Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
AFCMgr.exe

Overview

General Information

Sample name:AFCMgr.exe
Analysis ID:1530832
MD5:3cbda14f9127caa94ea6bdf039cfc4a4
SHA1:4e4a467925fea70c95cd7e575280ca44f3909c0d
SHA256:67f8779d615bb34cf7d6204d412c984cb680c5ee155b8397b56f3d773b8d538e
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • AFCMgr.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\AFCMgr.exe" MD5: 3CBDA14F9127CAA94EA6BDF039CFC4A4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AFCMgr.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 4x nop then push ebp0_2_00547170
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 4x nop then push ebp0_2_005AD220
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 4x nop then push ebp0_2_005F43E0
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 4x nop then push ebp0_2_004C7580
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 4x nop then push ebp0_2_0061F7A0
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 4x nop then sub esp, 14h0_2_004C6930
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_006031300_2_00603130
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_005611000_2_00561100
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_0059C2C00_2_0059C2C0
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_005812900_2_00581290
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_0053A3000_2_0053A300
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_0053F5100_2_0053F510
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_005456400_2_00545640
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_005597500_2_00559750
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_004FC7700_2_004FC770
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_00614AA00_2_00614AA0
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_005FDB100_2_005FDB10
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_005B3C900_2_005B3C90
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_00540D000_2_00540D00
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_0055BD000_2_0055BD00
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: String function: 004E7F40 appears 37 times
Source: AFCMgr.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\AFCMgr.exeMutant created: NULL
Source: AFCMgr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AFCMgr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: AFCMgr.exeString found in binary or memory: --Addr
Source: AFCMgr.exeString found in binary or memory: --Addr
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeSection loaded: wintypes.dllJump to behavior
Source: AFCMgr.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: AFCMgr.exeStatic file information: File size 2256896 > 1048576
Source: AFCMgr.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x224000
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_00406808 pushad ; retn 0059h0_2_00406A85
Source: C:\Users\user\Desktop\AFCMgr.exeCode function: 0_2_0040680C pushad ; retn 0059h0_2_00406A85
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFCMgr.exeAPI coverage: 1.3 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		OS Credential Dumping1
System Information Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
Obfuscated Files or Information		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
AFCMgr.exe0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1530832
Start date and time:2024-10-10 15:36:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:AFCMgr.exe
Detection:CLEAN
Classification:clean3.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 4
  • Number of non-executed functions: 237
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • VT rate limit hit for: AFCMgr.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.836640262190528
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:AFCMgr.exe
File size:2'256'896 bytes
MD5:3cbda14f9127caa94ea6bdf039cfc4a4
SHA1:4e4a467925fea70c95cd7e575280ca44f3909c0d
SHA256:67f8779d615bb34cf7d6204d412c984cb680c5ee155b8397b56f3d773b8d538e
SHA512:8fc2fb5d645c986f23f76376679eb82bcb602ecfeeb23fc7aee8c3cf794e2a7581377768372e4cb8e1e41088bad2a0dc682f3b1a2e63ba9c4d7bff244241b88e
SSDEEP:49152:yJqfKk1UDTrCswwrvryU1+2yV/OFO/vAseYyo4XPxqLhVab0WT+4DS5jqfQlBdr7:a7kvAsj37hVm9T+4DS5jqfQlBdrO
TLSH:3CA52A13DB147516ED5384305CBD6A6828692C6B6120EE0F77C1DE9D29722C3ADFA32F
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........SA...A...A.......@...........E...@...RichA...................PE..L......K.................@"..@...............P"...@........

File Icon

Icon Hash:2189313149350909

Static PE Info

General

Entrypoint:0x40aab8
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x4B87F4B5 [Fri Feb 26 16:20:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e8c1ebb42d3e9ffb84fbb67b32cd070d

Entrypoint Preview

Instruction
push 0040B24Ch
call 00007F47CD3519D3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
fld qword ptr [edi]
cmp byte ptr [esi+4Ah], 00000068h
mov ecx, 61288444h
adc dword ptr [edi-19h], esi
sub esp, ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
and byte ptr [eax], ah
and byte ptr [eax], ah
and byte ptr [eax], ah
inc ecx
inc esi
inc ebx
dec ebp
jc 00007F47CD3519E3h
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [ecx], al
add byte ptr [00000044h+esi*8], ah
add byte ptr [eax], al

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x2234940x28.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x2480000x698.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
IMAGE_DIRECTORY_ENTRY_IAT0x10000x308.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x2231e40x224000d795e9326d663feae7d8cf21588a431funknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data0x2250000x2277c0x1000620f0b67a91f7f74151bc5be745b7110False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x2480000x6980x10002ee96474320b26e58bffc34e7abe5256False0.1689453125data1.9252152645353768IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_ICON0x2483b00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 6400.3655913978494624
RT_GROUP_ICON0x24839c0x14data1.25
RT_VERSION0x2480f00x2acdataEnglishUnited States0.46637426900584794

Imports

DLLImport
MSVBVM60.DLLEVENT_SINK_GetIDsOfNames, __vbaVarTstGt, __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaLateIdCall, __vbaLenBstr, __vbaLineInputStr, __vbaStrVarMove, __vbaVarIdiv, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, EVENT_SINK_Invoke, __vbaRaiseEvent, __vbaFreeObjList, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaI2Abs, __vbaResume, __vbaCopyBytes, __vbaVarCmpNe, __vbaStrCat, __vbaBoolErrVar, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaLateMemSt, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaFileCloseAll, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaFpR4, __vbaBoolVar, __vbaFpR8, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaNextEachCollObj, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaPrintObj, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, __vbaVarOr, __vbaCastObjVar, __vbaStrR4, __vbaRedimPreserve, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, Zombie_GetTypeInfoCount, __vbaRedim, __vbaStrR8, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, _CIsqrt, __vbaLateIdCallSt, __vbaObjIs, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, __vbaPrintFile, __vbaInputFile, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFailedFriend, __vbaVarDiv, __vbaI2Str, __vbaFPException, __vbaStrCompVar, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaVarCat, __vbaCheckType, __vbaI2Var, __vbaFileSeek, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaR8Str, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaVarCmpLt, __vbaFreeStrList, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarCmpEq, __vbaVarAdd, __vbaAryLock, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, __vbaVarCopy, __vbaFpI4, __vbaUnkVar, __vbaVarLateMemCallLd, __vbaRecDestructAnsi, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaCastObj, __vbaI2ErrVar, __vbaStrMove, _allmul, __vbaLateIdSt, __vbaFpCSngR4, __vbaLateMemCallSt, _CItan, __vbaFPInt, __vbaAryUnlock, __vbaFpCSngR8, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaRecAssign, __vbaI4ErrVar, __vbaFreeStr

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:09:37:09
Start date:10/10/2024
Path:C:\Users\user\Desktop\AFCMgr.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\AFCMgr.exe"
Imagebase:0x400000
File size:2'256'896 bytes
MD5 hash:3CBDA14F9127CAA94EA6BDF039CFC4A4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:0.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:139
    Total number of Limit Nodes:50
    execution_graph 50163 40aab8 #100 50164 40aafb 50163->50164 50165 4de3b0 16 API calls 50233 4dde10 6 API calls 50165->50233 50167 4de4fa __vbaStrMove 50243 4ddfa0 6 API calls 50167->50243 50169 4de508 __vbaStrMove 50253 4de130 6 API calls 50169->50253 50171 4de516 __vbaStrMove 50263 4de2c0 50171->50263 50173 4de524 __vbaStrCopy 50266 506e40 #608 #607 __vbaStrVarMove __vbaStrMove __vbaFreeVarList 50173->50266 50179 4de55d __vbaStrCopy 50180 4de59d 50179->50180 50181 4de58d __vbaNew2 50179->50181 50182 4de5b3 __vbaHresultCheckObj 50180->50182 50183 4de5c2 50180->50183 50181->50180 50182->50183 50184 4de5dd __vbaHresultCheckObj 50183->50184 50185 4de5ef 50183->50185 50184->50185 50186 4de607 50185->50186 50187 4de5f7 __vbaNew2 50185->50187 50188 4de61d __vbaHresultCheckObj 50186->50188 50189 4de62c 50186->50189 50187->50186 50188->50189 50190 4de659 50189->50190 50191 4de647 __vbaHresultCheckObj 50189->50191 50192 4deb81 __vbaErrorOverflow __vbaStrCopy __vbaStrCmp 50190->50192 50193 4de680 __vbaFreeObjList 50190->50193 50191->50190 50194 4debeb __vbaVarDup #645 __vbaStrMove __vbaFreeVar __vbaStrCmp 50192->50194 50195 4dec60 6 API calls 50192->50195 50196 4de6aa 50193->50196 50197 4de69a __vbaNew2 50193->50197 50198 4dec3b #531 50194->50198 50199 4dec46 __vbaStrCat __vbaStrMove 50194->50199 50200 4ded00 50195->50200 50201 4de6cf 50196->50201 50202 4de6c0 __vbaHresultCheckObj 50196->50202 50197->50196 50198->50199 50199->50195 50203 4de6fc 50201->50203 50204 4de6ea __vbaHresultCheckObj 50201->50204 50202->50201 50205 4de714 50203->50205 50206 4de704 __vbaNew2 50203->50206 50204->50203 50207 4de739 50205->50207 50208 4de72a __vbaHresultCheckObj 50205->50208 50206->50205 50209 4de754 __vbaHresultCheckObj 50207->50209 50210 4de766 50207->50210 50208->50207 50209->50210 50211 4de77e 50210->50211 50212 4de76e __vbaNew2 50210->50212 50213 4de794 __vbaHresultCheckObj 50211->50213 50214 4de7a3 50211->50214 50212->50211 50213->50214 50215 4de7be __vbaHresultCheckObj 50214->50215 50216 4de7d0 16 API calls 50214->50216 50215->50216 50217 4de98b 50216->50217 50218 4de97b __vbaNew2 50216->50218 50219 4de9a1 __vbaHresultCheckObj 50217->50219 50220 4de9b0 50217->50220 50218->50217 50219->50220 50221 4de9c5 __vbaHresultCheckObj 50220->50221 50222 4de9d4 11 API calls 50220->50222 50221->50222 50223 4deabc 50222->50223 50224 4dea9e __vbaStrCat __vbaStrMove 50222->50224 50305 4c7140 64 API calls 50223->50305 50224->50223 50230 4deae8 __vbaStrCat __vbaStrMove 50314 4ccce0 12 API calls 50230->50314 50232 4deb04 50315 459fa0 50233->50315 50235 4ddead __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 50236 4ddf2b 50235->50236 50237 4dded0 #617 __vbaStrVarVal 50235->50237 50239 4ddf2d __vbaStrCopy 50236->50239 50240 4ddf3b __vbaStrCopy 50236->50240 50238 513a50 15 API calls 50237->50238 50241 4ddf00 __vbaStrMove __vbaFreeStr __vbaFreeVar __vbaLenBstr 50238->50241 50239->50240 50242 4ddf7a __vbaFreeStr 50240->50242 50241->50236 50242->50167 50244 459fa0 50243->50244 50245 4de03d __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 50244->50245 50246 4de0bb 50245->50246 50247 4de060 #617 __vbaStrVarVal 50245->50247 50249 4de0bd __vbaStrCopy 50246->50249 50250 4de0cb __vbaStrCopy 50246->50250 50317 513a50 15 API calls 50247->50317 50249->50250 50252 4de10a __vbaFreeStr 50250->50252 50251 4de090 __vbaStrMove __vbaFreeStr __vbaFreeVar __vbaLenBstr 50251->50246 50252->50169 50254 459fa0 50253->50254 50255 4de1cd __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 50254->50255 50256 4de24b 50255->50256 50257 4de1f0 #617 __vbaStrVarVal 50255->50257 50258 4de24d __vbaStrCopy 50256->50258 50259 4de25b __vbaStrCopy 50256->50259 50318 513a50 15 API calls 50257->50318 50258->50259 50262 4de29a __vbaFreeStr 50259->50262 50261 4de220 __vbaStrMove __vbaFreeStr __vbaFreeVar __vbaLenBstr 50261->50256 50262->50171 50319 45a548 50263->50319 50265 4de2c6 __vbaSetSystemError 50265->50173 50267 4de553 50266->50267 50268 4c82f0 50267->50268 50269 4c9efd 50268->50269 50270 4c83f6 50268->50270 50269->50269 50270->50269 50271 4c84dd 50270->50271 50272 4c84e5 _adj_fdiv_m32 50270->50272 50271->50269 50273 4c8539 _adj_fdiv_m32 50271->50273 50274 4c8531 50271->50274 50272->50271 50273->50274 50274->50269 50275 4c8568 _adj_fdiv_m32 50274->50275 50276 4c8560 50274->50276 50275->50276 50276->50269 50277 4c8583 48 API calls 50276->50277 50277->50269 50278 4c87e7 7 API calls 50277->50278 50278->50269 50279 4c886e 96 API calls 50278->50279 50279->50269 50280 4c8e25 7 API calls 50279->50280 50280->50269 50281 4c8ea6 7 API calls 50280->50281 50282 4c8f2f _adj_fdiv_m32 50281->50282 50283 4c8f27 50281->50283 50282->50283 50283->50269 50284 4c8f58 6 API calls 50283->50284 50285 4c8fb3 _adj_fdiv_m32 50284->50285 50286 4c8fab 50284->50286 50285->50286 50286->50269 50287 4c90e9 _adj_fdiv_m32 50286->50287 50288 4c90e1 50286->50288 50287->50288 50288->50269 50289 4c91c2 _adj_fdiv_m32 50288->50289 50290 4c91ba 50288->50290 50289->50290 50290->50269 50291 4c91e9 50290->50291 50292 4c91f1 _adj_fdiv_m32 50290->50292 50291->50269 50293 4c920c 42 API calls 50291->50293 50292->50291 50293->50269 50294 4c9429 7 API calls 50293->50294 50294->50269 50295 4c94af 96 API calls 50294->50295 50295->50269 50296 4c9a65 7 API calls 50295->50296 50296->50269 50297 4c9af2 7 API calls 50296->50297 50298 4c9b69 50297->50298 50299 4c9b71 _adj_fdiv_m32 50297->50299 50298->50269 50300 4c9b9c 41 API calls 50298->50300 50299->50298 50301 4c9eeb 50300->50301 50302 4c8210 50301->50302 50303 4c8238 9 API calls 50302->50303 50304 4c82e7 50302->50304 50303->50179 50304->50304 50306 4c755f __vbaStrCat __vbaStrMove 50305->50306 50307 4c80a0 #648 __vbaFreeVar __vbaOnError __vbaFileOpen #571 50306->50307 50308 4c813f 50307->50308 50309 4c814a __vbaFileClose 50307->50309 50308->50309 50310 4c81cd __vbaExitProc 50309->50310 50311 4c815e __vbaVarDup #595 __vbaFreeVarList __vbaEnd 50309->50311 50312 4c81f6 50310->50312 50311->50310 50313 4c9f10 45 API calls 50312->50313 50313->50230 50314->50232 50316 459fa9 50315->50316 50317->50251 50318->50261 50320 45a551 50319->50320

    Executed Functions

    Function 004C82F0 Relevance: 707.2, APIs: 380, Strings: 23, Instructions: 2000COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 4c82f0-4c83f0 1 4c9efd 0->1 2 4c83f6-4c8406 0->2 1->1 2->1 3 4c840c-4c841c 2->3 3->1 4 4c8422-4c84db 3->4 5 4c84dd-4c84e3 4->5 6 4c84e5-4c84eb _adj_fdiv_m32 4->6 7 4c84f0-4c851f 5->7 6->7 7->1 8 4c8525-4c852f 7->8 9 4c8539-4c853f _adj_fdiv_m32 8->9 10 4c8531-4c8537 8->10 11 4c8544-4c854e 9->11 10->11 11->1 12 4c8554-4c855e 11->12 13 4c8568-4c856e _adj_fdiv_m32 12->13 14 4c8560-4c8566 12->14 15 4c8573-4c857d 13->15 14->15 15->1 16 4c8583-4c87e1 __vbaStrCopy * 15 __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaVarDup 15->16 16->1 17 4c87e7-4c8868 #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 16->17 17->1 18 4c886e-4c8e1f #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrR4 __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 17->18 18->1 19 4c8e25-4c8ea0 #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 18->19 19->1 20 4c8ea6-4c8f25 #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 19->20 21 4c8f2f-4c8f35 _adj_fdiv_m32 20->21 22 4c8f27-4c8f2d 20->22 23 4c8f3a-4c8f52 21->23 22->23 23->1 24 4c8f58-4c8fa9 #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList 23->24 25 4c8fab-4c8fb1 24->25 26 4c8fb3-4c8fb9 _adj_fdiv_m32 24->26 27 4c8fbe-4c8fde 25->27 26->27 27->1 28 4c8fe4-4c9073 27->28 28->1 29 4c9079-4c9089 28->29 29->1 30 4c908f-4c90b3 29->30 30->1 31 4c90b9-4c90df 30->31 32 4c90e9-4c90ef _adj_fdiv_m32 31->32 33 4c90e1-4c90e7 31->33 34 4c90f4-4c91a8 32->34 33->34 34->1 35 4c91ae-4c91b8 34->35 36 4c91ba-4c91c0 35->36 37 4c91c2-4c91c8 _adj_fdiv_m32 35->37 38 4c91cd-4c91d7 36->38 37->38 38->1 39 4c91dd-4c91e7 38->39 40 4c91e9-4c91ef 39->40 41 4c91f1-4c91f7 _adj_fdiv_m32 39->41 42 4c91fc-4c9206 40->42 41->42 42->1 43 4c920c-4c9423 __vbaStrCopy * 15 __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaVarDup 42->43 43->1 44 4c9429-4c94a9 #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 43->44 44->1 45 4c94af-4c9a5f #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrR4 __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrR4 __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 44->45 45->1 46 4c9a65-4c9aec #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 45->46 46->1 47 4c9af2-4c9b67 #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup 46->47 48 4c9b69-4c9b6f 47->48 49 4c9b71-4c9b77 _adj_fdiv_m32 47->49 50 4c9b7c-4c9b96 48->50 49->50 50->1 51 4c9b9c-4c9eeb #660 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaVarDup #660 __vbaStrVarMove __vbaStrMove __vbaFreeVarList 50->51
    APIs
    • _adj_fdiv_m32.MSVBVM60 ref: 004C84EB
    • _adj_fdiv_m32.MSVBVM60 ref: 004C853F
    • _adj_fdiv_m32.MSVBVM60 ref: 004C856E
    • __vbaStrCopy.MSVBVM60 ref: 004C8583
    • __vbaStrCopy.MSVBVM60 ref: 004C8590
    • __vbaStrCopy.MSVBVM60 ref: 004C859D
    • __vbaStrCopy.MSVBVM60 ref: 004C85AA
    • __vbaStrCopy.MSVBVM60 ref: 004C85B7
    • __vbaStrCopy.MSVBVM60 ref: 004C85C4
    • __vbaStrCopy.MSVBVM60 ref: 004C85D1
    • __vbaStrCopy.MSVBVM60 ref: 004C85DE
    • __vbaStrCopy.MSVBVM60 ref: 004C85EB
    • __vbaStrCopy.MSVBVM60 ref: 004C85F8
    • __vbaStrCopy.MSVBVM60 ref: 004C8605
    • __vbaStrCopy.MSVBVM60 ref: 004C8612
    • __vbaStrCopy.MSVBVM60 ref: 004C861F
    • __vbaStrCopy.MSVBVM60 ref: 004C862C
    • __vbaStrCopy.MSVBVM60 ref: 004C863B
    • __vbaStrCat.MSVBVM60(00455CE0), ref: 004C8645
    • __vbaStrMove.MSVBVM60 ref: 004C8656
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C8660
    • __vbaStrMove.MSVBVM60 ref: 004C866B
    • __vbaStrCopy.MSVBVM60 ref: 004C8675
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C8681
    • __vbaStrR4.MSVBVM60(42880000), ref: 004C868E
    • __vbaStrMove.MSVBVM60 ref: 004C8699
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C86A3
    • __vbaStrMove.MSVBVM60 ref: 004C86AE
    • __vbaStrCopy.MSVBVM60 ref: 004C86B8
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C86C4
    • __vbaStrR4.MSVBVM60(?), ref: 004C86D1
    • __vbaStrMove.MSVBVM60 ref: 004C86DC
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C86E6
    • __vbaStrMove.MSVBVM60 ref: 004C86F1
    • __vbaStrCopy.MSVBVM60 ref: 004C86FB
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C8707
    • __vbaStrCat.MSVBVM60(?,00455A98), ref: 004C871C
    • __vbaStrMove.MSVBVM60 ref: 004C8727
    • __vbaStrCat.MSVBVM60(00455CE0,00000000), ref: 004C872F
    • __vbaStrMove.MSVBVM60 ref: 004C873A
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C8744
    • __vbaStrMove.MSVBVM60 ref: 004C874F
    • __vbaStrCat.MSVBVM60(00455B54,00000000), ref: 004C8757
    • __vbaStrMove.MSVBVM60 ref: 004C8762
    • __vbaStrCopy.MSVBVM60 ref: 004C876C
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004C8780
    • __vbaStrR4.MSVBVM60(?), ref: 004C878D
    • __vbaStrMove.MSVBVM60 ref: 004C8798
    • __vbaStrCopy.MSVBVM60 ref: 004C87A2
    • __vbaFreeStr.MSVBVM60 ref: 004C87A7
    • __vbaVarDup.MSVBVM60 ref: 004C87C1
    • #660.MSVBVM60(?,?,?,00000001,00000001), ref: 004C87F4
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C87FE
    • __vbaStrMove.MSVBVM60 ref: 004C8809
    • __vbaStrCopy.MSVBVM60 ref: 004C8813
    • __vbaFreeStr.MSVBVM60 ref: 004C8818
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,?,?), ref: 004C882C
    • __vbaVarDup.MSVBVM60 ref: 004C8849
    • #660.MSVBVM60(?,00000004,?,00000001,00000001), ref: 004C887C
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8886
    • __vbaStrMove.MSVBVM60 ref: 004C8891
    • __vbaStrCopy.MSVBVM60 ref: 004C889B
    • __vbaFreeStr.MSVBVM60 ref: 004C88A0
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,?,?), ref: 004C88B4
    • __vbaStrR4.MSVBVM60(?), ref: 004C88C1
    • __vbaStrMove.MSVBVM60 ref: 004C88CC
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C88D6
    • __vbaStrMove.MSVBVM60 ref: 004C88E1
    • __vbaStrCopy.MSVBVM60 ref: 004C88EB
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C88F7
    • __vbaStrR4.MSVBVM60(?), ref: 004C8904
    • __vbaStrMove.MSVBVM60 ref: 004C890F
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C8919
    • __vbaStrMove.MSVBVM60 ref: 004C8924
    • __vbaStrCopy.MSVBVM60 ref: 004C892E
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C893A
    • __vbaStrR4.MSVBVM60(?), ref: 004C8947
    • __vbaStrMove.MSVBVM60 ref: 004C8952
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C895C
    • __vbaStrMove.MSVBVM60 ref: 004C8967
    • __vbaStrCopy.MSVBVM60 ref: 004C8971
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004C897D
    • __vbaStrR4.MSVBVM60(?), ref: 004C898A
    • __vbaStrMove.MSVBVM60 ref: 004C8995
    • __vbaStrCopy.MSVBVM60 ref: 004C899F
    • __vbaFreeStr.MSVBVM60 ref: 004C89A4
    • __vbaVarDup.MSVBVM60 ref: 004C89BE
    • #660.MSVBVM60(?,?,00000004,00000001,00000001), ref: 004C89E1
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C89EB
    • __vbaStrMove.MSVBVM60 ref: 004C89F6
    • __vbaStrCopy.MSVBVM60 ref: 004C8A00
    • __vbaFreeStr.MSVBVM60 ref: 004C8A05
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8A15
    • __vbaVarDup.MSVBVM60 ref: 004C8A32
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8A55
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8A5F
    • __vbaStrMove.MSVBVM60 ref: 004C8A6A
    • __vbaStrCopy.MSVBVM60 ref: 004C8A74
    • __vbaFreeStr.MSVBVM60 ref: 004C8A79
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8A89
    • __vbaVarDup.MSVBVM60 ref: 004C8AA6
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8AC9
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8AD3
    • __vbaStrMove.MSVBVM60 ref: 004C8ADE
    • __vbaStrCopy.MSVBVM60 ref: 004C8AE8
    • __vbaFreeStr.MSVBVM60 ref: 004C8AED
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8AFD
    • __vbaVarDup.MSVBVM60 ref: 004C8B1A
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8B3D
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8B47
    • __vbaStrMove.MSVBVM60 ref: 004C8B52
    • __vbaStrCopy.MSVBVM60 ref: 004C8B5C
    • __vbaFreeStr.MSVBVM60 ref: 004C8B61
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8B71
    • __vbaVarDup.MSVBVM60 ref: 004C8B8E
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8BB1
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8BBB
    • __vbaStrMove.MSVBVM60 ref: 004C8BC6
    • __vbaStrCopy.MSVBVM60 ref: 004C8BD0
    • __vbaFreeStr.MSVBVM60 ref: 004C8BD5
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8BE5
    • __vbaVarDup.MSVBVM60 ref: 004C8C02
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8C25
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8C2F
    • __vbaStrMove.MSVBVM60 ref: 004C8C3A
    • __vbaStrCopy.MSVBVM60 ref: 004C8C44
    • __vbaFreeStr.MSVBVM60 ref: 004C8C49
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8C59
    • __vbaStrR4.MSVBVM60(?), ref: 004C8C66
    • __vbaStrMove.MSVBVM60 ref: 004C8C71
    • __vbaStrCopy.MSVBVM60 ref: 004C8C7B
    • __vbaFreeStr.MSVBVM60 ref: 004C8C80
    • __vbaVarDup.MSVBVM60 ref: 004C8C9A
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8CBD
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8CC7
    • __vbaStrMove.MSVBVM60 ref: 004C8CD2
    • __vbaStrCopy.MSVBVM60 ref: 004C8CDC
    • __vbaFreeStr.MSVBVM60 ref: 004C8CE1
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8CF1
    • __vbaVarDup.MSVBVM60 ref: 004C8D0E
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8D34
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8D3E
    • __vbaStrMove.MSVBVM60 ref: 004C8D49
    • __vbaStrCopy.MSVBVM60 ref: 004C8D53
    • __vbaFreeStr.MSVBVM60 ref: 004C8D58
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8D68
    • __vbaVarDup.MSVBVM60 ref: 004C8D85
    • #660.MSVBVM60(?,00004004,00000004,00000001,00000001), ref: 004C8DAB
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8DB5
    • __vbaStrMove.MSVBVM60 ref: 004C8DC0
    • __vbaStrCopy.MSVBVM60 ref: 004C8DCA
    • __vbaFreeStr.MSVBVM60 ref: 004C8DCF
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 004C8DDF
    • __vbaVarDup.MSVBVM60 ref: 004C8DFC
    • #660.MSVBVM60(?,00000004,?,00000001,00000001), ref: 004C8E32
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8E3C
    • __vbaStrMove.MSVBVM60 ref: 004C8E47
    • __vbaStrCopy.MSVBVM60 ref: 004C8E51
    • __vbaFreeStr.MSVBVM60 ref: 004C8E56
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,?,?), ref: 004C8E6A
    • __vbaVarDup.MSVBVM60 ref: 004C8E87
    • #660.MSVBVM60(?,00000004,?,00000001,00000001), ref: 004C8EBD
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8EC7
    • __vbaStrMove.MSVBVM60 ref: 004C8ED2
    • __vbaStrCopy.MSVBVM60 ref: 004C8EDC
    • __vbaFreeStr.MSVBVM60 ref: 004C8EE1
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,?,?), ref: 004C8EF5
    • __vbaVarDup.MSVBVM60 ref: 004C8F12
    • _adj_fdiv_m32.MSVBVM60 ref: 004C8F35
    • #660.MSVBVM60(?,00000004,?,00000001,00000001), ref: 004C8F5E
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C8F68
    • __vbaStrMove.MSVBVM60 ref: 004C8F73
    • __vbaStrCopy.MSVBVM60 ref: 004C8F7D
    • __vbaFreeStr.MSVBVM60 ref: 004C8F82
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,?,?), ref: 004C8F96
    • _adj_fdiv_m32.MSVBVM60 ref: 004C8FB9
    • _adj_fdiv_m32.MSVBVM60 ref: 004C90EF
    • _adj_fdiv_m32.MSVBVM60 ref: 004C91C8
    • _adj_fdiv_m32.MSVBVM60 ref: 004C91F7
    • __vbaStrCopy.MSVBVM60 ref: 004C920C
    • __vbaStrCopy.MSVBVM60 ref: 004C9219
    • __vbaStrCopy.MSVBVM60 ref: 004C9226
    • __vbaStrCopy.MSVBVM60 ref: 004C9233
    • __vbaStrCopy.MSVBVM60 ref: 004C9240
    • __vbaStrCopy.MSVBVM60 ref: 004C924D
    • __vbaStrCopy.MSVBVM60 ref: 004C925A
    • __vbaStrCopy.MSVBVM60 ref: 004C9267
    • __vbaStrCopy.MSVBVM60 ref: 004C9274
    • __vbaStrCopy.MSVBVM60 ref: 004C9281
    • __vbaStrCopy.MSVBVM60 ref: 004C928E
    • __vbaStrCopy.MSVBVM60 ref: 004C929B
    • __vbaStrCopy.MSVBVM60 ref: 004C92A8
    • __vbaStrCopy.MSVBVM60 ref: 004C92B5
    • __vbaStrCopy.MSVBVM60 ref: 004C92C2
    • __vbaStrCat.MSVBVM60(00455CE0,?), ref: 004C92D0
    • __vbaStrMove.MSVBVM60 ref: 004C92DB
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C92E5
    • __vbaStrMove.MSVBVM60 ref: 004C92F0
    • __vbaStrCopy.MSVBVM60 ref: 004C92FA
    • __vbaFreeStrList.MSVBVM60(00000002,378C16FA,373BE7A2), ref: 004C9306
    • __vbaStrR4.MSVBVM60(41700000), ref: 004C9313
    • __vbaStrMove.MSVBVM60 ref: 004C931E
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C9328
    • __vbaStrMove.MSVBVM60 ref: 004C9333
    • __vbaStrCopy.MSVBVM60 ref: 004C933D
    • __vbaFreeStrList.MSVBVM60(00000002,378C16FA,373BE7A2), ref: 004C9349
    • __vbaStrCat.MSVBVM60(?,00455A98), ref: 004C935E
    • __vbaStrMove.MSVBVM60 ref: 004C9369
    • __vbaStrCat.MSVBVM60(00455CE0,00000000), ref: 004C9371
    • __vbaStrMove.MSVBVM60 ref: 004C937C
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C9386
    • __vbaStrMove.MSVBVM60 ref: 004C9391
    • __vbaStrCat.MSVBVM60(00455B54,00000000), ref: 004C9399
    • __vbaStrMove.MSVBVM60 ref: 004C93A4
    • __vbaStrCopy.MSVBVM60 ref: 004C93AE
    • __vbaFreeStrList.MSVBVM60(00000004,378C16FA,373BE7A2,41A00000,?), ref: 004C93C2
    • __vbaStrR4.MSVBVM60(42CAA666), ref: 004C93CF
    • __vbaStrMove.MSVBVM60 ref: 004C93DA
    • __vbaStrCopy.MSVBVM60 ref: 004C93E4
    • __vbaFreeStr.MSVBVM60 ref: 004C93E9
    • __vbaVarDup.MSVBVM60 ref: 004C9403
    • #660.MSVBVM60(?,43CF0000,44AC8000,00000001,00000001), ref: 004C9436
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C9440
    • __vbaStrMove.MSVBVM60 ref: 004C944B
    • __vbaStrCopy.MSVBVM60 ref: 004C9455
    • __vbaFreeStr.MSVBVM60 ref: 004C945A
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,44AC8000,?), ref: 004C946E
    • __vbaVarDup.MSVBVM60 ref: 004C948B
    • #660.MSVBVM60(?,00000004,44AC8000,00000001,00000001), ref: 004C94BE
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C94C8
    • __vbaStrMove.MSVBVM60 ref: 004C94D3
    • __vbaStrCopy.MSVBVM60 ref: 004C94DD
    • __vbaFreeStr.MSVBVM60 ref: 004C94E2
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,44AC8000,?), ref: 004C94F6
    • __vbaStrR4.MSVBVM60(41A00000), ref: 004C9503
    • __vbaStrMove.MSVBVM60 ref: 004C950E
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C9518
    • __vbaStrMove.MSVBVM60 ref: 004C9523
    • __vbaStrCopy.MSVBVM60 ref: 004C952D
    • __vbaFreeStrList.MSVBVM60(00000002,378C16FA,373BE7A2), ref: 004C9539
    • __vbaStrR4.MSVBVM60(?), ref: 004C9546
    • __vbaStrMove.MSVBVM60 ref: 004C9551
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C955B
    • __vbaStrMove.MSVBVM60 ref: 004C9566
    • __vbaStrCopy.MSVBVM60 ref: 004C9570
    • __vbaFreeStrList.MSVBVM60(00000002,378C16FA,373BE7A2), ref: 004C957C
    • __vbaStrR4.MSVBVM60(?), ref: 004C9589
    • __vbaStrMove.MSVBVM60 ref: 004C9594
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 004C959E
    • __vbaStrMove.MSVBVM60 ref: 004C95A9
    • __vbaStrCopy.MSVBVM60 ref: 004C95B3
    • __vbaFreeStrList.MSVBVM60(00000002,378C16FA,373BE7A2), ref: 004C95BF
    • __vbaStrR4.MSVBVM60(461C4000), ref: 004C95CC
    • __vbaStrMove.MSVBVM60 ref: 004C95D7
    • __vbaStrCopy.MSVBVM60 ref: 004C95E1
    • __vbaFreeStr.MSVBVM60 ref: 004C95E6
    • __vbaVarDup.MSVBVM60 ref: 004C9600
    • #660.MSVBVM60(44AC8000,4479C666,00000004,00000001,00000001), ref: 004C9623
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C962D
    • __vbaStrMove.MSVBVM60 ref: 004C9638
    • __vbaStrCopy.MSVBVM60 ref: 004C9642
    • __vbaFreeStr.MSVBVM60 ref: 004C9647
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9657
    • __vbaVarDup.MSVBVM60 ref: 004C9674
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9697
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C96A1
    • __vbaStrMove.MSVBVM60 ref: 004C96AC
    • __vbaStrCopy.MSVBVM60 ref: 004C96B6
    • __vbaFreeStr.MSVBVM60 ref: 004C96BB
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C96CB
    • __vbaVarDup.MSVBVM60 ref: 004C96E8
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C970B
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9715
    • __vbaStrMove.MSVBVM60 ref: 004C9720
    • __vbaStrCopy.MSVBVM60 ref: 004C972A
    • __vbaFreeStr.MSVBVM60 ref: 004C972F
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C973F
    • __vbaVarDup.MSVBVM60 ref: 004C975C
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C977F
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9789
    • __vbaStrMove.MSVBVM60 ref: 004C9794
    • __vbaStrCopy.MSVBVM60 ref: 004C979E
    • __vbaFreeStr.MSVBVM60 ref: 004C97A3
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C97B3
    • __vbaVarDup.MSVBVM60 ref: 004C97D0
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C97F3
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C97FD
    • __vbaStrMove.MSVBVM60 ref: 004C9808
    • __vbaStrCopy.MSVBVM60 ref: 004C9812
    • __vbaFreeStr.MSVBVM60 ref: 004C9817
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9827
    • __vbaVarDup.MSVBVM60 ref: 004C9844
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9867
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9871
    • __vbaStrMove.MSVBVM60 ref: 004C987C
    • __vbaStrCopy.MSVBVM60 ref: 004C9886
    • __vbaFreeStr.MSVBVM60 ref: 004C988B
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C989B
    • __vbaStrR4.MSVBVM60(47C35000), ref: 004C98A8
    • __vbaStrMove.MSVBVM60 ref: 004C98B3
    • __vbaStrCopy.MSVBVM60 ref: 004C98BD
    • __vbaFreeStr.MSVBVM60 ref: 004C98C2
    • __vbaVarDup.MSVBVM60 ref: 004C98DC
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C98FF
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9909
    • __vbaStrMove.MSVBVM60 ref: 004C9914
    • __vbaStrCopy.MSVBVM60 ref: 004C991E
    • __vbaFreeStr.MSVBVM60 ref: 004C9923
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9933
    • __vbaVarDup.MSVBVM60 ref: 004C9950
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9976
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9980
    • __vbaStrMove.MSVBVM60 ref: 004C998B
    • __vbaStrCopy.MSVBVM60 ref: 004C9995
    • __vbaFreeStr.MSVBVM60 ref: 004C999A
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C99AA
    • __vbaVarDup.MSVBVM60 ref: 004C99C7
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C99ED
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C99F7
    • __vbaStrMove.MSVBVM60 ref: 004C9A02
    • __vbaStrCopy.MSVBVM60 ref: 004C9A0C
    • __vbaFreeStr.MSVBVM60 ref: 004C9A11
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9A21
    • __vbaVarDup.MSVBVM60 ref: 004C9A3E
    • #660.MSVBVM60(?,00000004,44AC8000,00000001,00000001), ref: 004C9A74
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C9A7E
    • __vbaStrMove.MSVBVM60 ref: 004C9A89
    • __vbaStrCopy.MSVBVM60 ref: 004C9A93
    • __vbaFreeStr.MSVBVM60 ref: 004C9A98
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,44AC8000,?), ref: 004C9AAC
    • __vbaVarDup.MSVBVM60 ref: 004C9AC9
    • #660.MSVBVM60(?,00000004,44AC8000,00000001,00000001), ref: 004C9AFF
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C9B09
    • __vbaStrMove.MSVBVM60 ref: 004C9B14
    • __vbaStrCopy.MSVBVM60 ref: 004C9B1E
    • __vbaFreeStr.MSVBVM60 ref: 004C9B23
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,44AC8000,?), ref: 004C9B37
    • __vbaVarDup.MSVBVM60 ref: 004C9B54
    • _adj_fdiv_m32.MSVBVM60 ref: 004C9B77
    • #660.MSVBVM60(?,00000004,44AC8000,00000001,00000001), ref: 004C9BA0
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C9BAA
    • __vbaStrMove.MSVBVM60 ref: 004C9BB5
    • __vbaStrCopy.MSVBVM60 ref: 004C9BBF
    • __vbaFreeStr.MSVBVM60 ref: 004C9BC4
    • __vbaFreeVarList.MSVBVM60(00000003,00000004,44AC8000,?), ref: 004C9BDE
    • __vbaVarDup.MSVBVM60 ref: 004C9C07
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9C27
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9C31
    • __vbaStrMove.MSVBVM60 ref: 004C9C3E
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9C4A
    • __vbaVarDup.MSVBVM60 ref: 004C9C6D
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9C8D
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9C97
    • __vbaStrMove.MSVBVM60 ref: 004C9CA4
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9CB0
    • __vbaVarDup.MSVBVM60 ref: 004C9CD3
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9CF3
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9CFD
    • __vbaStrMove.MSVBVM60 ref: 004C9D0A
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9D16
    • __vbaVarDup.MSVBVM60 ref: 004C9D39
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9D59
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9D63
    • __vbaStrMove.MSVBVM60 ref: 004C9D70
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9D7C
    • __vbaVarDup.MSVBVM60 ref: 004C9D9F
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9DBF
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9DC9
    • __vbaStrMove.MSVBVM60 ref: 004C9DD6
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9DE2
    • __vbaVarDup.MSVBVM60 ref: 004C9E05
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9E25
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9E2F
    • __vbaStrMove.MSVBVM60 ref: 004C9E3C
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9E48
    • __vbaVarDup.MSVBVM60 ref: 004C9E6B
    • #660.MSVBVM60(44AC8000,00004004,00000004,00000001,00000001), ref: 004C9E8B
    • __vbaStrVarMove.MSVBVM60(44AC8000), ref: 004C9E95
    • __vbaStrMove.MSVBVM60 ref: 004C9EA2
    • __vbaFreeVarList.MSVBVM60(00000002,00000004,44AC8000), ref: 004C9EAE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Copy$List$#660$_adj_fdiv_m32
    • String ID: ###0.0$##0.0$#0.0$#0.00$#0.000$0.00$0.0000$0.00000000$0.0e+00$0Pb$8Pb$@Pb$H8EM$HPb$MBTU$PPb$XPb$\Pb$`Pb$inches$kPa$kg/m3$psi
    • API String ID: 1932858968-869464826
    • Opcode ID: fed1bbf27f50460740212d6059dfa6423027fa009ce12eab9bb70d1760006af9
    • Instruction ID: 51ff285f6c7a5e35290e29de140a92e0c93c6dfd5ac9144f20b748e4c6440e48
    • Opcode Fuzzy Hash: fed1bbf27f50460740212d6059dfa6423027fa009ce12eab9bb70d1760006af9
    • Instruction Fuzzy Hash: E70336B1900209DFDB14DFA0DD99AEEB7B4FF44305F10852DE646A72A4EB706A09CF94
    Function 004DE3B0 Relevance: 194.9, APIs: 90, Strings: 21, Instructions: 639COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 53 4de3b0-4de58b #608 __vbaStrVarMove __vbaStrMove __vbaFreeVar #608 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove #608 __vbaStrVarMove __vbaStrMove __vbaFreeVar call 4dde10 __vbaStrMove call 4ddfa0 __vbaStrMove call 4de130 __vbaStrMove call 4de2c0 __vbaStrCopy call 506e40 call 4c82f0 call 4c8210 __vbaStrCopy 68 4de59d-4de5b1 53->68 69 4de58d-4de597 __vbaNew2 53->69 71 4de5b3-4de5bc __vbaHresultCheckObj 68->71 72 4de5c2-4de5db 68->72 69->68 71->72 74 4de5dd-4de5e9 __vbaHresultCheckObj 72->74 75 4de5ef-4de5f5 72->75 74->75 76 4de607-4de61b 75->76 77 4de5f7-4de601 __vbaNew2 75->77 79 4de61d-4de626 __vbaHresultCheckObj 76->79 80 4de62c-4de645 76->80 77->76 79->80 82 4de659-4de668 80->82 83 4de647-4de653 __vbaHresultCheckObj 80->83 84 4de66e-4de67a 82->84 85 4deb81-4debe9 __vbaErrorOverflow __vbaStrCopy __vbaStrCmp 82->85 83->82 84->85 86 4de680-4de698 __vbaFreeObjList 84->86 87 4debeb-4dec39 __vbaVarDup #645 __vbaStrMove __vbaFreeVar __vbaStrCmp 85->87 88 4dec60-4ded00 #617 __vbaStrVarVal #533 __vbaFreeStr __vbaFreeVar #530 85->88 89 4de6aa-4de6be 86->89 90 4de69a-4de6a4 __vbaNew2 86->90 91 4dec3b-4dec40 #531 87->91 92 4dec46-4dec5e __vbaStrCat __vbaStrMove 87->92 95 4de6cf-4de6e8 89->95 96 4de6c0-4de6c9 __vbaHresultCheckObj 89->96 90->89 91->92 92->88 98 4de6fc-4de702 95->98 99 4de6ea-4de6f6 __vbaHresultCheckObj 95->99 96->95 100 4de714-4de728 98->100 101 4de704-4de70e __vbaNew2 98->101 99->98 103 4de739-4de752 100->103 104 4de72a-4de733 __vbaHresultCheckObj 100->104 101->100 106 4de754-4de760 __vbaHresultCheckObj 103->106 107 4de766-4de76c 103->107 104->103 106->107 108 4de77e-4de792 107->108 109 4de76e-4de778 __vbaNew2 107->109 111 4de794-4de79d __vbaHresultCheckObj 108->111 112 4de7a3-4de7bc 108->112 109->108 111->112 114 4de7be-4de7ca __vbaHresultCheckObj 112->114 115 4de7d0-4de979 __vbaStrI2 __vbaStrMove __vbaStrCat __vbaVarDup #660 __vbaVarDup #660 __vbaVarCat * 4 __vbaStrVarMove __vbaStrMove __vbaFreeStr __vbaFreeObjList __vbaFreeVarList 112->115 114->115 116 4de98b-4de99f 115->116 117 4de97b-4de985 __vbaNew2 115->117 119 4de9a1-4de9aa __vbaHresultCheckObj 116->119 120 4de9b0-4de9c3 116->120 117->116 119->120 122 4de9c5-4de9ce __vbaHresultCheckObj 120->122 123 4de9d4-4dea9c __vbaStrMove __vbaFreeObj #617 __vbaStrVarVal #533 __vbaFreeStr __vbaFreeVar #530 #619 __vbaVarTstNe __vbaFreeVar 120->123 122->123 124 4deabc 123->124 125 4dea9e-4deaba __vbaStrCat __vbaStrMove 123->125 126 4deac2-4deade call 4c7140 __vbaStrCat __vbaStrMove call 4c80a0 124->126 125->126 130 4deae3-4deb6f call 4c9f10 __vbaStrCat __vbaStrMove call 4ccce0 126->130
    APIs
    • #608.MSVBVM60(?,0000000D), ref: 004DE456
    • __vbaStrVarMove.MSVBVM60(?), ref: 004DE45C
    • __vbaStrMove.MSVBVM60 ref: 004DE46F
    • __vbaFreeVar.MSVBVM60 ref: 004DE474
    • #608.MSVBVM60(?,0000000A), ref: 004DE480
    • __vbaStrVarMove.MSVBVM60(?), ref: 004DE486
    • __vbaStrMove.MSVBVM60 ref: 004DE493
    • __vbaFreeVar.MSVBVM60 ref: 004DE498
    • __vbaStrCat.MSVBVM60(?,?), ref: 004DE4AC
    • __vbaStrMove.MSVBVM60 ref: 004DE4B9
    • __vbaStrCat.MSVBVM60(?,?), ref: 004DE4C2
    • __vbaStrMove.MSVBVM60 ref: 004DE4CF
    • #608.MSVBVM60(?,00000009), ref: 004DE4D7
    • __vbaStrVarMove.MSVBVM60(?), ref: 004DE4DD
    • __vbaStrMove.MSVBVM60 ref: 004DE4EA
    • __vbaFreeVar.MSVBVM60 ref: 004DE4EF
      • Part of subcall function 004DDE10: #608.MSVBVM60(?,00000000), ref: 004DDE52
      • Part of subcall function 004DDE10: #607.MSVBVM60(?,00000006,?), ref: 004DDE62
      • Part of subcall function 004DDE10: __vbaStrVarMove.MSVBVM60(?), ref: 004DDE6C
      • Part of subcall function 004DDE10: __vbaStrMove.MSVBVM60 ref: 004DDE77
      • Part of subcall function 004DDE10: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004DDE87
      • Part of subcall function 004DDE10: __vbaStrToAnsi.MSVBVM60(?,?,00000006), ref: 004DDE9A
      • Part of subcall function 004DDE10: __vbaSetSystemError.MSVBVM60(00000400,0000000C,00000000), ref: 004DDEAF
      • Part of subcall function 004DDE10: __vbaStrToUnicode.MSVBVM60(?,?), ref: 004DDEBD
      • Part of subcall function 004DDE10: __vbaFreeStr.MSVBVM60 ref: 004DDEC6
      • Part of subcall function 004DDE10: #617.MSVBVM60(?,?,00000000), ref: 004DDEE6
      • Part of subcall function 004DDE10: __vbaStrVarVal.MSVBVM60(?,?), ref: 004DDEF4
      • Part of subcall function 004DDE10: __vbaStrMove.MSVBVM60(00000000), ref: 004DDF05
      • Part of subcall function 004DDE10: __vbaFreeStr.MSVBVM60 ref: 004DDF0E
      • Part of subcall function 004DDE10: __vbaFreeVar.MSVBVM60 ref: 004DDF17
      • Part of subcall function 004DDE10: __vbaLenBstr.MSVBVM60(?), ref: 004DDF21
      • Part of subcall function 004DDE10: __vbaStrCopy.MSVBVM60 ref: 004DDF35
      • Part of subcall function 004DDE10: __vbaStrCopy.MSVBVM60 ref: 004DDF41
    • __vbaStrMove.MSVBVM60 ref: 004DE501
      • Part of subcall function 004DDFA0: #608.MSVBVM60(?,00000000), ref: 004DDFE2
      • Part of subcall function 004DDFA0: #607.MSVBVM60(?,00000006,?), ref: 004DDFF2
      • Part of subcall function 004DDFA0: __vbaStrVarMove.MSVBVM60(?), ref: 004DDFFC
      • Part of subcall function 004DDFA0: __vbaStrMove.MSVBVM60 ref: 004DE007
      • Part of subcall function 004DDFA0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004DE017
      • Part of subcall function 004DDFA0: __vbaStrToAnsi.MSVBVM60(?,?,00000006), ref: 004DE02A
      • Part of subcall function 004DDFA0: __vbaSetSystemError.MSVBVM60(00000400,0000000E,00000000), ref: 004DE03F
      • Part of subcall function 004DDFA0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 004DE04D
      • Part of subcall function 004DDFA0: __vbaFreeStr.MSVBVM60 ref: 004DE056
      • Part of subcall function 004DDFA0: #617.MSVBVM60(?,?,00000000), ref: 004DE076
      • Part of subcall function 004DDFA0: __vbaStrVarVal.MSVBVM60(?,?), ref: 004DE084
      • Part of subcall function 004DDFA0: __vbaStrMove.MSVBVM60(00000000), ref: 004DE095
      • Part of subcall function 004DDFA0: __vbaFreeStr.MSVBVM60 ref: 004DE09E
      • Part of subcall function 004DDFA0: __vbaFreeVar.MSVBVM60 ref: 004DE0A7
      • Part of subcall function 004DDFA0: __vbaLenBstr.MSVBVM60(?), ref: 004DE0B1
      • Part of subcall function 004DDFA0: __vbaStrCopy.MSVBVM60 ref: 004DE0C5
      • Part of subcall function 004DDFA0: __vbaStrCopy.MSVBVM60 ref: 004DE0D1
    • __vbaStrMove.MSVBVM60 ref: 004DE50F
      • Part of subcall function 004DE130: #608.MSVBVM60(?,00000000), ref: 004DE172
      • Part of subcall function 004DE130: #607.MSVBVM60(?,00000006,?), ref: 004DE182
      • Part of subcall function 004DE130: __vbaStrVarMove.MSVBVM60(?), ref: 004DE18C
      • Part of subcall function 004DE130: __vbaStrMove.MSVBVM60 ref: 004DE197
      • Part of subcall function 004DE130: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004DE1A7
      • Part of subcall function 004DE130: __vbaStrToAnsi.MSVBVM60(?,?,00000006), ref: 004DE1BA
      • Part of subcall function 004DE130: __vbaSetSystemError.MSVBVM60(00000400,0000000F,00000000), ref: 004DE1CF
      • Part of subcall function 004DE130: __vbaStrToUnicode.MSVBVM60(?,?), ref: 004DE1DD
      • Part of subcall function 004DE130: __vbaFreeStr.MSVBVM60 ref: 004DE1E6
      • Part of subcall function 004DE130: #617.MSVBVM60(?,?,00000000), ref: 004DE206
      • Part of subcall function 004DE130: __vbaStrVarVal.MSVBVM60(?,?), ref: 004DE214
      • Part of subcall function 004DE130: __vbaStrMove.MSVBVM60(00000000), ref: 004DE225
      • Part of subcall function 004DE130: __vbaFreeStr.MSVBVM60 ref: 004DE22E
      • Part of subcall function 004DE130: __vbaFreeVar.MSVBVM60 ref: 004DE237
      • Part of subcall function 004DE130: __vbaLenBstr.MSVBVM60(?), ref: 004DE241
      • Part of subcall function 004DE130: __vbaStrCopy.MSVBVM60 ref: 004DE255
      • Part of subcall function 004DE130: __vbaStrCopy.MSVBVM60 ref: 004DE261
    • __vbaStrMove.MSVBVM60 ref: 004DE51D
      • Part of subcall function 004DE2C0: __vbaSetSystemError.MSVBVM60(00000000,004DE524), ref: 004DE2C8
    • __vbaStrCopy.MSVBVM60 ref: 004DE54C
      • Part of subcall function 00506E40: #608.MSVBVM60(?,00000097,6D49D8B1,00000000,6D49D83C,?,?,?,?,?,?,?,00000000,0040A636), ref: 00506E7A
      • Part of subcall function 00506E40: #607.MSVBVM60(?,00000066,?,?,?,?,?,?,?,?,00000000,0040A636), ref: 00506E8A
      • Part of subcall function 00506E40: __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636), ref: 00506E94
      • Part of subcall function 00506E40: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 00506EA1
      • Part of subcall function 00506E40: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,00000000,0040A636), ref: 00506EB1
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60(6D49D8B1,00000000,004DE55D), ref: 004C824E
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C8258
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C8262
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C8290
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C829A
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C82A4
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C82CE
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C82D8
      • Part of subcall function 004C8210: __vbaStrCopy.MSVBVM60 ref: 004C82E2
    • __vbaStrCopy.MSVBVM60 ref: 004DE57B
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 004DE597
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000014), ref: 004DE5BC
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045AD40,000000B8), ref: 004DE5E9
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 004DE601
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000014), ref: 004DE626
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045AD40,000000C0), ref: 004DE653
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004DE688
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 004DE6A4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000014), ref: 004DE6C9
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045AD40,000000C0), ref: 004DE6F6
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 004DE70E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000014), ref: 004DE733
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045AD40,000000C8), ref: 004DE760
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 004DE778
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000014), ref: 004DE79D
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045AD40,000000B8), ref: 004DE7CA
    • __vbaStrI2.MSVBVM60(?), ref: 004DE7D7
    • __vbaStrMove.MSVBVM60 ref: 004DE7E2
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 004DE7EA
    • __vbaVarDup.MSVBVM60 ref: 004DE814
    • #660.MSVBVM60(?,?,?,00000001,00000001), ref: 004DE83C
    • __vbaVarDup.MSVBVM60 ref: 004DE86E
    • #660.MSVBVM60(?,?,?,00000001,00000001), ref: 004DE8A5
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 004DE8CD
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004DE8DB
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004DE8EC
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004DE8FD
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004DE900
    • __vbaStrMove.MSVBVM60 ref: 004DE90D
    • __vbaFreeStr.MSVBVM60 ref: 004DE912
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004DE926
    • __vbaFreeVarList.MSVBVM60(0000000B,00000002,?,?,?,?,00000002,?,?,?,?,?), ref: 004DE969
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 004DE985
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000014), ref: 004DE9AA
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045AD40,00000050), ref: 004DE9CE
    • __vbaStrMove.MSVBVM60 ref: 004DE9DF
    • __vbaFreeObj.MSVBVM60 ref: 004DE9E4
    • #617.MSVBVM60(00000002,?,00000002), ref: 004DEA0C
    • __vbaStrVarVal.MSVBVM60(?,00000002), ref: 004DEA1A
    • #533.MSVBVM60(00000000), ref: 004DEA21
    • __vbaFreeStr.MSVBVM60 ref: 004DEA2A
    • __vbaFreeVar.MSVBVM60 ref: 004DEA33
    • #530.MSVBVM60(?), ref: 004DEA40
    • #619.MSVBVM60(00000002,?,00000001), ref: 004DEA63
    • __vbaVarTstNe.MSVBVM60(?,00000002), ref: 004DEA88
    • __vbaFreeVar.MSVBVM60 ref: 004DEA93
    • __vbaStrCat.MSVBVM60(0045AD6C,?), ref: 004DEAAF
    • __vbaStrMove.MSVBVM60 ref: 004DEAB8
    • __vbaStrCat.MSVBVM60(ProcType.dat,?), ref: 004DEAD3
    • __vbaStrMove.MSVBVM60 ref: 004DEADC
    • __vbaStrCat.MSVBVM60(DictMetr.dat,?), ref: 004DEAF4
    • __vbaStrMove.MSVBVM60 ref: 004DEAFD
      • Part of subcall function 004CCCE0: #648.MSVBVM60(0000000A,6D49D8F4,6D49D8B1,00000000), ref: 004CCD3B
      • Part of subcall function 004CCCE0: __vbaFreeVar.MSVBVM60 ref: 004CCD47
      • Part of subcall function 004CCCE0: __vbaOnError.MSVBVM60(00000001), ref: 004CCD4F
      • Part of subcall function 004CCCE0: __vbaRedim.MSVBVM60(00000000,00000038,006250BC,004529BC,00000001,00000000,00000000), ref: 004CCD66
      • Part of subcall function 004CCCE0: __vbaFileOpen.MSVBVM60(00000001,000000FF,?,?), ref: 004CCD8C
      • Part of subcall function 004CCCE0: #571.MSVBVM60(?), ref: 004CCD9C
      • Part of subcall function 004CCCE0: __vbaFileClose.MSVBVM60(?), ref: 004CCDB6
      • Part of subcall function 004CCCE0: __vbaVarDup.MSVBVM60 ref: 004CCE06
      • Part of subcall function 004CCCE0: #595.MSVBVM60(0000000A,00000000,?,?,?), ref: 004CCE1E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Copy$CheckHresult$#608List$New2$Error$#607#617System$AnsiBstrUnicode$#660File$#530#533#571#595#619#648CloseOpenRedim
    • String ID: $ cb$ cb$ cb$ cb$$cb$(cb$000$8_b$DictMetr.dat$ProcType.dat$Projects$T`b$X`b$\`b$``b$d`b$h`b$l`b$p`b$x`b
    • API String ID: 694574115-2442932075
    • Opcode ID: 8aa0b936e7729aaa8a40e39d4d26a69051276d63a83894aa82a3d964a181185b
    • Instruction ID: a4b55cf1d85507bfd67efdd637efcb9d8ebedb1c6d45656e18823cd547f4b020
    • Opcode Fuzzy Hash: 8aa0b936e7729aaa8a40e39d4d26a69051276d63a83894aa82a3d964a181185b
    • Instruction Fuzzy Hash: 18327F70A00259AFCB10EFA4DD88EEE77B9FB48705F00415AF605B72A0DB745949CF69
    Function 004C80A0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 93COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • #648.MSVBVM60(0000000A,?,?,?), ref: 004C80F8
    • __vbaFreeVar.MSVBVM60 ref: 004C8104
    • __vbaOnError.MSVBVM60(00000001), ref: 004C810C
    • __vbaFileOpen.MSVBVM60(00000001,000000FF,?,?), ref: 004C8128
    • #571.MSVBVM60(?), ref: 004C8138
    • __vbaFileClose.MSVBVM60(?), ref: 004C814E
    • __vbaVarDup.MSVBVM60 ref: 004C818E
    • #595.MSVBVM60(0000000A,00000000,?,?,?), ref: 004C81A6
    • __vbaFreeVarList.MSVBVM60(00000004,0000000A,?,?,?), ref: 004C81BE
    • __vbaEnd.MSVBVM60 ref: 004C81C7
    • __vbaExitProc.MSVBVM60 ref: 004C81CD
      • Part of subcall function 004C80A0: __vbaOnError.MSVBVM60(00000001,?,?,00000000), ref: 004C7AB3
      • Part of subcall function 004C80A0: __vbaInputFile.MSVBVM60(0045588C,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004C7AEC
      • Part of subcall function 004C80A0: #617.MSVBVM60(?,00004008,00000001), ref: 004C7B18
      • Part of subcall function 004C80A0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004C7B40
      • Part of subcall function 004C80A0: __vbaFreeVar.MSVBVM60 ref: 004C7B4F
    Strings
    • AFC Manager not installed correctly., xrefs: 004C817A
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FileFree$Error$#571#595#617#648CloseExitInputListOpenProc
    • String ID: AFC Manager not installed correctly.
    • API String ID: 1153927894-3029208091
    • Opcode ID: 8b744f7fe50d132193413c2e21dc4085d8e9bf19426d38c9af2a22488c3a3930
    • Instruction ID: 590ed62f270f7072170d8486e5f1475cb7adc9ee7869d7a2761d003d7a824252
    • Opcode Fuzzy Hash: 8b744f7fe50d132193413c2e21dc4085d8e9bf19426d38c9af2a22488c3a3930
    • Instruction Fuzzy Hash: 6A41C6B5C10268ABCB10DFD4DD44ADEBBB8BB08700F14422EE505B72A1DB745545CBA5
    Function 0040AAB8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 143 40aab8-40aaf8 #100 144 40aafb-40ab0a 143->144
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: #100
    • String ID:
    • API String ID: 1341478452-0
    • Opcode ID: 40554d4a9628a7a0ed2b2dbd3ae55dc37bde6689b1f50d6e6b6bd31725068d1a
    • Instruction ID: ab2baef2f77df3251d0bdce0bc1efdf9a79e39a52c76fe45df48b756c102a458
    • Opcode Fuzzy Hash: 40554d4a9628a7a0ed2b2dbd3ae55dc37bde6689b1f50d6e6b6bd31725068d1a
    • Instruction Fuzzy Hash: A1010061A9E3D00FD347133049291157F719E13214B1B81EBC1C2DE0E3D6A90819C77B

