affd03a700e03ac1191ccb79f8162b517f37b9
Instruction Fuzzy Hash: 8B014BB1800619BBCB10EF998846A9FBFBCEF84B14F50412AF940B7282C77C5A418AD5

Function 004FD4C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004FD50C
__vbaHresultCheckObj.MSVBVM60(00000000,h&@,0041B04C,000002B0), ref: 004FD560

Strings

h&@, xrefs: 004FD4F7, 004FD56E, 004FD4FC, 004FD546, 004FD55E, 004FD573

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$CheckCopyHresult
String ID: h&@
API String ID: 1958823900-210207038
Opcode ID: 2e6d64317039d984bbc1988fc042078128e7b4226cfe2e8054e03375b129dfc6
Instruction ID: c116e437751b12a5c13b2e4d4db52929793bc0987d9ecaba1daf73253a42f858
Opcode Fuzzy Hash: 2e6d64317039d984bbc1988fc042078128e7b4226cfe2e8054e03375b129dfc6
Instruction Fuzzy Hash: 95214C75900708EFDB01EFA8C989B9FBBB8FF09714F104459F901AB281D3B9A944CB95

Function 004ECA3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041A7CC,00000064,?,?,?,?,?,?,?,?,?,00404F16), ref: 004ECA92
__vbaHresultCheckObj.MSVBVM60(00000000,00401C50,0041A7CC,00000390), ref: 004ECACC

Strings

BackColor, xrefs: 004ECA9C

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: CheckHresult__vba
String ID: BackColor
API String ID: 2812612143-3019154971
Opcode ID: fccad246d074a122d390750f2f790e0baab7885b41f2b37225a49bbdbe9a4ed9
Instruction ID: 63ab9972acb87e6233965f2f5af5b0e763293274b86a940fd8f57aea2008d961
Opcode Fuzzy Hash: fccad246d074a122d390750f2f790e0baab7885b41f2b37225a49bbdbe9a4ed9
Instruction Fuzzy Hash: 39115E71A00704AFDB00EF99C989F9B7BF8FF45704F10846AF805AB282C779D9158BA4

Function 004F55C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041AD28,00000094,?,?,?,?,?,?,?,?,?,00404F16), ref: 004F561F
__vbaHresultCheckObj.MSVBVM60(00000000,004021A8,0041AD28,00000390), ref: 004F5659

Strings

Enabled, xrefs: 004F5629

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: CheckHresult__vba
String ID: Enabled
API String ID: 2812612143-2672067096
Opcode ID: ab06e0dbf55db1c875c911ee8999fbf572198549fd20ed7797c7c7cc8739a98f
Instruction ID: 4e4cc9fa19902808ff404df52b1c76ff59509e6f6f11295f73051ff78f44220b
Opcode Fuzzy Hash: ab06e0dbf55db1c875c911ee8999fbf572198549fd20ed7797c7c7cc8739a98f
Instruction Fuzzy Hash: 97118171900608AFDB00EF58C989F9F7BF8FF49704F10406AF905AB282C7799905CB94

Function 004FBE8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041AF54,00000064,?,?,?,?,?,?,?,?,?,00404F16), ref: 004FBEE3
__vbaHresultCheckObj.MSVBVM60(00000000,00402508,0041AF54,00000390), ref: 004FBF1D

Strings

BackColor, xrefs: 004FBEED

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: CheckHresult__vba
String ID: BackColor
API String ID: 2812612143-3019154971
Opcode ID: 7725c2e9ad5aeeb3a62f94ad563c13f2259f449ebead7aa54886ca40650fcb06
Instruction ID: 3f4cfea3b95983d97cae580a0816e39afc75fa003c8fd4cee1ec91b07ba8e123
Opcode Fuzzy Hash: 7725c2e9ad5aeeb3a62f94ad563c13f2259f449ebead7aa54886ca40650fcb06
Instruction Fuzzy Hash: 8D114F71A00604AFDB00EF59C989F9B7BB8FB45704F10845AF905AB281C77999158BA4

Function 0052D2DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__vbaCastObj.MSVBVM60(00000000,y,?,?,?,?,?,?,00404F16), ref: 0052D324
__vbaObjSet.MSVBVM60(00538538,00000000,00000000,y,?,?,?,?,?,?,00404F16), ref: 0052D32F

Strings

y, xrefs: 0052D31D

Memory Dump Source

Source File: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: __vba$Cast
String ID: y
API String ID: 340746784-1407423915
Opcode ID: 516465ec601c2d0560803ec70a55312e9a59da3d0ba670f8a615500d433f8fe2
Instruction ID: 3b1ca8f3e47a70aedc8c75ca0140f499af69aaed6dcf04dc50e8d0b3cf708a47
Opcode Fuzzy Hash: 516465ec601c2d0560803ec70a55312e9a59da3d0ba670f8a615500d433f8fe2
Instruction Fuzzy Hash: A7014FB1600704FFC700EF98D946F9EBBB8FB85754F10816AF405AB281D779A900CBA1

Function 0040D986 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__vbaFreeVar.MSVBVM60 ref: 004F922E

Strings

c, xrefs: 0040D986
#@, xrefs: 004F91F7

Memory Dump Source

Source File: 00000000.00000002.2188510959.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2188483825.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.000000000047E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004B8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004BB000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188510959.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188739358.0000000000538000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188768786.0000000000548000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment Challan.jbxd

Yara matches

Similarity

API ID: Free__vba
String ID: c$#@
API String ID: 812387970-1365875542
Opcode ID: 5151de7f7a858e1ff19ec402fb5cf44d97d1609a4ed1c767164b612124d92562
Instruction ID: 8cc54859aadb5765ff1feeb3f468266d5983a74538b830fbdcd612c463c23e9a
Opcode Fuzzy Hash: 5151de7f7a858e1ff19ec402fb5cf44d97d1609a4ed1c767164b612124d92562
Instruction Fuzzy Hash: DE016D71800608EBC700DF58CA49BDEBBF8FF04714F2081AAF841A7281D7786E059B96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Challan.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Kutaki

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewErrorPageTemplate[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\errorPageStrings[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\httpErrorPagesScripts[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\NewErrorPageTemplate[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\dnserrordiagoff[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\errorPageStrings[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\httpErrorPagesScripts[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\dnserrordiagoff[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\NewErrorPageTemplate[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\dnserrordiagoff[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\errorPageStrings[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\httpErrorPagesScripts[1]

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkkmpxfk.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
Payment Challan.exe

Function 00405494 Relevance: 1.9, APIs: 1, Instructions: 434
COMMON

Function 005296DA Relevance: 500.7, APIs: 270, Strings: 15, Instructions: 1992
COMMON

Function 00527E85 Relevance: 131.7, APIs: 69, Strings: 6, Instructions: 490
COMMON

Function 005368AF Relevance: 87.8, APIs: 47, Strings: 3, Instructions: 278
COMMON

Function 005365A2 Relevance: 82.4, APIs: 43, Strings: 4, Instructions: 200
COMMON

Function 0052876C Relevance: 54.5, APIs: 36, Instructions: 509
COMMON

Function 00527266 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 155
COMMON

Function 004FF2BD Relevance: 18.2, APIs: 12, Instructions: 164
COMMON

Function 0052B695 Relevance: 4.5, APIs: 3, Instructions: 40
COMMON

Function 0041EF44 Relevance: .0, Instructions: 8
COMMON