    Non-executed Functions

    Function 0059C2C0 Relevance: 1404.7, APIs: 780, Strings: 20, Instructions: 4734COMMON
    Download Yara Rule
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,0046D1FC,00000008), ref: 0059C3EB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C40A
    • __vbaCastObj.MSVBVM60(00000000), ref: 0059C40D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C418
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0059C431
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0059C444
    • __vbaFreeVar.MSVBVM60 ref: 0059C453
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 0059C474
    • __vbaCastObj.MSVBVM60(00406A88,00454AC4), ref: 0059C486
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C491
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8), ref: 0059C4BD
    • __vbaFreeObj.MSVBVM60 ref: 0059C4CE
    • __vbaVarDup.MSVBVM60 ref: 0059C538
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 0059C55B
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 0059C594
    • __vbaCastObj.MSVBVM60(00406A88,00454AC4), ref: 0059C5A6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C5B1
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000710), ref: 0059C5E7
    • __vbaFreeObj.MSVBVM60 ref: 0059C5F7
    • __vbaCastObj.MSVBVM60(00406A88,00454AC4), ref: 0059C60C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059C617
    • __vbaFreeObj.MSVBVM60(?,?,00406ABC), ref: 0059C63E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0059C664
    • __vbaStrI2.MSVBVM60(00000000), ref: 0059C680
    • __vbaStrMove.MSVBVM60 ref: 0059C691
    • __vbaStrCopy.MSVBVM60 ref: 0059C698
    • __vbaFreeStr.MSVBVM60 ref: 0059C6A1
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0059C6C3
    • __vbaSetSystemError.MSVBVM60(?,0000000F), ref: 0059C6ED
    • __vbaVarDup.MSVBVM60(?,0000000F), ref: 0059C74F
    • #595.MSVBVM60(?,00000000,?,?,?,?,0000000F), ref: 0059C773
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,00000008), ref: 005A069F
    • __vbaAryDestruct.MSVBVM60(00000000,?,005A07B0), ref: 005A07A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Cast$Error$#595BoundsCheckGenerateHresultListMoveNew2$#598BoolCallConstruct2CopyDestructLateNullSystem
    • String ID: group 1$ group 1a$ group 2$ group 3$ group 4$ group 5$ group 6$0000$Audit did not complete.$Cannot audit a disabled meter.$Function$MemQty$MemStart$No audit scans selected.$Polling for completion ($Reading audit $Reading audit header group $Result$Setting up$View audit details.
    • API String ID: 1976138486-684677779
    • Opcode ID: e023c54a026c643d414a43e8c6d91c1b96ee848426286d4e827aab668000416a
    • Instruction ID: b44d1c8ce1be0f9a6bd562239da3b822eb9d0944d87403b2c8f00ed8f9094c62
    • Opcode Fuzzy Hash: e023c54a026c643d414a43e8c6d91c1b96ee848426286d4e827aab668000416a
    • Instruction Fuzzy Hash: 64934E74900219DFDB14EF64DD88BEEB7B9FF48301F1081AAE50AA7261DB345A85CF58
    Function 00561100 Relevance: 722.2, APIs: 365, Strings: 46, Instructions: 2959COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 5933 561100-561176 __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 5935 561187-5611bf __vbaFreeStrList __vbaObjSetAddref 5933->5935 5936 561178-561181 __vbaHresultCheckObj 5933->5936 5937 5611c5-561233 __vbaLateIdSt __vbaLateIdCallSt 5935->5937 5938 5613ff-5614fe __vbaErrorOverflow __vbaStrCopy __vbaObjSetAddref __vbaLateIdSt * 3 5935->5938 5936->5935 5940 561235-56123d 5937->5940 5939 561500-561508 5938->5939 5941 561610-561657 __vbaObjSetAddref __vbaFreeObj __vbaFreeStr 5939->5941 5942 56150e-56151a 5939->5942 5943 56123f-56124b 5940->5943 5944 5612ab-56131e __vbaLateIdSt * 3 5940->5944 5946 561520-561607 __vbaLateIdSt call 452eac __vbaSetSystemError __vbaVarDup * 2 #681 __vbaLateIdSt __vbaFreeVarList 5942->5946 5947 56166d-561809 __vbaErrorOverflow __vbaObjSet __vbaVarDup __vbaStrI2 __vbaStrMove __vbaStrCat #681 __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaObjSet __vbaFreeStrList __vbaFreeObjList __vbaFreeVarList 5942->5947 5943->5938 5948 561251-5612a1 __vbaLateIdCallSt 5943->5948 5945 561320-561327 5944->5945 5950 5613b0-5613e9 __vbaObjSetAddref __vbaFreeObj 5945->5950 5951 56132d-561339 5945->5951 5946->5947 5959 561609-56160b 5946->5959 5961 56180e-561815 5947->5961 5948->5938 5953 5612a7-5612a9 5948->5953 5951->5938 5955 56133f-5613a7 __vbaLateIdSt __vbaStrI2 __vbaLateIdSt __vbaFreeVar 5951->5955 5953->5940 5955->5938 5958 5613a9-5613ab 5955->5958 5958->5945 5959->5939 5962 5618fb-561b05 __vbaObjSet __vbaLateIdSt * 2 __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaObjSetAddref __vbaObjSet 5961->5962 5963 56181b-56183c __vbaObjSet 5961->5963 5973 561b16-561b6e __vbaFreeObj * 2 5962->5973 5974 561b07-561b10 __vbaHresultCheckObj 5962->5974 5966 561844-56184c 5963->5966 5967 56183e __vbaGenerateBoundsError 5963->5967 5969 561854-5618ec __vbaObjSet __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList __vbaFreeObjList 5966->5969 5970 56184e __vbaGenerateBoundsError 5966->5970 5967->5966 5975 561b84-561ca7 __vbaErrorOverflow __vbaObjSet __vbaVarDup * 2 #681 5969->5975 5976 5618f2-5618f6 5969->5976 5970->5969 5974->5973 5979 5621c2-562366 __vbaErrorOverflow __vbaCastObj __vbaObjSet call 4e21d0 __vbaFreeObj __vbaObjSet * 2 __vbaCastObj __vbaObjSet call 4e2700 __vbaFreeObjList #681 __vbaI2Var __vbaFreeVarList __vbaErase 5975->5979 5980 561cad-561cc3 5975->5980 5976->5961 5996 56236c-562509 __vbaStrCopy * 15 __vbaVarDup * 2 #681 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList 5979->5996 5997 56250b-562511 5979->5997 5980->5979 5981 561cc9-561d7b __vbaVarCat * 2 __vbaStrVarMove __vbaStrMove __vbaObjSet __vbaFreeStr __vbaFreeObjList __vbaFreeVarList 5980->5981 5985 561d7d-561dc6 __vbaObjSet * 2 __vbaFreeObjList 5981->5985 5986 561dc9-561e00 __vbaObjSet * 2 5981->5986 5985->5986 5986->5979 5991 561e06-561e2f __vbaFreeObjList 5986->5991 5998 561e34-561e3b 5991->5998 5999 562517-562b50 __vbaStrCopy * 15 __vbaVarDup * 2 #681 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrCopy * 10 __vbaVarDup * 2 #681 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrCopy * 4 __vbaVarDup * 2 #681 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrCopy * 3 __vbaVarDup * 2 #681 __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaVarDup * 2 #681 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVarList __vbaStrCopy * 11 5996->5999 5997->5999 6000 561f13-561f73 __vbaObjSet __vbaLateIdSt 5998->6000 6001 561e41-561e5e __vbaObjSet 5998->6001 6002 562b56-562b5a 5999->6002 6003 5631bb-5634cb __vbaErrorOverflow __vbaObjSetAddref __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var 5999->6003 6000->5979 6011 561f79-56213f __vbaLateIdSt __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaLateIdCallLd __vbaI2Var __vbaLateIdSt __vbaFreeVar __vbaObjSetAddref __vbaObjSet 6000->6011 6014 561e66-561ebd __vbaObjSet __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove 6001->6014 6015 561e60 __vbaGenerateBoundsError 6001->6015 6002->6003 6006 562b60-562b65 6002->6006 6004 5637d1-56388a __vbaErrorOverflow __vbaObjSet * 2 __vbaFreeObjList 6003->6004 6005 5634d1-563507 __vbaFreeVar __vbaLateIdCallLd * 2 __vbaI2Var 6003->6005 6005->6004 6008 56350d-56351a 6005->6008 6006->6003 6010 562b6b-562bb4 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 6006->6010 6008->6004 6013 563520-563668 __vbaI2Var #681 __vbaI2Var __vbaFreeVarList __vbaObjSetAddref #681 * 2 __vbaObjSet __vbaVarDup __vbaI4Var 6008->6013 6020 5631b6 6010->6020 6021 562bba-562c50 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar __vbaObjSet __vbaLateIdCallLd __vbaR4Var 6010->6021 6035 562150-5621ac __vbaFreeObj * 2 6011->6035 6036 562141-56214a __vbaHresultCheckObj 6011->6036 6024 563670-563679 6013->6024 6025 56366a __vbaGenerateBoundsError 6013->6025 6014->5979 6017 561ec3-561ec6 6014->6017 6015->6014 6017->5979 6022 561ecc-561f06 __vbaFreeStrList __vbaFreeObjList 6017->6022 6020->6003 6021->6003 6040 562c56-562c7b 6021->6040 6022->5979 6034 561f0c-561f0e 6022->6034 6027 563684-5636ac 6024->6027 6028 56367b-563681 __vbaGenerateBoundsError 6024->6028 6025->6024 6027->6004 6033 5636b2-5636c2 6027->6033 6028->6027 6033->6004 6038 5636c8-56371e #681 __vbaStrVarVal 6033->6038 6034->5998 6036->6035 6043 563720-563729 __vbaHresultCheckObj 6038->6043 6044 56372f-5637bb __vbaFreeStr __vbaFreeObj __vbaFreeVarList __vbaFreeObj 6038->6044 6040->6020 6042 562c81-562d10 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar __vbaObjSet * 2 6040->6042 6050 562d12-562d1b __vbaHresultCheckObj 6042->6050 6051 562d21-562d43 6042->6051 6043->6044 6050->6051 6051->6020 6052 562d49-562d60 6051->6052 6054 562d62-562d6b __vbaHresultCheckObj 6052->6054 6055 562d71-562dbd __vbaFreeObjList __vbaObjSet * 2 6052->6055 6054->6055 6059 562dce-562df0 6055->6059 6060 562dbf-562dc8 __vbaHresultCheckObj 6055->6060 6059->6020 6061 562df6-562e0d 6059->6061 6060->6059 6063 562e1e-562e6a __vbaFreeObjList __vbaObjSet * 2 6061->6063 6064 562e0f-562e18 __vbaHresultCheckObj 6061->6064 6068 562e6c-562e75 __vbaHresultCheckObj 6063->6068 6069 562e7b-562e9d 6063->6069 6064->6063 6068->6069 6069->6020 6070 562ea3-562eba 6069->6070 6072 562ecf 6070->6072 6073 562ebc-562ecd __vbaHresultCheckObj 6070->6073 6074 562ed5-562efc __vbaFreeObjList 6072->6074 6073->6074 6076 562efe-562f0a __vbaHresultCheckObj 6074->6076 6077 562f0c-562f28 6074->6077 6076->6077 6077->6020 6078 562f2e-562f48 6077->6078 6080 562f4a-562f56 __vbaHresultCheckObj 6078->6080 6081 562f58-562fc9 __vbaCastObj __vbaObjSet call 4e3600 __vbaFreeObj __vbaObjSet __vbaStrI2 __vbaStrMove 6078->6081 6080->6081 6086 562fdd-56301c __vbaFreeStr __vbaFreeObj __vbaObjSet 6081->6086 6087 562fcb-562fd7 __vbaHresultCheckObj 6081->6087 6090 563036-56312c __vbaFreeObj __vbaObjSet __vbaLateIdSt __vbaFreeObj __vbaObjSet __vbaLateIdSt __vbaFreeObj __vbaObjSet __vbaLateIdSt __vbaFreeObj __vbaObjSet 6086->6090 6091 56301e-563030 __vbaHresultCheckObj 6086->6091 6087->6086 6097 563140-563196 __vbaFreeObj 6090->6097 6098 56312e-56313a __vbaHresultCheckObj 6090->6098 6091->6090 6098->6097
    APIs
    • __vbaStrCat.MSVBVM60(?,Measurement Configuration Changed (), ref: 0056114D
    • __vbaStrMove.MSVBVM60(?,Measurement Configuration Changed (), ref: 00561154
    • __vbaStrCat.MSVBVM60(00455B54,00000000,?,Measurement Configuration Changed (), ref: 00561160
    • __vbaStrMove.MSVBVM60(?,Measurement Configuration Changed (), ref: 00561167
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00469840,00000054,?,Measurement Configuration Changed (), ref: 00561181
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,Measurement Configuration Changed (), ref: 00561191
    • __vbaObjSetAddref.MSVBVM60(?), ref: 005611A4
    • __vbaLateIdSt.MSVBVM60(?,00000008), ref: 005611E2
    • __vbaLateIdCallSt.MSVBVM60(?,00000020,00000001), ref: 0056122A
    • __vbaLateIdCallSt.MSVBVM60(?,00000020,00000001), ref: 00561290
    • __vbaLateIdSt.MSVBVM60(?,0000000D), ref: 005612CE
    • __vbaLateIdSt.MSVBVM60(?,0000000C), ref: 005612ED
    • __vbaLateIdSt.MSVBVM60(?,00000001), ref: 00561312
    • __vbaLateIdSt.MSVBVM60(?,0000000D), ref: 0056135C
    • __vbaStrI2.MSVBVM60(0000000F), ref: 00561363
    • __vbaLateIdSt.MSVBVM60(?,00000001), ref: 00561390
    • __vbaFreeVar.MSVBVM60 ref: 00561399
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005613B6
    • __vbaFreeObj.MSVBVM60(005613EA), ref: 005613E3
    • __vbaErrorOverflow.MSVBVM60 ref: 005613FF
    • __vbaStrCopy.MSVBVM60(?,?), ref: 00561462
    • __vbaObjSetAddref.MSVBVM60(?), ref: 00561475
    • __vbaLateIdSt.MSVBVM60(?,0000000C), ref: 005614B0
    • __vbaLateIdSt.MSVBVM60(?,0000000D), ref: 005614D5
    • __vbaLateIdSt.MSVBVM60(?,00000001), ref: 005614FE
    • __vbaLateIdSt.MSVBVM60(?,0000000D), ref: 00561543
    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00561555
    • __vbaVarDup.MSVBVM60 ref: 00561575
    • __vbaVarDup.MSVBVM60 ref: 0056158F
    • #681.MSVBVM60(?,?,?,?), ref: 005615B7
    • __vbaLateIdSt.MSVBVM60(?,00000001), ref: 005615E2
    • __vbaFreeVarList.MSVBVM60(00000004,00000002,?,?,?), ref: 005615F6
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00561619
    • __vbaFreeObj.MSVBVM60(00561658), ref: 00561648
    • __vbaFreeStr.MSVBVM60 ref: 00561651
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$Addref$CallErrorListMove$#681CheckCopyHresultOverflowSystem
    • String ID: & meter base$, Ushort$, prover,$Accumulator rollovers$Analysis component selection map$Analysis mole fraction$Analysis mole fraction, Float$Analysis precision, stream assignment$Arbitrary event-logged value$Bits$Densitometer$Input scaling$Measurement Configuration Changed ($Meter $Meter classification$Meter factor curve$Meter options$Meter parameter value$PLC addresses, meter$PLC addresses, prover$PLC addresses, site$Process input alarm$Process input calibration / alarm$Prover$Prover classification$Prover input format codes$Prover options$Prover parameter value$Prover process input scaling$Prover reference conditions$Prover run counts$Prover size characteristics$Prover variation limits$Pulse input rollover$RbXm$Reference conditions$Site$Site options$Site parameter value$Stream options$Stream parameter value$Units$[reserved]$site$stream$P@
    • API String ID: 2229425045-4191113161
    • Opcode ID: 4352ad6bec788150877f30c9830319179777cdfcdfcefbe38c01a9112e677447
    • Instruction ID: a9a9cab6a81636b5b1b649717742a400d3e82f787ee0f8936892fb7449fbe8da
    • Opcode Fuzzy Hash: 4352ad6bec788150877f30c9830319179777cdfcdfcefbe38c01a9112e677447
    • Instruction Fuzzy Hash: 78435DB09002099FDB14DFA4CD84BEEBBB9FF48300F1085ADE54AA7251EB74A945CF65
    Function 00581290 Relevance: 468.2, APIs: 259, Strings: 7, Instructions: 2683COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0058131F
    • __vbaRedim.MSVBVM60(00000000,0000000C,00625EA4,004533C0,00000001,00000000,00000000), ref: 00581349
    • __vbaAryLock.MSVBVM60(?,?), ref: 0058135F
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581381
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581395
    • __vbaSetSystemError.MSVBVM60(0058393E,00000000), ref: 005813B8
    • __vbaStrCopy.MSVBVM60 ref: 005813D4
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005813E7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581403
    • __vbaStrCopy.MSVBVM60 ref: 00581423
    • __vbaAryUnlock.MSVBVM60(?), ref: 00581430
    • __vbaRedimPreserve.MSVBVM60(00000000,0000000C,00625EA4,004533C0,00000001,-00000001,00000000), ref: 00581450
    • __vbaAryLock.MSVBVM60(?,?), ref: 00581467
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581488
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0058149C
    • __vbaSetSystemError.MSVBVM60(0058393E,00000001), ref: 005814C2
    • __vbaStrCopy.MSVBVM60 ref: 005814DE
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005814F4
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581516
    • __vbaStrCat.MSVBVM60(00456870,?), ref: 0058153D
    • __vbaStrMove.MSVBVM60 ref: 00581548
    • __vbaStrCopy.MSVBVM60 ref: 00581553
    • __vbaFreeStr.MSVBVM60 ref: 0058155C
    • __vbaAryUnlock.MSVBVM60(?), ref: 00581569
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0058157C
    • __vbaRedimPreserve.MSVBVM60(00000000,0000000C,00625EA4,004533C0,00000001,?,00000000), ref: 005815BA
    • __vbaAryLock.MSVBVM60(?,?), ref: 005815D0
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005815F2
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0058162E
    • __vbaSetSystemError.MSVBVM60(0058393E,00000002), ref: 0058165D
    • __vbaStrCopy.MSVBVM60 ref: 00581679
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0058168F
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005816A5
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005816BB
    • __vbaStrMove.MSVBVM60(0062638A,?,?,?), ref: 0058170C
    • __vbaStrCopy.MSVBVM60(?,?,?), ref: 00581717
    • __vbaFreeStr.MSVBVM60(?,?,?), ref: 00581720
    • __vbaSetSystemError.MSVBVM60(0058393E,00000002), ref: 0058173E
    • __vbaStrCopy.MSVBVM60 ref: 0058175A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581770
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581792
    • __vbaStrCopy.MSVBVM60 ref: 005817B5
    • __vbaRedimPreserve.MSVBVM60(00000000,0000000C,00625EA4,004533C0,00000001,?,00000000), ref: 005817F7
    • __vbaAryLock.MSVBVM60(?,?), ref: 0058180E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581830
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581844
    • __vbaSetSystemError.MSVBVM60(0058393E,00000002), ref: 0058186A
    • __vbaStrCopy.MSVBVM60 ref: 00581886
    • __vbaStrCopy.MSVBVM60 ref: 00581894
    • __vbaAryUnlock.MSVBVM60(?), ref: 005818A1
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005818B4
    • __vbaRedimPreserve.MSVBVM60(00000000,0000000C,00625EA4,004533C0,00000001,00000000,00000000), ref: 005818F4
    • __vbaAryLock.MSVBVM60(?,?), ref: 0058190B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0058192D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581941
    • __vbaSetSystemError.MSVBVM60(0058393E,00000003), ref: 00581967
    • __vbaStrCopy.MSVBVM60 ref: 00581983
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581999
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005819BB
    • __vbaStrCopy.MSVBVM60 ref: 005819DA
    • __vbaAryUnlock.MSVBVM60(?), ref: 005819E7
    • __vbaRedimPreserve.MSVBVM60(00000000,0000000C,00625EA4,004533C0,00000001,-00000001,00000000), ref: 00581A0D
    • __vbaAryLock.MSVBVM60(?,?), ref: 00581A24
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581A46
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581A5A
    • __vbaSetSystemError.MSVBVM60(0058393E,00000004), ref: 00581A80
    • __vbaStrCopy.MSVBVM60 ref: 00581A9C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581AAF
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581ACB
    • __vbaStrCopy.MSVBVM60 ref: 00581AEC
    • __vbaAryUnlock.MSVBVM60(?), ref: 00581AF9
    • __vbaUbound.MSVBVM60(00000001,?), ref: 00581B16
    • __vbaI2I4.MSVBVM60 ref: 00581B1E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581B52
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581B77
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,0000007C), ref: 00581BB0
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581BBC
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581BD3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581BF8
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,0000009C), ref: 00581C1C
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581C28
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581C3F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581C64
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581C8C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581CA3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 00581CCC
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581CD8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581CEF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581D14
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581D3C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00581D50
    • __vbaStrCat.MSVBVM60(00406108,00455A98), ref: 00581D6E
    • __vbaStrMove.MSVBVM60 ref: 00581D79
    • __vbaStrCat.MSVBVM60(00455B54,00000000), ref: 00581D85
    • __vbaStrMove.MSVBVM60 ref: 00581D90
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 00581DB9
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00581DC5
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581DD5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581DEC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581E11
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000080), ref: 00581E37
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581E72
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581E90
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581EB5
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000080), ref: 00581EDB
    • __vbaFpI2.MSVBVM60 ref: 00581EE0
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581EF3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581F0A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581F2F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000080), ref: 00581F55
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00581F90
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00581FAE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00581FD3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000080), ref: 00581FF9
    • __vbaFpI2.MSVBVM60 ref: 00581FFE
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582011
    • __vbaUbound.MSVBVM60(00000001,?), ref: 00582052
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0058206F
    • __vbaI2I4.MSVBVM60 ref: 0058207C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005820A3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005820C8
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,0000009C), ref: 005820EC
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005820F8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058217B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641B8,00000078), ref: 005821A0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005821B0
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641B8,00000078), ref: 005821D5
    • __vbaFpI2.MSVBVM60 ref: 005821F3
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582206
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005822A3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000074), ref: 005822EA
    • __vbaFreeObj.MSVBVM60 ref: 005822EF
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582303
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000074), ref: 0058234A
    • __vbaFreeObj.MSVBVM60 ref: 0058234F
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582363
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000080), ref: 0058238A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058239A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000074), ref: 005823F1
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005823FD
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0058240E
    • __vbaI2I4.MSVBVM60 ref: 00582416
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582448
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0058246D
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,0000006C), ref: 005824A6
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005824B2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005824C9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005824EE
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,0000006C), ref: 00582527
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582533
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058254A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0058256F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000074), ref: 005825A8
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005825B4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005825CB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005825F0
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,00000074), ref: 00582629
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582635
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058264C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00582671
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,00000084), ref: 005826B0
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005826BC
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005826E7
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004641B8,00000074), ref: 0058272E
    • __vbaFreeObj.MSVBVM60 ref: 00582733
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582747
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004641B8,00000074), ref: 0058278E
    • __vbaFreeObj.MSVBVM60 ref: 00582793
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005827A7
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004641B8,00000080), ref: 005827CE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406108,0046B27C,00000088), ref: 005827EF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406108,0046B27C,00000108), ref: 00582810
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406108,0046B27C,0000008C), ref: 00582875
    • __vbaFreeObj.MSVBVM60 ref: 0058287A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406108,0046B27C,00000080), ref: 0058289F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406108,0046B27C,00000100), ref: 005828C0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406108,0046B27C,00000084), ref: 00582926
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582936
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641B8,00000078), ref: 0058295B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058296B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641B8,0000006C), ref: 005829C4
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005829D0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005829E7
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004641B8,00000078), ref: 00582A08
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582A1E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582A31
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004641B8,00000068), ref: 00582A4E
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641B8,0000006C), ref: 00582A82
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00582A92
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582AA9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,0000007C), ref: 00582AF9
    • __vbaFreeObj.MSVBVM60 ref: 00582AFE
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582B12
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000070), ref: 00582B33
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582B49
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582B5C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004641B8,00000068), ref: 00582B79
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000084), ref: 00582BB3
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00582BC3
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582BD9
    • __vbaUbound.MSVBVM60(00000001,?), ref: 00582C06
    • __vbaI2I4.MSVBVM60 ref: 00582C0E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582C4E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582C62
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582C94
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582CA8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582CCC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00582CF1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582D19
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00582D3E
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000000E4), ref: 00582D62
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582D6E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582D85
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00582DAA
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582DC2
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582E0D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582E21
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582E34
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582E43
    • __vbaStrMove.MSVBVM60(?,0062654D,?,?), ref: 00582EA2
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 00582ED4
    • __vbaFreeStr.MSVBVM60 ref: 00582EDD
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582EED
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582F04
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00582F29
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582F3F
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00582F4E
    • __vbaStrR4.MSVBVM60(?), ref: 00582F7F
    • __vbaStrMove.MSVBVM60 ref: 00582F8A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 00582FB0
    • __vbaFreeStr.MSVBVM60 ref: 00582FB9
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00582FC9
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00582FE0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00583005
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,00000094), ref: 0058302D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0058303D
    • __vbaUbound.MSVBVM60(00000001,?), ref: 0058306B
    • __vbaI2I4.MSVBVM60 ref: 00583073
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005830AB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005830D0
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 005830F7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00583103
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058311A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0058313F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 00583166
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00583172
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00583189
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005831AE
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,00000094), ref: 005831D2
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005831DE
    • __vbaAryUnlock.MSVBVM60(?,0058326D), ref: 0058323D
    • __vbaAryUnlock.MSVBVM60(?), ref: 00583246
    • __vbaAryUnlock.MSVBVM60(?), ref: 0058324F
    • __vbaAryUnlock.MSVBVM60(?), ref: 00583258
    • __vbaAryUnlock.MSVBVM60(?), ref: 00583261
    • __vbaAryUnlock.MSVBVM60(?), ref: 0058326A
    • __vbaErrorOverflow.MSVBVM60(00406108), ref: 00583291
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406118,0046B2AC,000006F8), ref: 005832F6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Error$BoundsGenerate$Free$List$Copy$Unlock$System$LockMoveRedimUbound$Preserve$Overflow
    • String ID: Density$Differential pressure$Flow rate$Pressure$Pulse Frequency$Temperature$Water content
    • API String ID: 3558112189-3436613639
    • Opcode ID: cf791057096629cb63eb73b66f1d149f9bc83a265c007ba3ad3485a13cce8e3d
    • Instruction ID: 2c5d06fc1f8050f72382db893ff6a56abab9dfc1ab6240ba34a4b48c3c3f21a6
    • Opcode Fuzzy Hash: cf791057096629cb63eb73b66f1d149f9bc83a265c007ba3ad3485a13cce8e3d
    • Instruction Fuzzy Hash: E2239574900205AFDB10EFA4CD48EEEBBB9FF88701F104169F946AB291EB749946CF54
    Function 00547170 Relevance: 430.0, APIs: 221, Strings: 24, Instructions: 1297COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 11821 547170-5472ab __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr 11822 5472b1-547400 __vbaVarDup * 2 #681 __vbaVarCat * 2 __vbaStrVarMove __vbaStrMove __vbaFreeVarList __vbaStrCopy * 4 11821->11822 11823 547402-547448 __vbaStrCopy * 5 11821->11823 11824 54744d-547487 __vbaStrCopy __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr 11822->11824 11823->11824 11825 547489-5474b6 __vbaStrCopy * 3 11824->11825 11826 5474bb-5474bf 11824->11826 11827 54783a-547853 __vbaStrI4 __vbaStrMove __vbaStrCopy 11825->11827 11828 5477b4-547837 __vbaStrCopy * 2 __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 11826->11828 11829 5474c5-5474fa __vbaStrCopy * 3 11826->11829 11830 547859-54785e 11827->11830 11828->11827 11831 547b86-547ce9 __vbaErrorOverflow __vbaCastObj __vbaObjSet call 4e21d0 __vbaFreeObj __vbaObjSet __vbaCastObj __vbaObjSet call 4e2700 __vbaFreeObjList __vbaObjSet * 2 __vbaCastObj __vbaObjSet call 4e2050 __vbaFreeObjList call 4cd100 11829->11831 11832 547500-547505 11829->11832 11833 547887-547a50 __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList __vbaObjSet 11830->11833 11834 547860-547873 __vbaStrCopy 11830->11834 11855 547d43-547d5e call 4ccfe0 11831->11855 11856 547ceb-547cf1 11831->11856 11832->11831 11835 54750b-547510 11832->11835 11845 547a61-547b70 __vbaFreeObj __vbaFreeStr * 13 11833->11845 11846 547a52-547a5b __vbaHresultCheckObj 11833->11846 11834->11831 11837 547879-547885 __vbaStrI4 __vbaStrMove 11834->11837 11835->11831 11838 547516-547659 __vbaStrI4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI4 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaVarDup 11835->11838 11837->11833 11838->11831 11839 54765f-5477af __vbaStrI4 #681 __vbaVarCat * 3 __vbaStrVarMove __vbaStrMove __vbaFreeStrList __vbaFreeVarList 11838->11839 11839->11830 11846->11845 11862 5481a4-54825b __vbaErrorOverflow __vbaObjSet __vbaCastObj __vbaObjSet call 4c53c0 __vbaFreeObjList 11855->11862 11863 547d64-547d7e call 4f6900 11855->11863 11858 547d03-547d26 __vbaObjSetAddref 11856->11858 11859 547cf3-547cfd __vbaNew2 11856->11859 11864 547d28-547d34 __vbaHresultCheckObj 11858->11864 11865 547d3a-547d3d __vbaFreeObj 11858->11865 11859->11858 11863->11862 11869 547d84-547d88 11863->11869 11864->11865 11865->11855 11869->11862 11870 547d8e-547d93 11869->11870 11870->11862 11872 547d99-547db1 call 4f69f0 11870->11872 11872->11862 11878 547db7-547dbc 11872->11878 11878->11862 11879 547dc2-547dde call 4f6900 11878->11879 11879->11862 11882 547de4-547dea 11879->11882 11882->11862 11883 547df0-547e0f call 4f6a10 11882->11883 11883->11862 11886 547e15-547e1d 11883->11886 11886->11862 11887 547e23-547e81 call 4cce80 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove 11886->11887 11891 547e92-547ecf __vbaFreeStrList __vbaObjSet 11887->11891 11892 547e83-547e8c __vbaHresultCheckObj 11887->11892 11895 547ee0-547f23 __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove 11891->11895 11896 547ed1-547eda __vbaHresultCheckObj 11891->11896 11892->11891 11898 547f34-547f79 __vbaFreeStrList __vbaFreeObjList __vbaObjSet 11895->11898 11899 547f25-547f2e __vbaHresultCheckObj 11895->11899 11896->11895 11902 547f8a-547f9a 11898->11902 11903 547f7b-547f84 __vbaHresultCheckObj 11898->11903 11899->11898 11902->11862 11904 547fa0-548004 __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrI2 __vbaStrMove __vbaStrCat __vbaStrMove 11902->11904 11903->11902 11906 548015-548062 __vbaFreeStrList __vbaFreeObjList __vbaObjSet 11904->11906 11907 548006-54800f __vbaHresultCheckObj 11904->11907 11910 548064-54806d __vbaHresultCheckObj 11906->11910 11911 548073-548091 11906->11911 11907->11906 11910->11911 11913 5480a5-548117 __vbaFreeObjList __vbaCastObj __vbaObjSet call 4e3600 __vbaFreeObj __vbaObjSet __vbaStrI2 __vbaStrMove 11911->11913 11914 548093-54809f __vbaHresultCheckObj 11911->11914 11919 548119-548125 __vbaHresultCheckObj 11913->11919 11920 54812b-548184 __vbaFreeStr __vbaFreeObj 11913->11920 11914->11913 11919->11920
    APIs
    • __vbaStrI2.MSVBVM60(?,age ), ref: 0054726E
    • __vbaStrMove.MSVBVM60 ref: 0054727F
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547288
    • __vbaStrMove.MSVBVM60 ref: 0054728F
    • __vbaFreeStr.MSVBVM60 ref: 00547294
    • __vbaVarDup.MSVBVM60 ref: 005472E2
    • __vbaVarDup.MSVBVM60 ref: 00547308
    • #681.MSVBVM60(?,?,?,?), ref: 0054733D
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 0054736C
    • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00547381
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 00547388
    • __vbaStrMove.MSVBVM60 ref: 00547393
    • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 005473BA
    • __vbaStrCopy.MSVBVM60 ref: 005473CB
    • __vbaStrCopy.MSVBVM60 ref: 005473D9
    • __vbaStrCopy.MSVBVM60 ref: 005473E7
    • __vbaStrCopy.MSVBVM60 ref: 005473F5
    • __vbaStrCopy.MSVBVM60 ref: 0054740A
    • __vbaStrCopy.MSVBVM60 ref: 00547418
    • __vbaStrCopy.MSVBVM60 ref: 00547426
    • __vbaStrCopy.MSVBVM60 ref: 00547434
    • __vbaStrCopy.MSVBVM60 ref: 00547442
    • __vbaStrCopy.MSVBVM60 ref: 00547450
    • __vbaStrCat.MSVBVM60(?,The record having ), ref: 0054745F
    • __vbaStrMove.MSVBVM60 ref: 00547466
    • __vbaStrCat.MSVBVM60( is ,00000000), ref: 0054746E
    • __vbaStrMove.MSVBVM60 ref: 00547475
    • __vbaFreeStr.MSVBVM60 ref: 0054747A
    • __vbaStrCopy.MSVBVM60 ref: 00547491
    • __vbaStrCopy.MSVBVM60 ref: 0054749F
    • __vbaStrCopy.MSVBVM60 ref: 005474AD
    • __vbaStrCopy.MSVBVM60 ref: 005474CD
    • __vbaStrCopy.MSVBVM60 ref: 005474DB
    • __vbaStrCopy.MSVBVM60 ref: 005474E9
    • __vbaStrI4.MSVBVM60(00000000), ref: 0054751A
    • __vbaStrMove.MSVBVM60 ref: 00547525
    • __vbaStrCat.MSVBVM60(?,?), ref: 0054752E
    • __vbaStrMove.MSVBVM60 ref: 00547535
    • __vbaStrCat.MSVBVM60(Alternatively, you may write the ,00000000), ref: 0054753D
    • __vbaStrMove.MSVBVM60 ref: 00547544
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0054754B
    • __vbaStrMove.MSVBVM60 ref: 00547552
    • __vbaStrCat.MSVBVM60( to Holding Register ,00000000), ref: 0054755A
    • __vbaStrMove.MSVBVM60 ref: 00547561
    • __vbaStrI4.MSVBVM60(?,00000000), ref: 00547568
    • __vbaStrMove.MSVBVM60 ref: 00547573
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547576
    • __vbaStrMove.MSVBVM60 ref: 0054757D
    • __vbaStrCat.MSVBVM60( then read ,00000000), ref: 00547585
    • __vbaStrMove.MSVBVM60 ref: 0054758C
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 00547594
    • __vbaStrMove.MSVBVM60 ref: 0054759F
    • __vbaStrCat.MSVBVM60(00000000), ref: 005475A2
    • __vbaStrMove.MSVBVM60 ref: 005475A9
    • __vbaStrCat.MSVBVM60( registers starting at ,00000000), ref: 005475B1
    • __vbaStrMove.MSVBVM60 ref: 005475B8
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005475BF
    • __vbaStrMove.MSVBVM60 ref: 005475C6
    • __vbaStrCat.MSVBVM60( Register ,00000000), ref: 005475CE
    • __vbaStrMove.MSVBVM60 ref: 005475D5
    • __vbaStrI4.MSVBVM60(?,00000000), ref: 005475DC
    • __vbaStrMove.MSVBVM60 ref: 005475E7
    • __vbaStrCat.MSVBVM60(00000000), ref: 005475EA
    • __vbaStrMove.MSVBVM60 ref: 005475F4
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005475FB
    • __vbaStrMove.MSVBVM60 ref: 00547605
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0054760C
    • __vbaStrMove.MSVBVM60 ref: 00547616
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0054761D
    • __vbaVarDup.MSVBVM60 ref: 0054764C
    • __vbaStrI4.MSVBVM60(?), ref: 00547660
    • #681.MSVBVM60(?,?,?,?), ref: 005476A5
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 005476E4
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 005476F9
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0054770E
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 00547715
    • __vbaStrMove.MSVBVM60 ref: 00547720
    • __vbaFreeStrList.MSVBVM60(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054776D
    • __vbaFreeVarList.MSVBVM60(00000007,00000008,?,?,?,?,?,?), ref: 005477A6
    • __vbaStrCopy.MSVBVM60 ref: 005477BC
    • __vbaStrCopy.MSVBVM60 ref: 005477CA
    • __vbaStrCat.MSVBVM60(?,writing the ), ref: 005477D9
    • __vbaStrMove.MSVBVM60 ref: 005477E0
    • __vbaStrCat.MSVBVM60( to Holding Register ,00000000), ref: 005477E8
    • __vbaStrMove.MSVBVM60 ref: 005477EF
    • __vbaStrI4.MSVBVM60(?,00000000), ref: 005477F6
    • __vbaStrMove.MSVBVM60 ref: 00547801
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547804
    • __vbaStrMove.MSVBVM60 ref: 0054780B
    • __vbaStrCat.MSVBVM60( then ,00000000), ref: 00547813
    • __vbaStrMove.MSVBVM60 ref: 0054781A
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0054782E
    • __vbaStrI4.MSVBVM60(?), ref: 0054783E
    • __vbaStrMove.MSVBVM60 ref: 00547849
    • __vbaStrCopy.MSVBVM60 ref: 00547853
    • __vbaStrCopy.MSVBVM60 ref: 00547866
    • __vbaStrI4.MSVBVM60(?), ref: 0054787A
    • __vbaStrMove.MSVBVM60 ref: 00547885
    • __vbaStrCat.MSVBVM60(?,?), ref: 0054788F
    • __vbaStrMove.MSVBVM60 ref: 00547896
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 0054789E
    • __vbaStrMove.MSVBVM60 ref: 005478A5
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005478AE
    • __vbaStrMove.MSVBVM60 ref: 005478B5
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005478BF
    • __vbaStrMove.MSVBVM60 ref: 005478C6
    • __vbaStrCat.MSVBVM60(Access it by ,00000000), ref: 005478CE
    • __vbaStrMove.MSVBVM60 ref: 005478D5
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005478DC
    • __vbaStrMove.MSVBVM60 ref: 005478E3
    • __vbaStrCat.MSVBVM60(reading ,00000000), ref: 005478EB
    • __vbaStrMove.MSVBVM60 ref: 005478F2
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 005478FA
    • __vbaStrMove.MSVBVM60 ref: 00547905
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547908
    • __vbaStrMove.MSVBVM60 ref: 0054790F
    • __vbaStrCat.MSVBVM60( registers starting at ,00000000), ref: 00547917
    • __vbaStrMove.MSVBVM60 ref: 0054791E
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547925
    • __vbaStrMove.MSVBVM60 ref: 0054792C
    • __vbaStrCat.MSVBVM60( Register ,00000000), ref: 00547934
    • __vbaStrMove.MSVBVM60 ref: 0054793B
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547942
    • __vbaStrMove.MSVBVM60 ref: 00547949
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547950
    • __vbaStrMove.MSVBVM60 ref: 0054795A
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547961
    • __vbaStrMove.MSVBVM60 ref: 0054796B
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547972
    • __vbaStrMove.MSVBVM60 ref: 0054797C
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547983
    • __vbaStrMove.MSVBVM60 ref: 0054798D
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00547994
    • __vbaStrMove.MSVBVM60 ref: 0054799E
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005479A6
    • __vbaStrMove.MSVBVM60 ref: 005479B0
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005479B7
    • __vbaStrMove.MSVBVM60 ref: 005479BE
    • __vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00547A20
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547A3A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 00547A5B
    • __vbaFreeObj.MSVBVM60 ref: 00547A67
    • __vbaFreeStr.MSVBVM60(00547B71), ref: 00547B32
    • __vbaFreeStr.MSVBVM60 ref: 00547B37
    • __vbaFreeStr.MSVBVM60 ref: 00547B3C
    • __vbaFreeStr.MSVBVM60 ref: 00547B41
    • __vbaFreeStr.MSVBVM60 ref: 00547B46
    • __vbaFreeStr.MSVBVM60 ref: 00547B4B
    • __vbaFreeStr.MSVBVM60 ref: 00547B50
    • __vbaFreeStr.MSVBVM60 ref: 00547B55
    • __vbaFreeStr.MSVBVM60 ref: 00547B5A
    • __vbaFreeStr.MSVBVM60 ref: 00547B5F
    • __vbaFreeStr.MSVBVM60 ref: 00547B64
    • __vbaFreeStr.MSVBVM60 ref: 00547B69
    • __vbaFreeStr.MSVBVM60 ref: 00547B6E
    • __vbaErrorOverflow.MSVBVM60 ref: 00547B86
    • __vbaCastObj.MSVBVM60(004044F0,00454AC4), ref: 00547BED
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547BFE
    • __vbaFreeObj.MSVBVM60(?), ref: 00547C0C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547C25
    • __vbaCastObj.MSVBVM60(00000000), ref: 00547C28
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547C33
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000), ref: 00547C49
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547C60
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 00547C72
    • __vbaCastObj.MSVBVM60(00000000), ref: 00547C75
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547C80
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000), ref: 00547C9A
    • __vbaNew2.MSVBVM60(00459D58,0062B924,00150054), ref: 00547CFD
    • __vbaObjSetAddref.MSVBVM60(?,004044F0,00150054), ref: 00547D12
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00459D48,00000010), ref: 00547D34
    • __vbaFreeObj.MSVBVM60 ref: 00547D3D
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000054,0054845F,00150054), ref: 00547E30
    • __vbaStrCat.MSVBVM60( Archive Modbus Addresses, Meter ,00000000), ref: 00547E3C
    • __vbaStrMove.MSVBVM60 ref: 00547E47
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 00547E55
    • __vbaStrMove.MSVBVM60 ref: 00547E60
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547E67
    • __vbaStrMove.MSVBVM60 ref: 00547E72
    • __vbaHresultCheckObj.MSVBVM60(00000000,004044F0,00468348,00000054), ref: 00547E8C
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00547EA4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547EBB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00547EDA
    • __vbaStrI2.MSVBVM60(00000000,1 thru ), ref: 00547EF2
    • __vbaStrMove.MSVBVM60 ref: 00547EFD
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547F04
    • __vbaStrMove.MSVBVM60 ref: 00547F0F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 00547F2E
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00547F3E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00547F4E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00547F65
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00547F84
    • __vbaStrI2.MSVBVM60(-00000001), ref: 00547FA1
    • __vbaStrMove.MSVBVM60 ref: 00547FAC
    • __vbaStrCat.MSVBVM60( thru ,00000000), ref: 00547FB8
    • __vbaStrMove.MSVBVM60 ref: 00547FC3
    • __vbaStrI2.MSVBVM60(86C10000,00000000), ref: 00547FCF
    • __vbaStrMove.MSVBVM60 ref: 00547FDA
    • __vbaStrCat.MSVBVM60(00000000), ref: 00547FE1
    • __vbaStrMove.MSVBVM60 ref: 00547FEC
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 0054800F
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00548027
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00548037
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Copy$List$CheckHresult$Cast$#681$AddrefErrorNew2Overflow
    • String ID: (the selected item is $ Archive Modbus Addresses, Meter $ Register $ at $ is $ registers starting at $ then $ then read $ thru $ to Holding Register $1 register$1 thru $2 registers$Access it by $Alternatively, you may write the $Holding$Input$The record having $age $for the current period (in progress)$reading $stored locally$stored on Compact Flash$writing the
    • API String ID: 2846732147-2801830373
    • Opcode ID: b14df8047e7eedfd3343b86f869c09508859387afdd7ef1ca0935d12b3074fc4
    • Instruction ID: c367ffe65dfc89cddc944c15b205cfe325b22e5d52512e867d922f6946ba4259
    • Opcode Fuzzy Hash: b14df8047e7eedfd3343b86f869c09508859387afdd7ef1ca0935d12b3074fc4
    • Instruction Fuzzy Hash: 57B23B71D00219AFCB14EFA4DD84EEEBBB8FF58300F10816AE506E7264EA745A45CF64
    Function 00603130 Relevance: 154.9, APIs: 82, Strings: 6, Instructions: 858COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 0060318D
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 006031A2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006031B3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8), ref: 006031DB
    • __vbaFreeObj.MSVBVM60 ref: 006031EC
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 00603232
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 00603244
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060324F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000710), ref: 00603281
    • __vbaFreeObj.MSVBVM60 ref: 00603291
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 006032B7
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006032C2
    • __vbaFreeObj.MSVBVM60(?,?), ref: 006032D9
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 006032FC
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00603307
    • __vbaFreeObj.MSVBVM60(?,?), ref: 0060331F
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 00603386
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00603391
    • __vbaFreeObj.MSVBVM60(?,?), ref: 006033A9
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 006033F3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006033FE
    • __vbaFreeObj.MSVBVM60(?,?), ref: 00603416
    • __vbaLateMemSt.MSVBVM60(?,Function), ref: 00603472
    • __vbaStrI4.MSVBVM60(-00000766,?), ref: 0060348D
    • __vbaLateMemSt.MSVBVM60(?,MemStart), ref: 006034BC
    • __vbaFreeVar.MSVBVM60 ref: 006034C1
    • __vbaLateMemSt.MSVBVM60(?,MemQty), ref: 006034F2
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 0060350C
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 0060351E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00603529
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000700), ref: 00603553
    • __vbaFreeObj.MSVBVM60 ref: 0060355C
    • __vbaLateMemCallLd.MSVBVM60(?,?,Result,00000000,?), ref: 00603589
    • __vbaVarTstNe.MSVBVM60(00008002,00000000), ref: 00603597
    • __vbaFreeVar.MSVBVM60 ref: 006035A3
    • __vbaStrR4.MSVBVM60(?,?,00000000), ref: 006035C1
    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 006035CC
    • __vbaStrCopy.MSVBVM60(?,?,00000000), ref: 006035DA
    • __vbaFreeStr.MSVBVM60(?,?,00000000), ref: 006035E3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060361C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0060363B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464210,000000E4), ref: 00603663
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00603673
    • __vbaErrorOverflow.MSVBVM60(?), ref: 006037CA
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,6D586918), ref: 0060382D
    • __vbaCastObj.MSVBVM60(?,00454AC4,?,?,6D586918), ref: 00603848
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060384F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8), ref: 0060387B
    • __vbaFreeObj.MSVBVM60 ref: 0060388C
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 006038AE
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 006038C0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006038C7
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000710), ref: 006038FD
    • __vbaFreeObj.MSVBVM60 ref: 0060390C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Cast$CheckHresult$New2$Late$CallCopyErrorListMoveOverflow
    • String ID: Function$MemQty$MemStart$Reading line meter flow rate$Result$Writing prover instructions
    • API String ID: 2682458626-857973757
    • Opcode ID: b53c4d789b8e8b71dd9b82cf3274f69773ad702fb3eb99be6d6bdba52813d9d8
    • Instruction ID: adc5e30b7fc71adb7e4459ecf98423984e77833fdcb3e8222e124e9c07d10cfe
    • Opcode Fuzzy Hash: b53c4d789b8e8b71dd9b82cf3274f69773ad702fb3eb99be6d6bdba52813d9d8
    • Instruction Fuzzy Hash: 7B726A7494024AAFCB14EFA4DD89AEEBBB9FF48701F10812DF40AB7290D7745A45CB58
    Function 005AD220 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005AD2A0
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005AD2B2
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005AD2BD
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005AD2DD
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005AD2E6
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005AD2EF
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00455464,00000700,?,?,?,?,?,?,?,?,0040A636), ref: 005AD310
    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005AD346
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$ErrorMoveOverflow
    • String ID: xp@
    • API String ID: 2466774281-4232108188
    • Opcode ID: a018edf9a3b3881354612784e40f620e7815e357b1371e68a9b973afa07608db
    • Instruction ID: 311f54660e49e60b19170504f00797136b46413a40767e1e0569e87346428f5c
    • Opcode Fuzzy Hash: a018edf9a3b3881354612784e40f620e7815e357b1371e68a9b973afa07608db
    • Instruction Fuzzy Hash: 4341B474900605EFCB10EF58CA49BAEBFB8FF45701F108069F906E7660D7349946CBA5
    Function 005942B0 Relevance: 166.7, APIs: 74, Strings: 21, Instructions: 438COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00594331
    • __vbaStrCopy.MSVBVM60(?), ref: 0059437E
    • __vbaStrCopy.MSVBVM60 ref: 0059438F
    • __vbaStrCopy.MSVBVM60 ref: 00594399
    • __vbaStrCopy.MSVBVM60 ref: 005943A3
    • __vbaStrCopy.MSVBVM60 ref: 005943AD
    • __vbaStrMove.MSVBVM60(?,?,00000000,Input out of range: ), ref: 005943CB
    • __vbaStrCat.MSVBVM60(00000000,?,?,00000000,Input out of range: ), ref: 005943CE
    • __vbaStrMove.MSVBVM60(?,?,00000000,Input out of range: ), ref: 005943D9
    • __vbaStrCopy.MSVBVM60(?,?,00000000,Input out of range: ), ref: 005943E0
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000000,Input out of range: ), ref: 005943EC
    • __vbaStrCopy.MSVBVM60 ref: 005943FD
    • __vbaStrCopy.MSVBVM60 ref: 00594407
    • __vbaStrMove.MSVBVM60(?,?,000000FF), ref: 0059441D
    • __vbaStrCat.MSVBVM60( low,00000000), ref: 00594425
    • __vbaStrMove.MSVBVM60 ref: 00594430
    • __vbaStrCopy.MSVBVM60 ref: 00594437
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00594443
    • __vbaStrCopy.MSVBVM60 ref: 00594454
    • __vbaStrCopy.MSVBVM60 ref: 0059445E
    • __vbaStrCopy.MSVBVM60 ref: 00594468
    • __vbaVarDup.MSVBVM60 ref: 00594487
    • __vbaVarDup.MSVBVM60 ref: 005944AA
    • #681.MSVBVM60(?,?,?,?), ref: 005944E4
    • __vbaStrVarMove.MSVBVM60(?), ref: 005944EE
    • __vbaStrMove.MSVBVM60 ref: 005944F9
    • __vbaStrCopy.MSVBVM60 ref: 00594500
    • __vbaFreeStr.MSVBVM60 ref: 00594505
    • __vbaFreeVarList.MSVBVM60(00000004,0000000B,?,?,?), ref: 00594520
    • __vbaVarDup.MSVBVM60 ref: 00594546
    • __vbaVarDup.MSVBVM60 ref: 00594569
    • #681.MSVBVM60(?,0000000B,?,?), ref: 005945A3
    • __vbaStrVarMove.MSVBVM60(?), ref: 005945AD
    • __vbaStrMove.MSVBVM60 ref: 005945B8
    • __vbaStrCopy.MSVBVM60 ref: 005945BF
    • __vbaFreeStr.MSVBVM60 ref: 005945C4
    • __vbaFreeVarList.MSVBVM60(00000004,0000000B,?,?,?), ref: 005945DF
    • __vbaVarDup.MSVBVM60 ref: 00594605
    • __vbaVarDup.MSVBVM60 ref: 00594628
    • #681.MSVBVM60(?,0000000B,?,?), ref: 00594651
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 0059467A
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 00594681
    • __vbaStrMove.MSVBVM60 ref: 0059468C
    • __vbaStrCopy.MSVBVM60 ref: 00594693
    • __vbaFreeStr.MSVBVM60 ref: 00594698
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005946B0
    • __vbaStrCopy.MSVBVM60 ref: 005946C1
    • __vbaStrCopy.MSVBVM60 ref: 005946CB
      • Part of subcall function 004E1430: __vbaVarDup.MSVBVM60 ref: 004E1488
      • Part of subcall function 004E1430: __vbaVarDup.MSVBVM60 ref: 004E149A
      • Part of subcall function 004E1430: #681.MSVBVM60(?,?,?,?), ref: 004E14BA
      • Part of subcall function 004E1430: __vbaStrVarMove.MSVBVM60(?), ref: 004E14C4
      • Part of subcall function 004E1430: __vbaStrMove.MSVBVM60 ref: 004E14CF
      • Part of subcall function 004E1430: __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004E14E3
    • __vbaStrMove.MSVBVM60(Vapo), ref: 005946DC
    • __vbaStrCat.MSVBVM60(00000000), ref: 005946DF
    • __vbaStrMove.MSVBVM60 ref: 005946EA
    • __vbaStrCat.MSVBVM60(r pressure error,00000000), ref: 005946F2
    • __vbaStrMove.MSVBVM60 ref: 005946FD
    • __vbaStrCopy.MSVBVM60 ref: 00594704
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00594714
    • __vbaStrCopy.MSVBVM60 ref: 00594725
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 00594773
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059477E
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0059478C
    • __vbaFreeObj.MSVBVM60 ref: 00594795
    • __vbaNew.MSVBVM60(0040E1B0), ref: 005947AB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005947B6
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045523C,0000081C), ref: 005947DC
    • __vbaFreeObj.MSVBVM60 ref: 005947E9
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045523C,00000814), ref: 0059480E
    • __vbaRecAssign.MSVBVM60(00453228,?,?), ref: 0059481D
    • __vbaFreeObj.MSVBVM60(?,00000000), ref: 00594830
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045520C,00000090), ref: 0059485E
    • #598.MSVBVM60 ref: 0059486A
    • __vbaCastObj.MSVBVM60(00000000,00465304), ref: 00594877
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00594882
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0045523C,0000081C), ref: 005948A2
    • __vbaFreeObj.MSVBVM60 ref: 005948A7
    • __vbaRecDestruct.MSVBVM60(00453228,?,00594903), ref: 005948FC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$Move$Free$List$#681CheckHresult$Cast$#598AddrefAssignBoundsDestructErrorGenerate
    • String ID: error$ low$Accumulation overflow$Analysis characterization error$Analysis total not normalized$Analysis total zero$Compressibility calculation$Cumulative Meter Alarms$High water$Input out of range: $Input out of range: density$Input out of range: pressure$Input out of range: temperature$Input out of range: water content$Orifice characterization error$Orifice pressure exception$Pressure correction error$Reference density error$Temperature correction error$Vapo$r pressure error
    • API String ID: 2146625448-4237776383
    • Opcode ID: 05285037b44d3bddd9e1bc5a331767266befd8b562fc81ded22ae8c083927315
    • Instruction ID: c5f43c6bc3157f599dbd0df4f13aae438e8f44bf7ae3b572151e850d1ce31c28
    • Opcode Fuzzy Hash: 05285037b44d3bddd9e1bc5a331767266befd8b562fc81ded22ae8c083927315
    • Instruction Fuzzy Hash: 750290719002099FDB10DFA4DE84EEEB7B8FF48300F108569E54AB7260EB746A49CF65
    Function 00608370 Relevance: 136.9, APIs: 68, Strings: 10, Instructions: 351COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF38,00000008), ref: 004E1575
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF54,00000008), ref: 004E1582
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF70,00000003), ref: 004E158F
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF70,00000003), ref: 004E159F
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF8C,0000000B), ref: 004E15AF
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AFA8,00000003), ref: 004E15BF
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AFA8,00000003), ref: 004E15CF
      • Part of subcall function 004E1530: __vbaStrCopy.MSVBVM60 ref: 004E15DB
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E15FB
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E160E
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E1624
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E163D
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E1659
    • __vbaStrCopy.MSVBVM60(?), ref: 006083D3
    • __vbaStrCopy.MSVBVM60 ref: 006083E4
    • __vbaStrCopy.MSVBVM60 ref: 006083EE
    • __vbaFpI4.MSVBVM60(temperature,?), ref: 00608401
    • __vbaStrVarMove.MSVBVM60(?), ref: 00608415
    • __vbaStrMove.MSVBVM60 ref: 00608420
    • __vbaStrCopy.MSVBVM60 ref: 00608431
    • __vbaFreeStr.MSVBVM60 ref: 00608436
    • __vbaFreeVar.MSVBVM60 ref: 0060843F
    • __vbaStrVarMove.MSVBVM60(?), ref: 0060845F
    • __vbaStrMove.MSVBVM60 ref: 0060846A
    • __vbaStrCopy.MSVBVM60 ref: 00608475
    • __vbaFreeStr.MSVBVM60 ref: 0060847A
    • __vbaFreeVar.MSVBVM60 ref: 00608483
    • __vbaStrVarMove.MSVBVM60(?), ref: 006084A3
    • __vbaStrMove.MSVBVM60 ref: 006084AE
    • __vbaStrCopy.MSVBVM60 ref: 006084B9
    • __vbaFreeStr.MSVBVM60 ref: 006084BE
    • __vbaFreeVar.MSVBVM60 ref: 006084C7
    • __vbaFpI4.MSVBVM60(pressure,?), ref: 006084DE
    • __vbaStrVarMove.MSVBVM60(?), ref: 006084F2
    • __vbaStrMove.MSVBVM60 ref: 006084FD
    • __vbaStrCopy.MSVBVM60 ref: 0060850E
    • __vbaFreeStr.MSVBVM60 ref: 00608513
    • __vbaFreeVar.MSVBVM60 ref: 0060851C
    • __vbaStrVarMove.MSVBVM60(?), ref: 0060853C
    • __vbaStrMove.MSVBVM60 ref: 00608547
    • __vbaStrCopy.MSVBVM60 ref: 00608552
    • __vbaFreeStr.MSVBVM60 ref: 00608557
    • __vbaFreeVar.MSVBVM60 ref: 00608560
    • __vbaStrVarMove.MSVBVM60(?), ref: 00608580
    • __vbaStrMove.MSVBVM60 ref: 0060858B
    • __vbaStrCopy.MSVBVM60 ref: 00608596
    • __vbaFreeStr.MSVBVM60 ref: 0060859B
    • __vbaFreeVar.MSVBVM60 ref: 006085A4
    • __vbaStrVarMove.MSVBVM60(?), ref: 006085C4
    • __vbaStrMove.MSVBVM60 ref: 006085CF
    • __vbaStrCopy.MSVBVM60 ref: 006085DA
    • __vbaFreeStr.MSVBVM60 ref: 006085DF
    • __vbaFreeVar.MSVBVM60 ref: 006085E8
    • __vbaStrVarMove.MSVBVM60(?), ref: 00608608
    • __vbaStrMove.MSVBVM60 ref: 00608613
    • __vbaStrCopy.MSVBVM60 ref: 0060861E
    • __vbaFreeStr.MSVBVM60 ref: 00608623
    • __vbaFreeVar.MSVBVM60 ref: 0060862C
    • __vbaStrVarMove.MSVBVM60(?), ref: 0060864C
    • __vbaStrMove.MSVBVM60 ref: 00608657
    • __vbaStrCopy.MSVBVM60 ref: 00608662
    • __vbaFreeStr.MSVBVM60 ref: 00608667
    • __vbaFreeVar.MSVBVM60 ref: 00608670
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 006086BD
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006086C8
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 006086D6
    • __vbaFreeObj.MSVBVM60 ref: 006086DF
    • __vbaNew.MSVBVM60(0040E1B0), ref: 006086F5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00608700
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463734,00000854), ref: 00608726
    • __vbaFreeObj.MSVBVM60 ref: 00608733
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463734,0000084C), ref: 00608758
    • __vbaRecAssign.MSVBVM60(00453228,?,?), ref: 00608767
    • __vbaFreeObj.MSVBVM60(?,00000000), ref: 0060877A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463700,00000090), ref: 006087A5
    • #598.MSVBVM60 ref: 006087AE
    • __vbaCastObj.MSVBVM60(00000000,00465304), ref: 006087BB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006087C6
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463734,00000854), ref: 006087E6
    • __vbaFreeObj.MSVBVM60 ref: 006087EB
    • __vbaRecDestruct.MSVBVM60(00453228,?,00608828), ref: 00608821
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Move$Copy$Construct2$Erase$CheckHresult$Cast$#598AddrefAssignDestruct
    • String ID: Density$Meter pressure$Meter temperature$Prove Process Input Alarms$Prover outlet pressure$Prover outlet temperature$Switch bar temperature$Water content$pressure$temperature
    • API String ID: 2212387004-498084412
    • Opcode ID: 6c19d2fa5e0768408675bc255bbe5f28bc2bb52b63f229682de6e28ca7b8581f
    • Instruction ID: c271a26648e5b83f1e2e835c510ae7113dabdeb141374912f8f5370ebab4d31f
    • Opcode Fuzzy Hash: 6c19d2fa5e0768408675bc255bbe5f28bc2bb52b63f229682de6e28ca7b8581f
    • Instruction Fuzzy Hash: 73E12E31600106AFDB04DFA0DD89EEEBBB4FF58302F104529E546B71A1EF74A945CBA8
    Function 004C7140 Relevance: 129.8, APIs: 64, Strings: 10, Instructions: 274COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C7181
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C718B
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C7195
    • __vbaFpI2.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C71A1
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C71B7
    • __vbaStrI4.MSVBVM60(0000007D), ref: 004C71CC
    • __vbaStrMove.MSVBVM60 ref: 004C71D7
    • __vbaStrCopy.MSVBVM60 ref: 004C71E2
    • __vbaFreeStr.MSVBVM60 ref: 004C71E7
    • __vbaErase.MSVBVM60(00000000,?), ref: 004C7202
    • __vbaStrCopy.MSVBVM60 ref: 004C7217
    • __vbaStrCopy.MSVBVM60 ref: 004C7221
    • __vbaStrCopy.MSVBVM60 ref: 004C722B
    • __vbaFpI2.MSVBVM60 ref: 004C7237
    • __vbaStrCopy.MSVBVM60 ref: 004C724F
    • __vbaStrI4.MSVBVM60 ref: 004C7266
    • __vbaStrMove.MSVBVM60 ref: 004C7271
    • __vbaStrCopy.MSVBVM60 ref: 004C727C
    • __vbaFreeStr.MSVBVM60 ref: 004C7281
    • __vbaErase.MSVBVM60(00000000,?), ref: 004C729C
    • __vbaStrCopy.MSVBVM60 ref: 004C72B2
    • __vbaStrCopy.MSVBVM60 ref: 004C72BC
    • __vbaStrCopy.MSVBVM60 ref: 004C72C6
    • __vbaFpI2.MSVBVM60 ref: 004C72D2
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C72EA
    • __vbaStrI4.MSVBVM60(?,?,0000007D,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C72FF
    • __vbaStrMove.MSVBVM60(?,?,0000007D,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C730A
    • __vbaStrCopy.MSVBVM60(?,?,0000007D,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C7315
    • __vbaFreeStr.MSVBVM60(?,?,0000007D,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C731A
    • __vbaErase.MSVBVM60(00000000,?), ref: 004C7337
    • __vbaStrCopy.MSVBVM60 ref: 004C7350
    • __vbaStrCopy.MSVBVM60 ref: 004C735A
    • __vbaStrCopy.MSVBVM60 ref: 004C7364
    • __vbaFpI2.MSVBVM60 ref: 004C7370
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C7388
    • __vbaStrI4.MSVBVM60(?,?,00000037,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C739D
    • __vbaStrMove.MSVBVM60(?,?,00000037,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C73A8
    • __vbaStrCopy.MSVBVM60(?,?,00000037,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C73B3
    • __vbaFreeStr.MSVBVM60(?,?,00000037,?,?,?,?,?,?,?,?,?,?,?,0000007D), ref: 004C73B8
    • __vbaErase.MSVBVM60(00000000,?), ref: 004C73D5
    • __vbaStrCopy.MSVBVM60 ref: 004C73ED
    • __vbaStrCopy.MSVBVM60 ref: 004C73F7
    • __vbaStrCopy.MSVBVM60 ref: 004C7401
    • __vbaFpI2.MSVBVM60 ref: 004C7409
    • __vbaFpI2.MSVBVM60 ref: 004C7419
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000037), ref: 004C7431
    • __vbaStrI4.MSVBVM60 ref: 004C7448
    • __vbaStrMove.MSVBVM60 ref: 004C7453
    • __vbaStrCopy.MSVBVM60 ref: 004C745E
    • __vbaFreeStr.MSVBVM60 ref: 004C7463
    • __vbaErase.MSVBVM60(00000000,?), ref: 004C747E
    • __vbaStrCopy.MSVBVM60 ref: 004C7497
    • __vbaStrCopy.MSVBVM60 ref: 004C74A1
    • __vbaStrCopy.MSVBVM60 ref: 004C74AB
    • __vbaFpI4.MSVBVM60 ref: 004C74B9
    • __vbaFpI4.MSVBVM60 ref: 004C74C6
    • __vbaI2I4.MSVBVM60 ref: 004C74CF
    • __vbaFpI2.MSVBVM60 ref: 004C74DF
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0000003A), ref: 004C74F7
    • __vbaStrI4.MSVBVM60(0000007D,?,?,?,?,?,?,?,?,?,?,?,?,?,0000003A), ref: 004C750F
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000003A), ref: 004C751A
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000003A), ref: 004C7525
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000003A), ref: 004C752A
    • __vbaErase.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000003A), ref: 004C7547
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$EraseFreeMove
    • String ID: 1746$1756$1769$1771$MVI46-AFC$MVI56-AFC$MVI69-AFC$MVI71-AFC$PTQ-AFC$QNTM
    • API String ID: 1864867284-3637507954
    • Opcode ID: 4a62b451a7be9d43e04c5b62a8bfa924d90754f9ef459882860d8b9899d1684e
    • Instruction ID: d2d375c17a157d7ec096652b9a590883e3c8916e80caae2b2d90496e87f585a3
    • Opcode Fuzzy Hash: 4a62b451a7be9d43e04c5b62a8bfa924d90754f9ef459882860d8b9899d1684e
    • Instruction Fuzzy Hash: 1BC15234510A06ABC304DF61DD5855ABB75FF5C301720922AD80AA3BB0EB74B659CBDE
    Function 005FB140 Relevance: 128.2, APIs: 56, Strings: 17, Instructions: 494COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FB1B1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005FB1D9
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A0), ref: 005FB203
    • #520.MSVBVM60(?,00000008), ref: 005FB221
    • __vbaStrVarMove.MSVBVM60(?), ref: 005FB22B
    • __vbaStrMove.MSVBVM60 ref: 005FB236
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005FB246
    • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 005FB256
    • __vbaOnError.MSVBVM60(00000001), ref: 005FB261
    • __vbaStrCmp.MSVBVM60(00452580,?), ref: 005FB279
    • __vbaStrCopy.MSVBVM60 ref: 005FB28B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FB29F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464210,000000E0), ref: 005FB2C6
    • __vbaFreeObj.MSVBVM60 ref: 005FB2D2
    • __vbaI4Str.MSVBVM60(?), ref: 005FB2E1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FB2FA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464210,000000E0), ref: 005FB321
    • __vbaFreeObj.MSVBVM60 ref: 005FB32D
    • __vbaR4Str.MSVBVM60(?), ref: 005FB33C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FB35A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0047331C,000000B8), ref: 005FB381
    • __vbaFreeObj.MSVBVM60 ref: 005FB3A4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FB3B8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464210,000000E0), ref: 005FB3DF
    • __vbaFreeObj.MSVBVM60 ref: 005FB3EB
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463E10,00000708), ref: 005FB418
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463E10,0000070C), ref: 005FB449
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005FB45A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005FB47E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FB4A0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464210,000000E0), ref: 005FB4C7
    • __vbaFreeObj.MSVBVM60 ref: 005FB4D3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463E10,00000700), ref: 005FB500
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00463E10,00000704), ref: 005FB545
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005FB556
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005FB57A
    • __vbaExitProc.MSVBVM60 ref: 005FB595
    • __vbaFreeStr.MSVBVM60(005FB5DA), ref: 005FB5D3
    Strings
    • Master meter incompatible config, xrefs: 005FB6BD
    • Unknown error , xrefs: 005FB6E7
    • Line meter not enabled, xrefs: 005FB6A8
    • Cannot prove master meter, xrefs: 005FB6AF
    • Master meter not liquid pulse, xrefs: 005FB6B6
    • Incompatible measurement standard, xrefs: 005FB683
    • Unimplemented measured quantity, xrefs: 005FB697
    • Line meter not liquid pulse, xrefs: 005FB679
    • Bad meter number, xrefs: 005FB66F
    • None, xrefs: 005FB71D
    • Master meter in calibration, xrefs: 005FB6C4
    • Unimplemented product group, xrefs: 005FB68D
    • Line meter in calibration, xrefs: 005FB6A1
    • Master meter not enabled, xrefs: 005FB6CB
    • Invalid prover controls, xrefs: 005FB6D9
    • Unimplemented configuration, xrefs: 005FB6E0
    • Invalid prover parameter, xrefs: 005FB6D2
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Error$BoundsGenerate$ListMove$#520CopyExitProc
    • String ID: Bad meter number$Cannot prove master meter$Incompatible measurement standard$Invalid prover controls$Invalid prover parameter$Line meter in calibration$Line meter not enabled$Line meter not liquid pulse$Master meter in calibration$Master meter incompatible config$Master meter not enabled$Master meter not liquid pulse$None$Unimplemented configuration$Unimplemented measured quantity$Unimplemented product group$Unknown error
    • API String ID: 509512568-2550874583
    • Opcode ID: 933d4e04f009ab94261e820af4981d3ee4f3ae659aea384fab6491b542bd35e0
    • Instruction ID: 69778db2eeb232103a1b27a9cb64fbb798ab750b3ac5514edbe9d0ef9001ce07
    • Opcode Fuzzy Hash: 933d4e04f009ab94261e820af4981d3ee4f3ae659aea384fab6491b542bd35e0
    • Instruction Fuzzy Hash: 2902A275900209EBDB00EFA0DD88AFEBBB9FF48701F10852AF646A7265D7789941CF54
    Function 005C8100 Relevance: 121.2, APIs: 65, Strings: 4, Instructions: 422COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005C8183
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C819D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005C81C0
    • __vbaI2Str.MSVBVM60(?), ref: 005C81CA
    • __vbaFreeStr.MSVBVM60 ref: 005C81D5
    • __vbaFreeObj.MSVBVM60 ref: 005C81DE
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8234
    • __vbaStrI2.MSVBVM60(?), ref: 005C8241
    • __vbaStrMove.MSVBVM60 ref: 005C824C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005C826C
    • __vbaFreeStr.MSVBVM60 ref: 005C8275
    • __vbaFreeObj.MSVBVM60 ref: 005C827E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C82B2
    • __vbaStrI4.MSVBVM60(?), ref: 005C82BE
    • __vbaStrMove.MSVBVM60 ref: 005C82C9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005C82E9
    • __vbaFreeStr.MSVBVM60 ref: 005C82F2
    • __vbaFreeObj.MSVBVM60 ref: 005C82FB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C831A
    • __vbaStrI2.MSVBVM60(?), ref: 005C8327
    • __vbaStrMove.MSVBVM60 ref: 005C8332
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005C8352
    • __vbaFreeStr.MSVBVM60 ref: 005C835B
    • __vbaFreeObj.MSVBVM60 ref: 005C8364
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C8380
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000050), ref: 005C83A1
    • __vbaStrI2.MSVBVM60(00000002), ref: 005C83A9
    • __vbaStrCat.MSVBVM60(?,00456904), ref: 005C83C8
    • __vbaStrMove.MSVBVM60 ref: 005C83D5
    • __vbaStrCat.MSVBVM60(00456904,00000000), ref: 005C83DD
    • #681.MSVBVM60(?,0000400B,00000008,00000008), ref: 005C8412
    • __vbaStrVarMove.MSVBVM60(?), ref: 005C841C
    • __vbaStrMove.MSVBVM60 ref: 005C8427
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C8433
    • __vbaFreeObj.MSVBVM60 ref: 005C843F
    • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000008,?), ref: 005C8453
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C848C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000050), ref: 005C84B7
    • __vbaStrCat.MSVBVM60(?,Value must lie between ), ref: 005C84C6
    • __vbaStrMove.MSVBVM60 ref: 005C84CD
    • __vbaStrCat.MSVBVM60( and ,00000000), ref: 005C84D5
    • __vbaStrMove.MSVBVM60 ref: 005C84DC
    • __vbaStrI2.MSVBVM60(00000008,00000000), ref: 005C84E1
    • __vbaStrMove.MSVBVM60 ref: 005C84EC
    • __vbaStrCat.MSVBVM60(00000000), ref: 005C84EF
    • __vbaStrMove.MSVBVM60 ref: 005C84F6
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005C84FE
    • __vbaStrMove.MSVBVM60 ref: 005C8505
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005C850E
    • __vbaStrMove.MSVBVM60 ref: 005C8515
    • __vbaStrCat.MSVBVM60(If ",00000000), ref: 005C851D
    • __vbaStrMove.MSVBVM60 ref: 005C8524
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005C852B
    • __vbaStrMove.MSVBVM60 ref: 005C8532
    • __vbaStrCat.MSVBVM60(" is non-zero, must not exceed that value.,00000000), ref: 005C853A
    • #595.MSVBVM60(00000008,00000000,00000008,?,?), ref: 005C855B
    • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 005C8587
    • __vbaFreeObj.MSVBVM60 ref: 005C8593
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,00000008,?,?), ref: 005C85AE
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C85D0
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C85D3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C85DE
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005C85F3
    • __vbaExitProc.MSVBVM60 ref: 005C85FC
    • __vbaFreeStr.MSVBVM60(005C866E), ref: 005C8667
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Move$CheckHresult$List$#595#681CallCastErrorExitLateProc
    • String ID: and $" is non-zero, must not exceed that value.$If "$Value must lie between
    • API String ID: 568957611-2156166879
    • Opcode ID: f58991f25d605d088ca6ed6ec04a15b582333f95b268d0736695d139700b8e8a
    • Instruction ID: 81ab4fb1f689b3dd1d4c1934f08bf7bb06072c74c904e514ce8c46b98332dc2b
    • Opcode Fuzzy Hash: f58991f25d605d088ca6ed6ec04a15b582333f95b268d0736695d139700b8e8a
    • Instruction Fuzzy Hash: 62F138B2900258AFCB14DBA4DD88EEEBBB9FF88701F14412AF506E7161DB709945CF64
    Function 00524160 Relevance: 110.7, APIs: 55, Strings: 8, Instructions: 456COMMON
    Download Yara Rule
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,00464848,00000003), ref: 005241FB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052421A
    • __vbaCastObj.MSVBVM60(00000000), ref: 0052421D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00524228
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0052423B
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0052424E
    • __vbaFreeVar.MSVBVM60 ref: 0052425A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00524276
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005242B8
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005242EC
    • __vbaStrCat.MSVBVM60( Please disable the target meter first.,Cannot change gross characterization for an enabled meter.), ref: 0052434D
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 00524377
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00524398
    • __vbaStrCat.MSVBVM60(entire configuration,Copying ), ref: 005243B6
    • __vbaStrMove.MSVBVM60 ref: 005243C3
    • __vbaStrCat.MSVBVM60( from Meter ,00000000), ref: 005243CB
    • __vbaStrMove.MSVBVM60 ref: 005243D2
    • __vbaStrI2.MSVBVM60(0052E267,00000000), ref: 005243E0
    • __vbaStrMove.MSVBVM60 ref: 005243EB
    • __vbaStrCat.MSVBVM60(00000000), ref: 005243EE
    • __vbaStrMove.MSVBVM60 ref: 005243F5
    • __vbaStrCat.MSVBVM60( to Meter ,00000000), ref: 005243FD
    • __vbaStrMove.MSVBVM60 ref: 00524404
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 0052440F
    • __vbaStrMove.MSVBVM60 ref: 0052441A
    • __vbaStrCat.MSVBVM60(00000000), ref: 0052441D
    • __vbaStrMove.MSVBVM60 ref: 00524424
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 0052442C
    • __vbaStrMove.MSVBVM60 ref: 00524433
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0052443D
    • __vbaStrMove.MSVBVM60 ref: 00524444
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0052444D
    • __vbaStrMove.MSVBVM60 ref: 00524454
    • __vbaStrCat.MSVBVM60(Continue ?,00000000), ref: 0052445C
    • __vbaStrMove.MSVBVM60 ref: 00524463
    • __vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?), ref: 00524493
    • #595.MSVBVM60(?,00000024,?,?,?), ref: 005244ED
    • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00524514
    • __vbaStrCopy.MSVBVM60 ref: 0052452C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00524546
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00524551
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00524583
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00524596
    • __vbaRecAssign.MSVBVM60(0045260C,00000004), ref: 005245CB
    • __vbaStrCopy.MSVBVM60 ref: 005245D7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00524604
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052460F
    • __vbaSetSystemError.MSVBVM60(?,0000000F), ref: 00524647
    • __vbaFreeStr.MSVBVM60(00524704), ref: 005246E4
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 005246F8
    • __vbaFreeStr.MSVBVM60 ref: 00524701
    Strings
    • to Meter , xrefs: 005243F8
    • entire configuration, xrefs: 005243B1
    • Cannot change gross characterization for an enabled meter., xrefs: 0052431F
    • from Meter , xrefs: 005243C6
    • Continue ?, xrefs: 00524457
    • Please disable the target meter first., xrefs: 00524324
    • Read the meter configuration from the Module., xrefs: 0052478B
    • Copying , xrefs: 005243AC
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Error$BoundsGenerate$Free$List$#595Copy$#598AssignBoolCallCastConstruct2DestructLateNullSystem
    • String ID: Please disable the target meter first.$ from Meter $ to Meter $Cannot change gross characterization for an enabled meter.$Continue ?$Copying $Read the meter configuration from the Module.$entire configuration
    • API String ID: 2739065149-2024370622
    • Opcode ID: feb3923f6a4adfb3f18dc0f9b7ee075cf56ec6d1476e26f0aa070381d2cde22f
    • Instruction ID: ad87924b74a1bb2bf5cec9cb0a14b7820ec955cdfae3515b4795ff28bea6a03a
    • Opcode Fuzzy Hash: feb3923f6a4adfb3f18dc0f9b7ee075cf56ec6d1476e26f0aa070381d2cde22f
    • Instruction Fuzzy Hash: 5902A671D00229DFCB14DFA8DD84AEEBBB9FF85700F10416AE546A72A4DB706A45CF90
    Function 004D40A0 Relevance: 108.9, APIs: 57, Strings: 5, Instructions: 377COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 004D4110
    • __vbaStrCopy.MSVBVM60 ref: 004D4118
    • __vbaStrCopy.MSVBVM60 ref: 004D4120
    • __vbaStrCopy.MSVBVM60 ref: 004D4128
    • __vbaStrCopy.MSVBVM60 ref: 004D4132
    • #681.MSVBVM60(?,?,?,?), ref: 004D418A
    • __vbaI2Var.MSVBVM60(?), ref: 004D4194
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004D41A9
    • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004D41BD
    • __vbaStrCopy.MSVBVM60 ref: 004D41CC
    • __vbaVarDup.MSVBVM60 ref: 004D420F
    • __vbaVarDup.MSVBVM60 ref: 004D422A
    • #681.MSVBVM60(?,?,?,?), ref: 004D4262
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D4272
    • __vbaStrMove.MSVBVM60 ref: 004D427F
    • __vbaFreeVarList.MSVBVM60(00000004,0000000B,?,?,?), ref: 004D429C
    • __vbaVarDup.MSVBVM60 ref: 004D42BE
    • __vbaVarDup.MSVBVM60 ref: 004D42E1
    • #681.MSVBVM60(?,0000000B,?,?), ref: 004D4312
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D431C
    • __vbaStrMove.MSVBVM60 ref: 004D4323
    • __vbaFreeVarList.MSVBVM60(00000004,0000000B,?,?,?), ref: 004D433A
    • __vbaStrCopy.MSVBVM60 ref: 004D4347
    • __vbaVarDup.MSVBVM60 ref: 004D436F
    • #607.MSVBVM60(?,0000000C,?), ref: 004D437F
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D438F
    • __vbaStrMove.MSVBVM60 ref: 004D439C
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D43AE
    • __vbaVarDup.MSVBVM60 ref: 004D43D0
    • #607.MSVBVM60(?,0000000C,?), ref: 004D43E0
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D43EA
    • __vbaStrMove.MSVBVM60 ref: 004D43F1
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D43FD
    • __vbaVarDup.MSVBVM60 ref: 004D441F
    • #607.MSVBVM60(?,0000000A,?), ref: 004D442F
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D4439
    • __vbaStrMove.MSVBVM60 ref: 004D4440
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D444C
    • #526.MSVBVM60(?,00000001,?,000000F4), ref: 004D4480
    • __vbaVarCat.MSVBVM60(?,?,00000008,?,000000F4), ref: 004D44A7
    • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004D44B6
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004D44BD
    • __vbaStrMove.MSVBVM60 ref: 004D44C4
    • __vbaFreeVarList.MSVBVM60(00000005,00000008,?,?,00000008,?), ref: 004D44DC
    • #526.MSVBVM60(?,00000001), ref: 004D4501
    • __vbaVarCat.MSVBVM60(00000008,?,00000008,?,000000F6), ref: 004D452B
    • __vbaVarCat.MSVBVM60(00000008,00000008,00000000), ref: 004D453A
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004D4541
    • __vbaStrMove.MSVBVM60 ref: 004D4548
    • __vbaFreeVarList.MSVBVM60(00000004,?,00000008,00000008,00000008), ref: 004D455C
    • __vbaStrCopy.MSVBVM60 ref: 004D456D
    • __vbaFreeStr.MSVBVM60(004D45CA), ref: 004D45AE
    • __vbaFreeStr.MSVBVM60 ref: 004D45B3
    • __vbaFreeStr.MSVBVM60 ref: 004D45B8
    • __vbaFreeStr.MSVBVM60 ref: 004D45BD
    • __vbaFreeStr.MSVBVM60 ref: 004D45C2
    • __vbaFreeStr.MSVBVM60 ref: 004D45C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CopyList$#607#681$#526
    • String ID: Line Meter$Master Meter$Meter$Prover$Switch Bar
    • API String ID: 589700370-2883883311
    • Opcode ID: f12f66b787eef7040ea788440552a53f3304dd45be3b59cccbe885b3a56d9a6c
    • Instruction ID: 8ea38b50fd99c59f1a78cf29c83de3d5152afa5374003d65e8ef4552d39b9332
    • Opcode Fuzzy Hash: f12f66b787eef7040ea788440552a53f3304dd45be3b59cccbe885b3a56d9a6c
    • Instruction Fuzzy Hash: 7CF1D8B180022D9FCB14DFA4DC94AEEB779FF88704F04825AE509B7154EB746A4ACF94
    Function 005450D0 Relevance: 105.3, APIs: 47, Strings: 13, Instructions: 304COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054513E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 00545164
    • __vbaCastObj.MSVBVM60(?,0045B140), ref: 00545173
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054517E
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 00545195
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 005451AB
    • __vbaFreeVar.MSVBVM60 ref: 005451B7
    • __vbaStrCopy.MSVBVM60(?), ref: 005451DF
    • __vbaStrCopy.MSVBVM60 ref: 005451F0
    • __vbaStrCopy.MSVBVM60 ref: 005451FA
    • __vbaStrCopy.MSVBVM60 ref: 00545204
    • __vbaStrCopy.MSVBVM60 ref: 0054520E
    • __vbaStrCopy.MSVBVM60 ref: 00545218
    • __vbaStrCopy.MSVBVM60 ref: 00545222
    • __vbaStrCopy.MSVBVM60 ref: 0054522C
    • __vbaStrCopy.MSVBVM60 ref: 00545236
    • __vbaStrCopy.MSVBVM60 ref: 00545240
    • __vbaStrCopy.MSVBVM60 ref: 0054524A
    • __vbaStrCopy.MSVBVM60 ref: 00545254
    • __vbaStrCopy.MSVBVM60 ref: 0054525E
    • __vbaStrCopy.MSVBVM60 ref: 00545268
    • __vbaStrCopy.MSVBVM60 ref: 00545272
    • __vbaStrCopy.MSVBVM60 ref: 0054527C
    • __vbaStrCopy.MSVBVM60 ref: 00545286
    • __vbaStrCopy.MSVBVM60 ref: 00545290
    • __vbaStrCopy.MSVBVM60 ref: 0054529A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005452E9
    • __vbaCastObj.MSVBVM60(hD@,00454AC4), ref: 0054530F
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054531A
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00545328
    • __vbaFreeObj.MSVBVM60 ref: 00545331
    • __vbaHresultCheckObj.MSVBVM60(00000000,hD@,00466AA0,000000A4), ref: 0054535D
    • __vbaNew.MSVBVM60(0040E628), ref: 0054536A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00545375
    • __vbaHresultCheckObj.MSVBVM60(00000000,hD@,00466AD0,00000764), ref: 00545395
    • __vbaFreeObj.MSVBVM60 ref: 005453A4
    • __vbaHresultCheckObj.MSVBVM60(00000000,hD@,00466AD0,0000075C), ref: 005453C5
    • __vbaRecAssign.MSVBVM60(00453228,?,?), ref: 005453D8
    • __vbaFreeObj.MSVBVM60(?,00000000), ref: 005453EB
    • __vbaCastObj.MSVBVM60(00000000,00468188), ref: 005453F6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00545401
    • __vbaHresultCheckObj.MSVBVM60(00000000,hD@,00466AD0,00000764), ref: 00545421
    • __vbaFreeObj.MSVBVM60 ref: 0054542A
    • __vbaHresultCheckObj.MSVBVM60(00000000,hD@,00466AA0,000000A4), ref: 0054544D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054545C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00545487
    • __vbaRecDestruct.MSVBVM60(00453228,?,005454E7), ref: 005454E0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$CheckFreeHresult$BoundsCastErrorGenerate$AddrefAssignBoolDestructListNull
    • String ID: Archive Options$Archive upon event$Archive upon period end$Period-select, hourly$Reset accumulator 1 upon event$Reset accumulator 1 upon period-end$Reset accumulator 2 upon event$Reset accumulator 2 upon period-end$Reset accumulator 3 upon event$Reset accumulator 3 upon period-end$Reset accumulator 4 upon event$Reset accumulator 4 upon period-end$hD@
    • API String ID: 1575684247-640797496
    • Opcode ID: 0e864c1e7b101fcc56fee2909983802e310e4c4fb75cb4f299d71185700b377f
    • Instruction ID: 0f4270eba409210ba199c96b55530a1b2af0c19bcfc480bf71627bbd5eba4791
    • Opcode Fuzzy Hash: 0e864c1e7b101fcc56fee2909983802e310e4c4fb75cb4f299d71185700b377f
    • Instruction Fuzzy Hash: 35C1E170600605AFC710EF64CD88EEBB7B9FF94305F10852AF546A76A1EB78A909CF54
    Function 005CB090 Relevance: 103.7, APIs: 52, Strings: 7, Instructions: 432COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CB109
    • __vbaCastObj.MSVBVM60(00000000), ref: 005CB10C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CB117
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 005CB12A
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005CB13D
    • __vbaFreeVar.MSVBVM60 ref: 005CB149
      • Part of subcall function 004CD150: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004CD1B4
      • Part of subcall function 004CD150: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004CD1BC
      • Part of subcall function 004CD150: __vbaFreeStr.MSVBVM60(004CD1D9,?,?,?,?,?,?,0040A636), ref: 004CD1D2
    • __vbaStrMove.MSVBVM60(?), ref: 005CB172
    • __vbaStrCat.MSVBVM60( Unit,00000000), ref: 005CB17E
    • __vbaStrMove.MSVBVM60 ref: 005CB189
    • __vbaStrCopy.MSVBVM60 ref: 005CB193
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005CB1A3
    • __vbaStrCopy.MSVBVM60(00000002,?), ref: 005CB1E5
    • __vbaGenerateBoundsError.MSVBVM60(00000002,?), ref: 005CB24E
    • __vbaStrMove.MSVBVM60(00626086,?,00000002,00000002,?), ref: 005CB26B
    • __vbaStrCopy.MSVBVM60 ref: 005CB27A
    • __vbaFreeStr.MSVBVM60 ref: 005CB283
    • __vbaStrCopy.MSVBVM60(00000002,?), ref: 005CB2A3
    • __vbaRecAssign.MSVBVM60(00453350,00625D90,00625B68), ref: 005CB2B8
    • __vbaHresultCheckObj.MSVBVM60(00000000,(~@,004622C4,000000A4), ref: 005CB2E9
    • __vbaNew2.MSVBVM60(0040B86C,006294EC), ref: 005CB302
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046544C,000002B0), ref: 005CB36F
    • __vbaHresultCheckObj.MSVBVM60(00000000,(~@,004622C4,000000A4), ref: 005CB396
    • __vbaStrMove.MSVBVM60(00626086,006261FA,00000002,?), ref: 005CB3D7
    • __vbaStrCopy.MSVBVM60 ref: 005CB3E4
    • __vbaFreeStr.MSVBVM60 ref: 005CB3ED
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CB40F
    • __vbaStrMove.MSVBVM60(00626086,006261FA,00000002), ref: 005CB438
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005CB458
    • __vbaFreeStr.MSVBVM60 ref: 005CB45D
    • __vbaFreeObj.MSVBVM60 ref: 005CB466
    • __vbaErrorOverflow.MSVBVM60(00000002,?), ref: 005CB4C5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CB543
    • __vbaCastObj.MSVBVM60(00000000), ref: 005CB546
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CB551
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005CB566
    • __vbaStrCat.MSVBVM60(?,A number between ), ref: 005CB581
    • __vbaStrMove.MSVBVM60 ref: 005CB58E
    • __vbaStrCat.MSVBVM60( and ,00000000), ref: 005CB596
    • __vbaStrMove.MSVBVM60 ref: 005CB59D
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CB5A6
    • __vbaStrMove.MSVBVM60 ref: 005CB5AD
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005CB5B5
    • __vbaStrMove.MSVBVM60 ref: 005CB5BC
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CB5C6
    • __vbaStrMove.MSVBVM60 ref: 005CB5CD
    • __vbaStrCat.MSVBVM60(Default is 0.0001.,00000000), ref: 005CB5D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Copy$CheckHresult$List$CastError$#598AssignBoolBoundsCallGenerateLateNew2NullOverflow
    • String ID: Unit$ and $(~@$A number between $Default is 0.0001.$h[b$t[b
    • API String ID: 902643542-2954913987
    • Opcode ID: adf844b8f06c3112284618983de2ec3313cbaa224e55256a8ced67f09a73d254
    • Instruction ID: 980ee76e98d77adb4f1f37a277ddf721957bf8c285511ba4c98a4769031b435d
    • Opcode Fuzzy Hash: adf844b8f06c3112284618983de2ec3313cbaa224e55256a8ced67f09a73d254
    • Instruction Fuzzy Hash: 6DF14C75900219AFDB10DFA4DD89AEEBBB9FF48701F10412AF406E72A1EB745905CFA4
    Function 00537030 Relevance: 101.9, APIs: 52, Strings: 6, Instructions: 394COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005370A9
    • __vbaCastObj.MSVBVM60(00000000), ref: 005370AC
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005370B7
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 005370CA
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005370DD
    • __vbaFreeVar.MSVBVM60 ref: 005370E9
    • __vbaRecDestruct.MSVBVM60(00453228,?,005375BF), ref: 005375B8
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF38,00000008), ref: 004E1575
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF54,00000008), ref: 004E1582
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF70,00000003), ref: 004E158F
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF70,00000003), ref: 004E159F
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AF8C,0000000B), ref: 004E15AF
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AFA8,00000003), ref: 004E15BF
      • Part of subcall function 004E1530: __vbaAryConstruct2.MSVBVM60(?,0045AFA8,00000003), ref: 004E15CF
      • Part of subcall function 004E1530: __vbaStrCopy.MSVBVM60 ref: 004E15DB
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E15FB
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E160E
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E1624
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E163D
      • Part of subcall function 004E1530: __vbaErase.MSVBVM60(00000000,?), ref: 004E1659
    • __vbaStrCopy.MSVBVM60(?), ref: 00537124
    • __vbaStrCopy.MSVBVM60 ref: 00537135
    • __vbaStrCopy.MSVBVM60 ref: 0053713F
    • __vbaStrCopy.MSVBVM60 ref: 00537149
    • __vbaStrCopy.MSVBVM60 ref: 00537153
    • __vbaStrCopy.MSVBVM60 ref: 0053715D
    • __vbaStrCopy.MSVBVM60 ref: 00537167
    • __vbaStrCopy.MSVBVM60 ref: 00537171
    • __vbaStrCopy.MSVBVM60 ref: 0053717B
    • __vbaStrCopy.MSVBVM60 ref: 00537185
    • __vbaStrCopy.MSVBVM60 ref: 0053718F
    • __vbaStrCopy.MSVBVM60 ref: 00537199
    • __vbaStrCopy.MSVBVM60 ref: 005371A3
    • __vbaStrCopy.MSVBVM60 ref: 005371AD
    • __vbaStrCopy.MSVBVM60 ref: 005371B7
    • __vbaStrCopy.MSVBVM60 ref: 005371C1
    • __vbaStrCopy.MSVBVM60 ref: 005371CB
    • __vbaStrCopy.MSVBVM60 ref: 005371D5
    • __vbaStrCopy.MSVBVM60 ref: 005371DF
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00537231
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00537269
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0053730A
    • __vbaSetSystemError.MSVBVM60(00008100,00000007), ref: 00537382
    • __vbaStrCopy.MSVBVM60 ref: 00537399
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005373A8
    • __vbaCastObj.MSVBVM60(x@@,00454AC4), ref: 005373D5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005373E0
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005373EE
    • __vbaFreeObj.MSVBVM60 ref: 005373F7
    • __vbaNew.MSVBVM60(0040E1B0), ref: 0053740D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00537418
    • __vbaHresultCheckObj.MSVBVM60(00000000,x@@,004541A4,000009CC), ref: 0053743E
    • __vbaFreeObj.MSVBVM60 ref: 0053744B
    • __vbaHresultCheckObj.MSVBVM60(00000000,x@@,004541A4,000009C4), ref: 00537470
    • __vbaRecAssign.MSVBVM60(00453228,?,?), ref: 0053747F
    • __vbaFreeObj.MSVBVM60(?,00000000), ref: 00537492
    • __vbaHresultCheckObj.MSVBVM60(00000000,x@@,00454174,00000090), ref: 005374B7
    • #598.MSVBVM60 ref: 005374C0
    • __vbaCastObj.MSVBVM60(00000000,00465304), ref: 005374D1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005374DC
    • __vbaHresultCheckObj.MSVBVM60(00000000,x@@,004541A4,000009CC), ref: 005374FC
    • __vbaFreeObj.MSVBVM60 ref: 00537505
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00537518
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0053754E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$Construct2Error$BoundsFreeGenerate$Erase$CheckHresult$Cast$#598$AddrefAssignBoolCallDestructLateListMoveNullSystem
    • String ID: Meter Control Options$Meter enable$Split-double accumulators$Split-double pulse input$Treat analysis as process input$x@@
    • API String ID: 2868526359-3276811392
    • Opcode ID: 3dcb20304123192c454fb5dc1ff8634a3a1f0bcda5273f8b482f4212d6d4d454
    • Instruction ID: 04a6d26b8d0191bde56b931c0a68ad4300a31c9798bcc5fbf4b99d84fc0a283e
    • Opcode Fuzzy Hash: 3dcb20304123192c454fb5dc1ff8634a3a1f0bcda5273f8b482f4212d6d4d454
    • Instruction Fuzzy Hash: 45F1B570900609DFDB24EF68CD88EAEB7B9FF48300F10892DE456976A1DB74A949CF50
    Function 004F1130 Relevance: 98.3, APIs: 48, Strings: 8, Instructions: 335COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004F03D0: __vbaInStr.MSVBVM60(00000000,004568D4,00000000,00000001,00000000,6D49D8B1,6D48E251), ref: 004F0418
      • Part of subcall function 004F03D0: __vbaI2I4.MSVBVM60 ref: 004F0420
      • Part of subcall function 004F03D0: #617.MSVBVM60(?,?,00000000), ref: 004F0445
      • Part of subcall function 004F03D0: #520.MSVBVM60(?,?), ref: 004F0453
      • Part of subcall function 004F03D0: __vbaStrVarMove.MSVBVM60(?), ref: 004F045D
      • Part of subcall function 004F03D0: __vbaStrMove.MSVBVM60 ref: 004F046E
      • Part of subcall function 004F03D0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004F047A
      • Part of subcall function 004F03D0: __vbaLenBstr.MSVBVM60 ref: 004F0490
      • Part of subcall function 004F03D0: #619.MSVBVM60(?,00004008,00000000), ref: 004F04A7
      • Part of subcall function 004F03D0: #520.MSVBVM60(?,?), ref: 004F04B5
      • Part of subcall function 004F03D0: __vbaStrVarMove.MSVBVM60(?), ref: 004F04BF
      • Part of subcall function 004F03D0: __vbaStrMove.MSVBVM60 ref: 004F04C9
      • Part of subcall function 004F03D0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004F04D5
      • Part of subcall function 004F03D0: __vbaStrCopy.MSVBVM60 ref: 004F050A
    • __vbaStrMove.MSVBVM60(?,?,?,6D49D8B1), ref: 004F1178
      • Part of subcall function 004F0640: __vbaOnError.MSVBVM60(00000001,6D49D83C,6D49D8B1,6D49D8CD,?,?,00626084,0040A636,00626084), ref: 004F0673
      • Part of subcall function 004F0640: __vbaLenBstr.MSVBVM60(00000000,?,?,00626084,0040A636,00626084), ref: 004F067F
      • Part of subcall function 004F0640: __vbaI2Str.MSVBVM60(?,?,?,00626084,0040A636,00626084), ref: 004F068C
      • Part of subcall function 004F0640: __vbaExitProc.MSVBVM60(?,?,00626084,0040A636,00626084), ref: 004F06BE
      • Part of subcall function 004F03D0: __vbaStrCopy.MSVBVM60 ref: 004F04F1
      • Part of subcall function 004F03D0: __vbaStrCopy.MSVBVM60 ref: 004F04FA
      • Part of subcall function 004F03D0: #528.MSVBVM60(?,?), ref: 004F052A
      • Part of subcall function 004F03D0: __vbaStrVarMove.MSVBVM60(?), ref: 004F0534
      • Part of subcall function 004F03D0: __vbaStrMove.MSVBVM60 ref: 004F053F
      • Part of subcall function 004F03D0: __vbaFreeVar.MSVBVM60 ref: 004F0544
      • Part of subcall function 004F03D0: __vbaFreeStr.MSVBVM60(004F057E), ref: 004F0577
    • __vbaStrMove.MSVBVM60(?,?,?,00000000,00000008,?), ref: 004F11A4
    • __vbaStrCmp.MSVBVM60(ORFC,?), ref: 004F11B5
    • __vbaStrCmp.MSVBVM60(PULS,?), ref: 004F11D0
    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004F11E2
    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004F11F0
    • __vbaStrMove.MSVBVM60(?,Invalid meter device type setting), ref: 004F121D
    • __vbaStrCmp.MSVBVM60(?,?), ref: 004F1230
    • __vbaStrCmp.MSVBVM60(?,?), ref: 004F1257
    • __vbaSetSystemError.MSVBVM60(?,00000001), ref: 004F126F
    • __vbaI2I4.MSVBVM60(?,00000001), ref: 004F1278
    • __vbaStrMove.MSVBVM60(?,Invalid meter measurement system setting), ref: 004F129F
    • __vbaStrI2.MSVBVM60(00000000,?), ref: 004F12A7
    • __vbaStrMove.MSVBVM60(?,00000001), ref: 004F12B2
    • __vbaStrCmp.MSVBVM60(00000000), ref: 004F12B5
    • __vbaStrCmp.MSVBVM60(?,?), ref: 004F12D2
    • __vbaFreeStr.MSVBVM60(?,00000001), ref: 004F12E4
    • __vbaSetSystemError.MSVBVM60(00000000,00000002), ref: 004F12FC
    • __vbaI2I4.MSVBVM60(?,00000001), ref: 004F1304
    • __vbaSetSystemError.MSVBVM60(?,00000003), ref: 004F1316
    • __vbaI2I4.MSVBVM60(?,00000003), ref: 004F131E
      • Part of subcall function 004E7F40: __vbaStrCopy.MSVBVM60(6D49D8B1,6D5868D4,6D49D9D4), ref: 004E7F8C
      • Part of subcall function 004E7F40: #648.MSVBVM60(?), ref: 004E7FBA
      • Part of subcall function 004E7F40: __vbaFreeVar.MSVBVM60 ref: 004E7FC9
      • Part of subcall function 004E7F40: __vbaFileOpen.MSVBVM60(00000002,000000FF,00000000,00000000), ref: 004E7FE2
      • Part of subcall function 004E7F40: __vbaStrI2.MSVBVM60(00000000), ref: 004E7FEF
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8000
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60(?,000000FB), ref: 004E8012
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60(Line ), ref: 004E8022
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(00000000), ref: 004E802B
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8032
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(004568C8,00000000), ref: 004E803A
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8041
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(00000000,00000000), ref: 004E804B
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8052
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(?,00000000), ref: 004E805B
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8062
      • Part of subcall function 004E7F40: __vbaPrintFile.MSVBVM60(0045B62C,00000000,00000000), ref: 004E8078
    • __vbaStrI2.MSVBVM60(00000001,?), ref: 004F132E
    • __vbaStrMove.MSVBVM60 ref: 004F1339
    • __vbaStrCmp.MSVBVM60(00000000), ref: 004F1340
    • __vbaStrCmp.MSVBVM60(?,?), ref: 004F135D
    • __vbaFreeStr.MSVBVM60 ref: 004F136F
    • __vbaSetSystemError.MSVBVM60(00000000,00000002), ref: 004F138E
    • __vbaI2I4.MSVBVM60 ref: 004F1393
    • __vbaSetSystemError.MSVBVM60(?,00000003), ref: 004F13A6
    • __vbaI2I4.MSVBVM60(?,00000003), ref: 004F13AB
    • __vbaStrI2.MSVBVM60(00000002,?), ref: 004F13BB
    • __vbaStrMove.MSVBVM60 ref: 004F13C6
    • __vbaStrCmp.MSVBVM60(00000000), ref: 004F13CD
    • __vbaStrCmp.MSVBVM60(?,?), ref: 004F13EA
    • __vbaFreeStr.MSVBVM60 ref: 004F13FC
    • __vbaSetSystemError.MSVBVM60(00000000,00000002), ref: 004F141B
    • __vbaI2I4.MSVBVM60 ref: 004F1420
    • __vbaSetSystemError.MSVBVM60(?,00000003), ref: 004F1433
    • __vbaI2I4.MSVBVM60(?,00000003), ref: 004F1438
      • Part of subcall function 004E7F40: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 004E8098
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(00000000, (Section ), ref: 004E80AC
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E80B3
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(0045B658,00000000), ref: 004E80BB
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E80C2
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(?,00000000), ref: 004E80C9
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E80D0
      • Part of subcall function 004E7F40: __vbaPrintFile.MSVBVM60(0045B62C,00000000,00000000), ref: 004E80E0
      • Part of subcall function 004E7F40: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004E80F0
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(00456904,004568C8), ref: 004E810D
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8114
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(00000000,00000000), ref: 004E811D
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8124
      • Part of subcall function 004E7F40: __vbaStrCat.MSVBVM60(00456904,00000000), ref: 004E812C
      • Part of subcall function 004E7F40: __vbaStrMove.MSVBVM60 ref: 004E8133
      • Part of subcall function 004E7F40: __vbaPrintFile.MSVBVM60(0045B62C,00000000,00000000), ref: 004E8143
      • Part of subcall function 004E7F40: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004E8153
      • Part of subcall function 004E7F40: __vbaPrintFile.MSVBVM60(0045B62C,00000000,?), ref: 004E816F
      • Part of subcall function 004E7F40: __vbaFreeStr.MSVBVM60(004E81BF), ref: 004E81B8
      • Part of subcall function 004DF250: __vbaSetSystemError.MSVBVM60(?,00000001,00000000,?), ref: 004DF2F2
      • Part of subcall function 004DF250: #681.MSVBVM60(?,?,?,?), ref: 004DF327
      • Part of subcall function 004DF250: __vbaI2Var.MSVBVM60(?), ref: 004DF331
      • Part of subcall function 004DF250: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004DF34D
      • Part of subcall function 004DF250: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004DF366
      • Part of subcall function 004DF250: #681.MSVBVM60(?,?,?,?,?,00000000), ref: 004DF39B
      • Part of subcall function 004DF250: __vbaI2Var.MSVBVM60(?,?,00000000), ref: 004DF3A5
    • __vbaStrCmp.MSVBVM60(00452580,?,Invalid meter density units setting), ref: 004F1462
    • __vbaStrMove.MSVBVM60(?,?,Invalid meter density units setting), ref: 004F147A
    • __vbaStrCmp.MSVBVM60(INTG,?,?,Invalid meter density units setting), ref: 004F1489
    • __vbaSetSystemError.MSVBVM60(?,00000004,?,Invalid meter density units setting), ref: 004F149C
    • __vbaI2I4.MSVBVM60(?,00000004,?,Invalid meter density units setting), ref: 004F14A4
    • __vbaStrCmp.MSVBVM60(STND,?,?,Invalid meter density units setting), ref: 004F14BF
    • __vbaSetSystemError.MSVBVM60(00000000,00000004,?,Invalid meter density units setting), ref: 004F14D2
    • __vbaI2I4.MSVBVM60(?,Invalid meter density units setting), ref: 004F14DA
    • __vbaFreeStr.MSVBVM60(004F151F,?,?,Invalid meter density units setting), ref: 004F1518
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Error$System$List$File$CopyPrint$#520#681Bstr$#528#617#619#648ExitOpenProc
    • String ID: INTG$Invalid meter density units setting$Invalid meter device type setting$Invalid meter measurement system setting$Invalid meter primary input setting$ORFC$PULS$STND
    • API String ID: 4218153435-3557491459
    • Opcode ID: af9080bcefce96a46b4a80bb34139deca2b3c12ab1919930a3adc2755d4e9c7f
    • Instruction ID: d748fe00da45cd856d0768bdcfc65bb1eef2883800800292cf9080aa1205ef17
    • Opcode Fuzzy Hash: af9080bcefce96a46b4a80bb34139deca2b3c12ab1919930a3adc2755d4e9c7f
    • Instruction Fuzzy Hash: 52B19235600209EBCB14EFB1DD85EBFB3B5BF88701B10451BFA42E7261DA789941CB69
    Function 0050D200 Relevance: 94.8, APIs: 52, Strings: 2, Instructions: 295COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0050D264
      • Part of subcall function 004E3BA0: __vbaChkstk.MSVBVM60(00000000,0040A636,004D144B,?,00000012), ref: 004E3BBE
      • Part of subcall function 004E3BA0: #526.MSVBVM60(?,00000000), ref: 004E3C2F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3C39
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3C44
      • Part of subcall function 004E3BA0: __vbaFreeVar.MSVBVM60 ref: 004E3C4D
      • Part of subcall function 004E3BA0: __vbaOnError.MSVBVM60(000000FF), ref: 004E3C5C
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(00000000,?), ref: 004E3C82
      • Part of subcall function 004E3BA0: #619.MSVBVM60(?,00000008,00000000), ref: 004E3C9F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3CA9
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3CB4
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3CC4
      • Part of subcall function 004E3BA0: __vbaStrCopy.MSVBVM60(?,00000000,0040A636,004D144B), ref: 004E3D38
      • Part of subcall function 004E3BA0: __vbaFreeStr.MSVBVM60(004E3D76,?,00000000,0040A636,004D144B), ref: 004E3D6F
    • __vbaStrMove.MSVBVM60(?,00000026), ref: 0050D280
    • __vbaStrCopy.MSVBVM60 ref: 0050D2B6
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050D2C6
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050D2DC
    • __vbaStrR4.MSVBVM60(?), ref: 0050D324
    • __vbaStrMove.MSVBVM60 ref: 0050D32B
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(?,00000000), ref: 004E3CE0
      • Part of subcall function 004E3BA0: #617.MSVBVM60(?,00000008,00000000), ref: 004E3CFD
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3D07
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3D12
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3D22
    • __vbaStrR4.MSVBVM60(?), ref: 0050D336
    • __vbaStrMove.MSVBVM60 ref: 0050D33D
    • __vbaStrMove.MSVBVM60(?,0000000E,?), ref: 0050D4DE
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050D4E1
    • __vbaStrMove.MSVBVM60 ref: 0050D4EC
    • __vbaFreeStr.MSVBVM60 ref: 0050D4F1
    • __vbaStrCat.MSVBVM60(?,?), ref: 0050D51B
    • __vbaStrMove.MSVBVM60 ref: 0050D522
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0050D529
    • __vbaStrMove.MSVBVM60 ref: 0050D530
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 0050D542
    • __vbaFreeStr.MSVBVM60(0050D5A0), ref: 0050D593
    • __vbaFreeStr.MSVBVM60 ref: 0050D598
    • __vbaFreeStr.MSVBVM60 ref: 0050D59D
    • __vbaErrorOverflow.MSVBVM60 ref: 0050D5EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Error$CopyList$BoundsGenerate$#526#617#619ChkstkOverflow
    • String ID: (KF)$(MF)
    • API String ID: 3823236797-1639685754
    • Opcode ID: b89595aa55ba70e6c05b6ac961f1861ce8d073f8a75b74112f8b4ee720c6dd11
    • Instruction ID: 9577a8cb4195518906e5ec7e323db80c63e18d8760f9d45fa9743de4e0443327
    • Opcode Fuzzy Hash: b89595aa55ba70e6c05b6ac961f1861ce8d073f8a75b74112f8b4ee720c6dd11
    • Instruction Fuzzy Hash: 05B11071D0020DDBCB14EFA4CD959EEBBB5FF48300F108969E506A7294EB74A94ACF64
    Function 005CD030 Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 305COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD0C1
    • __vbaCastObj.MSVBVM60(00000000), ref: 005CD0C4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD0CF
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005CD0E4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CD0FB
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CD10E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CD123
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CD138
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CD14D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CD162
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CD177
    • __vbaStrR4.MSVBVM60(?,A number between ), ref: 005CD19D
    • __vbaStrMove.MSVBVM60 ref: 005CD1AE
    • __vbaStrCat.MSVBVM60(00000000), ref: 005CD1B7
    • __vbaStrMove.MSVBVM60 ref: 005CD1BE
    • __vbaStrCat.MSVBVM60( and ,00000000), ref: 005CD1C6
    • __vbaStrMove.MSVBVM60 ref: 005CD1CD
    • __vbaStrR4.MSVBVM60(?,00000000), ref: 005CD1EC
    • __vbaStrMove.MSVBVM60 ref: 005CD1F7
    • __vbaStrCat.MSVBVM60(00000000), ref: 005CD1FA
    • __vbaStrMove.MSVBVM60 ref: 005CD201
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 005CD209
    • __vbaStrMove.MSVBVM60 ref: 005CD210
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CD22F
    • __vbaStrMove.MSVBVM60 ref: 005CD236
    • __vbaStrCat.MSVBVM60(, rounded to the nearest ,00000000), ref: 005CD23E
    • __vbaStrMove.MSVBVM60 ref: 005CD245
    • _adj_fdiv_m32.MSVBVM60(?,?,00000000), ref: 005CD27C
    • __vbaStrR4.MSVBVM60(?,?,00000000), ref: 005CD28E
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD299
    • __vbaStrCat.MSVBVM60(00000000,?,00000000), ref: 005CD29C
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD2A3
    • __vbaStrCat.MSVBVM60(004568D4,00000000,?,00000000), ref: 005CD2AB
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD2B2
    • __vbaStrCat.MSVBVM60(?,00000000,?,00000000), ref: 005CD2D1
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD2D8
    • __vbaStrCat.MSVBVM60(; default is ,00000000,?,00000000), ref: 005CD2E0
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD2E7
    • __vbaStrR4.MSVBVM60(?,00000000,?,00000000), ref: 005CD303
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD30E
    • __vbaStrCat.MSVBVM60(00000000,?,00000000), ref: 005CD311
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD318
    • __vbaStrCat.MSVBVM60(0045AD00,00000000,?,00000000), ref: 005CD320
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 005CD327
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054,?,00000000), ref: 005CD340
    • __vbaFreeStrList.MSVBVM60(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005CD388
    • __vbaFreeObj.MSVBVM60 ref: 005CD394
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$BoundsErrorGenerate$Free$Late$CheckList$CallCastHresultType_adj_fdiv_m32
    • String ID: and $, rounded to the nearest $; default is $A number between
    • API String ID: 759424712-1802429031
    • Opcode ID: c933e08a9f8851d563096ad5ad33f4b2bf72df55a6fe83fe8e78c5f4668e3c02
    • Instruction ID: 57f2264c997e96a03f2729d54eaf26e311252cf0e4438c3f5cc3a1563b24678a
    • Opcode Fuzzy Hash: c933e08a9f8851d563096ad5ad33f4b2bf72df55a6fe83fe8e78c5f4668e3c02
    • Instruction Fuzzy Hash: 64B11E71D002199FCB14DFA4DD88AEEBBB9FF48300F10422AE516E7155EB74A945CFA4
    Function 005930E0 Relevance: 84.5, APIs: 46, Strings: 2, Instructions: 457COMMON
    Download Yara Rule
    APIs
    • __vbaChkstk.MSVBVM60(?,0040A636), ref: 005930FE
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,0040A636), ref: 0059315C
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,0040A636), ref: 00593163
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,0040A636), ref: 0059316E
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 00593185
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,0040A636), ref: 0059319C
    • __vbaFreeVar.MSVBVM60(?,?,0040A636), ref: 005931A8
    • __vbaOnError.MSVBVM60(000000FF,?,?,0040A636), ref: 005931C7
    • __vbaStrCopy.MSVBVM60(?,?,0040A636), ref: 005931DE
    • __vbaStrCopy.MSVBVM60(?,?,0040A636), ref: 005931F5
    • __vbaStrCat.MSVBVM60(00000000,?), ref: 00593310
    • __vbaStrMove.MSVBVM60 ref: 0059331B
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00593328
    • __vbaStrMove.MSVBVM60 ref: 00593333
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00593341
    • __vbaStrMove.MSVBVM60 ref: 0059334C
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0059335A
    • __vbaStrMove.MSVBVM60 ref: 00593367
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0059337B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CopyList$#598BoolCallCastChkstkErrorLateNull
    • String ID: No data has been read.$Print the current data.
    • API String ID: 2660396301-1342315300
    • Opcode ID: 4b6957c0c563018d4ca9962ddb24c0b26f0da82dc2c0dd146b4cdd9a2f669f8c
    • Instruction ID: c5983b5a85597e0fbbcee390a0b6f2414c7a0e9f237c50b6adb1d75773a5d9cc
    • Opcode Fuzzy Hash: 4b6957c0c563018d4ca9962ddb24c0b26f0da82dc2c0dd146b4cdd9a2f669f8c
    • Instruction Fuzzy Hash: C5225D74900209EFDB14DF94D988FEDBBB5FF48304F1085A9E50AAB290D7749A85CF54
    Function 005F8010 Relevance: 84.4, APIs: 44, Strings: 4, Instructions: 420COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 005F807E
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 005F8090
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F809B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8), ref: 005F80C4
    • __vbaFreeObj.MSVBVM60 ref: 005F80D2
    • __vbaLateMemSt.MSVBVM60(?,Function), ref: 005F8134
    • __vbaStrI4.MSVBVM60(?), ref: 005F813A
    • __vbaLateMemSt.MSVBVM60(?,MemStart), ref: 005F8169
    • __vbaFreeVar.MSVBVM60 ref: 005F816E
    • __vbaLateMemSt.MSVBVM60(?,MemQty), ref: 005F81A5
    • __vbaLateMemCallLd.MSVBVM60(?,?,MemQty,00000000), ref: 005F81CE
    • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 005F81E0
    • __vbaI2Var.MSVBVM60(00000000), ref: 005F81E7
    • __vbaFreeVar.MSVBVM60 ref: 005F81F5
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005F820B
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 005F8250
    • __vbaCastObj.MSVBVM60(?,00454AC4), ref: 005F8262
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F826D
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000700), ref: 005F8297
    • __vbaFreeObj.MSVBVM60 ref: 005F82A0
    • __vbaLateMemCallLd.MSVBVM60(?,?,Result,00000000,?), ref: 005F82D3
    • __vbaVarTstEq.MSVBVM60(00008002,00000000), ref: 005F82DD
    • __vbaFreeVar.MSVBVM60 ref: 005F82EA
    • __vbaLateMemCallLd.MSVBVM60(?,?,MemQty,00000000), ref: 005F8317
    • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 005F8325
    • __vbaI2Var.MSVBVM60(00000000), ref: 005F832C
    • __vbaFreeVar.MSVBVM60 ref: 005F8347
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005F8361
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005F837F
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F83CE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005F83F0
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464210,000000E4), ref: 005F8418
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005F8428
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Late$CheckHresult$BoundsCallErrorGenerate$CastNew2$List
    • String ID: Function$MemQty$MemStart$Result
    • API String ID: 3348680645-2907957672
    • Opcode ID: 44afe4159a6ffc67deebb9b5d4b6f2076e8094adfe6b6b0ac902378469d903da
    • Instruction ID: 5b1b95e3b29cc8f9bfb7eaed3e20acb51fbfaaf46bf88b329f284347fd2f4bc3
    • Opcode Fuzzy Hash: 44afe4159a6ffc67deebb9b5d4b6f2076e8094adfe6b6b0ac902378469d903da
    • Instruction Fuzzy Hash: 5AF17074900209AFCB10DFA4CD88AFEBBB9FF48705F108529F645A7291DB786945CF94
    Function 00533050 Relevance: 82.6, APIs: 45, Strings: 2, Instructions: 328COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005330C4
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005330D7
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00533102
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 00533129
    • __vbaR4Str.MSVBVM60(?), ref: 00533133
    • __vbaFreeStr.MSVBVM60 ref: 0053313F
    • __vbaFreeObj.MSVBVM60 ref: 00533148
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00533157
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00533187
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005331BB
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005331E5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053320E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00533223
    • __vbaStrR4.MSVBVM60(?), ref: 0053323F
    • __vbaStrMove.MSVBVM60 ref: 0053324A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 00533270
    • __vbaFreeStr.MSVBVM60 ref: 00533279
    • __vbaFreeObj.MSVBVM60 ref: 00533282
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005332A0
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005332E1
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005332F2
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005332FD
    • __vbaStrR4.MSVBVM60(?,Value must lie between ), ref: 00533317
    • __vbaStrMove.MSVBVM60 ref: 00533328
    • __vbaStrCat.MSVBVM60(00000000), ref: 00533331
    • __vbaStrMove.MSVBVM60 ref: 00533338
    • __vbaStrCat.MSVBVM60( and ,00000000), ref: 00533340
    • __vbaStrMove.MSVBVM60 ref: 00533347
    • __vbaStrR4.MSVBVM60(?,00000000), ref: 00533363
    • __vbaStrMove.MSVBVM60 ref: 0053336E
    • __vbaStrCat.MSVBVM60(00000000), ref: 00533371
    • __vbaStrMove.MSVBVM60 ref: 00533378
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 00533380
    • __vbaStrMove.MSVBVM60 ref: 00533387
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0053339D
    • __vbaStrMove.MSVBVM60 ref: 005333A4
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005333AC
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005333CD
    • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 005333F1
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0053340C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00533431
    • __vbaCastObj.MSVBVM60(00000000), ref: 00533434
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053343F
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 00533454
    • __vbaExitProc.MSVBVM60 ref: 0053345D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsGenerate$Move$Free$List$CheckHresult$#595CallCastExitLateProc
    • String ID: and $Value must lie between
    • API String ID: 4057718228-2540168761
    • Opcode ID: d740ef90a07bf41d898a26a2e7e1e43652918254637ff59b8617aad5664dd9c8
    • Instruction ID: 094da445bf1efa60d944d3171996b1b9800dfba462eda199192c1e67691d92d3
    • Opcode Fuzzy Hash: d740ef90a07bf41d898a26a2e7e1e43652918254637ff59b8617aad5664dd9c8
    • Instruction Fuzzy Hash: 47D15A72D00219DFCB14DFA4DD88AEEBBB9FF48700F10416AE546A7164DB74AA05CFA4
    Function 005C9180 Relevance: 82.6, APIs: 45, Strings: 2, Instructions: 309COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005C91EB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C9205
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005C9228
    • __vbaI4Str.MSVBVM60(?), ref: 005C9232
    • __vbaFreeStr.MSVBVM60 ref: 005C923D
    • __vbaFreeObj.MSVBVM60 ref: 005C9246
    • __vbaI2I4.MSVBVM60 ref: 005C928E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C92A8
    • __vbaStrI2.MSVBVM60(?), ref: 005C92B6
    • __vbaStrMove.MSVBVM60 ref: 005C92C1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005C92E1
    • __vbaFreeStr.MSVBVM60 ref: 005C92EA
    • __vbaFreeObj.MSVBVM60 ref: 005C92F3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C9322
    • __vbaStrI2.MSVBVM60(?), ref: 005C9330
    • __vbaStrMove.MSVBVM60 ref: 005C933B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005C935B
    • __vbaFreeStr.MSVBVM60 ref: 005C9364
    • __vbaFreeObj.MSVBVM60 ref: 005C936D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C938C
    • __vbaStrI4.MSVBVM60(?), ref: 005C9399
    • __vbaStrMove.MSVBVM60 ref: 005C93A4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005C93C4
    • __vbaFreeStr.MSVBVM60 ref: 005C93CD
    • __vbaFreeObj.MSVBVM60 ref: 005C93D6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C940E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000050), ref: 005C942F
    • __vbaStrCat.MSVBVM60(?,Value must lie between "), ref: 005C9444
    • __vbaStrMove.MSVBVM60 ref: 005C9451
    • __vbaStrCat.MSVBVM60(" and ,00000000), ref: 005C9459
    • __vbaStrMove.MSVBVM60 ref: 005C9460
    • __vbaStrI4.MSVBVM60(0000FFFF,00000000), ref: 005C9468
    • __vbaStrMove.MSVBVM60 ref: 005C9473
    • __vbaStrCat.MSVBVM60(00000000), ref: 005C9476
    • __vbaStrMove.MSVBVM60 ref: 005C947D
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005C9485
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005C94A3
    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 005C94BF
    • __vbaFreeObj.MSVBVM60 ref: 005C94CB
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 005C94E3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C9505
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C9508
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C9513
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005C9528
    • __vbaExitProc.MSVBVM60 ref: 005C9531
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Move$CheckHresult$List$#595CastErrorExitProc
    • String ID: " and $Value must lie between "
    • API String ID: 2514289942-733879873
    • Opcode ID: 0c427a88a7215b00c24baa5686754df59c103e6eb5399e229f838e0ee4621642
    • Instruction ID: f08491c0ce65d51d1e0cb4d2dd0c688157d20858fcd4242dbff89e9ff1c15367
    • Opcode Fuzzy Hash: 0c427a88a7215b00c24baa5686754df59c103e6eb5399e229f838e0ee4621642
    • Instruction Fuzzy Hash: BAC12776900249AFCB14EBA4DD88EEEBBB9FF48701F10412AF546A3161DB709A45CF64
    Function 005E7290 Relevance: 80.9, APIs: 45, Strings: 1, Instructions: 416COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E72E7
    • __vbaLateIdCallLd.MSVBVM60(?,?,00000006,00000000), ref: 005E72F8
    • __vbaI4Var.MSVBVM60(00000000), ref: 005E7302
    • __vbaI2I4.MSVBVM60 ref: 005E730A
    • __vbaFreeVar.MSVBVM60 ref: 005E7317
    • __vbaLateIdSt.MSVBVM60(?,00000004), ref: 005E7342
    • __vbaLateIdSt.MSVBVM60(?,00000004), ref: 005E7374
    • __vbaLateIdSt.MSVBVM60(?,00000006), ref: 005E7399
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 005E73A5
    • __vbaFreeObj.MSVBVM60(005E73CB), ref: 005E73C4
    • __vbaErrorOverflow.MSVBVM60 ref: 005E73E0
    • __vbaStrCopy.MSVBVM60(?,?,?), ref: 005E7451
    • __vbaStrCopy.MSVBVM60 ref: 005E7459
    • __vbaStrCopy.MSVBVM60 ref: 005E7461
    • __vbaStrCopy.MSVBVM60 ref: 005E7469
    • __vbaStrCopy.MSVBVM60 ref: 005E7471
    • __vbaStrCopy.MSVBVM60 ref: 005E7479
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E7489
    • __vbaLateIdSt.MSVBVM60(?,00000004), ref: 005E74C7
    • __vbaLateIdSt.MSVBVM60(?,0000000A), ref: 005E74EB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyLate$Free$AddrefCallErrorOverflow
    • String ID: Lucida Console
    • API String ID: 1501176134-1741274150
    • Opcode ID: 9e0b2da7b3573b81d99d65466ce4810467ee890a8a2d95b2ce7a4b84530435bc
    • Instruction ID: 4cc0948fc3118f3958e1ef76ad8adc0bc169ddbefdbc4274f2bc35d01efcf4eb
    • Opcode Fuzzy Hash: 9e0b2da7b3573b81d99d65466ce4810467ee890a8a2d95b2ce7a4b84530435bc
    • Instruction Fuzzy Hash: 1AF1FAB19002099FD704EF68C945B9EFBB8FF48700F14C66AE509EB291D774A981CF95
    Function 005E0170 Relevance: 79.1, APIs: 40, Strings: 5, Instructions: 378COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005E01D2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E01EC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005E020F
    • __vbaI4Str.MSVBVM60(?), ref: 005E0219
    • __vbaFreeStr.MSVBVM60 ref: 005E0224
    • __vbaFreeObj.MSVBVM60 ref: 005E022D
    • __vbaVarDup.MSVBVM60 ref: 005E02B1
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005E02C9
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005E02E1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E02FD
    • __vbaCastObj.MSVBVM60(00000000), ref: 005E0300
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E030B
    • __vbaVarDup.MSVBVM60 ref: 005E0366
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005E037E
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005E0396
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E03B2
    • __vbaCastObj.MSVBVM60(00000000), ref: 005E03B5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E03C0
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E03F1
    • __vbaStrI4.MSVBVM60(?), ref: 005E03FE
    • __vbaStrMove.MSVBVM60 ref: 005E0409
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005E0429
    • __vbaFreeStr.MSVBVM60 ref: 005E0432
    • __vbaFreeObj.MSVBVM60 ref: 005E043B
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005E04EE
    • __vbaExitProc.MSVBVM60 ref: 005E04F7
    • __vbaErrorOverflow.MSVBVM60 ref: 005E0559
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E05C1
    • __vbaCastObj.MSVBVM60(00000000), ref: 005E05C4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E05CF
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005E05E4
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E05FB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 005E0619
    • __vbaFreeObj.MSVBVM60 ref: 005E0622
    Strings
    • Value must equal 0 or lie between 100 and 65535., xrefs: 005E0462
    • The total value of Region size and Region addres must be less equal to 65536, xrefs: 005E0352
    • A number between 0 and 65436., xrefs: 005E05FF
    • d, xrefs: 005E0233
    • You cannot set the value if either Max PLC window size and Region size is 0, xrefs: 005E029D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$List$CastCheckHresult$#595Error$CallExitLateMoveOverflowProc
    • String ID: A number between 0 and 65436.$The total value of Region size and Region addres must be less equal to 65536$Value must equal 0 or lie between 100 and 65535.$You cannot set the value if either Max PLC window size and Region size is 0$d
    • API String ID: 1206483965-95175908
    • Opcode ID: 84c58b0adb357d0a44f1b63e937e31a8e670db98c16ac811cce56c616948b681
    • Instruction ID: 0fa46500ada61beab0220da07900686d7c7b0648daffdec91d8e46086bc99fd6
    • Opcode Fuzzy Hash: 84c58b0adb357d0a44f1b63e937e31a8e670db98c16ac811cce56c616948b681
    • Instruction Fuzzy Hash: 16E147B2D00249AFCB14DFA5C988EDEBBB8FF48300F10852AF556A71A1DB745545CFA4
    Function 004D32F0 Relevance: 79.0, APIs: 41, Strings: 4, Instructions: 245COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 004D3369
    • __vbaStrCopy.MSVBVM60 ref: 004D3371
    • __vbaStrCopy.MSVBVM60 ref: 004D337B
    • __vbaStrCopy.MSVBVM60 ref: 004D3397
    • __vbaStrCopy.MSVBVM60 ref: 004D33A1
    • __vbaStrCopy.MSVBVM60 ref: 004D33AB
    • __vbaVarDup.MSVBVM60 ref: 004D33D5
    • #607.MSVBVM60(?,00000003,?), ref: 004D33E5
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D33F5
    • __vbaStrMove.MSVBVM60 ref: 004D3402
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D340E
    • __vbaVarDup.MSVBVM60 ref: 004D3434
    • #607.MSVBVM60(?,0000000F,?), ref: 004D3444
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D344E
    • __vbaStrMove.MSVBVM60 ref: 004D3455
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D3461
    • __vbaVarDup.MSVBVM60 ref: 004D3487
    • #607.MSVBVM60(?,0000000F,?), ref: 004D3497
    • __vbaStrVarMove.MSVBVM60(?), ref: 004D34A1
    • __vbaStrMove.MSVBVM60 ref: 004D34A8
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D34B4
    • __vbaStrCopy.MSVBVM60 ref: 004D34C9
    • #526.MSVBVM60(?,00000005,?,000000FD), ref: 004D3524
    • #526.MSVBVM60(?,00000005,?,000000F1), ref: 004D3544
    • __vbaVarCat.MSVBVM60(?,?,00000008,?,000000F1), ref: 004D3573
    • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004D357E
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004D358F
    • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004D35A0
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004D35A3
    • __vbaStrMove.MSVBVM60 ref: 004D35AE
    • __vbaFreeVarList.MSVBVM60(00000009,00000008,?,?,00000008,?,?,?,00000008,?), ref: 004D35E2
    • __vbaStrCopy.MSVBVM60 ref: 004D35F1
    • __vbaFreeStr.MSVBVM60(004D3669), ref: 004D3657
    • __vbaFreeStr.MSVBVM60 ref: 004D365C
    • __vbaFreeStr.MSVBVM60 ref: 004D3661
    • __vbaFreeStr.MSVBVM60 ref: 004D3666
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyFreeMove$List$#607$#526
    • String ID: Avg$Line meter$Master meter$Run
    • API String ID: 934730035-2955207255
    • Opcode ID: 0fab663fe8192b224ead2ece8a6e3b42694c59951c82c2a8ca40b6d63ead0ec2
    • Instruction ID: 64605904c3f3e5e2cbf9563ea44d00f5822c70e29fe1ccc86c81d52ee1b26cbb
    • Opcode Fuzzy Hash: 0fab663fe8192b224ead2ece8a6e3b42694c59951c82c2a8ca40b6d63ead0ec2
    • Instruction Fuzzy Hash: B3A1F9B1C0021DABDB14DF94DC94EEEBB78FB48700F10815AE516B7264EB746A49CFA4
    Function 004D2200 Relevance: 77.3, APIs: 37, Strings: 7, Instructions: 262COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 004D2270
    • __vbaStrCat.MSVBVM60(METER,?,Size,Nominal K-factor,?), ref: 004D2290
    • __vbaStrMove.MSVBVM60 ref: 004D22A1
      • Part of subcall function 004D1F60: __vbaStrCopy.MSVBVM60 ref: 004D1FB5
      • Part of subcall function 004D1F60: __vbaStrCopy.MSVBVM60 ref: 004D1FBD
      • Part of subcall function 004D1F60: __vbaStrCopy.MSVBVM60 ref: 004D1FC5
      • Part of subcall function 004D1F60: __vbaStrCopy.MSVBVM60 ref: 004D1FCD
      • Part of subcall function 004D1F60: __vbaStrCat.MSVBVM60( DATA,?), ref: 004D1FDE
      • Part of subcall function 004D1F60: __vbaStrMove.MSVBVM60 ref: 004D1FEB
      • Part of subcall function 004D1F60: __vbaStrMove.MSVBVM60(?,00000066), ref: 004D1FFD
      • Part of subcall function 004D1F60: __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 004D200F
      • Part of subcall function 004D1F60: __vbaStrMove.MSVBVM60(00401970,Manufacturer), ref: 004D2033
      • Part of subcall function 004D1F60: __vbaStrMove.MSVBVM60(?,General type), ref: 004D2047
      • Part of subcall function 004D1F60: __vbaStrCat.MSVBVM60(?,?,?,General type), ref: 004D2051
      • Part of subcall function 004D1F60: #524.MSVBVM60(?,?,?,General type), ref: 004D2065
      • Part of subcall function 004D1F60: __vbaStrVarVal.MSVBVM60(?,?,?,General type), ref: 004D2073
      • Part of subcall function 004D1F60: __vbaFreeStr.MSVBVM60(00000000,?,General type), ref: 004D2082
    • __vbaFreeStr.MSVBVM60(?,00000000), ref: 004D22B6
      • Part of subcall function 004D13D0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D141C
      • Part of subcall function 004D13D0: __vbaStrCat.MSVBVM60(004589D8,?), ref: 004D1431
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D143E
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,00000012), ref: 004D1450
      • Part of subcall function 004D13D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D145B
      • Part of subcall function 004D13D0: __vbaStrI2.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D1464
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D146F
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,000000FE), ref: 004D1481
      • Part of subcall function 004D13D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D1486
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(004018BC,00000010, Tag ), ref: 004D14A0
      • Part of subcall function 004D13D0: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14A3
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14AA
      • Part of subcall function 004D13D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14AF
      • Part of subcall function 004D13D0: __vbaStrI2.MSVBVM60(00000008, Strm ), ref: 004D14BE
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14C9
      • Part of subcall function 004D13D0: __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14CC
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14D3
      • Part of subcall function 004D13D0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14D8
      • Part of subcall function 004D13D0: __vbaStrCat.MSVBVM60(?,?), ref: 004D14E2
      • Part of subcall function 004D13D0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004D14E9
    • __vbaStrMove.MSVBVM60(?,Meter), ref: 004D22C8
    • __vbaVarDup.MSVBVM60 ref: 004D22F8
    • __vbaVarDup.MSVBVM60 ref: 004D231B
    • #681.MSVBVM60(?,?,?,?), ref: 004D2350
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 004D2379
    • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004D238B
    • __vbaStrVarVal.MSVBVM60(?,00000000), ref: 004D2396
    • __vbaStrR4.MSVBVM60(0040A636,00000000), ref: 004D23A1
    • __vbaStrMove.MSVBVM60 ref: 004D23AC
      • Part of subcall function 004D1E20: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D1E60
      • Part of subcall function 004D1E20: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D1E68
      • Part of subcall function 004D1E20: __vbaStrMove.MSVBVM60(?,00000012,00000032,?,?,?,?,?,?,?,0040A636), ref: 004D1E80
      • Part of subcall function 004D1E20: __vbaFreeStr.MSVBVM60(004D1EA8,?,?,?,?,?,?,0040A636), ref: 004D1EA0
      • Part of subcall function 004D1E20: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D1EA5
    • __vbaStrMove.MSVBVM60(00000000), ref: 004D23B9
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D23C5
    • __vbaFreeVarList.MSVBVM60(00000006,0000000B,?,?,?,?,?), ref: 004D23E8
    • __vbaStrCat.MSVBVM60(?,?), ref: 004D23F9
    • #524.MSVBVM60(?,?), ref: 004D2411
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 004D241F
      • Part of subcall function 00507520: __vbaStrCopy.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 0050755A
      • Part of subcall function 00507520: __vbaNew2.MSVBVM60(00459D58,0062B924,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507572
      • Part of subcall function 00507520: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000020,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507597
      • Part of subcall function 00507520: __vbaStrCat.MSVBVM60(?,?,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075A8
      • Part of subcall function 00507520: __vbaStrMove.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075B3
      • Part of subcall function 00507520: __vbaPrintObj.MSVBVM60(0045E7F8,?,00000000,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075C3
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075CF
      • Part of subcall function 00507520: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075D8
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(00507602,?,?,?,?,?,?,?,00000000,0040A636), ref: 005075FB
    • __vbaFreeStr.MSVBVM60(00000000), ref: 004D242E
    • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004D243A
    • __vbaVarDup.MSVBVM60 ref: 004D2460
    • __vbaVarDup.MSVBVM60 ref: 004D2483
    • #681.MSVBVM60(?,00000008,?,?), ref: 004D24AC
    • __vbaStrVarVal.MSVBVM60(?,?,Temperature-compensated), ref: 004D24C5
      • Part of subcall function 004D1EC0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D1F00
      • Part of subcall function 004D1EC0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D1F08
      • Part of subcall function 004D1EC0: __vbaStrMove.MSVBVM60(?,00000022,00000032,?,?,?,?,?,?,?,0040A636), ref: 004D1F20
      • Part of subcall function 004D1EC0: __vbaFreeStr.MSVBVM60(004D1F48,?,?,?,?,?,?,0040A636), ref: 004D1F40
      • Part of subcall function 004D1EC0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D1F45
    • __vbaStrMove.MSVBVM60(00000000), ref: 004D24D2
    • __vbaFreeStr.MSVBVM60 ref: 004D24D7
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,?), ref: 004D24EB
    • __vbaStrMove.MSVBVM60(00452580,00452580), ref: 004D2508
    • __vbaStrCat.MSVBVM60(?,?), ref: 004D2512
    • #524.MSVBVM60(?,00000003), ref: 004D252A
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 004D2538
    • __vbaFreeStr.MSVBVM60(00000000), ref: 004D2543
    • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004D254F
    • __vbaFreeStr.MSVBVM60(004D25B2,00000000), ref: 004D25A5
    • __vbaFreeStr.MSVBVM60 ref: 004D25AA
    • __vbaFreeStr.MSVBVM60 ref: 004D25AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Move$Copy$List$#524$#681$CheckHresultNew2Print
    • String ID: METER$Meter$Nominal K-factor$Size$Static $Temperature-compensated$Yes
    • API String ID: 816492191-2870176343
    • Opcode ID: 5a3ceb9057d57f179066a222e56170937b9eccf357c5f9abc484c10a22171343
    • Instruction ID: 9ef8569465ed9a48427235ad108f69674dede93b33eac74d7dd72b98bc6382e1
    • Opcode Fuzzy Hash: 5a3ceb9057d57f179066a222e56170937b9eccf357c5f9abc484c10a22171343
    • Instruction Fuzzy Hash: E3B1D6B1C00209AFDB04DFA4DD95EEEBBB8FB48305F00855AE516B7250EB746A49CF64
    Function 004FC1C0 Relevance: 73.9, APIs: 36, Strings: 6, Instructions: 408COMMON
    Download Yara Rule
    APIs
    • __vbaLateMemSt.MSVBVM60(?,Function), ref: 004FC23D
    • __vbaStrI4.MSVBVM60(-00000155,?), ref: 004FC286
    • __vbaLateMemSt.MSVBVM60(?,MemStart), ref: 004FC2B5
    • __vbaFreeVar.MSVBVM60 ref: 004FC2BA
    • __vbaLateMemSt.MSVBVM60(?,MemQty), ref: 004FC2EE
      • Part of subcall function 004C5E20: #681.MSVBVM60(?,?,?,?), ref: 004C5E9E
      • Part of subcall function 004C5E20: __vbaVarOr.MSVBVM60(?,?,?), ref: 004C5EB3
      • Part of subcall function 004C5E20: __vbaI2ErrVar.MSVBVM60(00000000), ref: 004C5EBA
      • Part of subcall function 004C5E20: __vbaLateMemCallSt.MSVBVM60(?,DataWord,00000001), ref: 004C5F17
      • Part of subcall function 004C5E20: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,DataWord,00000001), ref: 004C5F2F
    • __vbaStrI4.MSVBVM60(-00000154,?), ref: 004FC331
    • __vbaLateMemSt.MSVBVM60(?,MemStart), ref: 004FC360
    • __vbaFreeVar.MSVBVM60 ref: 004FC36B
    • __vbaLateMemSt.MSVBVM60(?,MemQty), ref: 004FC39B
    • __vbaLateMemCallLd.MSVBVM60(?,?,MemQty,00000000), ref: 004FC3B9
    • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 004FC3CB
    • __vbaI2Var.MSVBVM60(00000000), ref: 004FC3D2
    • __vbaFreeVar.MSVBVM60 ref: 004FC3E3
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5B0
    • __vbaStrI2.MSVBVM60(?,Writing meter ,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5CC
    • __vbaStrMove.MSVBVM60(?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5DD
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5E0
    • __vbaStrMove.MSVBVM60(?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5EB
    • __vbaStrCat.MSVBVM60(004568D4,00000000,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5F3
    • __vbaStrMove.MSVBVM60(?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC5FE
    • __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC60F
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC612
    • __vbaStrMove.MSVBVM60(?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC61D
    • __vbaStrCat.MSVBVM60( archive config,00000000,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC625
    • __vbaStrMove.MSVBVM60(?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC630
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000700,?,?,?,00000003,?,?,00000002,?,?,00000001,00402968,?), ref: 004FC656
    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,00000003,?,?,00000002,?,?), ref: 004FC676
    • __vbaLateMemCallLd.MSVBVM60(?,?,Result,00000000,?,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC6A6
    • __vbaVarTstNe.MSVBVM60(00008002,00000000,?,?,?,?,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC6B4
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000001,00402968,?,00000000,00000000), ref: 004FC6BF
    • __vbaErrorOverflow.MSVBVM60(?), ref: 004FC723
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$FreeMove$Call$List$#681CheckErrorHresultNew2Overflow
    • String ID: archive config$Function$MemQty$MemStart$Result$Writing meter
    • API String ID: 988836017-2978293899
    • Opcode ID: 0db651d75be582688ec51fa0422124e6f5a0d339789ac55b6d748f9e16beb84a
    • Instruction ID: c14f2768e1da71a33af2e71d6a3b08a3fbf34d7ee1d2359931c2950c39cc4ef6
    • Opcode Fuzzy Hash: 0db651d75be582688ec51fa0422124e6f5a0d339789ac55b6d748f9e16beb84a
    • Instruction Fuzzy Hash: D1E173749002099BDB14EFA8D985AEEBBB5FF88301F10812EF505A7351DB789985CF98
    Function 005E5130 Relevance: 70.4, APIs: 38, Strings: 2, Instructions: 378COMMON
    Download Yara Rule
    APIs
    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,0040A636), ref: 005E51E0
    • __vbaOnError.MSVBVM60(00000001), ref: 005E5261
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E5275
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005E529C
    • __vbaI2Str.MSVBVM60(?), ref: 005E52A6
    • __vbaFreeStr.MSVBVM60 ref: 005E52B1
    • __vbaFreeObj.MSVBVM60 ref: 005E52BA
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005E52EC
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaStrI2.MSVBVM60(?,Value must lie between ), ref: 005E5327
    • __vbaStrMove.MSVBVM60 ref: 005E5338
    • __vbaStrCat.MSVBVM60(00000000), ref: 005E5341
    • __vbaStrMove.MSVBVM60 ref: 005E5348
    • __vbaStrCat.MSVBVM60( and ,00000000), ref: 005E5350
    • __vbaStrMove.MSVBVM60 ref: 005E5357
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 005E536F
    • __vbaStrMove.MSVBVM60 ref: 005E537A
    • __vbaStrCat.MSVBVM60(00000000), ref: 005E537D
    • __vbaStrMove.MSVBVM60 ref: 005E5384
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005E538C
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005E53AA
    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 005E53C6
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 005E53DE
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E5400
    • __vbaCastObj.MSVBVM60(00000000), ref: 005E5403
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E540E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005E5423
    • __vbaExitProc.MSVBVM60 ref: 005E542C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$ErrorList$#595BoundsCallCastCheckExitGenerateHresultLateOverflowProc
    • String ID: and $Value must lie between
    • API String ID: 1441920718-2540168761
    • Opcode ID: d0e9ad8ea210563e76696eb4b0764915b37e389a8be8260545882edf3f027d58
    • Instruction ID: ac317ea52ea2c56b5a62bac20bca4e93d9d0855f71a1a15bf8a249fd2081fdaa
    • Opcode Fuzzy Hash: d0e9ad8ea210563e76696eb4b0764915b37e389a8be8260545882edf3f027d58
    • Instruction Fuzzy Hash: 86D14BB2D00248AFCB14DFA5CD88ADEBBB9FF48700F10816AF546A7251EB745945CFA4
    Function 005C2060 Relevance: 68.6, APIs: 38, Strings: 1, Instructions: 345COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005C20C5
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C20D8
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C20E8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C2128
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?), ref: 005C2150
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A0,?,?), ref: 005C217A
    • __vbaR4Str.MSVBVM60(?,?,?), ref: 005C2184
    • __vbaFreeStr.MSVBVM60(?,?), ref: 005C2190
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 005C21A0
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C21DF
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C2205
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C2220
    • __vbaFpI4.MSVBVM60 ref: 005C2239
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C2253
    • __vbaFpI4.MSVBVM60 ref: 005C226C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C228A
    • __vbaFpI4.MSVBVM60 ref: 005C22A3
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C22BB
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005C22CF
    • __vbaFpCSngR4.MSVBVM60 ref: 005C22EB
    • _adj_fdiv_m32.MSVBVM60 ref: 005C2308
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C233A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?), ref: 005C235F
    • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 005C2370
    • __vbaStrR4.MSVBVM60(?,?,?), ref: 005C2383
    • __vbaStrMove.MSVBVM60(?,?), ref: 005C238E
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4,?,?), ref: 005C23AE
    • __vbaFreeStr.MSVBVM60(?,?), ref: 005C23B7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 005C23C7
    • __vbaVarDup.MSVBVM60 ref: 005C2405
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005C241D
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005C2435
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C2455
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005C2479
    • __vbaCastObj.MSVBVM60(?,0045B140), ref: 005C2488
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C2493
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?), ref: 005C24AC
    • __vbaExitProc.MSVBVM60 ref: 005C24B5
    Strings
    • Value must lie between 0 and 1., xrefs: 005C23F1
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsGenerate$Free$CheckHresult$List$#595CallCastExitLateMoveProc_adj_fdiv_m32
    • String ID: Value must lie between 0 and 1.
    • API String ID: 1513512264-4144494969
    • Opcode ID: 943eac8fb2c12020e62ed9367168ada5e747cca5186c7b740e41ce7b6e9d54a6
    • Instruction ID: 70c7557874fc3cae2429a3b6a114875fcc5cebf91b401c3e5e9fece490897576
    • Opcode Fuzzy Hash: 943eac8fb2c12020e62ed9367168ada5e747cca5186c7b740e41ce7b6e9d54a6
    • Instruction Fuzzy Hash: 75D15671900229AFDB149FA8CD88ADEBBB8FF48700F004269E546B71A1D7749945CFA9
    Function 005E2190 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 301COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E21FD
    • __vbaCastObj.MSVBVM60(00000000), ref: 005E2200
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005E220B
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 005E221E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005E2231
    • __vbaFreeVar.MSVBVM60 ref: 005E223D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408C20,00462108,00000050), ref: 005E2265
    • __vbaStrCopy.MSVBVM60 ref: 005E2279
    • __vbaFreeStr.MSVBVM60 ref: 005E227E
    • __vbaStrCopy.MSVBVM60 ref: 005E228E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005E22AD
    • __vbaStrMove.MSVBVM60(00000000), ref: 005E22CA
    • __vbaStrCopy.MSVBVM60 ref: 005E22D4
    • __vbaFreeStr.MSVBVM60 ref: 005E22DD
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005E22E8
    • __vbaStrCopy.MSVBVM60 ref: 005E232F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408C20,00462108,000000A4), ref: 005E2352
    • __vbaNew2.MSVBVM60(00413DD0,0062958C), ref: 005E236A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00466F4C,000002B0), ref: 005E23D1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408C20,00462108,000000A4), ref: 005E23F4
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005E241C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005E2433
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005E244C
    • __vbaStrCmp.MSVBVM60(?,?), ref: 005E2482
    • __vbaStrCopy.MSVBVM60 ref: 005E2494
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$BoundsCopyErrorGenerate$CheckFreeHresult$Move$#598BoolCallCastLateListNew2Null
    • String ID: (ab$<Qb$<Qb$<Qb$<Qb$@Qb$DQb$Site PLC images
    • API String ID: 1635183679-4026359341
    • Opcode ID: 24bb379e5e9cedaa9a731c3087dd9e70596c509b8cff4e3d98c8da1b6f750258
    • Instruction ID: 5433fef9e88c87316d1501b4eb0b0c9f8d876678c1d21248d3fcf251a3907ae1
    • Opcode Fuzzy Hash: 24bb379e5e9cedaa9a731c3087dd9e70596c509b8cff4e3d98c8da1b6f750258
    • Instruction Fuzzy Hash: 75B1E375A00244AFCB14DFA9D988ADEBBB9FF48300F108429F946E72A4D7749905CFA4
    Function 004F8070 Relevance: 65.0, APIs: 28, Strings: 9, Instructions: 293COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID:
    • String ID: K-$ meter $ stream $Function$MemQty$MemStart$Reading meter $Result$factor linearization curve
    • API String ID: 0-1741403462
    • Opcode ID: e740f0c60b04ce0c3b2cf31c65ae59da2986a3486a18fe3cfd8e7d2078772fd6
    • Instruction ID: 1f83baa1506ccbf3fb2956df73c6a43fe22e347c8b7ee6fe3cf507029700a120
    • Opcode Fuzzy Hash: e740f0c60b04ce0c3b2cf31c65ae59da2986a3486a18fe3cfd8e7d2078772fd6
    • Instruction Fuzzy Hash: A8D10BB19002199FDB11DFA4CD84BEEB7B9FF48304F0086AEE509A7251EB745A85CF94
    Function 0054F0F0 Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 347COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 0054F155
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054F169
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0054F191
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A0), ref: 0054F1BB
    • __vbaR4Str.MSVBVM60(?), ref: 0054F1C5
    • __vbaFreeStr.MSVBVM60 ref: 0054F1D1
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0054F1E1
    • __vbaFpR4.MSVBVM60 ref: 0054F1F0
    • __vbaFpR4.MSVBVM60 ref: 0054F20F
    • __vbaFpR4.MSVBVM60 ref: 0054F22E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F260
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F273
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F285
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F2C9
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F2DC
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F2EE
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054F333
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0054F35B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F371
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F384
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054F39C
    • __vbaStrR4.MSVBVM60(?), ref: 0054F3D8
    • __vbaStrMove.MSVBVM60 ref: 0054F3E3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 0054F409
    • __vbaFreeStr.MSVBVM60 ref: 0054F412
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0054F422
    • __vbaVarDup.MSVBVM60 ref: 0054F460
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 0054F478
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0054F490
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054F4B0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0054F4D4
    • __vbaCastObj.MSVBVM60(?,0045B140), ref: 0054F4E3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054F4EE
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?), ref: 0054F507
    • __vbaExitProc.MSVBVM60 ref: 0054F510
    Strings
    • Value must be 0 or between 0.1 and 1.0e8., xrefs: 0054F44C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsGenerate$Free$CheckHresult$List$#595CastExitMoveProc
    • String ID: Value must be 0 or between 0.1 and 1.0e8.
    • API String ID: 1557289183-2123827696
    • Opcode ID: f1ad1dad5406287299c9128707ffb25c50de719304c29837b6d0b9233eb8789c
    • Instruction ID: 43e275743016c1a4fbdd435dc575e0b79479629b54c8a44cdb67b4f8e1012b63
    • Opcode Fuzzy Hash: f1ad1dad5406287299c9128707ffb25c50de719304c29837b6d0b9233eb8789c
    • Instruction Fuzzy Hash: 22D19A75900229DFDB14DFA8CD88AEEBBB8FF48304F104629F546A71A4D770A945CFA4
    Function 00505080 Relevance: 61.9, APIs: 41, Instructions: 382COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60(-00000001,00000001,00000001,00505883,00000001), ref: 00505094
    • __vbaGenerateBoundsError.MSVBVM60(-00000001,00000001,00000001,00505883,00000001), ref: 005050CE
    • __vbaStrCopy.MSVBVM60(-00000001,00000001,00000001,00505883,00000001), ref: 005050EA
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005050F5
    • __vbaCopyBytes.MSVBVM60(00000018,0000000F,00000000), ref: 0050511C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505123
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050514C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505175
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050519D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005051C6
    • __vbaCopyBytes.MSVBVM60(00000010,00000037,?), ref: 005051EB
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005051F2
    • __vbaCopyBytes.MSVBVM60(00000010,-00000029,?), ref: 00505217
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505224
    • __vbaCopyBytes.MSVBVM60(00000010,00000057,?), ref: 00505245
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050524C
    • __vbaCopyBytes.MSVBVM60(00000010,00000067,?), ref: 0050526D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505274
    • __vbaCopyBytes.MSVBVM60(00000010,00000077,?), ref: 00505297
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050529E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005052D6
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505300
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050532A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505353
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050537D
    • __vbaRecAssign.MSVBVM60(00452414,000000A3,?), ref: 005053A7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005053B2
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005053E6
    • __vbaCopyBytes.MSVBVM60(00000058,000000EF,?), ref: 0050540D
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505414
    • __vbaCopyBytes.MSVBVM60(00000012,0000019F,?), ref: 0050543B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505442
    • __vbaCopyBytes.MSVBVM60(00000058,00000147,?), ref: 00505468
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0050546F
    • __vbaCopyBytes.MSVBVM60(00000012,000001B1,?), ref: 00505496
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005054B3
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005054CA
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005054D5
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505506
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00505511
    • __vbaErrorOverflow.MSVBVM60 ref: 00505560
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsGenerate$Copy$Bytes$AssignOverflow
    • String ID:
    • API String ID: 1280664585-0
    • Opcode ID: 7c2124b48c90b5249a741bc143a5aefa7ef482ce5138736a23acecaa00762629
    • Instruction ID: 907f168a54051f734bfcba50ede2b3351f30c1907db98bc4ce233078daec67a6
    • Opcode Fuzzy Hash: 7c2124b48c90b5249a741bc143a5aefa7ef482ce5138736a23acecaa00762629
    • Instruction Fuzzy Hash: D4F1D635100A2ADFDB24DF1CD888DEEB7A9FB84304F81452CD592471A6EB31B669CF91
    Function 0052B1C0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 260COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 0052B225
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052B238
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052B263
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0052B28A
    • __vbaR4Str.MSVBVM60(?), ref: 0052B294
    • __vbaFreeStr.MSVBVM60 ref: 0052B2A0
    • __vbaFreeObj.MSVBVM60 ref: 0052B2A9
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052B2CC
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052B324
    • __vbaStrR4.MSVBVM60(?), ref: 0052B335
    • __vbaStrMove.MSVBVM60 ref: 0052B340
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 0052B360
    • __vbaFreeStr.MSVBVM60 ref: 0052B369
    • __vbaFreeObj.MSVBVM60 ref: 0052B372
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052B390
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052B3CD
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052B3D8
    • __vbaStrCat.MSVBVM60(?,Value must lie between 0 and ), ref: 0052B3FE
    • __vbaStrMove.MSVBVM60 ref: 0052B40B
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 0052B413
    • __vbaStrMove.MSVBVM60 ref: 0052B41A
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0052B436
    • __vbaStrMove.MSVBVM60 ref: 0052B43D
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 0052B445
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 0052B463
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0052B477
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0052B48F
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052B4B4
    • __vbaCastObj.MSVBVM60(00000000), ref: 0052B4B7
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052B4C2
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0052B4D7
    • __vbaExitProc.MSVBVM60 ref: 0052B4E0
    Strings
    • Value must lie between 0 and , xrefs: 0052B3DA
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Error$BoundsGenerate$Move$List$CheckHresult$#595CallCastExitLateProc
    • String ID: Value must lie between 0 and
    • API String ID: 1041632592-2065571334
    • Opcode ID: 69602333ac12b652f715255c8ece4157ffe99872331a741745b21f85bf7d018f
    • Instruction ID: 46cac3518d3c2e6b61e0c673ee4a4f6f8ff864dd2a0132afc04b91454906d37f
    • Opcode Fuzzy Hash: 69602333ac12b652f715255c8ece4157ffe99872331a741745b21f85bf7d018f
    • Instruction Fuzzy Hash: AFA17072900219DFDB14DFA4DE88AEEBBB9FF48700F10422AE542A7195D7746A05CFA4
    Function 004E21D0 Relevance: 58.0, APIs: 27, Strings: 6, Instructions: 206COMMON
    Download Yara Rule
    APIs
    • __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E21EE
    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E221E
    • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E2235
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,0040A636), ref: 004E2255
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000160), ref: 004E22AC
    • __vbaObjSet.MSVBVM60(?,?), ref: 004E22D9
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000164), ref: 004E230C
    • __vbaFreeObj.MSVBVM60 ref: 004E2327
    • __vbaChkstk.MSVBVM60 ref: 004E2347
    • __vbaLateMemCallLd.MSVBVM60(?,?,lblMbusStat,00000000,BackColor), ref: 004E2379
    • __vbaVarLateMemSt.MSVBVM60(00000000), ref: 004E2383
    • __vbaFreeVar.MSVBVM60 ref: 004E238C
    • __vbaChkstk.MSVBVM60 ref: 004E23AC
    • __vbaLateMemCallLd.MSVBVM60(?,?,lblMbusStat,00000000,ForeColor), ref: 004E23DE
    • __vbaVarLateMemSt.MSVBVM60(00000000), ref: 004E23E8
    • __vbaFreeVar.MSVBVM60 ref: 004E23F1
    • __vbaChkstk.MSVBVM60 ref: 004E2411
    • __vbaLateMemCallLd.MSVBVM60(?,?,lblMbusStat,00000000,FontBold), ref: 004E2443
    • __vbaVarLateMemSt.MSVBVM60(00000000), ref: 004E244D
    • __vbaFreeVar.MSVBVM60 ref: 004E2456
    • __vbaLateMemCallLd.MSVBVM60(?,?,lblNote,00000000), ref: 004E2472
    • __vbaCastObjVar.MSVBVM60(?,0045B140), ref: 004E2484
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 004E248F
      • Part of subcall function 004E2050: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E206E
      • Part of subcall function 004E2050: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E209E
      • Part of subcall function 004E2050: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E20B5
      • Part of subcall function 004E2050: __vbaChkstk.MSVBVM60 ref: 004E20D5
      • Part of subcall function 004E2050: __vbaLateMemSt.MSVBVM60(?,BackColor), ref: 004E20FC
      • Part of subcall function 004E2050: __vbaChkstk.MSVBVM60 ref: 004E211C
      • Part of subcall function 004E2050: __vbaLateMemSt.MSVBVM60(?,ForeColor), ref: 004E2143
      • Part of subcall function 004E2050: __vbaChkstk.MSVBVM60 ref: 004E2164
      • Part of subcall function 004E2050: __vbaLateMemSt.MSVBVM60(?,FontBold), ref: 004E218B
      • Part of subcall function 004E2050: __vbaFreeVar.MSVBVM60 ref: 004E2194
      • Part of subcall function 004E2050: __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004E21A7
      • Part of subcall function 004E2050: __vbaFreeObj.MSVBVM60(004E21BC), ref: 004E21B5
    • __vbaFreeObj.MSVBVM60(00000000,000000FF), ref: 004E24A3
    • __vbaFreeVar.MSVBVM60 ref: 004E24AC
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004E24BF
    • __vbaFreeObj.MSVBVM60(004E24F3), ref: 004E24EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$Chkstk$AddrefCall$CheckErrorHresult$CastNew2
    • String ID: @`b$BackColor$FontBold$ForeColor$lblMbusStat$lblNote
    • API String ID: 3555745603-502104022
    • Opcode ID: 1919319f321aa28cd0aa3cc8bcc5efc6903b03e9482c8bc2de28904b2adab4f3
    • Instruction ID: d5e23681b63f4270347915eab2e8af5ab995fe7a0ad8607ac909c743b4386f5e
    • Opcode Fuzzy Hash: 1919319f321aa28cd0aa3cc8bcc5efc6903b03e9482c8bc2de28904b2adab4f3
    • Instruction Fuzzy Hash: 649105B4900248EFCB04DF94CA48BDEBBB4FF48305F108169E506BB2A1CBB96945CF58
    Function 005CC0F0 Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 190COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CC169
    • __vbaCastObj.MSVBVM60(00000000), ref: 005CC16C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CC177
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005CC18C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CC1A7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CC1B8
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005CC1C9
    • __vbaStrCat.MSVBVM60(?,A number between 0 and ), ref: 005CC1EE
    • __vbaStrMove.MSVBVM60 ref: 005CC1FB
    • __vbaStrCat.MSVBVM60( millionths per ,00000000), ref: 005CC203
    • __vbaStrMove.MSVBVM60 ref: 005CC20A
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CC228
    • __vbaStrMove.MSVBVM60 ref: 005CC22F
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005CC237
    • __vbaStrMove.MSVBVM60 ref: 005CC23E
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CC248
    • __vbaStrMove.MSVBVM60 ref: 005CC24F
    • __vbaStrCat.MSVBVM60(Default is ,00000000), ref: 005CC257
    • __vbaStrMove.MSVBVM60 ref: 005CC25E
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CC27D
    • __vbaStrMove.MSVBVM60 ref: 005CC284
    • __vbaStrCat.MSVBVM60( millionths (carbon steel).,00000000), ref: 005CC28C
    • __vbaStrMove.MSVBVM60 ref: 005CC293
    • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 005CC2B3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CC2CA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 005CC2EB
    • __vbaFreeObj.MSVBVM60 ref: 005CC2F4
    • __vbaFreeStr.MSVBVM60(005CC34A), ref: 005CC343
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$BoundsErrorGenerateLate$CheckList$CallCastHresultType
    • String ID: millionths (carbon steel).$ millionths per $A number between 0 and $Default is
    • API String ID: 3121234188-2850203173
    • Opcode ID: 57b7b4d8d7964a2cc4c1861d2a34e4713015310b33259a459f6f0b9678bb1bf6
    • Instruction ID: 49f440836f0edc266c7cccc7c21d603beedea98748fad74537e7c69e953aee0e
    • Opcode Fuzzy Hash: 57b7b4d8d7964a2cc4c1861d2a34e4713015310b33259a459f6f0b9678bb1bf6
    • Instruction Fuzzy Hash: 3E613F71D00219AFDB14DFA8DD84EEEBBB9FF48300F10812AE506E7154EA74A945CFA4
    Function 005302E0 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 296COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00530351
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00530364
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00530395
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005303BD
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A0), ref: 005303E7
    • __vbaI4Str.MSVBVM60(?), ref: 005303F1
    • __vbaFreeStr.MSVBVM60 ref: 005303FC
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0053040C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00530428
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00530448
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053046E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?), ref: 00530496
    • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 005304A7
    • __vbaStrI4.MSVBVM60(?,?,?), ref: 005304BD
    • __vbaStrMove.MSVBVM60(?,?), ref: 005304C8
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4,?,?), ref: 005304E8
    • __vbaFreeStr.MSVBVM60(?,?), ref: 005304F1
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?), ref: 00530501
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00530584
    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00530587
    • __vbaFreeObj.MSVBVM60 ref: 00530590
    • __vbaVarDup.MSVBVM60 ref: 005305C6
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005305DE
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005305F6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053060D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053062E
    • __vbaCastObj.MSVBVM60(?,0045B140), ref: 0053063D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00530648
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?), ref: 00530661
    • __vbaExitProc.MSVBVM60 ref: 0053066A
    Strings
    • Value must be greater than or equal to 0., xrefs: 005305B2
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckErrorHresult$BoundsGenerateList$#595CastExitLateMoveProc
    • String ID: Value must be greater than or equal to 0.
    • API String ID: 444589281-3437573232
    • Opcode ID: 8c30c7d601d2395cb6f9d67fd0d76211c1af25cd75cedab8ba0b3da3cec63a0d
    • Instruction ID: a0d5759327881e0d9779127a594f53d2c554ae95b63e623f2fd48f7aa873d33d
    • Opcode Fuzzy Hash: 8c30c7d601d2395cb6f9d67fd0d76211c1af25cd75cedab8ba0b3da3cec63a0d
    • Instruction Fuzzy Hash: 06C15CB1900219AFDB10DFA4CD88EEEBBB9FF48300F148169F649A7251E7349945CFA4
    Function 005D0070 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 236COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005D00D5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D00E9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005D0110
    • __vbaR4Str.MSVBVM60(?), ref: 005D011A
    • __vbaFreeStr.MSVBVM60 ref: 005D0126
    • __vbaFreeObj.MSVBVM60 ref: 005D012F
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005D0155
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D01A9
    • __vbaStrR4.MSVBVM60(?), ref: 005D01B9
    • __vbaStrMove.MSVBVM60 ref: 005D01C4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005D01E4
    • __vbaFreeStr.MSVBVM60 ref: 005D01ED
    • __vbaFreeObj.MSVBVM60 ref: 005D01F6
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005D022C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005D023E
    • __vbaStrCat.MSVBVM60(?,Value must lie between 0 and ), ref: 005D0268
    • __vbaStrMove.MSVBVM60 ref: 005D0275
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 005D027D
    • __vbaStrMove.MSVBVM60 ref: 005D0284
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005D02A0
    • __vbaStrMove.MSVBVM60 ref: 005D02A7
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005D02AF
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005D02CD
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 005D02E1
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 005D02F9
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D031E
    • __vbaCastObj.MSVBVM60(00000000), ref: 005D0321
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005D032C
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005D0341
    • __vbaExitProc.MSVBVM60 ref: 005D034A
    Strings
    • Value must lie between 0 and , xrefs: 005D0244
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$ErrorMove$BoundsGenerateList$CheckHresult$#595CastExitProc
    • String ID: Value must lie between 0 and
    • API String ID: 3075472984-2065571334
    • Opcode ID: 1bc8106c586f9a16cd20d45c626f8e074fec7211d620f875742097592940db08
    • Instruction ID: 043e85e91d0b07d597ffc4b149fe239a3d6f7af5e451ea72f04d38bdfb5be821
    • Opcode Fuzzy Hash: 1bc8106c586f9a16cd20d45c626f8e074fec7211d620f875742097592940db08
    • Instruction Fuzzy Hash: 34913B71900219AFDB14DFA4DE88ADEBBB9FF48300F10422AF546A7294DB746905CFA4
    Function 00503160 Relevance: 52.9, APIs: 35, Instructions: 420COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004C5D70: __vbaLateMemCallLd.MSVBVM60(00000000,?,DataWord,00000001), ref: 004C5DCF
      • Part of subcall function 004C5D70: __vbaI4ErrVar.MSVBVM60(00000000), ref: 004C5DD9
      • Part of subcall function 004C5D70: __vbaFreeVar.MSVBVM60 ref: 004C5DEA
    • __vbaI2I4.MSVBVM60(?,?,00000000,?,?), ref: 005031C3
    • #681.MSVBVM60(?,?,?,?), ref: 00503220
    • #681.MSVBVM60(?,?,?,?), ref: 00503250
    • __vbaI2Var.MSVBVM60(?), ref: 00503256
    • __vbaFreeVarList.MSVBVM60(00000007,0000000B,?,?,00000003,?,00000002,?), ref: 00503281
    • #681.MSVBVM60(00000003,?,?,?), ref: 005032C2
    • __vbaI2Var.MSVBVM60(00000003), ref: 005032C8
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 005032E4
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 00503325
    • __vbaI2Var.MSVBVM60(00000003), ref: 0050332B
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 00503347
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 0050338B
    • __vbaI2Var.MSVBVM60(00000003), ref: 00503391
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 005033AD
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 005033F1
    • __vbaI2Var.MSVBVM60(00000003), ref: 005033F7
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 00503413
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 00503456
    • __vbaI2Var.MSVBVM60(00000003), ref: 0050345C
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 00503478
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 005034BC
    • __vbaI2Var.MSVBVM60(00000003), ref: 005034C2
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 005034DE
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 00503522
    • __vbaI2Var.MSVBVM60(00000003), ref: 00503528
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 00503544
    • #681.MSVBVM60(00000003,00000003,?,?), ref: 00503586
    • __vbaI2Var.MSVBVM60(00000003), ref: 0050358C
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,00000003), ref: 005035A8
    • __vbaI2I4.MSVBVM60(?,?), ref: 005035DC
    • __vbaI2I4.MSVBVM60 ref: 005035F9
    • __vbaI2I4.MSVBVM60(?,?), ref: 00503621
    • __vbaI2I4.MSVBVM60 ref: 00503642
    • __vbaI2I4.MSVBVM60(?,?), ref: 00503661
    • __vbaErrorOverflow.MSVBVM60(?,?,00000000,?,?), ref: 005036A6
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$#681Free$List$CallErrorLateOverflow
    • String ID:
    • API String ID: 1434552398-0
    • Opcode ID: 7852b27591c41cd1d8eece52eab9a3176a7cd92f2961368fc906dfb1698b8b96
    • Instruction ID: 7298e1b1314f8f382c5b4510e33c625c6ae39bd33f35ede173f3a29dd0013c83
    • Opcode Fuzzy Hash: 7852b27591c41cd1d8eece52eab9a3176a7cd92f2961368fc906dfb1698b8b96
    • Instruction Fuzzy Hash: 22F10AB6810249AFDB15DFD4C894BDEBBB8FF48304F04452EE506BB254E774A688CB64
    Function 005F4060 Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 248COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 005F40D1
    • __vbaCastObj.MSVBVM60(00409328,00454AC4), ref: 005F40E9
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F40F0
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8), ref: 005F411C
    • __vbaFreeObj.MSVBVM60 ref: 005F412D
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 005F414F
    • __vbaCastObj.MSVBVM60(00409328,00454AC4), ref: 005F4161
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F4168
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000710), ref: 005F4198
    • __vbaFreeObj.MSVBVM60 ref: 005F41A7
    • __vbaVarDup.MSVBVM60 ref: 005F41E6
    • #595.MSVBVM60(?,00000004,?,?,?), ref: 005F41FE
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005F4223
    • __vbaLateMemSt.MSVBVM60(?,Function), ref: 005F426C
    • __vbaStrI2.MSVBVM60(000000C8), ref: 005F4273
    • __vbaLateMemSt.MSVBVM60(?,MemStart), ref: 005F42A2
    • __vbaFreeVar.MSVBVM60 ref: 005F42A7
    • __vbaLateMemSt.MSVBVM60(?,MemQty), ref: 005F42DB
      • Part of subcall function 004C6030: __vbaLateMemCallSt.MSVBVM60(?,DataWord,00000001,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 004C608F
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,gH_,00000000,00000002), ref: 005F42FF
    • __vbaCastObj.MSVBVM60(00409328,00454AC4,gH_,00000000,00000002), ref: 005F4311
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F431C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000700), ref: 005F4346
    • __vbaFreeObj.MSVBVM60 ref: 005F434F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409328,00463CC4,00000718), ref: 005F4379
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultLate$CastNew2$#595CallList
    • String ID: Clearing checksum alarms$Do you want to clear all checksum alarms?$Function$MemQty$MemStart$gH_
    • API String ID: 2695145741-4004997740
    • Opcode ID: d4f134f02cf2e150d8278c9535b916f26a4edd7c5e52b26e0e14313fade1981c
    • Instruction ID: 9bf19cfbbdab4d51e96845b6c5e5e17969895a9d6f701be7babc08f9cd93fd44
    • Opcode Fuzzy Hash: d4f134f02cf2e150d8278c9535b916f26a4edd7c5e52b26e0e14313fade1981c
    • Instruction Fuzzy Hash: DAA159B4900209ABDB10DFA4D989BAEBBB9FB48700F108569F509BB291D7785885CF58
    Function 00552180 Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 217COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005521E5
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005521F8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00552224
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0055224B
    • #520.MSVBVM60(?,00000008), ref: 0055226D
    • __vbaStrVarMove.MSVBVM60(?), ref: 00552277
    • __vbaStrMove.MSVBVM60 ref: 00552282
    • __vbaFreeObj.MSVBVM60 ref: 0055228B
    • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0055229B
    • __vbaLenBstr.MSVBVM60(?), ref: 005522A8
    • __vbaStrCmp.MSVBVM60(?,?), ref: 005522BA
    • __vbaStrCopy.MSVBVM60(?,?), ref: 005522C9
    • __vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 005522E2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?), ref: 00552308
    • __vbaFreeObj.MSVBVM60(?,?,?), ref: 00552311
    • __vbaStrI2.MSVBVM60(0000000A,Length must not exceed ), ref: 0055233E
    • __vbaStrMove.MSVBVM60 ref: 0055234F
    • __vbaStrCat.MSVBVM60(00000000), ref: 00552358
    • __vbaStrMove.MSVBVM60 ref: 0055235F
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 00552367
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 00552385
    • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00552395
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 005523AD
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005523D2
    • __vbaCastObj.MSVBVM60(00000000), ref: 005523D5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005523E0
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005523F5
    • __vbaExitProc.MSVBVM60 ref: 005523FE
    • __vbaFreeStr.MSVBVM60(00552451), ref: 0055244A
    Strings
    • Length must not exceed , xrefs: 00552338
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$ListMove$CheckErrorHresult$#520#595BoundsBstrCallCastCopyExitGenerateLateProc
    • String ID: Length must not exceed
    • API String ID: 4145205934-1347276867
    • Opcode ID: 0049d236b5f1bcd51d8c8da7ee16da4837d43820a6f49784fd01205b2dbcc4a4
    • Instruction ID: 7079a432f7985b0a6ed584f7a39c70c7473ab6a0e414818a1800bc87781ebc60
    • Opcode Fuzzy Hash: 0049d236b5f1bcd51d8c8da7ee16da4837d43820a6f49784fd01205b2dbcc4a4
    • Instruction Fuzzy Hash: AB812B71900218AFCB14DFA4DD88AEEBBB8FF48701F14412AF546B7165DB745905CFA4
    Function 005BB060 Relevance: 51.3, APIs: 34, Instructions: 311COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB0A9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464200,000000F4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB0D3
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB0DC
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB0F0
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB101
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB10C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB12C
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB135
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB13E
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB152
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB163
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB16E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB194
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB1A1
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB1AA
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB1BE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464200,000000F4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB1E9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB1EE
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB202
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB22A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464210,000000E4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB24E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB25A
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB271
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB29A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464210,000000E4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB2BE
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB2CA
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BB2E1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005BB30A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464210,000000E4), ref: 005BB32E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005BB33A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005BB351
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005BB37A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464210,000000E4), ref: 005BB39E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005BB3AA
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$List$Move
    • String ID:
    • API String ID: 1113576876-0
    • Opcode ID: 214e8d88b232a24a0ec77acba91edd06bd9bbb823e87164162b682aff8034da1
    • Instruction ID: ff6441689e0a9aaeb38db95b10defd5098b11f359c2022276749a7d19f464e09
    • Opcode Fuzzy Hash: 214e8d88b232a24a0ec77acba91edd06bd9bbb823e87164162b682aff8034da1
    • Instruction Fuzzy Hash: 7CB14E74500206AFD7109B64CD89EBF7BBCFF89B01F104529FA06E71A1EB745946CB64
    Function 0050C350 Relevance: 51.2, APIs: 34, Instructions: 199COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0050C3C0
    • __vbaStrCopy.MSVBVM60 ref: 0050C3C8
    • __vbaStrCat.MSVBVM60(00453D38,?), ref: 0050C3D9
    • __vbaStrMove.MSVBVM60 ref: 0050C3E6
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 0050C3ED
    • __vbaStrMove.MSVBVM60 ref: 0050C3F4
    • __vbaStrCat.MSVBVM60(00455B54,00000000), ref: 0050C3FC
    • __vbaStrMove.MSVBVM60 ref: 0050C403
    • __vbaStrR4.MSVBVM60 ref: 0050C40B
    • __vbaStrMove.MSVBVM60 ref: 0050C416
    • __vbaStrR4.MSVBVM60(00402E60), ref: 0050C41C
    • __vbaStrMove.MSVBVM60 ref: 0050C427
    • __vbaStrR4.MSVBVM60(?), ref: 0050C42D
    • __vbaStrMove.MSVBVM60 ref: 0050C438
    • __vbaStrCat.MSVBVM60(?,?), ref: 0050C441
    • __vbaStrMove.MSVBVM60 ref: 0050C448
      • Part of subcall function 004E3BA0: __vbaChkstk.MSVBVM60(00000000,0040A636,004D144B,?,00000012), ref: 004E3BBE
      • Part of subcall function 004E3BA0: #526.MSVBVM60(?,00000000), ref: 004E3C2F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3C39
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3C44
      • Part of subcall function 004E3BA0: __vbaFreeVar.MSVBVM60 ref: 004E3C4D
      • Part of subcall function 004E3BA0: __vbaOnError.MSVBVM60(000000FF), ref: 004E3C5C
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(00000000,?), ref: 004E3C82
      • Part of subcall function 004E3BA0: #619.MSVBVM60(?,00000008,00000000), ref: 004E3C9F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3CA9
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3CB4
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3CC4
      • Part of subcall function 004E3BA0: __vbaStrCopy.MSVBVM60(?,00000000,0040A636,004D144B), ref: 004E3D38
      • Part of subcall function 004E3BA0: __vbaFreeStr.MSVBVM60(004E3D76,?,00000000,0040A636,004D144B), ref: 004E3D6F
    • __vbaStrMove.MSVBVM60(?,00000020,00000000), ref: 0050C45B
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C45E
    • __vbaStrMove.MSVBVM60 ref: 0050C465
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(?,00000000), ref: 004E3CE0
      • Part of subcall function 004E3BA0: #617.MSVBVM60(?,00000008,00000000), ref: 004E3CFD
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3D07
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3D12
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3D22
    • __vbaStrMove.MSVBVM60(?,0000000E,00000000), ref: 0050C478
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C47B
    • __vbaStrMove.MSVBVM60 ref: 0050C482
    • __vbaStrMove.MSVBVM60(?,0000000E,00000000), ref: 0050C495
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C498
    • __vbaStrMove.MSVBVM60 ref: 0050C49F
    • __vbaStrMove.MSVBVM60(?,0000000E,00000000), ref: 0050C4B2
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C4B5
    • __vbaStrMove.MSVBVM60 ref: 0050C4BC
      • Part of subcall function 004CF6C0: __vbaStrMove.MSVBVM60(?), ref: 004CF701
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0050C4CA
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C4CD
    • __vbaStrMove.MSVBVM60 ref: 0050C4D4
      • Part of subcall function 00507520: __vbaStrCopy.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 0050755A
      • Part of subcall function 00507520: __vbaNew2.MSVBVM60(00459D58,0062B924,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507572
      • Part of subcall function 00507520: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000020,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507597
      • Part of subcall function 00507520: __vbaStrCat.MSVBVM60(?,?,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075A8
      • Part of subcall function 00507520: __vbaStrMove.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075B3
      • Part of subcall function 00507520: __vbaPrintObj.MSVBVM60(0045E7F8,?,00000000,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075C3
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075CF
      • Part of subcall function 00507520: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075D8
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(00507602,?,?,?,?,?,?,?,00000000,0040A636), ref: 005075FB
    • __vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0050C522
    • __vbaFreeStr.MSVBVM60(0050C594), ref: 0050C58C
    • __vbaFreeStr.MSVBVM60 ref: 0050C591
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Copy$List$#526#617#619CheckChkstkErrorHresultNew2Print
    • String ID:
    • API String ID: 2510133313-0
    • Opcode ID: 1737937697afb422826b1fb1700a69ad4bf0a96e83416cc4f486810d9d6c6147
    • Instruction ID: 8d3d63f34e1e93b3290aac478ba61c66e1610ea2cd694fe8e645ffe3de080a62
    • Opcode Fuzzy Hash: 1737937697afb422826b1fb1700a69ad4bf0a96e83416cc4f486810d9d6c6147
    • Instruction Fuzzy Hash: 2C61ABB2D0011CABCB05DBE5DD959DFBBB9AF58300F10852AE506E7154EE74AA05CFA0
    Function 00514090 Relevance: 51.0, APIs: 24, Strings: 5, Instructions: 215COMMON
    Download Yara Rule
    APIs
    • __vbaChkstk.MSVBVM60(?,0040A636), ref: 005140AE
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,0040A636), ref: 005140FC
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 00514122
    • __vbaCastObj.MSVBVM60(00000000), ref: 00514129
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00514134
      • Part of subcall function 004C6930: __vbaLateMemSt.MSVBVM60(?,Adapter), ref: 004C69EC
      • Part of subcall function 004C6930: __vbaPowerR8.MSVBVM60(00000000,40000000,?,?,?), ref: 004C6A22
      • Part of subcall function 004C6930: __vbaStrR8.MSVBVM60 ref: 004C6A3E
      • Part of subcall function 004C6930: __vbaStrMove.MSVBVM60 ref: 004C6A49
      • Part of subcall function 004C6930: __vbaStrCat.MSVBVM60(00453438,00000000), ref: 004C6A55
      • Part of subcall function 004C6930: __vbaVarDup.MSVBVM60 ref: 004C6A8D
      • Part of subcall function 004C6930: #632.MSVBVM60(?,?,00000000,00000002), ref: 004C6AB1
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,00000000,?,006250F0), ref: 0051415A
    • __vbaObjIs.MSVBVM60(?,00000000,?,?,?,0040A636), ref: 00514172
    • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,?,0040A636), ref: 0051418C
    • __vbaChkstk.MSVBVM60 ref: 005141AF
    • __vbaLateMemCallLd.MSVBVM60(?,00455DA8,lblMbusTime,00000000,Caption), ref: 005141E6
    • __vbaVarLateMemSt.MSVBVM60(00000000,?,?,?,00000000,?,?,?,0040A636), ref: 005141F0
    • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,?,?,0040A636), ref: 005141F9
    • #681.MSVBVM60(?,0000400B,00000003,00000003), ref: 00514245
    • __vbaChkstk.MSVBVM60 ref: 00514250
    • __vbaLateMemCallLd.MSVBVM60(?,?,lblMbusStat,00000000,ForeColor), ref: 00514284
    • __vbaVarLateMemSt.MSVBVM60(00000000), ref: 0051428E
    • __vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,?), ref: 005142A6
    • __vbaVarDup.MSVBVM60 ref: 005142D3
    • __vbaVarDup.MSVBVM60 ref: 005142F6
    • #681.MSVBVM60(?,0000400B,?,?), ref: 0051431F
    • __vbaChkstk.MSVBVM60 ref: 0051432A
    • __vbaLateMemCallLd.MSVBVM60(?,?,lblMbusStat,00000000,Caption), ref: 0051435E
    • __vbaVarLateMemSt.MSVBVM60(00000000), ref: 00514368
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00514380
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$ChkstkFree$CallList$#681$#632CastErrorMovePower
    • String ID: Caption$Comm port is unavailable$ForeColor$lblMbusStat$lblMbusTime
    • API String ID: 2592314702-333640497
    • Opcode ID: 69eedc4ce887e89d61d9692050638b5dc133826caec15341ad14cd67d3afd72f
    • Instruction ID: 4112272927202490a81ade706e31eb1d153db480ab2a8cf0eddeae9eb8ebe404
    • Opcode Fuzzy Hash: 69eedc4ce887e89d61d9692050638b5dc133826caec15341ad14cd67d3afd72f
    • Instruction Fuzzy Hash: 08A11AB5900208EFDB14DF94CA48FDEBBB4FF48704F208559E506AB291DB74AA49CF94
    Function 006050C0 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 217COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00605122
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060513C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0060515F
    • __vbaR4Str.MSVBVM60(?), ref: 00605169
    • __vbaFreeStr.MSVBVM60 ref: 00605175
    • __vbaFreeObj.MSVBVM60 ref: 0060517E
    • __vbaFpR4.MSVBVM60 ref: 0060518A
    • __vbaFpR4.MSVBVM60 ref: 006051A9
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 006051F1
    • __vbaFpI4.MSVBVM60 ref: 0060520D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046208C,00000064), ref: 00605227
    • __vbaFreeObj.MSVBVM60 ref: 00605230
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0060524A
    • __vbaStrR4.MSVBVM60(?), ref: 00605257
    • __vbaStrMove.MSVBVM60 ref: 00605262
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 00605282
    • __vbaFreeStr.MSVBVM60 ref: 0060528B
    • __vbaFreeObj.MSVBVM60 ref: 00605294
    • __vbaVarDup.MSVBVM60 ref: 006052CF
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 006052E7
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 006052FF
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00605324
    • __vbaCastObj.MSVBVM60(00000000), ref: 00605327
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00605332
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 00605347
    • __vbaExitProc.MSVBVM60 ref: 00605350
    Strings
    • Value must lie between 0.001 and 32.000., xrefs: 006052BB
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$List$#595CallCastErrorExitLateMoveProc
    • String ID: Value must lie between 0.001 and 32.000.
    • API String ID: 1681325597-523070491
    • Opcode ID: 45ed27441271628273af937aaf19e9f9b7f6a757637cf0bd86762fa85e3928fc
    • Instruction ID: a4673ed9ab21fd8741ba948aadbedf8726059cfb519e33fe1b16e5fb6c86648a
    • Opcode Fuzzy Hash: 45ed27441271628273af937aaf19e9f9b7f6a757637cf0bd86762fa85e3928fc
    • Instruction Fuzzy Hash: 398158B1900209AFCB04DFA4DE48ADEBBB8FF88340F108529E546B72A0DB745906CF64
    Function 004E3090 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 212COMMON
    Download Yara Rule
    APIs
    • __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E30AE
    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E30DE
    • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E30F8
    • #681.MSVBVM60(?,0000400B,00000003,00000003), ref: 004E313E
    • #681.MSVBVM60(?,0000400B,?,00000003), ref: 004E3178
    • __vbaChkstk.MSVBVM60 ref: 004E3183
    • __vbaLateMemSt.MSVBVM60(?,BackColor), ref: 004E31AD
    • __vbaFreeVarList.MSVBVM60(00000005,00000003,00000003,?,00000003,?), ref: 004E31C9
    • #681.MSVBVM60(?,0000400B,00000003,00000003), ref: 004E3212
    • #681.MSVBVM60(?,0000400B,00000003,?), ref: 004E324C
    • __vbaChkstk.MSVBVM60 ref: 004E3257
    • __vbaLateMemSt.MSVBVM60(?,ForeColor), ref: 004E3281
    • __vbaFreeVarList.MSVBVM60(00000005,00000003,00000003,00000003,?,?), ref: 004E329D
    • __vbaChkstk.MSVBVM60 ref: 004E32C0
    • __vbaLateMemSt.MSVBVM60(?,FontBold), ref: 004E32EA
    • __vbaChkstk.MSVBVM60 ref: 004E330A
    • __vbaLateMemSt.MSVBVM60(?,Locked), ref: 004E3334
    • __vbaChkstk.MSVBVM60 ref: 004E3355
    • __vbaLateMemSt.MSVBVM60(?,TabStop), ref: 004E337F
    • __vbaFreeVar.MSVBVM60 ref: 004E3388
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004E339E
    • __vbaFreeObj.MSVBVM60(004E33D8), ref: 004E33D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Chkstk$Late$#681Free$AddrefList$Error
    • String ID: BackColor$FontBold$ForeColor$Locked$TabStop
    • API String ID: 593274882-60129138
    • Opcode ID: 8378023b78ab547a1b3d049096a5b3f2483a6cbb62293a5773bdebbce99b5da5
    • Instruction ID: 0dbe15a157b974f92335301b13cf89fe881316243d7407abeb0fffc1e2a54b02
    • Opcode Fuzzy Hash: 8378023b78ab547a1b3d049096a5b3f2483a6cbb62293a5773bdebbce99b5da5
    • Instruction Fuzzy Hash: 55A1F3B5900218DFDB10DF94C988BDEBBB4FF48304F24826EE509AB291D7746A49CF95
    Function 00607210 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 192COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00607272
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00607286
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 006072AD
    • #520.MSVBVM60(?,00000008), ref: 006072CB
    • __vbaStrVarMove.MSVBVM60(?), ref: 006072D5
    • __vbaStrMove.MSVBVM60 ref: 006072E0
    • __vbaFreeObj.MSVBVM60 ref: 006072E9
    • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 006072F9
    • __vbaLenBstr.MSVBVM60(?), ref: 00607306
    • __vbaStrCmp.MSVBVM60(?,?), ref: 0060731E
    • __vbaStrCopy.MSVBVM60(?,?), ref: 0060732D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 00607341
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?), ref: 00607367
    • __vbaFreeObj.MSVBVM60(?,?,?), ref: 00607370
    • __vbaStrI2.MSVBVM60(00000020,Length must not exceed ), ref: 0060739E
    • __vbaStrMove.MSVBVM60 ref: 006073A9
    • __vbaStrCat.MSVBVM60(00000000), ref: 006073B0
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 006073D2
    • __vbaFreeStr.MSVBVM60 ref: 006073DB
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 006073F3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00607418
    • __vbaCastObj.MSVBVM60(00000000), ref: 0060741B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00607426
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0060743B
    • __vbaExitProc.MSVBVM60 ref: 00607444
    • __vbaFreeStr.MSVBVM60(00607490), ref: 00607489
    Strings
    • Length must not exceed , xrefs: 00607397
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$ListMove$CheckHresult$#520#595BstrCallCastCopyErrorExitLateProc
    • String ID: Length must not exceed
    • API String ID: 3124752648-1347276867
    • Opcode ID: 65d29a1312728bc6191c228dae63b8b9564136956d0dfd8f1eb9a2934a632393
    • Instruction ID: 879d36e88dfe289b849eb92c039d999a59c4f8b43a5664b55be2c0c3c09c2f46
    • Opcode Fuzzy Hash: 65d29a1312728bc6191c228dae63b8b9564136956d0dfd8f1eb9a2934a632393
    • Instruction Fuzzy Hash: B771E8B2D00248AFDB04DFA4D988ADEBBB9FF48300F108529F556B7261DB746945CFA4
    Function 004EA0F0 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 160COMMON
    Download Yara Rule
    APIs
    • __vbaStrI2.MSVBVM60(?,6D48A323,6D49D8B1,6D49D8F4), ref: 004EA13B
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004EA14C
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 004EA15A
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004EA161
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 004EA169
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004EA174
    • __vbaStrCat.MSVBVM60(00000000), ref: 004EA177
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004EA17E
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 004EA186
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004EA18D
    • __vbaStrI2.MSVBVM60(?,00000000), ref: 004EA194
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004EA19F
    • __vbaStrCat.MSVBVM60(00000000,?,00000000), ref: 004EA1A2
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004EA1A9
    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,00000000), ref: 004EA1C5
    • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004EA219
    • __vbaStrCat.MSVBVM60(004568D4,?,?,00000000), ref: 004EA228
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004EA22F
    • __vbaStrI2.MSVBVM60(?,00000000,?,00000000), ref: 004EA23B
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004EA246
    • __vbaStrCat.MSVBVM60(00000000,?,00000000), ref: 004EA249
    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004EA250
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 004EA25C
    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004EA27D
    • __vbaFreeStr.MSVBVM60(004EA2C7,?,00000000), ref: 004EA2C0
    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 004EA2DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$ErrorList$BoundsCopyGenerateOverflow
    • String ID: h&@
    • API String ID: 2823644198-210207038
    • Opcode ID: 80979d2d190ba2633024fc895b13b4c74fd16f88fe4c21a2fda188a3bc15576b
    • Instruction ID: 6d7bd8e13ffd38a3bd65c8c3fe54841cea055aac0a2e74c597dd313c86ddfbee
    • Opcode Fuzzy Hash: 80979d2d190ba2633024fc895b13b4c74fd16f88fe4c21a2fda188a3bc15576b
    • Instruction Fuzzy Hash: 0C513AB5D00119AFCB04EFA5DD84AEEBBB8FF48701F10816AE502F7260EA745945CFA5
    Function 005CA1D0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 153COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CA249
    • __vbaCastObj.MSVBVM60(00000000), ref: 005CA24C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CA257
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005CA26C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CA283
    • __vbaStrI2.MSVBVM60(00000000,A number between ), ref: 005CA290
    • __vbaStrMove.MSVBVM60 ref: 005CA2A1
    • __vbaStrCat.MSVBVM60(00000000), ref: 005CA2AA
    • __vbaStrMove.MSVBVM60 ref: 005CA2B1
    • __vbaStrCat.MSVBVM60( and ,00000000), ref: 005CA2B9
    • __vbaStrMove.MSVBVM60 ref: 005CA2C0
    • __vbaStrI2.MSVBVM60(00002710,00000000), ref: 005CA2C8
    • __vbaStrMove.MSVBVM60 ref: 005CA2D3
    • __vbaStrCat.MSVBVM60(00000000), ref: 005CA2D6
    • __vbaStrMove.MSVBVM60 ref: 005CA2DD
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005CA2E5
    • __vbaStrMove.MSVBVM60 ref: 005CA2EC
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CA2F6
    • __vbaStrMove.MSVBVM60 ref: 005CA2FD
    • __vbaStrCat.MSVBVM60(If zero, no limit is imposed.,00000000), ref: 005CA305
    • __vbaStrMove.MSVBVM60 ref: 005CA30C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 005CA325
    • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 005CA34D
    • __vbaFreeObj.MSVBVM60 ref: 005CA359
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Late$CheckList$CallCastHresultType
    • String ID: and $A number between $If zero, no limit is imposed.
    • API String ID: 1211845585-3264020050
    • Opcode ID: efe83d46d8772af63b92621322e8430a1b7012bd1c482e93e51df56fc18d5e4c
    • Instruction ID: 2ea9329c7be3dd1da16712b5f9eb344ac14c2760f43c3c37c66f32f87d8e5d97
    • Opcode Fuzzy Hash: efe83d46d8772af63b92621322e8430a1b7012bd1c482e93e51df56fc18d5e4c
    • Instruction Fuzzy Hash: AE51D972D00218ABDB04EBA5DD85DEEFBBCEF58700F10852AF505A3160EA7459458BA5
    Function 005320A0 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 213COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00532102
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00532115
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00532140
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 00532167
    • __vbaR4Str.MSVBVM60(?), ref: 00532171
    • __vbaFreeStr.MSVBVM60 ref: 0053217D
    • __vbaFreeObj.MSVBVM60 ref: 00532186
    • __vbaFpR4.MSVBVM60 ref: 00532192
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005321C7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005321F1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053221A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0053222F
    • __vbaStrR4.MSVBVM60(?), ref: 0053224B
    • __vbaStrMove.MSVBVM60 ref: 00532256
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 0053227C
    • __vbaFreeStr.MSVBVM60 ref: 00532285
    • __vbaFreeObj.MSVBVM60 ref: 0053228E
    • __vbaExitProc.MSVBVM60 ref: 0053234A
    Strings
    • Value must lie between 0.5 and 2.0., xrefs: 005322B5
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsFreeGenerate$CheckHresult$ExitMoveProc
    • String ID: Value must lie between 0.5 and 2.0.
    • API String ID: 3186628660-3252755221
    • Opcode ID: 25e387c25900d2fd61c0d87bd4c67355de25d922dcca4541b3548840fea5d2c5
    • Instruction ID: 8bbf18052f9ba6850c5b5f0d3017c108219733efa8309a149ea50876290001f5
    • Opcode Fuzzy Hash: 25e387c25900d2fd61c0d87bd4c67355de25d922dcca4541b3548840fea5d2c5
    • Instruction Fuzzy Hash: 4B914772800619DFCB14DFA4D988ADEBBB8FF48701F00812AF546B7165DB74AA45CFA4
    Function 004C60B0 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 188COMMON
    Download Yara Rule
    APIs
    • __vbaRedim.MSVBVM60(00000080,00000002,?,00000002,00000001,0040A635,00000000), ref: 004C6127
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C616F
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C6179
    • __vbaLateMemCallLd.MSVBVM60(?,?,DataWord,00000001), ref: 004C61AE
    • __vbaI2Var.MSVBVM60(00000000), ref: 004C61B8
    • __vbaFreeVar.MSVBVM60 ref: 004C61CB
    • #526.MSVBVM60(?,00000000), ref: 004C61F3
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C61FD
    • __vbaStrMove.MSVBVM60 ref: 004C6208
    • __vbaFreeVar.MSVBVM60 ref: 004C6211
    • __vbaAryLock.MSVBVM60(?,?), ref: 004C621F
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C623E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C624C
    • __vbaStrToAnsi.MSVBVM60(?,?,?,0040A636), ref: 004C6264
    • __vbaSetSystemError.MSVBVM60(00000000), ref: 004C6272
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004C6280
    • __vbaAryUnlock.MSVBVM60(?), ref: 004C628A
    • __vbaFreeStr.MSVBVM60 ref: 004C6293
    • #617.MSVBVM60(?,?,00000000), ref: 004C62B2
    • __vbaStrVarMove.MSVBVM60(?), ref: 004C62BC
    • __vbaStrMove.MSVBVM60 ref: 004C62C7
    • __vbaFreeVar.MSVBVM60 ref: 004C62D0
    • __vbaFreeStr.MSVBVM60(004C631F), ref: 004C630C
    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004C6318
    • __vbaErrorOverflow.MSVBVM60(00000000), ref: 004C6335
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$Free$BoundsGenerateMove$#526#617AnsiCallDestructLateLockOverflowRedimSystemUnicodeUnlock
    • String ID: DataWord
    • API String ID: 694857449-2471641142
    • Opcode ID: 54a23c1c311d6387c94e264ddf409e4bf76ffa4bd5910199e1a588416fcdf1e6
    • Instruction ID: e15e939a8d1aadfe78a6ee284074addde1109cceda227f6d90a34fc0c132bddc
    • Opcode Fuzzy Hash: 54a23c1c311d6387c94e264ddf409e4bf76ffa4bd5910199e1a588416fcdf1e6
    • Instruction Fuzzy Hash: 09715E75900209DFCB04DFA4D988EEEBBB9FF48305F15816AE901B7260DB759846CB64
    Function 00591120 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 186COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00591182
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00591196
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005911BD
    • __vbaI2Str.MSVBVM60(?), ref: 005911C7
    • __vbaFreeStr.MSVBVM60 ref: 005911D2
    • __vbaFreeObj.MSVBVM60 ref: 005911DB
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00591208
    • __vbaStrI2.MSVBVM60(?), ref: 0059121A
    • __vbaStrMove.MSVBVM60 ref: 00591225
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 00591245
    • __vbaFreeStr.MSVBVM60 ref: 0059124E
    • __vbaFreeObj.MSVBVM60 ref: 00591257
    • __vbaStrI2.MSVBVM60(?,Value must lie between 0 and ), ref: 00591297
    • __vbaStrMove.MSVBVM60 ref: 005912A8
    • __vbaStrCat.MSVBVM60(00000000), ref: 005912B1
    • __vbaStrMove.MSVBVM60 ref: 005912B8
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005912C0
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005912DE
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005912EE
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00591306
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00591328
    • __vbaCastObj.MSVBVM60(00000000), ref: 0059132B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00591336
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0059134B
    • __vbaExitProc.MSVBVM60 ref: 00591354
    Strings
    • Value must lie between 0 and , xrefs: 00591287
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$ListMove$CheckHresult$#595CallCastErrorExitLateProc
    • String ID: Value must lie between 0 and
    • API String ID: 2296155638-2065571334
    • Opcode ID: 4927d7a80f74dee09251bdb6eda7679ce2998813ddf48380203ef0cf5b0bd2f7
    • Instruction ID: 6de8de6318c3131d17118011054815ff0b757baf4c3067bb7021ba05592624f6
    • Opcode Fuzzy Hash: 4927d7a80f74dee09251bdb6eda7679ce2998813ddf48380203ef0cf5b0bd2f7
    • Instruction Fuzzy Hash: 28711872900259ABCB00DFA4DD88AEEBBB8FF48700F14452EF546A7251DB746945CB64
    Function 004E00C0 Relevance: 45.4, APIs: 30, Instructions: 428COMMON
    Download Yara Rule
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,0045AE44,00000004), ref: 004E012C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004E013E
      • Part of subcall function 004DEE60: #681.MSVBVM60(?,?,?,?), ref: 004DEED4
      • Part of subcall function 004DEE60: __vbaI2Var.MSVBVM60(?), ref: 004DEEDE
      • Part of subcall function 004DEE60: __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004DEEF6
    • __vbaStrI2.MSVBVM60(?,00455DA8), ref: 004E017D
    • __vbaStrMove.MSVBVM60(?,00455DA8), ref: 004E018E
    • __vbaStrCat.MSVBVM60(00000000,?,00455DA8), ref: 004E0191
    • #619.MSVBVM60(?,?,00000002,?,00455DA8), ref: 004E01AB
    • __vbaVarCat.MSVBVM60(?,?,00000008,?,00455DA8), ref: 004E01BD
    • __vbaStrVarMove.MSVBVM60(00000000,?,00455DA8), ref: 004E01C4
    • __vbaStrMove.MSVBVM60(?,00455DA8), ref: 004E01CF
    • __vbaStrCopy.MSVBVM60(?,00455DA8), ref: 004E01DC
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00455DA8), ref: 004E01E8
    • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?,?,00455DA8), ref: 004E01FC
    • __vbaStrCopy.MSVBVM60(?), ref: 004E0216
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004E022C
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004E025A
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E032B
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E0357
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E037D
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E03A9
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E03CF
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E03F5
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,00457510,?,?,?,?,?,?,00000008,?), ref: 004E0428
    • #681.MSVBVM60(00000008,00000008,00004004,00004004,?,?,?,?,?,?,00457510,?,?,?,?,?), ref: 004E047F
    • __vbaR4Var.MSVBVM60(00000008), ref: 004E0489
    • __vbaFreeVarList.MSVBVM60(00000002,0000000B,00000008), ref: 004E049F
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?), ref: 004E0537
    • __vbaGenerateBoundsError.MSVBVM60(00000000,?,00000000,?,?,?,?), ref: 004E05C6
    • __vbaGenerateBoundsError.MSVBVM60(00000001,?,?), ref: 004E05E9
    • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 004E0629
      • Part of subcall function 004DEF40: __vbaGenerateBoundsError.MSVBVM60 ref: 004DEF86
      • Part of subcall function 004DEF40: __vbaGenerateBoundsError.MSVBVM60 ref: 004DEFB3
      • Part of subcall function 004DEF40: #681.MSVBVM60(?,?,?,00000002), ref: 004DF01F
      • Part of subcall function 004DEF40: __vbaI4Var.MSVBVM60(?), ref: 004DF029
      • Part of subcall function 004DEF40: __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000003,00000002,?), ref: 004DF044
      • Part of subcall function 004DEF40: __vbaGenerateBoundsError.MSVBVM60 ref: 004DF05F
      • Part of subcall function 004DEF40: __vbaGenerateBoundsError.MSVBVM60 ref: 004DF07E
    • __vbaErrorOverflow.MSVBVM60(?,?), ref: 004E0789
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsGenerate$FreeList$#681Move$Copy$#619Construct2Overflow
    • String ID:
    • API String ID: 2076875587-0
    • Opcode ID: e6d2d61ea8820242c2235589863825cefcfeb46e23eb27b9fd641422a3c9f7e2
    • Instruction ID: c802644f8d8c26d22315e7b4b620de997ac7a0e6b240b426b43c9e865d018af4
    • Opcode Fuzzy Hash: e6d2d61ea8820242c2235589863825cefcfeb46e23eb27b9fd641422a3c9f7e2
    • Instruction Fuzzy Hash: 5A02C07090070ADBDB24DF65C984BEAB3F5FF48305F00466EE15AA7211E774AA89CF64
    Function 00535220 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 212COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00535282
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00535295
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005352C0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005352E7
    • __vbaR4Str.MSVBVM60(?), ref: 005352F1
    • __vbaFreeStr.MSVBVM60 ref: 005352FD
    • __vbaFreeObj.MSVBVM60 ref: 00535306
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00535341
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0053536B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00535394
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005353A9
    • __vbaStrR4.MSVBVM60(?), ref: 005353C5
    • __vbaStrMove.MSVBVM60 ref: 005353D0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005353F6
    • __vbaFreeStr.MSVBVM60 ref: 005353FF
    • __vbaFreeObj.MSVBVM60 ref: 00535408
    • __vbaExitProc.MSVBVM60 ref: 005354C4
    Strings
    • Value must lie between 0 and 1.0., xrefs: 0053542F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsFreeGenerate$CheckHresult$ExitMoveProc
    • String ID: Value must lie between 0 and 1.0.
    • API String ID: 3186628660-2027247299
    • Opcode ID: 4dc4b44df8142d5b5408e0ac0a135dc9ee99e25ce63d004a5a4e85a58d8dccfa
    • Instruction ID: 454088b0f89b06363e77ac59529dde164b86b8a73b6b10eee230d7a8633064e6
    • Opcode Fuzzy Hash: 4dc4b44df8142d5b5408e0ac0a135dc9ee99e25ce63d004a5a4e85a58d8dccfa
    • Instruction Fuzzy Hash: 25816772C00619DFCB14DFA4D988ADEBBB8FB48701F00412AF546B7165EB74AA05CFA4
    Function 005572D0 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 184COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00557332
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00557346
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0055736D
    • __vbaI2Str.MSVBVM60(?), ref: 00557377
    • __vbaFreeStr.MSVBVM60 ref: 00557382
    • __vbaFreeObj.MSVBVM60 ref: 0055738B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005573B1
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005573D3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005573FA
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0055740E
    • __vbaStrI2.MSVBVM60(00000000), ref: 00557425
    • __vbaStrMove.MSVBVM60 ref: 00557430
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 00557450
    • __vbaFreeStr.MSVBVM60 ref: 00557459
    • __vbaFreeObj.MSVBVM60 ref: 00557462
    • __vbaVarDup.MSVBVM60 ref: 0055749D
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005574B5
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005574CD
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005574F2
    • __vbaCastObj.MSVBVM60(00000000), ref: 005574F5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00557500
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 00557515
    • __vbaExitProc.MSVBVM60 ref: 0055751E
    Strings
    • Value must lie between 0 and 255, xrefs: 00557489
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Error$BoundsGenerate$CheckHresultList$#595CallCastExitLateMoveProc
    • String ID: Value must lie between 0 and 255
    • API String ID: 1306855640-116363276
    • Opcode ID: b37de3c7d7ad6060a5cb6acc88dc03aa216573e2fddc6c9916950387d3019c25
    • Instruction ID: 828cad0c5626730e85c9c5c1ca85ce95ce399f1dff1f7a6c1405581236af97e8
    • Opcode Fuzzy Hash: b37de3c7d7ad6060a5cb6acc88dc03aa216573e2fddc6c9916950387d3019c25
    • Instruction Fuzzy Hash: B1715972D00209DFCB14DFA5D988AEEBBB8FF48301F14452AF956A7161EB345905CFA4
    Function 00556290 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 184COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005562F2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00556306
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0055632D
    • __vbaI2Str.MSVBVM60(?), ref: 00556337
    • __vbaFreeStr.MSVBVM60 ref: 00556342
    • __vbaFreeObj.MSVBVM60 ref: 0055634B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00556371
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00556393
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005563BA
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005563CE
    • __vbaStrI2.MSVBVM60(00000000), ref: 005563E5
    • __vbaStrMove.MSVBVM60 ref: 005563F0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 00556410
    • __vbaFreeStr.MSVBVM60 ref: 00556419
    • __vbaFreeObj.MSVBVM60 ref: 00556422
    • __vbaVarDup.MSVBVM60 ref: 0055645D
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 00556475
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0055648D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005564B2
    • __vbaCastObj.MSVBVM60(00000000), ref: 005564B5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005564C0
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005564D5
    • __vbaExitProc.MSVBVM60 ref: 005564DE
    Strings
    • Value must lie between 0 and 255, xrefs: 00556449
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Error$BoundsGenerate$CheckHresultList$#595CallCastExitLateMoveProc
    • String ID: Value must lie between 0 and 255
    • API String ID: 1306855640-116363276
    • Opcode ID: efb096d14bbac1876ab8aadf8cae2cd00c9d08b736832e3f9355cfd3b2879bc7
    • Instruction ID: 429c543cb3b45ee5528e109ce888b95a001b8f4e3dd8c7c25bc359ece75cabce
    • Opcode Fuzzy Hash: efb096d14bbac1876ab8aadf8cae2cd00c9d08b736832e3f9355cfd3b2879bc7
    • Instruction Fuzzy Hash: A27159B2D00249DFCB14DFA4D988ADEBBB8FF48301F54812AF556A7161DB305909CFA4
    Function 005AF2E0 Relevance: 42.1, APIs: 21, Strings: 3, Instructions: 147COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(00407200,00454AC4), ref: 005AF340
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AF34D
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E21EE
      • Part of subcall function 004E21D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E221E
      • Part of subcall function 004E21D0: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E2235
      • Part of subcall function 004E21D0: __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,0040A636), ref: 004E2255
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000160), ref: 004E22AC
      • Part of subcall function 004E21D0: __vbaObjSet.MSVBVM60(?,?), ref: 004E22D9
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000164), ref: 004E230C
      • Part of subcall function 004E21D0: __vbaFreeObj.MSVBVM60 ref: 004E2327
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60 ref: 004E2347
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005AF35B
    • __vbaCastObj.MSVBVM60(00407200,00454AC4), ref: 005AF367
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AF36E
      • Part of subcall function 004E3600: __vbaHresultCheckObj.MSVBVM60(00000000,6D49D94B,00454AC4,000001C8,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E3641
      • Part of subcall function 004E3600: __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000080,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E372D
      • Part of subcall function 004E3600: __vbaNew2.MSVBVM60(0041F4A8,00626040,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E3742
      • Part of subcall function 004E3600: __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000100,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E376A
    • __vbaFreeObj.MSVBVM60(?,0000000A,000000F6), ref: 005AF380
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005AF38E
    • __vbaStrCat.MSVBVM60(?,?), ref: 005AF3A5
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005AF3B2
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005AF3BA
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005AF3C1
    • __vbaStrCat.MSVBVM60(AFC,00000000), ref: 005AF3C9
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005AF3D0
    • __vbaStrCat.MSVBVM60( is the default (and required) extension of the project file.,00000000), ref: 005AF3D8
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005AF3DF
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 005AF3EF
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AF406
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005AF429
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 005AF44D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005AF45D
    • __vbaFreeStr.MSVBVM60(005AF4A6), ref: 005AF49F
    Strings
    • is the default (and required) extension of the project file., xrefs: 005AF3D3
    • AFC, xrefs: 005AF3C4
    • To save the files, select Save from the File menu., xrefs: 005AF386
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move$CastChkstkListNew2$AddrefCopyError
    • String ID: is the default (and required) extension of the project file.$AFC$To save the files, select Save from the File menu.
    • API String ID: 853440912-3586914469
    • Opcode ID: 61d5b2c705b16da6150dac4951f72f1ace5613837fb88ce3698345b83f800e92
    • Instruction ID: f00d0f6851047e54c49397128ff19754ca7ebd69c194c153fbd9057744a68d11
    • Opcode Fuzzy Hash: 61d5b2c705b16da6150dac4951f72f1ace5613837fb88ce3698345b83f800e92
    • Instruction Fuzzy Hash: 17510E75900209AFDB00EBA4CD45EEEBBB8FF48715F108529F501F31A1EB749945CBA5
    Function 0050C190 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 135COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0050C1F0
    • __vbaStrCopy.MSVBVM60 ref: 0050C1FA
    • __vbaStrCopy.MSVBVM60 ref: 0050C204
    • __vbaStrCopy.MSVBVM60 ref: 0050C20E
      • Part of subcall function 004E3BA0: __vbaChkstk.MSVBVM60(00000000,0040A636,004D144B,?,00000012), ref: 004E3BBE
      • Part of subcall function 004E3BA0: #526.MSVBVM60(?,00000000), ref: 004E3C2F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3C39
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3C44
      • Part of subcall function 004E3BA0: __vbaFreeVar.MSVBVM60 ref: 004E3C4D
      • Part of subcall function 004E3BA0: __vbaOnError.MSVBVM60(000000FF), ref: 004E3C5C
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(00000000,?), ref: 004E3C82
      • Part of subcall function 004E3BA0: #619.MSVBVM60(?,00000008,00000000), ref: 004E3C9F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3CA9
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3CB4
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3CC4
      • Part of subcall function 004E3BA0: __vbaStrCopy.MSVBVM60(?,00000000,0040A636,004D144B), ref: 004E3D38
      • Part of subcall function 004E3BA0: __vbaFreeStr.MSVBVM60(004E3D76,?,00000000,0040A636,004D144B), ref: 004E3D6F
    • __vbaStrMove.MSVBVM60(?,00000024,?), ref: 0050C22C
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C235
    • __vbaStrMove.MSVBVM60 ref: 0050C23C
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(?,00000000), ref: 004E3CE0
      • Part of subcall function 004E3BA0: #617.MSVBVM60(?,00000008,00000000), ref: 004E3CFD
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3D07
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3D12
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3D22
    • __vbaStrMove.MSVBVM60(?,0000000E,00000000), ref: 0050C24F
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C252
    • __vbaStrMove.MSVBVM60 ref: 0050C259
    • __vbaStrMove.MSVBVM60(?,0000000E,00000000), ref: 0050C26C
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C26F
    • __vbaStrMove.MSVBVM60 ref: 0050C276
    • __vbaStrMove.MSVBVM60(?,0000000E,00000000), ref: 0050C289
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050C28C
    • __vbaStrMove.MSVBVM60 ref: 0050C293
    • __vbaStrCat.MSVBVM60(Raw input,00000000), ref: 0050C29B
    • __vbaStrMove.MSVBVM60 ref: 0050C2A2
      • Part of subcall function 00507520: __vbaStrCopy.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 0050755A
      • Part of subcall function 00507520: __vbaNew2.MSVBVM60(00459D58,0062B924,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507572
      • Part of subcall function 00507520: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000020,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507597
      • Part of subcall function 00507520: __vbaStrCat.MSVBVM60(?,?,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075A8
      • Part of subcall function 00507520: __vbaStrMove.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075B3
      • Part of subcall function 00507520: __vbaPrintObj.MSVBVM60(0045E7F8,?,00000000,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075C3
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075CF
      • Part of subcall function 00507520: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075D8
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(00507602,?,?,?,?,?,?,?,00000000,0040A636), ref: 005075FB
    • __vbaFreeStrList.MSVBVM60(0000000D,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0050C2E0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Copy$List$#526#617#619CheckChkstkErrorHresultNew2Print
    • String ID: Default$Full scale$Process input:$Raw input$Zero scale
    • API String ID: 2510133313-1992115636
    • Opcode ID: 0c142ae24589466fbcbf6c2a03048dbd82666d1d8055c59e1839741eebef7f86
    • Instruction ID: c9c7924468c7cdb4580c19aca460371af376ff9ce14a3f24c7af5faf3e9dbb51
    • Opcode Fuzzy Hash: 0c142ae24589466fbcbf6c2a03048dbd82666d1d8055c59e1839741eebef7f86
    • Instruction Fuzzy Hash: C741ECB2D1011CABCB05DBA5DD45EDFBBB9AF58700F10852BE506B3150EA746A09CBA0
    Function 004DF250 Relevance: 40.9, APIs: 27, Instructions: 355COMMON
    Download Yara Rule
    APIs
    • __vbaSetSystemError.MSVBVM60(?,00000001,00000000,?), ref: 004DF2F2
    • #681.MSVBVM60(?,?,?,?), ref: 004DF327
    • __vbaI2Var.MSVBVM60(?), ref: 004DF331
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004DF34D
    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004DF366
    • #681.MSVBVM60(?,?,?,?,?,00000000), ref: 004DF39B
    • __vbaI2Var.MSVBVM60(?,?,00000000), ref: 004DF3A5
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000000), ref: 004DF3C1
    • __vbaSetSystemError.MSVBVM60(?,00000002), ref: 004DF3DB
    • __vbaSetSystemError.MSVBVM60(00000000,00000003,?,00000002), ref: 004DF406
    • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000002), ref: 004DF43B
    • __vbaSetSystemError.MSVBVM60(?,00000004,?,00000000,?,00000002), ref: 004DF44E
    • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000004,?,00000000,?,00000002), ref: 004DF481
    • __vbaSetSystemError.MSVBVM60(00000000,00000004,?,00000000,?,00000004,?,00000000,?,00000002), ref: 004DF494
    • __vbaSetSystemError.MSVBVM60(00000000,00000004,?,00000000,?,00000004,?,00000000,?,00000002), ref: 004DF4D5
    • #681.MSVBVM60(?,?,?,?,?,00000000,?,00000004,?,00000000,?,00000002), ref: 004DF50A
    • __vbaI2Var.MSVBVM60(?,?,00000000,?,00000004,?,00000000,?,00000002), ref: 004DF517
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,00000004,?,00000000,?,00000002), ref: 004DF532
    • #681.MSVBVM60(?,?,?,?,?,?,00000000,?,00000002), ref: 004DF5F7
    • #681.MSVBVM60(?,?,?,?,?,?,00000000,?,00000002), ref: 004DF63D
    • #681.MSVBVM60(?,?,?,?,?,?,00000000,?,00000002), ref: 004DF68E
    • __vbaVarOr.MSVBVM60(?,?,?,?,?,00000000,?,00000002), ref: 004DF6B4
    • __vbaVarOr.MSVBVM60(?,?,00000000,?,?,00000000,?,00000002), ref: 004DF6C5
    • __vbaVarOr.MSVBVM60(?,?,00000000,?,?,00000000,?,00000002), ref: 004DF6D6
    • __vbaVarOr.MSVBVM60(?,?,00000000,?,?,00000000,?,00000002), ref: 004DF6E7
    • __vbaI4Var.MSVBVM60(00000000,?,?,00000000,?,00000002), ref: 004DF6EA
    • __vbaFreeVarList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000002), ref: 004DF725
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$ErrorSystem$#681$FreeList
    • String ID:
    • API String ID: 2355099508-0
    • Opcode ID: 40862f2c8f6d6b47c9addfbb43dec8919e1124ea62aa0b88f07105cfbad88951
    • Instruction ID: 1f00f779a81090c110e2a6ed237a2377a5ed355bbb225060bbf60df4795012c2
    • Opcode Fuzzy Hash: 40862f2c8f6d6b47c9addfbb43dec8919e1124ea62aa0b88f07105cfbad88951
    • Instruction Fuzzy Hash: ADF109B1C012199BCB20DFA5CA55ADEF7F8FF44304F10859FE24AA6250E7B46A88CF54
    Function 0058B0F0 Relevance: 40.8, APIs: 27, Instructions: 250COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(00406398,00454AC4,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B147
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B154
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E21EE
      • Part of subcall function 004E21D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E221E
      • Part of subcall function 004E21D0: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E2235
      • Part of subcall function 004E21D0: __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,0040A636), ref: 004E2255
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000160), ref: 004E22AC
      • Part of subcall function 004E21D0: __vbaObjSet.MSVBVM60(?,?), ref: 004E22D9
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000164), ref: 004E230C
      • Part of subcall function 004E21D0: __vbaFreeObj.MSVBVM60 ref: 004E2327
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60 ref: 004E2347
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B162
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B176
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046207C,00000040,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B199
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E30AE
      • Part of subcall function 004E3090: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E30DE
      • Part of subcall function 004E3090: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E30F8
      • Part of subcall function 004E3090: #681.MSVBVM60(?,0000400B,00000003,00000003), ref: 004E313E
      • Part of subcall function 004E3090: #681.MSVBVM60(?,0000400B,?,00000003), ref: 004E3178
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60 ref: 004E3183
      • Part of subcall function 004E3090: __vbaLateMemSt.MSVBVM60(?,BackColor), ref: 004E31AD
      • Part of subcall function 004E3090: __vbaFreeVarList.MSVBVM60(00000005,00000003,00000003,?,00000003,?), ref: 004E31C9
    • __vbaCastObj.MSVBVM60(?,0045B140,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B1A8
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B1AF
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0058B1CC
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B1E3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046207C,00000040,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B206
    • __vbaCastObj.MSVBVM60(?,0045B140,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B215
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058B21C
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0058B239
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058B250
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046207C,00000040), ref: 0058B273
    • __vbaCastObj.MSVBVM60(?,0045B140), ref: 0058B282
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058B289
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0058B2A6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058B2BD
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0046207C,00000040), ref: 0058B2E0
    • __vbaCastObj.MSVBVM60(?,0045B140), ref: 0058B2EF
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058B2F6
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0058B313
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406398,0046AC5C,000006F8), ref: 0058B33D
    • __vbaCastObj.MSVBVM60(00406398,00454AC4), ref: 0058B349
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058B350
    • __vbaFreeObj.MSVBVM60(?,000000F6,0000000A), ref: 0058B362
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$Cast$List$Chkstk$#681AddrefError$LateNew2
    • String ID:
    • API String ID: 4182066915-0
    • Opcode ID: efac179db07629c4ae8535c944b329e1f43d517f5a4f3f805207d9dd614163f8
    • Instruction ID: c379f5692ac1d58f49858b42575c0475fdcfc10c3b7f4f5228234e2fabdd0313
    • Opcode Fuzzy Hash: efac179db07629c4ae8535c944b329e1f43d517f5a4f3f805207d9dd614163f8
    • Instruction Fuzzy Hash: 9C810D71900209ABDB00EFA5CD49FEFB7BCFF48704F104519F601B7191EA78A6458BA8
    Function 004CC030 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 161COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(6D49D83C,6D49D8B1,?), ref: 004CC07B
    • #632.MSVBVM60(?,?,?,?), ref: 004CC0BB
    • __vbaStrVarMove.MSVBVM60(?,?,?), ref: 004CC0C5
    • __vbaStrMove.MSVBVM60(?,?), ref: 004CC0D0
    • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?), ref: 004CC0E0
    • __vbaStrCmp.MSVBVM60(00452580,?), ref: 004CC0F2
    • __vbaInStr.MSVBVM60(00000000,?, ,00000001), ref: 004CC117
    • __vbaStrCopy.MSVBVM60 ref: 004CC12E
    • __vbaStrCopy.MSVBVM60 ref: 004CC148
    • __vbaStrCmp.MSVBVM60(00456904,?), ref: 004CC163
    • __vbaStrCopy.MSVBVM60 ref: 004CC17B
    • __vbaStrCat.MSVBVM60(?,?), ref: 004CC1B6
    • __vbaStrMove.MSVBVM60 ref: 004CC1C1
    • #632.MSVBVM60(?,00004008,?,00000002), ref: 004CC1FE
    • __vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 004CC208
    • __vbaStrMove.MSVBVM60(?,00000002), ref: 004CC212
    • __vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,00000002), ref: 004CC222
    • __vbaStrCopy.MSVBVM60 ref: 004CC231
    • __vbaFreeStr.MSVBVM60(004CC282), ref: 004CC27A
    • __vbaFreeStr.MSVBVM60 ref: 004CC27F
    • __vbaErrorOverflow.MSVBVM60(?), ref: 004CC298
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyMove$Free$#632List$ErrorOverflow
    • String ID:
    • API String ID: 2188610964-178107231
    • Opcode ID: 40afc3187fd9df5aefa32dde7a83b97c6302e5002bd675f8a1bafdc6895248c8
    • Instruction ID: 3ddb55bc463415cf846f641df6f87f5d7a3aff18c41dd7fb0e544eed38ef1daf
    • Opcode Fuzzy Hash: 40afc3187fd9df5aefa32dde7a83b97c6302e5002bd675f8a1bafdc6895248c8
    • Instruction Fuzzy Hash: 0B514AB5D00219ABDB00DFE0DD88AEEB779FB48701F14812EE506B7261DBB85846CF58
    Function 005CF030 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 139COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CF0A3
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF0A6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CF0B1
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005CF0C6
    • __vbaStrCat.MSVBVM60(?,A number between 0 and ), ref: 005CF0E1
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF0EE
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 005CF0F6
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF0FD
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CF106
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF10D
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005CF115
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF11C
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 005CF126
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF12D
    • __vbaStrCat.MSVBVM60(Value must be non-zero for proving; default is 0.,00000000), ref: 005CF135
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF13C
    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 005CF154
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005CF16B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 005CF18C
    • __vbaFreeObj.MSVBVM60 ref: 005CF195
    • __vbaFreeStr.MSVBVM60(005CF1E3), ref: 005CF1DC
    Strings
    • Value must be non-zero for proving; default is 0., xrefs: 005CF130
    • A number between 0 and , xrefs: 005CF0DB
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Late$CheckList$CallCastHresultType
    • String ID: A number between 0 and $Value must be non-zero for proving; default is 0.
    • API String ID: 1211845585-102621379
    • Opcode ID: cb040d8e2fc677855dbb5b5f64b07971d65752c4416bc60db9cf4f91c5bd1e29
    • Instruction ID: eacc2600e59ecf195993cb844fef1cc7d67123e857b7b237d9ec7e7fa57c1bb2
    • Opcode Fuzzy Hash: cb040d8e2fc677855dbb5b5f64b07971d65752c4416bc60db9cf4f91c5bd1e29
    • Instruction Fuzzy Hash: 1341FF75900209AFDB00EFA4DD85EEEBBB9FF58700F14852AF505F3250EA749905CBA4
    Function 00569140 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 185COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005691E2
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005691F1
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005691FC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 0056921C
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 00569225
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0056922E
    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0056926D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005692DF
    • __vbaStrCat.MSVBVM60(?,Manual: Each time Read is clicked, the meters are polled once.), ref: 005692FC
    • __vbaStrMove.MSVBVM60 ref: 00569309
    • __vbaStrCat.MSVBVM60(Auto: After Read is clicked, the meters are polled automatically,00000000), ref: 00569311
    • __vbaStrMove.MSVBVM60 ref: 00569318
    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00569322
    • __vbaStrMove.MSVBVM60 ref: 00569329
    • __vbaStrCat.MSVBVM60( every X seconds, where X is the update time.,00000000), ref: 00569331
    • __vbaStrMove.MSVBVM60 ref: 00569338
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 00569351
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00569369
    • __vbaFreeObj.MSVBVM60 ref: 00569375
    Strings
    • Manual: Each time Read is clicked, the meters are polled once., xrefs: 005692F3
    • Auto: After Read is clicked, the meters are polled automatically, xrefs: 0056930C
    • every X seconds, where X is the update time., xrefs: 0056932C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CheckHresult$ErrorListOverflow
    • String ID: every X seconds, where X is the update time.$Auto: After Read is clicked, the meters are polled automatically$Manual: Each time Read is clicked, the meters are polled once.
    • API String ID: 3916703635-354077450
    • Opcode ID: 7ece486ac20f68db57586ff91bb516a93b258a5043dbdae748d3c3f04e71706b
    • Instruction ID: cf308b4833a56cd662f94775b22f7e33d39678632bc49d170890a33be70372ca
    • Opcode Fuzzy Hash: 7ece486ac20f68db57586ff91bb516a93b258a5043dbdae748d3c3f04e71706b
    • Instruction Fuzzy Hash: 3F515F75900609EFCB10EFA4CD49AEEBBBCFF48701F10816AE945E3290D6785946CFA5
    Function 0052D370 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 176COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 0052D3D2
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0052D3E5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052D410
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0052D437
    • __vbaI4Str.MSVBVM60(?), ref: 0052D441
    • __vbaFreeStr.MSVBVM60 ref: 0052D44C
    • __vbaFreeObj.MSVBVM60 ref: 0052D455
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052D480
    • __vbaStrI4.MSVBVM60(?), ref: 0052D491
    • __vbaStrMove.MSVBVM60 ref: 0052D49C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 0052D4BC
    • __vbaFreeStr.MSVBVM60 ref: 0052D4C5
    • __vbaFreeObj.MSVBVM60 ref: 0052D4CE
    • __vbaVarDup.MSVBVM60 ref: 0052D509
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 0052D521
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0052D539
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052D55E
    • __vbaCastObj.MSVBVM60(00000000), ref: 0052D561
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052D56C
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0052D581
    • __vbaExitProc.MSVBVM60 ref: 0052D58A
    Strings
    • Value must be greater than or equal to 0., xrefs: 0052D4F5
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckErrorHresultList$#595BoundsCallCastExitGenerateLateMoveProc
    • String ID: Value must be greater than or equal to 0.
    • API String ID: 2001290958-3437573232
    • Opcode ID: a4d51e11032f0007d31db4de86523264ea804fcb9ea0344ea5ebe77e333bc82a
    • Instruction ID: 700f00b5a0eaec7abc39d0516275d35235b5c86e69de3adceba50cdfab1e88c9
    • Opcode Fuzzy Hash: a4d51e11032f0007d31db4de86523264ea804fcb9ea0344ea5ebe77e333bc82a
    • Instruction Fuzzy Hash: 3C616BB2D00218AFCB14DFA4D988ADEBBB8FF48700F10812AF556B71A1DB745905CFA4
    Function 005F9180 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 173COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005F91E2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F91F6
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005F921D
    • __vbaI4Str.MSVBVM60(?), ref: 005F9227
    • __vbaFreeStr.MSVBVM60 ref: 005F9232
    • __vbaFreeObj.MSVBVM60 ref: 005F923B
    • __vbaI2I4.MSVBVM60 ref: 005F9260
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F9281
    • __vbaStrI2.MSVBVM60(?), ref: 005F9296
    • __vbaStrMove.MSVBVM60 ref: 005F92A1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005F92C7
    • __vbaFreeStr.MSVBVM60 ref: 005F92D0
    • __vbaFreeObj.MSVBVM60 ref: 005F92D9
    • __vbaVarDup.MSVBVM60 ref: 005F9314
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005F932C
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005F9344
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F9369
    • __vbaCastObj.MSVBVM60(00000000), ref: 005F936C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F9377
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005F938C
    • __vbaExitProc.MSVBVM60 ref: 005F9395
    Strings
    • Value must lie between 100 and 32767, xrefs: 005F9300
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultList$#595CallCastErrorExitLateMoveProc
    • String ID: Value must lie between 100 and 32767
    • API String ID: 480910435-4004530972
    • Opcode ID: 6e78337143bab38b442c3e89b0fbdd48f5bd96d9b59cc741f81d2a331895e56b
    • Instruction ID: 0634d36923f005b131ebef77a9f0f9af086d0da4383bd9f7aad5b47623666d68
    • Opcode Fuzzy Hash: 6e78337143bab38b442c3e89b0fbdd48f5bd96d9b59cc741f81d2a331895e56b
    • Instruction Fuzzy Hash: F16109B6D00209AFCB14DFA4C988ADEBBB8FF48300F10852AE556A7260DB745945CFA5
    Function 004EA2F0 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 124COMMON
    Download Yara Rule
    APIs
    • __vbaStrMove.MSVBVM60(00000000,6D48A323,6D49D8B1,6D49D8F4,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA341
    • __vbaStrCat.MSVBVM60(004568D4,?,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA364
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA36B
    • __vbaStrI2.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA373
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA37E
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA381
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA388
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA394
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA3AE
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA3C3
    • __vbaStrCat.MSVBVM60(004568D4,?,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA3D2
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA3D9
    • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA3F5
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA3FC
    • __vbaStrCat.MSVBVM60(004568D4,00000000,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA404
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA40B
    • __vbaStrCat.MSVBVM60(004024D8,00000000,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA425
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA42C
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA43C
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA44B
    • __vbaFreeStr.MSVBVM60(004EA489,?,?,?,?,?,?,?,?,00000000,0040A636,004EE4B8), ref: 004EA482
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$BoundsErrorGenerateList$Copy
    • String ID: x&@
    • API String ID: 3068961724-278995534
    • Opcode ID: cec422eb9b01a7f1206483e4fcb2529f676222569a63eb67e9ca8e0d0a2e4334
    • Instruction ID: 4dffb7903ab7cfa1f25783a8a44dc5aabbb7c8c50693effe028a52647aafdff6
    • Opcode Fuzzy Hash: cec422eb9b01a7f1206483e4fcb2529f676222569a63eb67e9ca8e0d0a2e4334
    • Instruction Fuzzy Hash: 26418C71D001199FCB04EFA5DD85DEEBBB9FF58300F10412AE902A7264EB74A946CFA5
    Function 005DC2A0 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 166COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005DC302
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005DC316
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005DC33D
    • __vbaI2Str.MSVBVM60(?), ref: 005DC347
    • __vbaFreeStr.MSVBVM60 ref: 005DC352
    • __vbaFreeObj.MSVBVM60 ref: 005DC35B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005DC394
    • __vbaStrI2.MSVBVM60(?), ref: 005DC3A5
    • __vbaStrMove.MSVBVM60 ref: 005DC3B0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005DC3D0
    • __vbaFreeStr.MSVBVM60 ref: 005DC3D9
    • __vbaFreeObj.MSVBVM60 ref: 005DC3E2
    • __vbaVarDup.MSVBVM60 ref: 005DC41D
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005DC435
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005DC44D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005DC472
    • __vbaCastObj.MSVBVM60(00000000), ref: 005DC475
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005DC480
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005DC495
    • __vbaExitProc.MSVBVM60 ref: 005DC49E
    Strings
    • Value must lie between 0 and 1439., xrefs: 005DC409
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultList$#595CallCastErrorExitLateMoveProc
    • String ID: Value must lie between 0 and 1439.
    • API String ID: 480910435-882911530
    • Opcode ID: 2b06d725466495ca293317e2bbd4e205f856bb28114996a6fb6c9b33941b1b66
    • Instruction ID: 29fa18892d98a5bd1787f82cd34721e9ece69a0295beabdb5e818f35c88f71c7
    • Opcode Fuzzy Hash: 2b06d725466495ca293317e2bbd4e205f856bb28114996a6fb6c9b33941b1b66
    • Instruction Fuzzy Hash: 12514AB2C00209ABCB14DFA4D988ADEBBB8FF48301F10852AF556F7261DB745905CFA4
    Function 005641F0 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 163COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00564252
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00564266
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0056428D
    • __vbaI2Str.MSVBVM60(?), ref: 00564297
    • __vbaFreeStr.MSVBVM60 ref: 005642A2
    • __vbaFreeObj.MSVBVM60 ref: 005642AB
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00469870,000006F8), ref: 005642DE
    • __vbaStrI2.MSVBVM60(?,Value must lie between 1 and ), ref: 00564312
    • __vbaStrMove.MSVBVM60 ref: 00564323
    • __vbaStrCat.MSVBVM60(00000000), ref: 0056432C
    • __vbaStrMove.MSVBVM60 ref: 00564333
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 0056433B
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 00564359
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00564369
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00564381
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005643A6
    • __vbaCastObj.MSVBVM60(00000000), ref: 005643A9
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005643B4
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005643C9
    • __vbaExitProc.MSVBVM60 ref: 005643D2
    Strings
    • Value must lie between 1 and , xrefs: 00564305
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$List$CheckHresultMove$#595CallCastErrorExitLateProc
    • String ID: Value must lie between 1 and
    • API String ID: 3423604463-2957168035
    • Opcode ID: 3d70c731e6f748351a18b66582b5241af10b1a42cd0ce3af681358d0bad044b7
    • Instruction ID: 21a07a89d06a0b4c27d7351893fbd6f7ee5b2eaa42b8e9769c64e1b4e69a5b00
    • Opcode Fuzzy Hash: 3d70c731e6f748351a18b66582b5241af10b1a42cd0ce3af681358d0bad044b7
    • Instruction Fuzzy Hash: 105105B2900218ABCB10DFA4DD88AEEBBB9FB48700F14452EF506E7261DB755945CFA4
    Function 0052D050 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 118COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D0BD
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D0C0
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D0CB
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0052D0E0
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D0F7
    • __vbaStrCat.MSVBVM60( than the highest value that the pulse input card will return.,A number whose value is 1 greater,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D10E
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D11B
    • __vbaStrCat.MSVBVM60( Enter 0 for a free-running pulse input, which rolls over to 0 from,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D123
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D12A
    • __vbaStrCat.MSVBVM60( 655359999 (split) or 4294967295 (32-bit).,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D132
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D139
    • __vbaStrCat.MSVBVM60( Enter 16777216 for a 24-bit pulse input.,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D141
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D148
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 0052D161
    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0052D179
    • __vbaFreeObj.MSVBVM60 ref: 0052D185
    Strings
    • Enter 0 for a free-running pulse input, which rolls over to 0 from, xrefs: 0052D11E
    • 655359999 (split) or 4294967295 (32-bit)., xrefs: 0052D12D
    • than the highest value that the pulse input card will return., xrefs: 0052D106
    • A number whose value is 1 greater, xrefs: 0052D101
    • Enter 16777216 for a 24-bit pulse input., xrefs: 0052D13C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$Late$CheckList$CallCastHresultType
    • String ID: Enter 0 for a free-running pulse input, which rolls over to 0 from$ Enter 16777216 for a 24-bit pulse input.$ 655359999 (split) or 4294967295 (32-bit).$ than the highest value that the pulse input card will return.$A number whose value is 1 greater
    • API String ID: 475149453-1668325178
    • Opcode ID: 5f96f44ec87eb9dc417ae7fb3f2c18441c171903fd067a0a0cbe072211f8b548
    • Instruction ID: a0a47722a44d168e5a87854f5a01631cbf15140166457349770e37fbe7ac4672
    • Opcode Fuzzy Hash: 5f96f44ec87eb9dc417ae7fb3f2c18441c171903fd067a0a0cbe072211f8b548
    • Instruction Fuzzy Hash: 1D41FBB5D00259ABCB00EFA4CD45EEEBBBCEF48700F14416AE945F3190EA74A945CFA5
    Function 005390C0 Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 269COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053913C
    • __vbaCastObj.MSVBVM60(00000000), ref: 0053913F
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053914A
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0053915D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00539170
    • __vbaFreeVar.MSVBVM60 ref: 0053917C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404188,00454174,000000A4), ref: 005391AE
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005391C5
    • __vbaNew2.MSVBVM60(004223A8,00629550), ref: 00539209
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004645E0,000002B0), ref: 00539280
    • __vbaVarDup.MSVBVM60 ref: 005392CE
    • #595.MSVBVM60(?,00000000,?,?,?), ref: 005392E6
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 005392FE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404188,00454174,000000A4), ref: 00539324
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404188,00454174,00000094), ref: 00539352
    • __vbaNew2.MSVBVM60(0041C848,006295B4), ref: 00539367
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00467224,000002B0), ref: 005393D6
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404188,00454174,00000090), ref: 00539408
    • #598.MSVBVM60 ref: 00539418
    Strings
    • No components selected; cannot enter analysis., xrefs: 005392C0
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$#598ListNew2$#595BoolBoundsCallCastErrorGenerateLateMoveNull
    • String ID: No components selected; cannot enter analysis.
    • API String ID: 1392317113-1648291564
    • Opcode ID: 85c6857fa4384f36566a8ac92b70d597b7329a343f1a3b11674fd23a31cc2a7f
    • Instruction ID: 220f94068dc36e98c9b8671ef8d3efe4c7eb7ba0cdadd81a4e1ed4b85defab0d
    • Opcode Fuzzy Hash: 85c6857fa4384f36566a8ac92b70d597b7329a343f1a3b11674fd23a31cc2a7f
    • Instruction Fuzzy Hash: D2B14FB1E00305AFDB10DFA8C988BAEBBB8FF49704F108569E509EB291D7749945CF94
    Function 0054E1A0 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 162COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054E207
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0054E20A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054E215
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0054E228
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0054E23A
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0054E246
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 0054E268
    • __vbaCastObj.MSVBVM60(PG@,00454AC4), ref: 0054E27A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054E285
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8), ref: 0054E2AA
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0054E2B8
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 0054E2DA
    • __vbaCastObj.MSVBVM60(PG@,00454AC4), ref: 0054E2EC
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054E2F7
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000710), ref: 0054E326
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0054E332
    • __vbaCastObj.MSVBVM60(PG@,00454AC4), ref: 0054E343
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054E34E
    • __vbaFreeObj.MSVBVM60(?,?,?,?), ref: 0054E371
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Cast$CheckHresultNew2$#598BoolCallLateListMoveNull
    • String ID: PG@
    • API String ID: 2197697564-1511616496
    • Opcode ID: dfda0e295fecda73d5a814c0eee91ae335a24f331fc1478bf7fa3deef600c675
    • Instruction ID: 8024eb5a8a013eab33b2380250167184b1f2dd072f9ab21032693fd51c3475fd
    • Opcode Fuzzy Hash: dfda0e295fecda73d5a814c0eee91ae335a24f331fc1478bf7fa3deef600c675
    • Instruction Fuzzy Hash: CE515E7590024AAFCB10DFA4DD8AEFE7BBDFB48704F004529F505B3190D774A9468BA8
    Function 004E11C0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 161COMMON
    Download Yara Rule
    APIs
    • __vbaVarDup.MSVBVM60 ref: 004E123C
    • __vbaVarDup.MSVBVM60 ref: 004E1257
    • #681.MSVBVM60(?,?,?,?), ref: 004E1286
    • __vbaVarDup.MSVBVM60 ref: 004E12A5
    • #681.MSVBVM60(?,?,?,?), ref: 004E12D7
    • __vbaStrVarMove.MSVBVM60(?), ref: 004E12E3
    • __vbaStrMove.MSVBVM60 ref: 004E12F0
    • __vbaFreeVarList.MSVBVM60(00000007,0000000B,?,?,0000000B,?,?,?), ref: 004E1313
    • #617.MSVBVM60(?,0000000B,00000001), ref: 004E133E
    • #528.MSVBVM60(?,?), ref: 004E134C
    • #632.MSVBVM60(?,?,00000002,?), ref: 004E1380
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 004E1392
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004E1399
    • __vbaStrMove.MSVBVM60 ref: 004E13A0
    • __vbaFreeVarList.MSVBVM60(00000005,?,0000000A,?,?,?), ref: 004E13B8
    • __vbaStrCopy.MSVBVM60 ref: 004E13C7
    • __vbaFreeStr.MSVBVM60(004E140D), ref: 004E1406
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$#681List$#528#617#632Copy
    • String ID: differential pressure$flow rate$pulse frequency
    • API String ID: 318377274-3631630241
    • Opcode ID: ed0f7e137a7726fa9432fcf492338d1bc1ab817d9be5609c16012d8bcc9c5361
    • Instruction ID: 47b34d3b2549966c3c831654168ce4a279b9abc7dfc0c29bf26bf86499cde5d9
    • Opcode Fuzzy Hash: ed0f7e137a7726fa9432fcf492338d1bc1ab817d9be5609c16012d8bcc9c5361
    • Instruction Fuzzy Hash: 8261E5B1C0021D9FDB14DFA5C884ADEB7B8FB48704F00C15AE525B7251EBB4664ACFA5
    Function 005C7030 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 160COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005C70A0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C70B4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005C70DB
    • __vbaI2Str.MSVBVM60(?), ref: 005C70E5
    • __vbaFreeStr.MSVBVM60 ref: 005C70F0
    • __vbaFreeObj.MSVBVM60 ref: 005C70F9
    • __vbaStrI2.MSVBVM60(?,Value must lie between 1 and ), ref: 005C7153
    • __vbaStrMove.MSVBVM60 ref: 005C7164
    • __vbaStrCat.MSVBVM60(00000000), ref: 005C716D
    • __vbaStrMove.MSVBVM60 ref: 005C7174
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005C717C
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005C719A
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005C71AA
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 005C71C2
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C71E7
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C71EA
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C71F5
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005C720A
    • __vbaExitProc.MSVBVM60 ref: 005C7213
    Strings
    • Value must lie between 1 and , xrefs: 005C7146
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$List$Move$#595CallCastCheckErrorExitHresultLateProc
    • String ID: Value must lie between 1 and
    • API String ID: 3759094878-2957168035
    • Opcode ID: 000a655898ecb393ea715edbcc1042232bf11d90e307e74e33abcd7b909e7017
    • Instruction ID: 675f73dfb2a41a66d0fedaa0e84d9c6326ea058ac5d23392a8995e3f8c5be650
    • Opcode Fuzzy Hash: 000a655898ecb393ea715edbcc1042232bf11d90e307e74e33abcd7b909e7017
    • Instruction Fuzzy Hash: 895105B2900218ABCB10DFE4DD88AEEBBB9FB48700F14452EF506A7651DB745945CFA4
    Function 00523220 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 157COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 00523285
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00523299
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005232C0
    • __vbaI2Str.MSVBVM60(?), ref: 005232CA
    • __vbaFreeStr.MSVBVM60 ref: 005232D6
    • __vbaFreeObj.MSVBVM60 ref: 005232DF
    • __vbaStrI2.MSVBVM60(?,Value must lie between 1 and ), ref: 0052332E
    • __vbaStrMove.MSVBVM60 ref: 0052333F
    • __vbaStrCat.MSVBVM60(00000000), ref: 00523348
    • __vbaStrMove.MSVBVM60 ref: 0052334F
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 00523357
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 00523375
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00523385
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0052339D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005233C2
    • __vbaCastObj.MSVBVM60(00000000), ref: 005233C5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005233D0
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005233E5
    • __vbaExitProc.MSVBVM60 ref: 005233EE
    Strings
    • Value must lie between 1 and , xrefs: 00523321
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$List$Move$#595CallCastCheckErrorExitHresultLateProc
    • String ID: Value must lie between 1 and
    • API String ID: 3759094878-2957168035
    • Opcode ID: 0940e3f97cd697172ca9ecaf3a2502f71c9535be010f65ecf2a43f265e8bb212
    • Instruction ID: b46bcaa95c31509eb087a9872b58dab266c8f2ebf2572bb93aed1709cb71b785
    • Opcode Fuzzy Hash: 0940e3f97cd697172ca9ecaf3a2502f71c9535be010f65ecf2a43f265e8bb212
    • Instruction Fuzzy Hash: E451F6B2900258ABDB10DFA4DD48AEEBBB8FF48700F14452AF506B72A0DB745945CFA4
    Function 0059B1C0 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 155COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 0059B222
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059B236
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 0059B25D
    • __vbaI2Str.MSVBVM60(?), ref: 0059B267
    • __vbaFreeStr.MSVBVM60 ref: 0059B272
    • __vbaFreeObj.MSVBVM60 ref: 0059B27B
    • __vbaStrI2.MSVBVM60(?,Value must lie between 1 and ), ref: 0059B2C5
    • __vbaStrMove.MSVBVM60 ref: 0059B2D6
    • __vbaStrCat.MSVBVM60(00000000), ref: 0059B2DF
    • __vbaStrMove.MSVBVM60 ref: 0059B2E6
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 0059B2EE
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 0059B30C
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0059B31C
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0059B334
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059B359
    • __vbaCastObj.MSVBVM60(00000000), ref: 0059B35C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059B367
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0059B37C
    • __vbaExitProc.MSVBVM60 ref: 0059B385
    Strings
    • Value must lie between 1 and , xrefs: 0059B2B8
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$List$Move$#595CallCastCheckErrorExitHresultLateProc
    • String ID: Value must lie between 1 and
    • API String ID: 3759094878-2957168035
    • Opcode ID: 1b1926564bd92f15325cc400dfe95769c5cd3de717b2ac83a834935b4a4ce0a5
    • Instruction ID: f82dd35e8727bd3f9a56b18c0a2c2e84d9a6acf063678f2c1214a401a5d64e36
    • Opcode Fuzzy Hash: 1b1926564bd92f15325cc400dfe95769c5cd3de717b2ac83a834935b4a4ce0a5
    • Instruction Fuzzy Hash: 295106B6C00218ABDB10DFA4DD48AEEBBB8FF48700F14452AF506B7261DB745945CFA5
    Function 005B21C0 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 155COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001), ref: 005B2222
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005B2236
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 005B225D
    • __vbaI2Str.MSVBVM60(?), ref: 005B2267
    • __vbaFreeStr.MSVBVM60 ref: 005B2272
    • __vbaFreeObj.MSVBVM60 ref: 005B227B
    • __vbaStrI2.MSVBVM60(?,Value must lie between 1 and ), ref: 005B22C5
    • __vbaStrMove.MSVBVM60 ref: 005B22D6
    • __vbaStrCat.MSVBVM60(00000000), ref: 005B22DF
    • __vbaStrMove.MSVBVM60 ref: 005B22E6
    • __vbaStrCat.MSVBVM60(0045AD00,00000000), ref: 005B22EE
    • #595.MSVBVM60(00000008,00000000,?,?,?), ref: 005B230C
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 005B231C
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 005B2334
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005B2359
    • __vbaCastObj.MSVBVM60(00000000), ref: 005B235C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005B2367
      • Part of subcall function 004C5390: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,00522AE2,?), ref: 004C53A7
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 005B237C
    • __vbaExitProc.MSVBVM60 ref: 005B2385
    Strings
    • Value must lie between 1 and , xrefs: 005B22B8
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$List$Move$#595CallCastCheckErrorExitHresultLateProc
    • String ID: Value must lie between 1 and
    • API String ID: 3759094878-2957168035
    • Opcode ID: a4e68485c24bdde1d850eb86d5c054fa1b3e4cd5cd3a036070db5e1857e25051
    • Instruction ID: 2d1d1d036cb77aa7bcc4f29f4c83a4a2c613b1fa4bec190c87df1fc37f419d51
    • Opcode Fuzzy Hash: a4e68485c24bdde1d850eb86d5c054fa1b3e4cd5cd3a036070db5e1857e25051
    • Instruction Fuzzy Hash: 2051F6B2900258ABCB10DFA4DD48AEEBBB8FF48700F14452AF506F7261DB746945CFA5
    Function 0052C1D0 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 145COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052C240
    • __vbaCastObj.MSVBVM60(00000000), ref: 0052C243
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052C24E
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 0052C263
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052C279
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052C2A4
    • __vbaStrCat.MSVBVM60(?,A number between 0 and ), ref: 0052C2BB
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052C2CC
    • __vbaStrCat.MSVBVM60(004568D4,00000000), ref: 0052C2D4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052C2DF
    • __vbaStrMove.MSVBVM60(00626086,?,?,?,00000000), ref: 0052C306
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000), ref: 0052C30F
    • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 0052C316
    • __vbaStrCat.MSVBVM60(; default is 0.0.,00000000,?,?,?,00000000), ref: 0052C31E
    • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 0052C325
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054,?,?,?,00000000), ref: 0052C33E
    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,00000000), ref: 0052C35A
    • __vbaFreeObj.MSVBVM60 ref: 0052C366
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Late$CheckList$BoundsCallCastErrorGenerateHresultType
    • String ID: ; default is 0.0.$A number between 0 and
    • API String ID: 1467507537-3334381351
    • Opcode ID: aa9e2941f751c70f243ea8cd9203c889d537a3ed6ac151ead48b773a6c9b4685
    • Instruction ID: 8094cd6258ad5b1970d8b531b542f8b2d0bbd4bd0c23a85750630c7e965c1f4c
    • Opcode Fuzzy Hash: aa9e2941f751c70f243ea8cd9203c889d537a3ed6ac151ead48b773a6c9b4685
    • Instruction Fuzzy Hash: 74512D71D00659AFCB00DFA4DD89EEEBBB9FB48300F10852AF506B3194DA746945CFA4
    Function 004CB120 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 130COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 004CB187
    • __vbaStrCopy.MSVBVM60 ref: 004CB18F
    • __vbaStrCopy.MSVBVM60 ref: 004CB197
    • __vbaInStr.MSVBVM60(00000000,?,?,00000001), ref: 004CB1A4
    • #617.MSVBVM60(?,?,-00000001), ref: 004CB1DA
    • __vbaLenBstr.MSVBVM60(?,?), ref: 004CB218
    • #632.MSVBVM60(?,?,00000000), ref: 004CB232
    • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 004CB24D
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004CB258
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004CB25B
    • __vbaStrMove.MSVBVM60 ref: 004CB266
    • __vbaFreeVarList.MSVBVM60(00000005,?,0000000A,?,?,?), ref: 004CB282
    • __vbaStrCopy.MSVBVM60 ref: 004CB291
    • __vbaFreeStr.MSVBVM60(004CB2DF), ref: 004CB2D2
    • __vbaFreeStr.MSVBVM60 ref: 004CB2D7
    • __vbaFreeStr.MSVBVM60 ref: 004CB2DC
    • __vbaErrorOverflow.MSVBVM60 ref: 004CB2F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyFree$Move$#617#632BstrErrorListOverflow
    • String ID: K/Meter $Meter $Meter/K-
    • API String ID: 2805110104-2489732259
    • Opcode ID: 88a7bb242674615ee7d12f46ce0f95a25025defb0a13c6f19c29ba2fca8a1e20
    • Instruction ID: 99c8ff096fe287c0a601b7fbf2dfdedf7d400717a6ad666da6cbc0c8be4432ca
    • Opcode Fuzzy Hash: 88a7bb242674615ee7d12f46ce0f95a25025defb0a13c6f19c29ba2fca8a1e20
    • Instruction Fuzzy Hash: 9851D7B5C00229AFDB14DF94DC85AEEBB78FF48700F10815AE509B7254DB746A89CF94
    Function 00606290 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 128COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00606300
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00606303
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060630E
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?), ref: 00606323
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060633A
    • __vbaStrI2.MSVBVM60(?,The line meter to be proved, between 0 and ,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060634E
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060635F
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00606368
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060636F
    • __vbaStrCat.MSVBVM60(0045AD00,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00606377
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060637E
    • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00606388
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060638F
    • __vbaStrCat.MSVBVM60(Must be non-zero and a liquid pulse meter to be effective.,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00606397
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0060639E
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464174,00000054), ref: 006063B7
    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 006063D3
    • __vbaFreeObj.MSVBVM60 ref: 006063DF
    Strings
    • Must be non-zero and a liquid pulse meter to be effective., xrefs: 00606392
    • The line meter to be proved, between 0 and , xrefs: 00606345
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$Late$CheckList$CallCastHresultType
    • String ID: Must be non-zero and a liquid pulse meter to be effective.$The line meter to be proved, between 0 and
    • API String ID: 1211845585-4006392975
    • Opcode ID: 71819f39aef6019791bf06b33db85faf36bfce41c46b86c984e0af2578cc29f6
    • Instruction ID: 4f3eee2d617979e75bbec4e01fbfb472ca3e8cdf9f89abb69a84ed6365f63796
    • Opcode Fuzzy Hash: 71819f39aef6019791bf06b33db85faf36bfce41c46b86c984e0af2578cc29f6
    • Instruction Fuzzy Hash: DC41E975D10219ABCB04EFA4DD45EEFBBBDEF48700F10816AF505F3190EA74A9458BA4
    Function 004CF090 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 125COMMON
    Download Yara Rule
    APIs
    • __vbaVarDup.MSVBVM60 ref: 004CF160
    • __vbaVarDup.MSVBVM60 ref: 004CF17B
    • #681.MSVBVM60(?,0000000B,?,?), ref: 004CF1B6
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 004CF1E1
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004CF1EF
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004CF1F2
    • __vbaStrMove.MSVBVM60 ref: 004CF1FD
    • __vbaFreeVarList.MSVBVM60(00000006,0000000B,?,?,?,?,?), ref: 004CF21D
    • __vbaStrCopy.MSVBVM60 ref: 004CF237
    • __vbaStrCopy.MSVBVM60 ref: 004CF243
    • __vbaFreeStr.MSVBVM60(004CF289), ref: 004CF282
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyFreeMove$#681List
    • String ID: volume$Energy$Gross $Gross volume$Mass$Net volume$Water volume$clean oil$standard
    • API String ID: 2030687021-137130162
    • Opcode ID: 95324ce5c33d84c51991402c1d2c5f7ed1b96d45b889dfd0a93a831940b82410
    • Instruction ID: cfa81f1d73161780f3b32a3eedcf065fbdf28baea5393275c78ab6a098c102a6
    • Opcode Fuzzy Hash: 95324ce5c33d84c51991402c1d2c5f7ed1b96d45b889dfd0a93a831940b82410
    • Instruction Fuzzy Hash: 95513CB9C00209DFDB54CFA5D844BEEBBB9EB48300F50C0ABD519A7254E7385A0ACF56
    Function 005892C0 Relevance: 34.7, APIs: 23, Instructions: 173COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(00406300,00454AC4,?,?,?,?,?,?,?,0040A636), ref: 00589314
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00589321
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E21EE
      • Part of subcall function 004E21D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E221E
      • Part of subcall function 004E21D0: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E2235
      • Part of subcall function 004E21D0: __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,0040A636), ref: 004E2255
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000160), ref: 004E22AC
      • Part of subcall function 004E21D0: __vbaObjSet.MSVBVM60(?,?), ref: 004E22D9
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000164), ref: 004E230C
      • Part of subcall function 004E21D0: __vbaFreeObj.MSVBVM60 ref: 004E2327
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60 ref: 004E2347
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0058932F
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00589348
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,0040A636), ref: 0058934B
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00589352
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E30AE
      • Part of subcall function 004E3090: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E30DE
      • Part of subcall function 004E3090: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E30F8
      • Part of subcall function 004E3090: #681.MSVBVM60(?,0000400B,00000003,00000003), ref: 004E313E
      • Part of subcall function 004E3090: #681.MSVBVM60(?,0000400B,?,00000003), ref: 004E3178
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60 ref: 004E3183
      • Part of subcall function 004E3090: __vbaLateMemSt.MSVBVM60(?,BackColor), ref: 004E31AD
      • Part of subcall function 004E3090: __vbaFreeVarList.MSVBVM60(00000005,00000003,00000003,?,00000003,?), ref: 004E31C9
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,?,?,?,?,?,0040A636), ref: 0058936B
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00589387
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,0040A636), ref: 0058938A
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00589391
      • Part of subcall function 004E3090: #681.MSVBVM60(?,0000400B,00000003,00000003), ref: 004E3212
      • Part of subcall function 004E3090: #681.MSVBVM60(?,0000400B,00000003,?), ref: 004E324C
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60 ref: 004E3257
      • Part of subcall function 004E3090: __vbaLateMemSt.MSVBVM60(?,ForeColor), ref: 004E3281
      • Part of subcall function 004E3090: __vbaFreeVarList.MSVBVM60(00000005,00000003,00000003,00000003,?,?), ref: 004E329D
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60 ref: 004E32C0
      • Part of subcall function 004E3090: __vbaLateMemSt.MSVBVM60(?,FontBold), ref: 004E32EA
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60 ref: 004E330A
      • Part of subcall function 004E3090: __vbaLateMemSt.MSVBVM60(?,Locked), ref: 004E3334
      • Part of subcall function 004E3090: __vbaChkstk.MSVBVM60 ref: 004E3355
      • Part of subcall function 004E3090: __vbaLateMemSt.MSVBVM60(?,TabStop), ref: 004E337F
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,?,?,?,?,?,0040A636), ref: 005893AA
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005893C6
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005893C9
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005893D0
      • Part of subcall function 004E3090: __vbaFreeVar.MSVBVM60 ref: 004E3388
      • Part of subcall function 004E3090: __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004E339E
      • Part of subcall function 004E3090: __vbaFreeObj.MSVBVM60(004E33D8), ref: 004E33D1
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000), ref: 005893E9
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00589405
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00589408
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058940F
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000), ref: 00589428
    • __vbaHresultCheckObj.MSVBVM60(00000000,00406300,0046AAE0,000006F8), ref: 00589452
    • __vbaCastObj.MSVBVM60(00406300,00454AC4), ref: 0058945E
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00589465
    • __vbaFreeObj.MSVBVM60(?,00000001,0000000A), ref: 00589477
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Chkstk$CastList$Late$#681$AddrefCheckHresult$Error$New2
    • String ID:
    • API String ID: 501721900-0
    • Opcode ID: 2c37f0f9c9391b02717948be08e41221f8f250ef5b82c22554f7642a2dd14b2c
    • Instruction ID: f788c184dc9f569e715820b9694269a603ec620d61a7fe8e3d88a0a81001268d
    • Opcode Fuzzy Hash: 2c37f0f9c9391b02717948be08e41221f8f250ef5b82c22554f7642a2dd14b2c
    • Instruction Fuzzy Hash: E651217194024ABBDB10EBA1CC8AFFF7B7CEF84705F104519F601A6181EB789646CBA5
    Function 0055B200 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 249COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055B271
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0055B29F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,00000090), ref: 0055B2D0
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0055B2E3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055B303
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0055B32B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000001BC), ref: 0055B34D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0055B359
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055B370
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0055B398
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000000E0), ref: 0055B3C1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055B3D1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0055B3F9
    • #681.MSVBVM60(?,?,?,?), ref: 0055B435
    • __vbaI2Var.MSVBVM60(?), ref: 0055B441
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000000E4), ref: 0055B461
    • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0055B475
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0055B48D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$FreeList$#681
    • String ID: @N@
    • API String ID: 2323866559-2549970889
    • Opcode ID: b00226c4517c49b8ba7f3b9471df046007bc38a6a23a4773a0dae3a692bfca9f
    • Instruction ID: 07c3f4e7796ed5034e4071379ff2ebf2fbb82d330e533e3f102c83964d136c3f
    • Opcode Fuzzy Hash: b00226c4517c49b8ba7f3b9471df046007bc38a6a23a4773a0dae3a692bfca9f
    • Instruction Fuzzy Hash: B0913E71900209AFDB10DFA4CD89FEEBBB8FF49701F108529F609A7291E7749949CB64
    Function 0056A270 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 195COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056A2E6
    • __vbaCastObj.MSVBVM60(00000000), ref: 0056A2E9
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0056A2F4
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0056A307
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0056A31E
    • __vbaFreeVar.MSVBVM60 ref: 0056A32A
    • __vbaStrCmp.MSVBVM60(00452580,?), ref: 0056A349
    • __vbaCastObj.MSVBVM60(XS@,00454AC4), ref: 0056A35D
    • __vbaObjSet.MSVBVM60(00625EE8,00000000), ref: 0056A369
    • __vbaHresultCheckObj.MSVBVM60(00000000,XS@,00454AD4,000000A4), ref: 0056A388
    • __vbaNew2.MSVBVM60(00415B18,0062962C), ref: 0056A3A0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046A318,000002B0), ref: 0056A419
    • __vbaHresultCheckObj.MSVBVM60(00000000,XS@,00454AD4,000000A4), ref: 0056A43F
    • __vbaHresultCheckObj.MSVBVM60(00000000,XS@,00454AD4,000002A8), ref: 0056A45C
    • __vbaVarDup.MSVBVM60 ref: 0056A490
    • #595.MSVBVM60(?,00000030,?,?,?), ref: 0056A4A8
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0056A4C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$CastList$#595#598BoolCallLateMoveNew2Null
    • String ID: No polled data available.$XS@
    • API String ID: 446216038-1636551334
    • Opcode ID: 3d4d8d13b6be4fe1352d0f3afc56edd7a59493b74802fa7f19222724a0af875f
    • Instruction ID: 5d88c3f78b80b4bf7e822bf303d3ed58ae6974d463f2dc8561ec2c352ed5fd5c
    • Opcode Fuzzy Hash: 3d4d8d13b6be4fe1352d0f3afc56edd7a59493b74802fa7f19222724a0af875f
    • Instruction Fuzzy Hash: E3715DB0D00309AFCB00DFA8D888ADEBBB9FF48304F10812AE519BB291D7B45945CF95
    Function 004C5180 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 116COMMON
    Download Yara Rule
    APIs
    • __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
    • __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
    • __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
    • __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
    • __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
    • #598.MSVBVM60 ref: 004C5229
    • __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
    • __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
    • __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
    • __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
    • __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
    • #598.MSVBVM60 ref: 004C52A6
    • __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52BE
    • __vbaVarMove.MSVBVM60 ref: 004C52DA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$#598FreeList$Move
    • String ID: ActiveControl$Parent$SetFocus
    • API String ID: 796201231-1400243772
    • Opcode ID: ae3724671eedfd82fee4ad5be0dfe2175606b59ffd4b2252068ccaea31757a19
    • Instruction ID: cbadc522af8f70eb2eeb598331a2ad109508cebc4fe340a57f761dfe130a5836
    • Opcode Fuzzy Hash: ae3724671eedfd82fee4ad5be0dfe2175606b59ffd4b2252068ccaea31757a19
    • Instruction Fuzzy Hash: A84192B4C00248AFDB10DFA4DE89EAE777CFB04705B50451AF806B3261D7786E55CBA9
    Function 004C6340 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 171COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(00000000), ref: 004C6386
    • __vbaRedim.MSVBVM60(00000080,00000002,?,00000002,00000001,?,00000000), ref: 004C63C6
    • __vbaAryLock.MSVBVM60(?,?), ref: 004C63D7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C63F6
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C6400
    • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 004C6414
    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004C6429
    • __vbaAryUnlock.MSVBVM60(?), ref: 004C6433
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004C6441
    • __vbaFreeStr.MSVBVM60 ref: 004C644A
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C648B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 004C649C
    • __vbaLateMemCallSt.MSVBVM60(?,DataWord,00000001), ref: 004C64F4
    • __vbaStrCopy.MSVBVM60 ref: 004C6514
    • __vbaAryDestruct.MSVBVM60(00000000,?,004C655A), ref: 004C654A
    • __vbaFreeStr.MSVBVM60 ref: 004C6553
    • __vbaErrorOverflow.MSVBVM60(00000000), ref: 004C6570
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$BoundsGenerate$CopyFree$AnsiCallDestructLateLockOverflowRedimSystemUnicodeUnlock
    • String ID: DataWord
    • API String ID: 6966545-2471641142
    • Opcode ID: 62995810a82e2e4fc063978ab2a7134e3e8abd24a8bb6627ccf6b3f77577578f
    • Instruction ID: 0f97517ef2205787e3bb1c02271a979000515c05a0db978d6ce6755957cb8af6
    • Opcode Fuzzy Hash: 62995810a82e2e4fc063978ab2a7134e3e8abd24a8bb6627ccf6b3f77577578f
    • Instruction Fuzzy Hash: 65516E78900209AFCB04DFA4D988ADEBBB5FF4C701F24815AE805B7365D7759846CBA8
    Function 004F0200 Relevance: 30.1, APIs: 20, Instructions: 124COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(6D49D83C,00000000,00000000), ref: 004F0248
    • __vbaFileSeek.MSVBVM60(00000001,00000000), ref: 004F025E
    • __vbaStrCat.MSVBVM60(?,0045C724), ref: 004F027C
    • __vbaStrMove.MSVBVM60(?,0045C724), ref: 004F0289
    • __vbaStrCat.MSVBVM60(0045BEE4,00000000,?,0045C724), ref: 004F0291
    • __vbaStrMove.MSVBVM60(?,0045C724), ref: 004F0298
      • Part of subcall function 004F00B0: __vbaStrCopy.MSVBVM60(00000000,6D49D8B1,6D48A323), ref: 004EFE48
      • Part of subcall function 004F00B0: #571.MSVBVM60(00000000), ref: 004EFE64
      • Part of subcall function 004F00B0: __vbaLineInputStr.MSVBVM60(?,00000000), ref: 004EFE7F
      • Part of subcall function 004F00B0: #520.MSVBVM60(?,?), ref: 004EFE9A
      • Part of subcall function 004F00B0: __vbaStrVarMove.MSVBVM60(?), ref: 004EFEA4
      • Part of subcall function 004F00B0: __vbaStrMove.MSVBVM60 ref: 004EFEAF
      • Part of subcall function 004F00B0: __vbaFreeVar.MSVBVM60 ref: 004EFEB8
      • Part of subcall function 004F00B0: __vbaStrCopy.MSVBVM60 ref: 004EFEC2
      • Part of subcall function 004F00B0: #617.MSVBVM60(?,00004008,00000001), ref: 004EFEF4
      • Part of subcall function 004F00B0: __vbaVarTstEq.MSVBVM60(?,?), ref: 004EFF0C
      • Part of subcall function 004F00B0: __vbaFreeVar.MSVBVM60 ref: 004EFF18
      • Part of subcall function 004F00B0: __vbaLenBstr.MSVBVM60 ref: 004EFF31
      • Part of subcall function 004F00B0: #617.MSVBVM60(?,00004008,00000000), ref: 004EFF40
      • Part of subcall function 004F00B0: #528.MSVBVM60(?,?), ref: 004EFF4A
      • Part of subcall function 004F00B0: __vbaStrVarMove.MSVBVM60(?), ref: 004EFF54
    • __vbaStrMove.MSVBVM60(?,?,0045C724), ref: 004F02A8
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,0045C724), ref: 004F02B4
    • __vbaLenBstr.MSVBVM60(?), ref: 004F02C7
    • __vbaStrMove.MSVBVM60(?), ref: 004F02DF
    • __vbaLenBstr.MSVBVM60(?), ref: 004F02E5
    • __vbaInStr.MSVBVM60(00000000,0045BC70,?,00000001), ref: 004F0300
    • __vbaI2I4.MSVBVM60 ref: 004F0308
    • __vbaLenBstr.MSVBVM60(?), ref: 004F0321
    • #619.MSVBVM60(?,00004008,00000000), ref: 004F0337
    • #520.MSVBVM60(?,?), ref: 004F0345
    • __vbaStrVarMove.MSVBVM60(?), ref: 004F034F
    • __vbaStrMove.MSVBVM60 ref: 004F035A
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004F0366
    • __vbaFreeStr.MSVBVM60(004F03B3), ref: 004F03AC
      • Part of subcall function 004F00B0: __vbaStrMove.MSVBVM60 ref: 004EFF5F
      • Part of subcall function 004F00B0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004EFF6F
      • Part of subcall function 004F00B0: __vbaStrCmp.MSVBVM60(?,?), ref: 004EFF7F
      • Part of subcall function 004F00B0: __vbaStrCmp.MSVBVM60([RMAP],?,?,?), ref: 004EFF96
      • Part of subcall function 004F00B0: #617.MSVBVM60(?,00004008,00000001), ref: 004EFFB3
      • Part of subcall function 004F00B0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004EFFCB
      • Part of subcall function 004F00B0: __vbaFreeVar.MSVBVM60 ref: 004EFFD7
      • Part of subcall function 004F00B0: __vbaLenBstr.MSVBVM60(00000000), ref: 004EFFF0
      • Part of subcall function 004F00B0: #617.MSVBVM60(?,00004008,00000000), ref: 004EFFFF
      • Part of subcall function 004F00B0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004F0015
      • Part of subcall function 004F00B0: __vbaFreeVar.MSVBVM60 ref: 004F0021
      • Part of subcall function 004F00B0: __vbaStrCopy.MSVBVM60(?,?), ref: 004F003A
      • Part of subcall function 004F00B0: __vbaStrCopy.MSVBVM60(?,?), ref: 004F0042
      • Part of subcall function 004F00B0: __vbaFreeStr.MSVBVM60(004F0092), ref: 004F008A
      • Part of subcall function 004F00B0: __vbaFreeStr.MSVBVM60 ref: 004F008F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$BstrCopy$#617$List$#520$#528#571#619FileInputLineSeek
    • String ID:
    • API String ID: 1265841900-0
    • Opcode ID: c5a5277953d45951a0ceba8e48a3d4d58d7cd0761299c6592d599d0a9335b984
    • Instruction ID: 9fb89e920c2a890b5f05f72c1c640e67c6a28e226414746bda261df331ba92b3
    • Opcode Fuzzy Hash: c5a5277953d45951a0ceba8e48a3d4d58d7cd0761299c6592d599d0a9335b984
    • Instruction Fuzzy Hash: 35413075D00209AFCB00DFA5DD89DEEBBB9FF88700F10812AE901B7265DB745946CB68
    Function 005541D0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 127COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00554238
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0055425C
    • __vbaCastObj.MSVBVM60(?,0045B140,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055426B
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00554276
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?), ref: 0055428F
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542A6
    • __vbaStrI2.MSVBVM60(0000000A,Up to ,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542B3
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542C4
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542C7
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542D2
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542DA
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005542E5
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 005542FB
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0055430F
    • __vbaFreeObj.MSVBVM60 ref: 0055431B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$CheckHresultList$Cast
    • String ID: characters.$Up to
    • API String ID: 235632993-2586778379
    • Opcode ID: 73121ce2a36b36fb1122ff0822ba3376e28314dedd000b301ff31f21e5a1693e
    • Instruction ID: 7acd4553cb0b88138a78db0c0fcd5f3fd9e15617ace05fcd6ce508e8d5fa76d1
    • Opcode Fuzzy Hash: 73121ce2a36b36fb1122ff0822ba3376e28314dedd000b301ff31f21e5a1693e
    • Instruction Fuzzy Hash: 4E411F75900209AFDB00EFA4CD49EEEBBBCFF48705F108569F905F72A0E674A9458B64
    Function 00553030 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055309A
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055309D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005530A8
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005530BD
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005530D4
    • __vbaStrI2.MSVBVM60(0000000A,Up to ,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005530E1
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005530F2
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005530F5
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00553100
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00553108
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00553113
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00553129
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055313D
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00553149
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$LateMove$CheckList$CallCastHresultType
    • String ID: characters.$@J@$Up to
    • API String ID: 3506394873-3664104517
    • Opcode ID: 986dc8d663430c88efa1062aafc1c7a86f57d3cbd9b9fc84e24222e3964892ab
    • Instruction ID: 8fc1d7fa495972b982dcadc097d7d2d188b0424a0c1317520fbbfe3f7432f2ae
    • Opcode Fuzzy Hash: 986dc8d663430c88efa1062aafc1c7a86f57d3cbd9b9fc84e24222e3964892ab
    • Instruction Fuzzy Hash: 89310E75900249ABDB00EFA4CD49EEFBBB8EF48701F10416AE945F3190DA749A45CBA4
    Function 005261A0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052620A
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052620D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526218
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052622D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526244
    • __vbaStrI2.MSVBVM60(00000010,Between 1 and ,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526251
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526262
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526265
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526270
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526278
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526283
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526299
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005262AD
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005262B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$LateMove$CheckList$CallCastHresultType
    • String ID: characters.$(6@$Between 1 and
    • API String ID: 3506394873-3847226840
    • Opcode ID: 734367d79376a8c90600db1c79048fea9f37e275cb47b27730ba644a0241da0b
    • Instruction ID: 44e10417a5298f9869544ff0a322b2ad457e6e520ed7e9184c1c27ed369f177d
    • Opcode Fuzzy Hash: 734367d79376a8c90600db1c79048fea9f37e275cb47b27730ba644a0241da0b
    • Instruction Fuzzy Hash: 02312C75900249AFDB00EFA4CD49EEFBBBCEF48701F104569E941F3190E674A9458BA4
    Function 004C8210 Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 55COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: Copy__vba
    • String ID: 0.0$0.00$0.0000$APIG$KGM3$RD60$Rd/60$kg/m3
    • API String ID: 3702988478-3791388956
    • Opcode ID: 452193ea04ccb4dc78c67b7a3c8895b6df59a6198ac4221919b9919ca308be08
    • Instruction ID: 30fb15366324ccde3e8b593b4a25612e7015b4f439044c5c4220a0ae766f4989
    • Opcode Fuzzy Hash: 452193ea04ccb4dc78c67b7a3c8895b6df59a6198ac4221919b9919ca308be08
    • Instruction Fuzzy Hash: E5216770500B06ABC304CF00E860A65B771FF58306F20C66AC8119BAA5DB78F86BCFD9
    Function 0054B080 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 180COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054B10B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054B127
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054B14B
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054B16E
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0054B17C
    • __vbaCopyBytes.MSVBVM60(00000010,?,?), ref: 0054B1A6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0054B1BA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0054B1E2
    • __vbaStrR4.MSVBVM60(?), ref: 0054B1F1
    • __vbaStrMove.MSVBVM60 ref: 0054B1FC
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 0054B21C
    • __vbaFreeStr.MSVBVM60 ref: 0054B225
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0054B235
    • __vbaHresultCheckObj.MSVBVM60(00000000,@F@,00466624,00000720), ref: 0054B270
    • __vbaHresultCheckObj.MSVBVM60(00000000,@F@,00466624,00000718), ref: 0054B290
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$BoundsErrorGenerate$CheckHresult$Free$BytesCopyListMove
    • String ID: @F@
    • API String ID: 2718494234-1596259777
    • Opcode ID: 4726e73a51b1dbf58847abdf1fd71f90a991c7624f97973ca3eab93d5ff016fb
    • Instruction ID: 5274d352b044a9b3fee36621c993ed6951d15e99591e63d5c42d0490dca6fc9c
    • Opcode Fuzzy Hash: 4726e73a51b1dbf58847abdf1fd71f90a991c7624f97973ca3eab93d5ff016fb
    • Instruction Fuzzy Hash: F661F835A00605EFDB14DF68DD88AEEBBBAFF88345F108129F545A7260D7709942CFA4
    Function 004D1110 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 152COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D115E
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D1195
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D11C0
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D11F7
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D1222
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D124E
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D127A
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D12A0
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D12C4
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D12E8
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D1331
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 004D1339
    • __vbaFreeStr.MSVBVM60(004D1356,?,?,?,?,?,?,?,0040A636), ref: 004D134F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$BoundsErrorGenerate$Copy$Free
    • String ID: Mmeter units$fraction$meter units
    • API String ID: 3733819906-3720384318
    • Opcode ID: f3e939162b5f285a7f3a1dc701306513ae8690e3b9bcf3d40cfa117deb0171a7
    • Instruction ID: 7c0af941b9529c2cf096c5481858470f24cbab7cb20cd38a2db7238f73d999f5
    • Opcode Fuzzy Hash: f3e939162b5f285a7f3a1dc701306513ae8690e3b9bcf3d40cfa117deb0171a7
    • Instruction Fuzzy Hash: F351F331A00625DBDB24DF14DA989AE77A2FB49301F918667DC027B638D734ED02CBD9
    Function 00608120 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 136COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0060818D
    • __vbaStrCmp.MSVBVM60(00452580,?), ref: 0060819D
    • __vbaSetSystemError.MSVBVM60(00616A83,?), ref: 006081BC
    • __vbaStrCopy.MSVBVM60 ref: 006081CF
    • __vbaVarCopy.MSVBVM60 ref: 006081EB
    • __vbaVarDup.MSVBVM60 ref: 00608236
    • __vbaVarDup.MSVBVM60 ref: 00608251
    • #681.MSVBVM60(?,0000000B,?,?), ref: 00608287
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 006082B1
    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 006082BF
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 006082C2
    • __vbaStrMove.MSVBVM60 ref: 006082CD
    • __vbaFreeVarList.MSVBVM60(00000006,0000000B,?,?,?,?,?), ref: 006082F0
    • __vbaFreeStr.MSVBVM60(00608337), ref: 00608330
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$FreeMove$#681ErrorListSystem
    • String ID: Prover $inlet
    • API String ID: 2400919395-226361622
    • Opcode ID: 8a79a00b535b182172eccde10169399029a2b7731e56090ae6ffdce86c0a7b4a
    • Instruction ID: f0cfc1e1d1dcd3ce98466e654cb345d6261ef3cdc7e6526e13a45bcf7208ed68
    • Opcode Fuzzy Hash: 8a79a00b535b182172eccde10169399029a2b7731e56090ae6ffdce86c0a7b4a
    • Instruction Fuzzy Hash: DB5108B190021DAFCB54CF94CC84ADEBBB9FF48700F14819AE449B7250DB745A89CF94
    Function 005DB0C0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB12A
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB12D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB138
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB14D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB164
    • __vbaStrI2.MSVBVM60(00000014,Between 1 and ,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB171
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB182
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB185
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB190
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB198
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB1A3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB1B9
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB1CD
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DB1D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$LateMove$CheckList$CallCastHresultType
    • String ID: characters.$Between 1 and
    • API String ID: 3506394873-1076189681
    • Opcode ID: 8ebb587bc516efb792c555c1e0fc00a93d0fd433c8cbb73d236758a6662887ec
    • Instruction ID: faf9a5ceb71333fcd3e75cc8ae4e5e46cb1b0ea00403b3fb2179ae08ad421218
    • Opcode Fuzzy Hash: 8ebb587bc516efb792c555c1e0fc00a93d0fd433c8cbb73d236758a6662887ec
    • Instruction Fuzzy Hash: EA312C75900249ABDB10EFA4CD49EEEBBB8EF48700F10416AE941F3290EB749945CBA4
    Function 005D6160 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D61CA
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D61CD
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D61D8
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D61ED
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6204
    • __vbaStrI2.MSVBVM60(00000014,Up to ,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6211
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6222
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6225
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6230
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6238
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6243
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6259
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D626D
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D6279
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$LateMove$CheckList$CallCastHresultType
    • String ID: characters.$Up to
    • API String ID: 3506394873-2586778379
    • Opcode ID: a9a1b5f49adb1d3c744caf436a71dd4ee2b89a5fa70d01c79715c8988c0557c4
    • Instruction ID: 7ddb5431b298e88e00b8f7e69821aef382252d5d8f8b231b18d350ed099baa20
    • Opcode Fuzzy Hash: a9a1b5f49adb1d3c744caf436a71dd4ee2b89a5fa70d01c79715c8988c0557c4
    • Instruction Fuzzy Hash: FC31FC75900249AFDB10EFA4CD49EEFBBB8EF48700F10456AF941F3294EA749945CBA4
    Function 005D71B0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D721A
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D721D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7228
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D723D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7254
    • __vbaStrI2.MSVBVM60(0000000A,Up to ,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7261
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7272
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7275
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7280
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7288
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D7293
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D72A9
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D72BD
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D72C9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$LateMove$CheckList$CallCastHresultType
    • String ID: characters.$Up to
    • API String ID: 3506394873-2586778379
    • Opcode ID: a803749c7dadf03f98305f932728536281a2c1084e4307b1cdbb575116fae0e9
    • Instruction ID: 827d1e0cf6414d4b5ed5c5699d0e4a5865e4b39a5a93ce99ef8d45c8a1d09bed
    • Opcode Fuzzy Hash: a803749c7dadf03f98305f932728536281a2c1084e4307b1cdbb575116fae0e9
    • Instruction Fuzzy Hash: 15310D75900249ABDB10EFA4CD49EEEBBB8EB48700F10456AE941F3290EA749945CBA4
    Function 005C6280 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 106COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C62EA
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C62ED
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C62F8
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C630D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6324
    • __vbaStrI2.MSVBVM60(00000010,Between 1 and ,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6331
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6342
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6345
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6350
    • __vbaStrCat.MSVBVM60( characters.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6358
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6363
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6379
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C638D
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6399
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$LateMove$CheckList$CallCastHresultType
    • String ID: characters.$Between 1 and
    • API String ID: 3506394873-1076189681
    • Opcode ID: da110f83ffa2f463a49391ba17f99b61db856692ff1ff940be758f3eacea0c9b
    • Instruction ID: 449f02e877cce636c39b295ebb2a77b07d3f5d8143935ab77c6f9820704faddf
    • Opcode Fuzzy Hash: da110f83ffa2f463a49391ba17f99b61db856692ff1ff940be758f3eacea0c9b
    • Instruction Fuzzy Hash: 55311D75900249AFDB00EFA4CD49EEFBBB8FF48700F104569E945F3190E678AA45CBA5
    Function 00527200 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 98COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527258
    • __vbaStrCat.MSVBVM60(?,Select "Differential Pres" for an orifice (or v-cone/wedge) meter.,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052728C
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527299
    • __vbaStrCat.MSVBVM60(?,Select "Pulse Count" when you are supplying an actual pulse count to the Module.,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005272B4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005272C1
    • __vbaStrCat.MSVBVM60(Select "Pulse Frequency" if you have only a pulse rate available.,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005272C9
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005272D0
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005272D5
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005272E9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052730A
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527313
    • __vbaFreeStr.MSVBVM60(00527344,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052733D
    Strings
    • Select "Pulse Count" when you are supplying an actual pulse count to the Module., xrefs: 005272AE
    • Select "Flow Rate" if your primary input is a flow rate., xrefs: 0052729C
    • Select "Pulse Frequency" if you have only a pulse rate available., xrefs: 005272C4
    • Select "Differential Pres" for an orifice (or v-cone/wedge) meter., xrefs: 00527286
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$BoundsCheckErrorGenerateHresult
    • String ID: Select "Differential Pres" for an orifice (or v-cone/wedge) meter.$Select "Flow Rate" if your primary input is a flow rate.$Select "Pulse Count" when you are supplying an actual pulse count to the Module.$Select "Pulse Frequency" if you have only a pulse rate available.
    • API String ID: 2821959842-512101544
    • Opcode ID: cdfa9e5e814e958afc976778d8c2c375d71f09b63e7cafce5342d185e11672e9
    • Instruction ID: 9eef4442cc9b1c09fc9f2ebe146d089ecfd2ef946d9acdc6a26fb8f317b4233b
    • Opcode Fuzzy Hash: cdfa9e5e814e958afc976778d8c2c375d71f09b63e7cafce5342d185e11672e9
    • Instruction Fuzzy Hash: B2319375D00619EFDB10DF64DD88AAEBBB9FF48701F10852AF801A72A0DB75A905CF94
    Function 005E2040 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 94COMMON
    Download Yara Rule
    APIs
    • __vbaStrCat.MSVBVM60(?,Locations in the PLC of image files --,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20A3
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20B0
    • __vbaStrCat.MSVBVM60( 0 => not defined (file will not be scanned),00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20B8
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20BF
    • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20C8
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20CF
    • __vbaStrCat.MSVBVM60( else must lie between 400001 and 465535.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20D7
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20DE
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E20EE
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E2105
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 005E2126
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E212F
    • __vbaFreeStr.MSVBVM60(005E216E,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E2167
    Strings
    • Locations in the PLC of image files --, xrefs: 005E208E
    • 0 => not defined (file will not be scanned), xrefs: 005E20B3
    • else must lie between 400001 and 465535., xrefs: 005E20D2
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CheckHresultList
    • String ID: 0 => not defined (file will not be scanned)$ else must lie between 400001 and 465535.$Locations in the PLC of image files --
    • API String ID: 1500622497-1006892280
    • Opcode ID: 6083203f21a362ce109bce4594529651f424d495b8b2fa71fdbde31884f73be0
    • Instruction ID: b5cb1f1470c1973313e5c73ea4dc7fbc80f77502aa0e65131571a11f93853cec
    • Opcode Fuzzy Hash: 6083203f21a362ce109bce4594529651f424d495b8b2fa71fdbde31884f73be0
    • Instruction Fuzzy Hash: C2310E75900209AFDB04DFA4CD85AEEBBB9FF48704F108129F545F32A0EA755D45CBA4
    Function 005D32F0 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 94COMMON
    Download Yara Rule
    APIs
    • __vbaStrCat.MSVBVM60(?,Locations in the PLC of image files --,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D3353
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D3360
    • __vbaStrCat.MSVBVM60( 0 => not defined (file will not be scanned),00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D3368
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D336F
    • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D3378
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D337F
    • __vbaStrCat.MSVBVM60( else must lie between 400001 and 465535.,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D3387
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D338E
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D339E
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D33B5
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 005D33D6
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D33DF
    • __vbaFreeStr.MSVBVM60(005D341E,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005D3417
    Strings
    • Locations in the PLC of image files --, xrefs: 005D333E
    • 0 => not defined (file will not be scanned), xrefs: 005D3363
    • else must lie between 400001 and 465535., xrefs: 005D3382
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CheckHresultList
    • String ID: 0 => not defined (file will not be scanned)$ else must lie between 400001 and 465535.$Locations in the PLC of image files --
    • API String ID: 1500622497-1006892280
    • Opcode ID: ad013982707834bb414ee3c311786f127d806f55553f245144e5f9e055faaa94
    • Instruction ID: 386f5fd79b63dda7c6fddda947684f37e0582b3c5fa3bb44ba0cb66777562f9e
    • Opcode Fuzzy Hash: ad013982707834bb414ee3c311786f127d806f55553f245144e5f9e055faaa94
    • Instruction Fuzzy Hash: 87311E75A00609AFDB00DFA4CD45AEEBBB8FF48700F10412AE405F32A0EA759945CBA5
    Function 0053D100 Relevance: 27.2, APIs: 18, Instructions: 249COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053D171
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053D19F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,00000090), ref: 0053D1D0
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0053D1E3
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053D203
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053D22B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000001BC), ref: 0053D24D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0053D259
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053D270
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053D298
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000000E0), ref: 0053D2C1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053D2D1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053D2F9
    • #681.MSVBVM60(?,?,?,?), ref: 0053D335
    • __vbaI2Var.MSVBVM60(?), ref: 0053D341
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00467488,000000E4), ref: 0053D361
    • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0053D375
    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0053D38D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$FreeList$#681
    • String ID:
    • API String ID: 2323866559-0
    • Opcode ID: b87407e094c2a6a8a882cb7faeda86fee672b25175ba31a62fe0624b3d9f4960
    • Instruction ID: 50274352203b1e68298dbe0fd60d2c19448a545d49613973944c93b7ca314f6d
    • Opcode Fuzzy Hash: b87407e094c2a6a8a882cb7faeda86fee672b25175ba31a62fe0624b3d9f4960
    • Instruction Fuzzy Hash: 25910EB1900209AFDB00DFA5CD89FEEBBB8FF49704F108529F609A7291E6749945CB64
    Function 0050D080 Relevance: 27.1, APIs: 18, Instructions: 115COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D0C9
      • Part of subcall function 00508290: __vbaStrI2.MSVBVM60(00402D90,6D48A323,6D49D8B1,?), ref: 005082CB
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60 ref: 005082DC
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60(?,000000FE,bit ), ref: 005082F3
      • Part of subcall function 00508290: __vbaStrCat.MSVBVM60(00000000), ref: 005082FC
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60 ref: 00508303
      • Part of subcall function 00508290: __vbaStrCat.MSVBVM60(0045E888,00000000), ref: 0050830B
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60 ref: 00508312
      • Part of subcall function 00508290: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00508322
    • __vbaStrMove.MSVBVM60(0040A636,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D0E3
    • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D0F3
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D0FA
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D106
    • __vbaSetSystemError.MSVBVM60(?,0040A636,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D132
    • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D13F
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D146
    • __vbaStrMove.MSVBVM60(?,00000046,00000000), ref: 0050D159
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D15C
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D163
    • __vbaStrI2.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D167
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D172
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D175
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0050D17C
    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,00000000), ref: 0050D19E
    • __vbaFreeStr.MSVBVM60(0050D1E3), ref: 0050D1DB
    • __vbaFreeStr.MSVBVM60 ref: 0050D1E0
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$ErrorList$BoundsCopyGenerateSystem
    • String ID:
    • API String ID: 1781165678-0
    • Opcode ID: 60cfbe4edc0a516901dad27ca3221b8e23af7a98d6d2e0741da86c73a3a75d5e
    • Instruction ID: 6e0a1cf50940b368e6941555476f7dfc31e87a7023f69adfcc78d40e71db6473
    • Opcode Fuzzy Hash: 60cfbe4edc0a516901dad27ca3221b8e23af7a98d6d2e0741da86c73a3a75d5e
    • Instruction Fuzzy Hash: 8341E075D002199BCB15EFA5DD85DEFBBB9FF48300F10452AE506B3254EA34AA05CFA4
    Function 004DE130 Relevance: 27.1, APIs: 18, Instructions: 104COMMON
    Download Yara Rule
    APIs
    • #608.MSVBVM60(?,00000000), ref: 004DE172
    • #607.MSVBVM60(?,00000006,?), ref: 004DE182
    • __vbaStrVarMove.MSVBVM60(?), ref: 004DE18C
    • __vbaStrMove.MSVBVM60 ref: 004DE197
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004DE1A7
    • __vbaStrToAnsi.MSVBVM60(?,?,00000006), ref: 004DE1BA
    • __vbaSetSystemError.MSVBVM60(00000400,0000000F,00000000), ref: 004DE1CF
    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004DE1DD
    • __vbaFreeStr.MSVBVM60 ref: 004DE1E6
    • #617.MSVBVM60(?,?,00000000), ref: 004DE206
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 004DE214
      • Part of subcall function 00513A50: __vbaStrCopy.MSVBVM60(00000000,00000000,?,?,00000000,0040A636,004DDF00), ref: 00513A8D
      • Part of subcall function 00513A50: __vbaStrCopy.MSVBVM60(?), ref: 00513A9E
      • Part of subcall function 00513A50: __vbaFreeStr.MSVBVM60(00513ABB), ref: 00513AB4
    • __vbaStrMove.MSVBVM60(00000000), ref: 004DE225
    • __vbaFreeStr.MSVBVM60 ref: 004DE22E
    • __vbaFreeVar.MSVBVM60 ref: 004DE237
    • __vbaLenBstr.MSVBVM60(?), ref: 004DE241
    • __vbaStrCopy.MSVBVM60 ref: 004DE255
    • __vbaStrCopy.MSVBVM60 ref: 004DE261
    • __vbaFreeStr.MSVBVM60(004DE2A4), ref: 004DE29D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Copy$Move$#607#608#617AnsiBstrErrorListSystemUnicode
    • String ID:
    • API String ID: 189627791-0
    • Opcode ID: 5a8bdc95f94bcd6094522c650e643da936b5069ad118d612534ad27d76e16b44
    • Instruction ID: d1ed99ef9548f40fb77bf4011af653329784f187fcefc2bf562b000ccb5d9284
    • Opcode Fuzzy Hash: 5a8bdc95f94bcd6094522c650e643da936b5069ad118d612534ad27d76e16b44
    • Instruction Fuzzy Hash: 78411D71D0024AEFDB04EFA4DA899EEBBB8FF48305F10812AF502B7160DB745A06CB54
    Function 00517290 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 241COMMON
    Download Yara Rule
    APIs
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,000000A4), ref: 005172F4
    • __vbaNew2.MSVBVM60(0040F3B8,00629410), ref: 0051730D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046209C,000002B0), ref: 00517374
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,000000A4), ref: 00517397
    • __vbaOnError.MSVBVM60(00000001), ref: 005173AC
    • __vbaSetSystemError.MSVBVM60(?,00000000,000000FF), ref: 005173E2
    • __vbaSetSystemError.MSVBVM60(?,00000001), ref: 005173FD
    • __vbaSetSystemError.MSVBVM60(?,-00000004), ref: 00517443
    • __vbaSetSystemError.MSVBVM60(?,00000002), ref: 0051746B
    • __vbaSetSystemError.MSVBVM60(?,00000003), ref: 00517487
    • __vbaExitProc.MSVBVM60 ref: 0051749F
    • __vbaErrorOverflow.MSVBVM60 ref: 005174C4
    • __vbaStrCopy.MSVBVM60 ref: 00517529
    • __vbaFreeStr.MSVBVM60 ref: 00517546
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$System$CheckHresult$CopyExitFreeNew2OverflowProc
    • String ID: 2@
    • API String ID: 4241771837-1554024979
    • Opcode ID: c5518ff86e25fd52ebe4d05aeca59db0dc239eb9fed893ff2a09974f2e594f26
    • Instruction ID: 10521e75c27740e88724a83296320a627139ed452450aa2295bff90f570190ca
    • Opcode Fuzzy Hash: c5518ff86e25fd52ebe4d05aeca59db0dc239eb9fed893ff2a09974f2e594f26
    • Instruction Fuzzy Hash: 4881D375900705ABDB10EFB8CD49B9EBFB8FF48704F10852AF845A7291D7B89C418BA5
    Function 00520290 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 104COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005202DE
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005202EF
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005202FA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052031A
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 00520323
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0052032C
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 00520340
    • __vbaStrI2.MSVBVM60(?,Meter ,?,?,?,?,?,?,?,?,?,0040A636), ref: 00520356
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 00520361
    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 00520368
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 00520373
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052038D
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052039D
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005203A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$Move$CheckHresult$List
    • String ID: Meter
    • API String ID: 1187231344-3757065616
    • Opcode ID: 17e5f0dfc91383940631720a2185c29458dfee2a52edaafaf61b5aaa187bd001
    • Instruction ID: 398cf5ddd9173817f2a02de8e16de2704f7aeffdaa8b87637830a43a79b0b96c
    • Opcode Fuzzy Hash: 17e5f0dfc91383940631720a2185c29458dfee2a52edaafaf61b5aaa187bd001
    • Instruction Fuzzy Hash: 46415B75900205AFDB00AFA4DD88EEEBBB8FF58701F104129F946E32A1DB745946CFA4
    Function 004E2050 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 93COMMON
    Download Yara Rule
    APIs
    • __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E206E
    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E209E
    • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E20B5
    • __vbaChkstk.MSVBVM60 ref: 004E20D5
    • __vbaLateMemSt.MSVBVM60(?,BackColor), ref: 004E20FC
    • __vbaChkstk.MSVBVM60 ref: 004E211C
    • __vbaLateMemSt.MSVBVM60(?,ForeColor), ref: 004E2143
    • __vbaChkstk.MSVBVM60 ref: 004E2164
    • __vbaLateMemSt.MSVBVM60(?,FontBold), ref: 004E218B
    • __vbaFreeVar.MSVBVM60 ref: 004E2194
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004E21A7
    • __vbaFreeObj.MSVBVM60(004E21BC), ref: 004E21B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Chkstk$Late$AddrefFree$Error
    • String ID: BackColor$FontBold$ForeColor
    • API String ID: 2377593748-149421768
    • Opcode ID: 32114f8cf9d652fb3c43dbe7ed70ff128f23b0042d95469268bb1a9921424d54
    • Instruction ID: d715099739130963f3a3398c5da853090f156fd761815eddd7c3cab81115ebad
    • Opcode Fuzzy Hash: 32114f8cf9d652fb3c43dbe7ed70ff128f23b0042d95469268bb1a9921424d54
    • Instruction Fuzzy Hash: 1A41E6B4910208DFCB04DF94CA48B9DBBF4FF48714F248169E405AB3A1C7B9AA45CF94
    Function 0050B220 Relevance: 25.6, APIs: 17, Instructions: 103COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(00000000,6D586783,0040A635), ref: 0050B269
      • Part of subcall function 00508290: __vbaStrI2.MSVBVM60(00402D90,6D48A323,6D49D8B1,?), ref: 005082CB
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60 ref: 005082DC
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60(?,000000FE,bit ), ref: 005082F3
      • Part of subcall function 00508290: __vbaStrCat.MSVBVM60(00000000), ref: 005082FC
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60 ref: 00508303
      • Part of subcall function 00508290: __vbaStrCat.MSVBVM60(0045E888,00000000), ref: 0050830B
      • Part of subcall function 00508290: __vbaStrMove.MSVBVM60 ref: 00508312
      • Part of subcall function 00508290: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00508322
    • __vbaStrMove.MSVBVM60(?), ref: 0050B283
    • __vbaStrCat.MSVBVM60(?,?), ref: 0050B293
    • __vbaStrMove.MSVBVM60 ref: 0050B29A
    • __vbaSetSystemError.MSVBVM60(?,?), ref: 0050B2AB
    • __vbaStrCat.MSVBVM60(?,?), ref: 0050B2B8
    • __vbaStrMove.MSVBVM60 ref: 0050B2BF
      • Part of subcall function 004E3BA0: __vbaChkstk.MSVBVM60(00000000,0040A636,004D144B,?,00000012), ref: 004E3BBE
      • Part of subcall function 004E3BA0: #526.MSVBVM60(?,00000000), ref: 004E3C2F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3C39
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3C44
      • Part of subcall function 004E3BA0: __vbaFreeVar.MSVBVM60 ref: 004E3C4D
      • Part of subcall function 004E3BA0: __vbaOnError.MSVBVM60(000000FF), ref: 004E3C5C
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(00000000,?), ref: 004E3C82
      • Part of subcall function 004E3BA0: #619.MSVBVM60(?,00000008,00000000), ref: 004E3C9F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3CA9
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3CB4
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3CC4
      • Part of subcall function 004E3BA0: __vbaStrCopy.MSVBVM60(?,00000000,0040A636,004D144B), ref: 004E3D38
      • Part of subcall function 004E3BA0: __vbaFreeStr.MSVBVM60(004E3D76,?,00000000,0040A636,004D144B), ref: 004E3D6F
    • __vbaStrMove.MSVBVM60(?,00000048,00000000), ref: 0050B2D2
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050B2D5
    • __vbaStrMove.MSVBVM60 ref: 0050B2DC
    • __vbaStrI2.MSVBVM60(00000000,00000000), ref: 0050B2E0
    • __vbaStrMove.MSVBVM60 ref: 0050B2EB
    • __vbaStrCat.MSVBVM60(00000000), ref: 0050B2EE
    • __vbaStrMove.MSVBVM60 ref: 0050B2F5
      • Part of subcall function 00507520: __vbaStrCopy.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 0050755A
      • Part of subcall function 00507520: __vbaNew2.MSVBVM60(00459D58,0062B924,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507572
      • Part of subcall function 00507520: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000020,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 00507597
      • Part of subcall function 00507520: __vbaStrCat.MSVBVM60(?,?,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075A8
      • Part of subcall function 00507520: __vbaStrMove.MSVBVM60(?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075B3
      • Part of subcall function 00507520: __vbaPrintObj.MSVBVM60(0045E7F8,?,00000000,?,6D49D8B1,6D48A323,?,?,?,?,00000000,0040A636), ref: 005075C3
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075CF
      • Part of subcall function 00507520: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000000,0040A636), ref: 005075D8
      • Part of subcall function 00507520: __vbaFreeStr.MSVBVM60(00507602,?,?,?,?,?,?,?,00000000,0040A636), ref: 005075FB
    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,00000000), ref: 0050B317
    • __vbaFreeStr.MSVBVM60(0050B35C), ref: 0050B354
    • __vbaFreeStr.MSVBVM60 ref: 0050B359
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CopyList$Error$#526#619CheckChkstkHresultNew2PrintSystem
    • String ID:
    • API String ID: 2979364526-0
    • Opcode ID: 6a547001f8134d145538e2850ac8c410a948f1e7c421e301ef47c22e8ebd5d82
    • Instruction ID: f873aefd9b19d15c779ee8ec5952a727392027dd51258a6ef335ff75fc3193bf
    • Opcode Fuzzy Hash: 6a547001f8134d145538e2850ac8c410a948f1e7c421e301ef47c22e8ebd5d82
    • Instruction Fuzzy Hash: 9531EDB5D00219ABDB01DBB4DD85DEFBBB8EF58300F10852AE506F3250EA74A905CFA4
    Function 0053A0D0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 164COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053A13D
    • __vbaCastObj.MSVBVM60(00000000), ref: 0053A140
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053A14B
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0053A15E
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0053A171
    • __vbaFreeVar.MSVBVM60 ref: 0053A17D
    • __vbaHresultCheckObj.MSVBVM60(00000000,A@,00454174,000000A4), ref: 0053A1A9
    • __vbaHresultCheckObj.MSVBVM60(00000000,A@,00454174,00000094), ref: 0053A1CB
    • __vbaNew2.MSVBVM60(00416620,006295C8), ref: 0053A1E3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004673D4,000002B0), ref: 0053A254
    • __vbaHresultCheckObj.MSVBVM60(00000000,A@,00454174,00000090), ref: 0053A27D
    • #598.MSVBVM60 ref: 0053A285
    • __vbaHresultCheckObj.MSVBVM60(00000000,A@,00454174,000000A4), ref: 0053A2A9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$#598Free$BoolCallCastLateListMoveNew2Null
    • String ID: A@
    • API String ID: 859811873-2073013064
    • Opcode ID: 9785d82e6e4dfe77b8d95cac6d5e4b5226c4d675224fd59449b0b59b2a2e8f5b
    • Instruction ID: aefafda88c9e7351d1127b8dc2363009937fba06ba04c868b65e3f533c05e6b5
    • Opcode Fuzzy Hash: 9785d82e6e4dfe77b8d95cac6d5e4b5226c4d675224fd59449b0b59b2a2e8f5b
    • Instruction Fuzzy Hash: 08516DB4A00204AFCB10DFA4CD89AAEBBB9FF88704F208529F545E7295D7749845CFA5
    Function 004F00B0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 92COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(6D5860EF,004026A0,6D4B8890), ref: 004F00F2
      • Part of subcall function 004F00B0: __vbaStrCopy.MSVBVM60(00000000,6D49D8B1,6D48A323), ref: 004EFE48
      • Part of subcall function 004F00B0: #571.MSVBVM60(00000000), ref: 004EFE64
      • Part of subcall function 004F00B0: __vbaLineInputStr.MSVBVM60(?,00000000), ref: 004EFE7F
      • Part of subcall function 004F00B0: #520.MSVBVM60(?,?), ref: 004EFE9A
      • Part of subcall function 004F00B0: __vbaStrVarMove.MSVBVM60(?), ref: 004EFEA4
      • Part of subcall function 004F00B0: __vbaStrMove.MSVBVM60 ref: 004EFEAF
      • Part of subcall function 004F00B0: __vbaFreeVar.MSVBVM60 ref: 004EFEB8
      • Part of subcall function 004F00B0: __vbaStrCopy.MSVBVM60 ref: 004EFEC2
      • Part of subcall function 004F00B0: #617.MSVBVM60(?,00004008,00000001), ref: 004EFEF4
      • Part of subcall function 004F00B0: __vbaVarTstEq.MSVBVM60(?,?), ref: 004EFF0C
      • Part of subcall function 004F00B0: __vbaFreeVar.MSVBVM60 ref: 004EFF18
      • Part of subcall function 004F00B0: __vbaLenBstr.MSVBVM60 ref: 004EFF31
      • Part of subcall function 004F00B0: #617.MSVBVM60(?,00004008,00000000), ref: 004EFF40
      • Part of subcall function 004F00B0: #528.MSVBVM60(?,?), ref: 004EFF4A
      • Part of subcall function 004F00B0: __vbaStrVarMove.MSVBVM60(?), ref: 004EFF54
    • __vbaStrMove.MSVBVM60(004026B0), ref: 004F0113
    • __vbaLenBstr.MSVBVM60(?), ref: 004F011F
    • __vbaInStr.MSVBVM60(00000000,0045BC70,?,00000001), ref: 004F013A
    • __vbaI2I4.MSVBVM60 ref: 004F0142
    • __vbaLenBstr.MSVBVM60(?), ref: 004F015B
    • #619.MSVBVM60(?,00004008,00000000), ref: 004F0171
    • #520.MSVBVM60(?,?), ref: 004F017F
    • __vbaStrVarMove.MSVBVM60(?), ref: 004F0189
    • __vbaStrMove.MSVBVM60 ref: 004F0194
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004F01A0
    • __vbaFreeStr.MSVBVM60(004F01DD), ref: 004F01D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$BstrCopy$#520#617$#528#571#619InputLineList
    • String ID: [RMAP]
    • API String ID: 1318988613-572510774
    • Opcode ID: bcb8c962be10d1dc1f431a3fa5008c58e56a46852d3e25b3040847a305984408
    • Instruction ID: 06f5f22b067c1c59c98cd2975f319e5259543de440b279d1f13cee5a704cd94e
    • Opcode Fuzzy Hash: bcb8c962be10d1dc1f431a3fa5008c58e56a46852d3e25b3040847a305984408
    • Instruction Fuzzy Hash: 5831FEB5D10219EBCB14DFA4DE489EEBBB9FF48701F00812AF901B3665D7785505CBA8
    Function 0052E2B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 144COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052E30C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0052E33A
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,00000094), ref: 0052E366
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0052E372
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052E389
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0052E3AC
    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0052E3B7
    • __vbaI2Var.MSVBVM60(00000000), ref: 0052E3C1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0052E3DE
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,00000094), ref: 0052E402
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0052E412
    • __vbaFreeVar.MSVBVM60 ref: 0052E41E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$List$CallLate
    • String ID: p;@
    • API String ID: 218016265-3789430762
    • Opcode ID: be52060b96a52922179005a41b121b856d0ed64fe843198f28be9a6abad5358b
    • Instruction ID: a77709af728fb2c1e396482f28e317dcbca1bff65a68de28231b4fb6be87805b
    • Opcode Fuzzy Hash: be52060b96a52922179005a41b121b856d0ed64fe843198f28be9a6abad5358b
    • Instruction Fuzzy Hash: A6514B71900215AFDB00DFA4CD89FAEBBBCFF49705F108529F605E7291E674A906CBA4
    Function 005DD230 Relevance: 22.6, APIs: 15, Instructions: 133COMMON
    Download Yara Rule
    APIs
    • __vbaStrMove.MSVBVM60(?,00000004,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD2B9
    • __vbaStrCat.MSVBVM60(0045F144,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD2C1
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD2CC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD2E8
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD2F8
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD304
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD296
      • Part of subcall function 004E40A0: __vbaVarDup.MSVBVM60(6D48A323,6D49D8B1,00401420), ref: 004E4103
      • Part of subcall function 004E40A0: #607.MSVBVM60(?,?,?), ref: 004E4116
      • Part of subcall function 004E40A0: #573.MSVBVM60(?,?), ref: 004E413A
      • Part of subcall function 004E40A0: #520.MSVBVM60(?,?), ref: 004E4148
      • Part of subcall function 004E40A0: __vbaVarCat.MSVBVM60(?,?,?,?), ref: 004E415B
      • Part of subcall function 004E40A0: #619.MSVBVM60(?,00000000), ref: 004E4166
      • Part of subcall function 004E40A0: __vbaStrVarMove.MSVBVM60(?), ref: 004E4170
      • Part of subcall function 004E40A0: __vbaStrMove.MSVBVM60 ref: 004E417B
      • Part of subcall function 004E40A0: __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 004E419B
    • __vbaHresultCheckObj.MSVBVM60(00000000,004088B0,00462138,000007A0,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD333
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD347
    • __vbaStrMove.MSVBVM60(?,00000004,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD36A
    • __vbaStrCat.MSVBVM60(0045F144,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD372
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD37D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD399
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD3A9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD3B5
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$CheckHresultList$#520#573#607#619
    • String ID:
    • API String ID: 1567110447-0
    • Opcode ID: 3de8e8fab6095df09d355126da1cf002f1742c61a5243d9b25cf7144fa234f49
    • Instruction ID: 45e466317620a701e30b05a63c3d648865f0b37cfae999c26796146e806ef4fa
    • Opcode Fuzzy Hash: 3de8e8fab6095df09d355126da1cf002f1742c61a5243d9b25cf7144fa234f49
    • Instruction Fuzzy Hash: DE418D75A00209EFDB10AF64CD49EAFBBB8FF85301F10412AF945E72A1DB745906CBA5
    Function 004E4200 Relevance: 22.6, APIs: 15, Instructions: 117COMMON
    Download Yara Rule
    APIs
    • __vbaFPInt.MSVBVM60(6D49D9D4,6D49D8B1,6D5868D4), ref: 004E425D
    • __vbaStrR4.MSVBVM60 ref: 004E4267
    • __vbaStrMove.MSVBVM60 ref: 004E4278
    • __vbaLenBstr.MSVBVM60(00000000), ref: 004E427B
    • __vbaI2I4.MSVBVM60 ref: 004E4283
    • __vbaFreeStr.MSVBVM60 ref: 004E428E
    • __vbaVarDup.MSVBVM60 ref: 004E42BF
    • #607.MSVBVM60(?,?,?), ref: 004E42DC
    • __vbaVarDup.MSVBVM60 ref: 004E42FF
    • __vbaVarCat.MSVBVM60(?,?,?), ref: 004E432E
    • #681.MSVBVM60(?,0000000B,?,00000000), ref: 004E4344
    • __vbaStrVarMove.MSVBVM60(?), ref: 004E434E
    • __vbaStrMove.MSVBVM60 ref: 004E4359
    • __vbaFreeVarList.MSVBVM60(00000006,?,?,0000000B,?,?,?), ref: 004E4378
    • __vbaErrorOverflow.MSVBVM60(?), ref: 004E43D8
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$#607#681BstrErrorListOverflow
    • String ID:
    • API String ID: 4223699147-0
    • Opcode ID: ec2eebe082f656eae362b6e41afe1271badef79b478d91fe2023d646c92e2c32
    • Instruction ID: cd71f91198eb11b10888e6100f508b265473386e21a5ebfc2d7dd16426544df2
    • Opcode Fuzzy Hash: ec2eebe082f656eae362b6e41afe1271badef79b478d91fe2023d646c92e2c32
    • Instruction Fuzzy Hash: B04107B5900219DFCB54DFA4CD88BEEBBB4FB48300F0086AAE509E7250EB745A49CF55
    Function 0059A2C0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,?,?,?,?,0040A636), ref: 0059A31F
    • __vbaCastObj.MSVBVM60(Pi@,00454AC4,?,?,?,?,?,?,?,?,?,0040A636), ref: 0059A331
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 0059A342
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006FC,?,?,?,?,?,?,?,?,?,0040A636), ref: 0059A367
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0059A370
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0059A38B
    • __vbaStrI2.MSVBVM60(?), ref: 0059A399
    • __vbaStrMove.MSVBVM60 ref: 0059A3A4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 0059A3C4
    • __vbaFreeStr.MSVBVM60 ref: 0059A3CD
    • __vbaFreeObj.MSVBVM60 ref: 0059A3D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$CastMoveNew2
    • String ID: Pi@
    • API String ID: 1324927033-1360946908
    • Opcode ID: a7765c43f6c211a3badc4c7aff42e1293dc3be84715403a2e8d925909f7dbe40
    • Instruction ID: 14576f30cea2622ca393043dac2d251d7635f8af6f591afaa55d65fa95710b06
    • Opcode Fuzzy Hash: a7765c43f6c211a3badc4c7aff42e1293dc3be84715403a2e8d925909f7dbe40
    • Instruction Fuzzy Hash: 72319070900606EFCB10EF64CE88EAE7BB8FF48705F104129F846A71A1D7785942CFA5
    Function 0053F340 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 149COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053F3A2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053F3D0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053F3EE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 0053F416
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464200,000000F0), ref: 0053F43C
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00464200,00000150), ref: 0053F464
    • __vbaI2I4.MSVBVM60 ref: 0053F469
    • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0053F483
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0053F498
    • __vbaGenerateBoundsError.MSVBVM60 ref: 0053F4B1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$BoundsErrorGenerate$FreeList
    • String ID: PC@
    • API String ID: 3864926614-1047898868
    • Opcode ID: 2ebb719f38a4434a41d55e61aa1c395f93dffce4c700f2ecdc9ffd5c1c796125
    • Instruction ID: 2f5221a6c076ae1da271c4d3c21557492405d7d75b185c775c0746566fd35022
    • Opcode Fuzzy Hash: 2ebb719f38a4434a41d55e61aa1c395f93dffce4c700f2ecdc9ffd5c1c796125
    • Instruction Fuzzy Hash: 1E515E71900205EFCB00DFA4CC88EAEBBB9FF8D701F108129F505A7291D774A945CB64
    Function 00538080 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 130COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005380EA
    • __vbaCastObj.MSVBVM60(00000000), ref: 005380ED
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005380F8
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0053810B
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0053811E
    • __vbaFreeVar.MSVBVM60 ref: 0053812A
    • __vbaHresultCheckObj.MSVBVM60(00000000,@@,00454174,000000A4), ref: 00538156
    • __vbaNew2.MSVBVM60(004223A8,00629550), ref: 0053816E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004645E0,000002B0), ref: 005381DC
    • __vbaHresultCheckObj.MSVBVM60(00000000,@@,00454174,000000A4), ref: 005381FE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$#598BoolCallCastLateListMoveNew2Null
    • String ID: @@
    • API String ID: 753687219-1653905929
    • Opcode ID: 810e2df569537e097f30007e505ba1d7285c367eac608a7b8a662edca8872682
    • Instruction ID: 68739e17ef9f3f6a3289faf1fe3a6991e92f8069c32b62b3ac0283ab69bcd626
    • Opcode Fuzzy Hash: 810e2df569537e097f30007e505ba1d7285c367eac608a7b8a662edca8872682
    • Instruction Fuzzy Hash: 6941AFB4A00308AFCB00DFA8D989AAEBBB9FF48704F10812DF545E7291D7749946CF94
    Function 00536210 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 130COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0053627A
    • __vbaCastObj.MSVBVM60(00000000), ref: 0053627D
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00536288
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0053629B
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005362AE
    • __vbaFreeVar.MSVBVM60 ref: 005362BA
    • __vbaHresultCheckObj.MSVBVM60(00000000,8@@,00454174,000000A4), ref: 005362E6
    • __vbaNew2.MSVBVM60(004103F4,00629514), ref: 005362FE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00466510,000002B0), ref: 0053636C
    • __vbaHresultCheckObj.MSVBVM60(00000000,8@@,00454174,000000A4), ref: 0053638E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$#598BoolCallCastLateListMoveNew2Null
    • String ID: 8@@
    • API String ID: 753687219-1402758063
    • Opcode ID: 91d2030cb48221794559646533f80d1e2f51298dfdef4541dd77f6011cb95c8d
    • Instruction ID: 82ad404b43534f698a1ef32d56896a59a730ec1ca468e81622d2ce6eff28b3f7
    • Opcode Fuzzy Hash: 91d2030cb48221794559646533f80d1e2f51298dfdef4541dd77f6011cb95c8d
    • Instruction Fuzzy Hash: D5417DB4A00304AFCB00DFA8C989A9EBBB9FF49704F10842DF545E7291D7759945CFA5
    Function 005AD0C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AD128
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AD13D
    • __vbaCastObj.MSVBVM60(00000000), ref: 005AD140
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AD14B
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 005AD15D
    • __vbaCastObj.MSVBVM60(00000000), ref: 005AD160
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005AD16B
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 005AD182
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 005AD1A0
    • __vbaFreeVar.MSVBVM60 ref: 005AD1AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID: Xp@
    • API String ID: 884622350-3289226876
    • Opcode ID: 638c93cce04c8f07c1656fa78e566af54506fd44673ce6880d9945bc671d5491
    • Instruction ID: df1098c07ab131a7b24edc2db14192f8e05f8637b5af996a8a47d16f5439c0f8
    • Opcode Fuzzy Hash: 638c93cce04c8f07c1656fa78e566af54506fd44673ce6880d9945bc671d5491
    • Instruction Fuzzy Hash: B4310DB1800209ABCB00EFA4CD85DEEBBBCFF48700F14452AF546A3150D7746945CFA4
    Function 00577150 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005771B8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005771CD
    • __vbaCastObj.MSVBVM60(00000000), ref: 005771D0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005771DB
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 005771ED
    • __vbaCastObj.MSVBVM60(00000000), ref: 005771F0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005771FB
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 00577212
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 00577230
    • __vbaFreeVar.MSVBVM60 ref: 0057723C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID: Z@
    • API String ID: 884622350-3535364306
    • Opcode ID: 3efefe1cd61b65de4d7f390e7d327b9c4bef86a832bc87e72e272db6a9ed61f3
    • Instruction ID: 5e0fc816f1f275de2e366107c1520aa34ec1a24cd5589ba8b6bd6e15b656e7a6
    • Opcode Fuzzy Hash: 3efefe1cd61b65de4d7f390e7d327b9c4bef86a832bc87e72e272db6a9ed61f3
    • Instruction Fuzzy Hash: E03119B6800209ABCB00DFA4CD88DEEBBBCFF48710F14452AF545A3151D778A945CFA4
    Function 005C01D0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C0238
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C024D
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C0250
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C025B
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 005C026D
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C0270
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C027B
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 005C0292
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 005C02B0
    • __vbaFreeVar.MSVBVM60 ref: 005C02BC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID: xy@
    • API String ID: 884622350-763519957
    • Opcode ID: ff1c7f6f3b75411611b36293ad8dcb0051c5f819b36aabab5c178e44ecdb21fa
    • Instruction ID: aaef71db9b697baf85ffb622fa893893d392828e270a77190919471465fa7a77
    • Opcode Fuzzy Hash: ff1c7f6f3b75411611b36293ad8dcb0051c5f819b36aabab5c178e44ecdb21fa
    • Instruction Fuzzy Hash: 9531E6B2800249ABCB00DFA4C989DEEBBBCFF48710F14452AE545A3150D778AA45CBA4
    Function 00516280 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 96COMMON
    Download Yara Rule
    APIs
    • __vbaStrCat.MSVBVM60(80020004,Project has been changed - save it), ref: 005162F7
    • __vbaStrMove.MSVBVM60 ref: 005162FE
    • __vbaStrCat.MSVBVM60(00462078,00000000), ref: 0051630A
    • #595.MSVBVM60(?,00000003,?,?,?), ref: 00516328
    • __vbaI2I4.MSVBVM60 ref: 00516336
    • __vbaFreeStr.MSVBVM60 ref: 0051633D
    • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 00516355
    • __vbaI2I4.MSVBVM60 ref: 00516363
    • __vbaI2I4.MSVBVM60 ref: 00516381
      • Part of subcall function 004E71D0: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E71EE
      • Part of subcall function 004E71D0: __vbaOnError.MSVBVM60(00000001,?,?,?,?,0040A636), ref: 004E721E
      • Part of subcall function 004E71D0: __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 004E7252
      • Part of subcall function 004E71D0: __vbaChkstk.MSVBVM60 ref: 004E7273
      • Part of subcall function 004E71D0: __vbaObjSet.MSVBVM60(?,00000000), ref: 004E72BD
      • Part of subcall function 004E71D0: __vbaLateIdSt.MSVBVM60(00000000), ref: 004E72C4
      • Part of subcall function 004E71D0: __vbaFreeObj.MSVBVM60 ref: 004E72CD
      • Part of subcall function 004E71D0: __vbaStrCat.MSVBVM60(AFC,Config Script (*.), ref: 004E72E4
      • Part of subcall function 004E71D0: __vbaStrMove.MSVBVM60 ref: 004E72EF
      • Part of subcall function 004E71D0: __vbaStrCat.MSVBVM60()|*.,00000000), ref: 004E72FB
      • Part of subcall function 004E71D0: __vbaStrMove.MSVBVM60 ref: 004E7306
      • Part of subcall function 004E71D0: __vbaStrCat.MSVBVM60(AFC,00000000), ref: 004E7312
      • Part of subcall function 004E71D0: __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 004E7335
      • Part of subcall function 004E71D0: __vbaChkstk.MSVBVM60 ref: 004E7356
    Strings
    • Project has been changed - save it, xrefs: 005162E6
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$ChkstkFreeMove$New2$#595ErrorLateList
    • String ID: Project has been changed - save it
    • API String ID: 2498685327-2763081510
    • Opcode ID: 52af9c769f80c2f4b316fee0b45d0eb0fb2295090b65528c6dad118f052698d5
    • Instruction ID: bd57df40466850ceed31ec688954e8c9e74886722a252e736fe89f0604ec803b
    • Opcode Fuzzy Hash: 52af9c769f80c2f4b316fee0b45d0eb0fb2295090b65528c6dad118f052698d5
    • Instruction Fuzzy Hash: E5316AB5D0022CAFDB10DFE4DD80AEEBBB9FB48310F40462EE615A7290D7B41944CBA5
    Function 005B7110 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B7174
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B7177
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B7182
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 005B7195
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005B71A8
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B71B4
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B71D1
    • __vbaObjSetAddref.MSVBVM60(?,Xt@,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B71E7
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010), ref: 005B7204
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005B720D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598AddrefBoolCallCastCheckHresultLateListMoveNew2Null
    • String ID: Xt@
    • API String ID: 469253076-2690734968
    • Opcode ID: a82499d7cc16393451a9d84aad78b8d845745a969eaca5d48aa1beec89804d24
    • Instruction ID: 4bc3915a417554815cedc885b5f66ce209ecc560f736c9089e3f5f491d2dae10
    • Opcode Fuzzy Hash: a82499d7cc16393451a9d84aad78b8d845745a969eaca5d48aa1beec89804d24
    • Instruction Fuzzy Hash: EB315C75C00249EFCB10DFA4DD899EEBBB9FB89700F108529F645B3290D774A946CBA4
    Function 005502A0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00550304
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00550307
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00550312
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 00550325
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00550338
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00550344
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00550361
    • __vbaObjSetAddref.MSVBVM60(?,hH@,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00550377
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010), ref: 00550394
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055039D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598AddrefBoolCallCastCheckHresultLateListMoveNew2Null
    • String ID: hH@
    • API String ID: 469253076-4160341783
    • Opcode ID: 52a88cd1420cc2905730ad91936fa39c257614b88f27a97996694abf0d1b9c24
    • Instruction ID: b758b56da7cd8ab933a72447547d0b7e3b5a762c94cbb7215721c62e72abd15d
    • Opcode Fuzzy Hash: 52a88cd1420cc2905730ad91936fa39c257614b88f27a97996694abf0d1b9c24
    • Instruction Fuzzy Hash: C5315E75C00249EBCB10DFA4DD899EEBBB8FF48701F108529FA45B3290D7749949CBA4
    Function 005901A0 Relevance: 18.1, APIs: 12, Instructions: 115COMMON
    Download Yara Rule
    APIs
    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005901E5
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005901FC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 00590223
    • __vbaI2Str.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00590233
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0059023B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00590244
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00590269
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A0), ref: 00590290
    • __vbaI2Str.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0059029A
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005902A2
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005902AB
    • __vbaExitProc.MSVBVM60 ref: 005902F1
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresult$ErrorExitProc
    • String ID:
    • API String ID: 120088924-0
    • Opcode ID: d5ec5d71c405590ebed2fc2c09b2162a3390fe1cdee26b049d4fb4553c9fd7c9
    • Instruction ID: 5fdc4c0c50f93283e75d1cd8318d775be20be9b3eeb07f1fa00f74f64e6992e7
    • Opcode Fuzzy Hash: d5ec5d71c405590ebed2fc2c09b2162a3390fe1cdee26b049d4fb4553c9fd7c9
    • Instruction Fuzzy Hash: 06413575900249AFCF00DFA8C988AEEBBB8FF4C700F54456AF545B3290D774A945CBA4
    Function 0052B040 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 103COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B0A6
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B0BB
    • __vbaStrR4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B0E2
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B0ED
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B110
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B119
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B122
    • __vbaHresultCheckObj.MSVBVM60(00000000,09@,004541A4,00000818,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B153
    • __vbaHresultCheckObj.MSVBVM60(00000000,09@,004541A4,00000810,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052B172
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$BoundsErrorGenerateMove
    • String ID: 09@
    • API String ID: 4294095422-2742218920
    • Opcode ID: e58019d83c5dcef19ac1ad8f6a33686e470cc26736f806cf3407ca15fcff7da2
    • Instruction ID: 7519845a99b29c2b24f7ea02fb6c2d82f728ac0c6d58e5c8874768cd256b71ab
    • Opcode Fuzzy Hash: e58019d83c5dcef19ac1ad8f6a33686e470cc26736f806cf3407ca15fcff7da2
    • Instruction Fuzzy Hash: 5C41E235900615EBDB10DF64CD8CAAEBBBCFF49701F10812AF582A72E0CB745942CB94
    Function 0057B1D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 95COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057B238
    • __vbaVarDup.MSVBVM60 ref: 0057B254
    • __vbaVarDup.MSVBVM60 ref: 0057B26E
    • #681.MSVBVM60(?,?,?,?), ref: 0057B294
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 0057B2A4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054), ref: 0057B2BE
    • __vbaFreeStr.MSVBVM60 ref: 0057B2C7
    • __vbaFreeObj.MSVBVM60 ref: 0057B2D0
    • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0057B2E4
    Strings
    • Click the box or press any key for details., xrefs: 0057B260
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#681CheckHresultList
    • String ID: Click the box or press any key for details.
    • API String ID: 3140502675-1862394547
    • Opcode ID: 0c17fa9cfe1a872171bd9a4b4ecde04d43baaee222ada2e905b9b6d81637db91
    • Instruction ID: 849ebc1cf8decb2e62cef2a88dbc75006ad44d4541806f46831dd0db58f22eb0
    • Opcode Fuzzy Hash: 0c17fa9cfe1a872171bd9a4b4ecde04d43baaee222ada2e905b9b6d81637db91
    • Instruction Fuzzy Hash: 1B4107B1C0020AAFDB00DFE5C948AEEBBB8FF58705F10851AE525B72A1D7B4550ACF94
    Function 005DE030 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 73COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE089
    • __vbaStrCat.MSVBVM60(?,Read-only.,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0A5
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0AC
    • __vbaStrCat.MSVBVM60(0 PLC on-line, 1 PLC off-line.,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0B8
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0BF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0D9
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0E9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE0F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$CheckHresultList
    • String ID: 0 PLC on-line, 1 PLC off-line.$Read-only.
    • API String ID: 1301103077-2311684056
    • Opcode ID: 07f5c8b98ecc9680c39ecb0cb3f148356299c09bd1fe3d36ccfd196506d1453d
    • Instruction ID: d14cf792c14b052f56420a6d1cc1dfeaae2494f97bb212d5c505eedcc3374edc
    • Opcode Fuzzy Hash: 07f5c8b98ecc9680c39ecb0cb3f148356299c09bd1fe3d36ccfd196506d1453d
    • Instruction Fuzzy Hash: C4215175900205EFDB10AFA4CD49AEEBBB8FF48700F10816AF945F32A0D7745945CBA4
    Function 005DE150 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 73COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE1A9
    • __vbaStrCat.MSVBVM60(?,Read-only.,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE1C5
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE1CC
    • __vbaStrCat.MSVBVM60(Click the box or press any key to view.,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE1D8
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE1DF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE1F9
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE209
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DE215
    Strings
    • Read-only., xrefs: 005DE1BD
    • Click the box or press any key to view., xrefs: 005DE1D3
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$CheckHresultList
    • String ID: Click the box or press any key to view.$Read-only.
    • API String ID: 1301103077-3410613766
    • Opcode ID: 61a2b244aa8c1ccca26b0b095ad111bdb3931bf6fa2fbe3b3711e0d0e453985c
    • Instruction ID: 5128cb629e14ac32b1bc24a29f29d5c5a471c587f455ca2780559248ca9482a7
    • Opcode Fuzzy Hash: 61a2b244aa8c1ccca26b0b095ad111bdb3931bf6fa2fbe3b3711e0d0e453985c
    • Instruction Fuzzy Hash: EB213B75900215EFDB10AFA4CE49AEEBBB8FB48700F10816AF945F32A0D77859058BA4
    Function 004D0200 Relevance: 17.5, APIs: 3, Strings: 7, Instructions: 46COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D0280
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004D0288
    • __vbaFreeStr.MSVBVM60(004D02A5,?,?,?,?,?,?,0040A636), ref: 004D029E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$Free
    • String ID: Modbus gateway$Modbus master$Modbus pass-thru$Quantum time-of-day clock$Supervisory input to PLC from AFC$Supervisory output from PLC to AFC$Wallclock
    • API String ID: 2739001702-3926795770
    • Opcode ID: 5ea2bcd8f76c1bb7aa9bdd0b6d8013d4c7143b53378004ce92a29b8555f45dcf
    • Instruction ID: 60adcb2dba67712f21139ea9e386be264404762aafab291838ee83b4783f5f14
    • Opcode Fuzzy Hash: 5ea2bcd8f76c1bb7aa9bdd0b6d8013d4c7143b53378004ce92a29b8555f45dcf
    • Instruction Fuzzy Hash: DC013930906149DBCB04DA949A29B7B7A74EB84745F30C0BBD80263BA5D7B85D4AC78A
    Function 00530110 Relevance: 16.6, APIs: 11, Instructions: 133COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00530179
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040), ref: 005301A1
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005301B7
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005301C5
    • __vbaStrI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005301EE
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005301F9
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00452A8C,000000A4), ref: 0053021C
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00530225
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00530235
    • __vbaHresultCheckObj.MSVBVM60(00000000,00403C08,004541A4,000008A4), ref: 0053026E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00403C08,004541A4,0000089C), ref: 0053028E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$BoundsErrorFreeGenerate$ListMove
    • String ID:
    • API String ID: 1135899227-0
    • Opcode ID: b243ce79202e3d7b688cc8ce9d6cfa492c37ed755b292e73fdabc2b98ceeb6fa
    • Instruction ID: b40481c02e6490f84159ef96caf20e3f549bdd6100ecaea220d87f5f7d272053
    • Opcode Fuzzy Hash: b243ce79202e3d7b688cc8ce9d6cfa492c37ed755b292e73fdabc2b98ceeb6fa
    • Instruction Fuzzy Hash: 12419E35900315ABDB10DF64CD5CAAFBBB8FF89704F10412AF985A72A0D7745946CB94
    Function 005FA2D0 Relevance: 16.6, APIs: 11, Instructions: 124COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005FA345
    • __vbaVarDup.MSVBVM60 ref: 005FA361
    • __vbaStrI2.MSVBVM60(00000001), ref: 005FA36F
    • #681.MSVBVM60(?,?,?,?), ref: 005FA399
    • __vbaStrVarVal.MSVBVM60(?,?), ref: 005FA3A9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005FA3C9
    • __vbaFreeStr.MSVBVM60 ref: 005FA3D2
    • __vbaFreeObj.MSVBVM60 ref: 005FA3DB
    • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 005FA3EF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409660,00463E10,000007D0), ref: 005FA422
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409660,00463E10,000007C8), ref: 005FA441
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$#681List
    • String ID:
    • API String ID: 1489615832-0
    • Opcode ID: ffa94e01be235b06979eebb3228b9106d57fd0c21e4a4bb2f300079a23dc6cfc
    • Instruction ID: 5bcfd2c0d8907dce4edd2d9673bdffebc3dc47b0c90a28b43ef8f986ac32f889
    • Opcode Fuzzy Hash: ffa94e01be235b06979eebb3228b9106d57fd0c21e4a4bb2f300079a23dc6cfc
    • Instruction Fuzzy Hash: 67413FB5C01209ABCB00DFA4C988AEEBBB8FF48705F10852DF959B7250D7745946CFA5
    Function 0055E220 Relevance: 16.6, APIs: 11, Instructions: 108COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055E287
    • __vbaCastObj.MSVBVM60(00000000), ref: 0055E28A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0055E295
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0055E2A8
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0055E2BB
    • __vbaFreeVar.MSVBVM60 ref: 0055E2C7
    • __vbaRaiseEvent.MSVBVM60(00404F10,00000001,00000001), ref: 0055E2FC
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 0055E318
    • __vbaObjSetAddref.MSVBVM60(?,00404F10), ref: 0055E32E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010), ref: 0055E34B
    • __vbaFreeObj.MSVBVM60 ref: 0055E354
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598AddrefBoolCallCastCheckEventHresultLateListMoveNew2NullRaise
    • String ID:
    • API String ID: 2398776187-0
    • Opcode ID: 770c9ea645c3c1ae4369a2af0d09a920932fb3255e619bb4a42a9cbde642340b
    • Instruction ID: d07e2f95c1ddfb4e638a8bec974758ec58acba311e0b0620d3977c935a887eb6
    • Opcode Fuzzy Hash: 770c9ea645c3c1ae4369a2af0d09a920932fb3255e619bb4a42a9cbde642340b
    • Instruction Fuzzy Hash: 48416F71D00209AFCB04DFA4DD89AEEBBB9FB48701F10852AF905E3291D774A945CF94
    Function 00594160 Relevance: 16.6, APIs: 11, Instructions: 97COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005941C6
    • __vbaLateIdCallLd.MSVBVM60(?,?,0000000A,00000000), ref: 005941DD
    • __vbaI4Var.MSVBVM60(00000000), ref: 005941E9
    • __vbaLateIdSt.MSVBVM60(?,0000000C), ref: 0059420C
    • __vbaFreeVar.MSVBVM60 ref: 00594215
    • __vbaLateIdCallLd.MSVBVM60(?,?,0000000B,00000000), ref: 00594227
    • __vbaI4Var.MSVBVM60(00000000), ref: 0059422D
    • __vbaLateIdSt.MSVBVM60(?,0000000D), ref: 0059424D
    • __vbaFreeVar.MSVBVM60 ref: 00594256
    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00594262
    • __vbaFreeObj.MSVBVM60(00594288), ref: 00594281
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$Call$Addref
    • String ID:
    • API String ID: 1906524922-0
    • Opcode ID: 673bbfbadb0f96bb696f56d9e4419baf5bb387b613d571a4e349694f4f4486c3
    • Instruction ID: 36f04f167930e73e93e4353fc0e65f0e1f5f3baba8672cb4613a17873c56b62e
    • Opcode Fuzzy Hash: 673bbfbadb0f96bb696f56d9e4419baf5bb387b613d571a4e349694f4f4486c3
    • Instruction Fuzzy Hash: CB311C71D00209ABDB00DFA8CD49A9EFFB8FF88700F148669E505BB291D774A981CF94
    Function 005E6350 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E63AF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E63D3
    • __vbaCastObj.MSVBVM60(?,0045B140,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E63E2
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E63ED
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E6406
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E642D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E644B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E6454
    Strings
    • Enter the address in the Primary Slave to remap., xrefs: 005E6431
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$CastList
    • String ID: Enter the address in the Primary Slave to remap.
    • API String ID: 2614944204-3967374770
    • Opcode ID: 013432d53705c7d85bb4444ffcb230f6ec226470a8a14cb9294afa75399c7fa1
    • Instruction ID: ef8267de2a38629398ff971d91dfd53b09f66fc9289a10e1c118b55bc1428363
    • Opcode Fuzzy Hash: 013432d53705c7d85bb4444ffcb230f6ec226470a8a14cb9294afa75399c7fa1
    • Instruction Fuzzy Hash: 84315C71900209ABCB00DFA4CD89EEEBBB8FF48740F108569F945E7290E7789945CBA4
    Function 00564000 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 00564062
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00564074
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0056407F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,0040A636), ref: 005640A2
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005640AB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005640B4
    • __vbaHresultCheckObj.MSVBVM60(00000000,PQ@,00469870,0000073C,?,?,?,?,?,?,?,?,?,0040A636), ref: 005640E5
    • __vbaHresultCheckObj.MSVBVM60(00000000,PQ@,00469870,00000730,?,?,?,?,?,?,?,?,?,0040A636), ref: 00564104
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID: PQ@
    • API String ID: 1879641673-1182915111
    • Opcode ID: b049987727a486ce960b61fef3bab1afb68838759f32686c1a36a606239643a1
    • Instruction ID: 51ae50abd72c169b8bcb833a3586808803b02bf3c9287d5c1205520b7a7f182e
    • Opcode Fuzzy Hash: b049987727a486ce960b61fef3bab1afb68838759f32686c1a36a606239643a1
    • Instruction Fuzzy Hash: B0319E34900215EBCB10AF64CD48AAFBFB8FF55741F20812AF946A7290DB785982CF95
    Function 005342F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 00534351
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,0040A636), ref: 00534354
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 0053435F
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00534374
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 0053438B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 005343A9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005343B2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeLate$Check$CallCastHresultListType
    • String ID: A number between 0.5 and 2.0; default is 1.0.$>@
    • API String ID: 2919248683-3846370368
    • Opcode ID: 6014427ff283afe26b74780d982e5ae50fe24025755e5e80ec4081e8ab3e42dc
    • Instruction ID: 2c23ea669ad23ee128bfd9a125c5e29364ff462d93aa9879fcb9ecc138733eee
    • Opcode Fuzzy Hash: 6014427ff283afe26b74780d982e5ae50fe24025755e5e80ec4081e8ab3e42dc
    • Instruction Fuzzy Hash: 84213D75900209ABC700AFA4CD89EEFBBBCFF44700F104529F941A3191D778A9468FD0
    Function 0055F1A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F1F9
    • __vbaStrCat.MSVBVM60(?,Discard changes and return to ,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F215
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F21C
    • __vbaStrCat.MSVBVM60(0045AD00,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F228
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F22F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F249
    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F259
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0055F265
    Strings
    • Discard changes and return to , xrefs: 0055F20D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeMove$CheckHresultList
    • String ID: Discard changes and return to
    • API String ID: 1301103077-2967150034
    • Opcode ID: 6b95818923284c6e931ab4165541846187b13ac2620e5648af9f6b8661d3dae2
    • Instruction ID: 8e7230f6a7f38369d2c5ba46b16dd8de3381664313628b044b9fd5c786c7b20f
    • Opcode Fuzzy Hash: 6b95818923284c6e931ab4165541846187b13ac2620e5648af9f6b8661d3dae2
    • Instruction Fuzzy Hash: F8214F75900215AFDB009F64DD49AAEBBBCFF48701F10816AF941F32A0D77459458B94
    Function 0055B050 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67COMMON
    Download Yara Rule
    APIs
    • __vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 0055B0A3
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000094,?,?,?,?,?,?,0040A636), ref: 0055B0CF
    • __vbaCastObj.MSVBVM60(00000000,00454AC4,?,?,?,?,?,?,0040A636), ref: 0055B0DB
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 0055B0E6
    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 0055B0EE
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 0055B0F7
    • __vbaRaiseEvent.MSVBVM60( N@,00000002,00000000,?,?,?,?,?,?,0040A636), ref: 0055B101
    • #598.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 0055B10A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$#598AddrefCastCheckEventFreeHresultRaise
    • String ID: N@
    • API String ID: 2300630523-3744120041
    • Opcode ID: f3e3dd5d7f727453c8f0fc08c73039798d0026f62268ba4a969b525d6266e432
    • Instruction ID: b1be9a9071a4b874905c858007470f4b7693e01ce4561b6e8aeaf0d89eaf0fd4
    • Opcode Fuzzy Hash: f3e3dd5d7f727453c8f0fc08c73039798d0026f62268ba4a969b525d6266e432
    • Instruction Fuzzy Hash: 592190B1500245BFD7009FA4CD8DEAABBBCFF44705F20822AF955A71E1C7345946CB94
    Function 004CD1F0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004CD150: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004CD1B4
      • Part of subcall function 004CD150: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004CD1BC
      • Part of subcall function 004CD150: __vbaFreeStr.MSVBVM60(004CD1D9,?,?,?,?,?,?,0040A636), ref: 004CD1D2
    • __vbaStrMove.MSVBVM60(00401690), ref: 004CD241
    • #518.MSVBVM60(?,?), ref: 004CD26C
    • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 004CD27E
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 004CD285
    • __vbaStrMove.MSVBVM60 ref: 004CD290
    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004CD29C
    • __vbaStrCopy.MSVBVM60 ref: 004CD2AB
    • __vbaFreeStr.MSVBVM60(004CD2E5), ref: 004CD2DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyFreeMove$#518List
    • String ID: Gross
    • API String ID: 1660877321-704844665
    • Opcode ID: fe2cb66bbbfe88d804a2dcbc5921644133004f39276184439b641e473a0e0190
    • Instruction ID: 21588acdbd3dff1d5c12d8d62f4dfac0e9e2e693271d81645df38c7b170a0086
    • Opcode Fuzzy Hash: fe2cb66bbbfe88d804a2dcbc5921644133004f39276184439b641e473a0e0190
    • Instruction Fuzzy Hash: AF21EDB5C00209AFCB04DFE4D945AEEBBB8FB48304F10C12AE515B7254EB785506CF54
    Function 00508290 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57COMMON
    Download Yara Rule
    APIs
    • __vbaStrI2.MSVBVM60(00402D90,6D48A323,6D49D8B1,?), ref: 005082CB
    • __vbaStrMove.MSVBVM60 ref: 005082DC
      • Part of subcall function 004E3BA0: __vbaChkstk.MSVBVM60(00000000,0040A636,004D144B,?,00000012), ref: 004E3BBE
      • Part of subcall function 004E3BA0: #526.MSVBVM60(?,00000000), ref: 004E3C2F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3C39
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3C44
      • Part of subcall function 004E3BA0: __vbaFreeVar.MSVBVM60 ref: 004E3C4D
      • Part of subcall function 004E3BA0: __vbaOnError.MSVBVM60(000000FF), ref: 004E3C5C
      • Part of subcall function 004E3BA0: __vbaStrCat.MSVBVM60(00000000,?), ref: 004E3C82
      • Part of subcall function 004E3BA0: #619.MSVBVM60(?,00000008,00000000), ref: 004E3C9F
      • Part of subcall function 004E3BA0: __vbaStrVarMove.MSVBVM60(?), ref: 004E3CA9
      • Part of subcall function 004E3BA0: __vbaStrMove.MSVBVM60 ref: 004E3CB4
      • Part of subcall function 004E3BA0: __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004E3CC4
      • Part of subcall function 004E3BA0: __vbaStrCopy.MSVBVM60(?,00000000,0040A636,004D144B), ref: 004E3D38
      • Part of subcall function 004E3BA0: __vbaFreeStr.MSVBVM60(004E3D76,?,00000000,0040A636,004D144B), ref: 004E3D6F
    • __vbaStrMove.MSVBVM60(?,000000FE,bit ), ref: 005082F3
    • __vbaStrCat.MSVBVM60(00000000), ref: 005082FC
    • __vbaStrMove.MSVBVM60 ref: 00508303
    • __vbaStrCat.MSVBVM60(0045E888,00000000), ref: 0050830B
    • __vbaStrMove.MSVBVM60 ref: 00508312
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00508322
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$Free$List$#526#619ChkstkCopyError
    • String ID: bit
    • API String ID: 401722390-2270202881
    • Opcode ID: 75980435675477a00adf247932aaa0524d66031208d0425ca73e3088a0c51ce8
    • Instruction ID: f6a29730d90bda5f18477d563c840e8085be5412d7e2a26bbbca3556ae4281c6
    • Opcode Fuzzy Hash: 75980435675477a00adf247932aaa0524d66031208d0425ca73e3088a0c51ce8
    • Instruction Fuzzy Hash: 7F114675D00118AFDB00EFA9CD45EEFBBB8EB48700F10456AE405F3190EA745A05CFA4
    Function 004E1120 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 18COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004C76B0: __vbaAryLock.MSVBVM60(?,?), ref: 004C76F7
      • Part of subcall function 004C76B0: __vbaGenerateBoundsError.MSVBVM60 ref: 004C7719
      • Part of subcall function 004C76B0: __vbaStrCopy.MSVBVM60 ref: 004C777E
      • Part of subcall function 004C76B0: __vbaStrCopy.MSVBVM60 ref: 004C779D
      • Part of subcall function 004C76B0: __vbaStrCopy.MSVBVM60 ref: 004C77A7
      • Part of subcall function 004C76B0: __vbaStrCopy.MSVBVM60 ref: 004C77B1
      • Part of subcall function 004C76B0: __vbaGenerateBoundsError.MSVBVM60 ref: 004C77CA
      • Part of subcall function 004C76B0: __vbaStrCopy.MSVBVM60 ref: 004C7803
      • Part of subcall function 004E1120: __vbaSetSystemError.MSVBVM60 ref: 004E0DF3
      • Part of subcall function 004E1120: __vbaStrMove.MSVBVM60(006260A0), ref: 004E0E10
      • Part of subcall function 004E1120: __vbaGenerateBoundsError.MSVBVM60 ref: 004E0E2A
      • Part of subcall function 004E1120: #681.MSVBVM60(?,?,?,?,00626100,006260E2,006260C4), ref: 004E0EE0
      • Part of subcall function 004E1120: __vbaVarOr.MSVBVM60(?,?,?), ref: 004E0EFB
      • Part of subcall function 004E1120: __vbaI4Var.MSVBVM60(00000000), ref: 004E0EFE
    • __vbaStrCopy.MSVBVM60(?,00626083), ref: 004E1140
    • __vbaStrCopy.MSVBVM60 ref: 004E114C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$Error$BoundsGenerate$#681LockMoveSystem
    • String ID: $(new file)$,cb$0cb$AFC$AFC Flow Station$Dcb
    • API String ID: 2754973559-3848152221
    • Opcode ID: 3737676075f7dee2d05031aee3db18af96a864b2931bc7bc85f98408d0e5d221
    • Instruction ID: 3a9ee14b7d48c9a9101c56258af438b2bd437c5828c98333ecc790b8dd9a59db
    • Opcode Fuzzy Hash: 3737676075f7dee2d05031aee3db18af96a864b2931bc7bc85f98408d0e5d221
    • Instruction Fuzzy Hash: 2BE01239626564978310EFF5ED4458B2E56DF99311710B42FF504D3221DB7498218BEE
    Function 00527070 Relevance: 15.1, APIs: 10, Instructions: 130COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005270BC
    • __vbaSetSystemError.MSVBVM60(?,0000000F,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005270F0
    • __vbaSetSystemError.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527124
    • __vbaI2I4.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052712E
    • __vbaSetSystemError.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527146
    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527150
    • __vbaSetSystemError.MSVBVM60(?,00000003,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052718C
    • __vbaI2I4.MSVBVM60(?,00000003,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527191
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$System$BoundsGenerate
    • String ID:
    • API String ID: 2682966246-0
    • Opcode ID: c0c5d2de03e6b80785dc7e2ce255143369beb7c1a2a2fd545901bb8efeddbb67
    • Instruction ID: 8704b48d01b7622ed63e3bf3a0da6704177ef36ab6be3fd25314804a0f072243
    • Opcode Fuzzy Hash: c0c5d2de03e6b80785dc7e2ce255143369beb7c1a2a2fd545901bb8efeddbb67
    • Instruction Fuzzy Hash: 61410334A00619ABC714EF69DC85ABEB7F8FF48700F00442FF9819B2A1DA789D51CB94
    Function 004F70A0 Relevance: 15.1, APIs: 10, Instructions: 119COMMON
    Download Yara Rule
    APIs
    • __vbaAryConstruct2.MSVBVM60(?,0045DB78,00000008,?,?,00000001), ref: 004F70E2
    • __vbaErase.MSVBVM60(00000000,?), ref: 004F70FC
      • Part of subcall function 004CDE80: __vbaStrMove.MSVBVM60(?,0040A636,0040A636,FFFFFFFF,?,?), ref: 004CDED8
      • Part of subcall function 004CDE80: __vbaStrCat.MSVBVM60(?,pul/), ref: 004CDEEC
      • Part of subcall function 004CDE80: __vbaStrMove.MSVBVM60 ref: 004CDEF7
      • Part of subcall function 004CDE80: __vbaStrCopy.MSVBVM60 ref: 004CDEFF
      • Part of subcall function 004CDE80: __vbaFreeStr.MSVBVM60(004CDF20), ref: 004CDF19
    • __vbaStrMove.MSVBVM60(0040A636,00000000,?,0040A636), ref: 004F7119
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004F7129
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004F712E
      • Part of subcall function 004CDD70: __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,?,?,?,0040A636,?), ref: 004CDDBC
      • Part of subcall function 004CDD70: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,0040A636,?), ref: 004CDDD4
      • Part of subcall function 004CDD70: __vbaFreeStr.MSVBVM60(?,?,?,?,?,0040A636,?), ref: 004CDDDD
      • Part of subcall function 004CDD70: __vbaStrCopy.MSVBVM60(?,?,?,?,?,0040A636,?), ref: 004CDE2D
      • Part of subcall function 004CDD70: __vbaFreeStr.MSVBVM60(004CDE5D,?,?,?,?,?,0040A636,?), ref: 004CDE56
    • __vbaStrMove.MSVBVM60(0040A636,00000000,?,?), ref: 004F7148
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004F7153
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004F7158
    • __vbaGenerateBoundsError.MSVBVM60(?,00000000,?,0040A636,?,00000002,000000FF,?,0040A636,?,00000001,00000000,?,?), ref: 004F718E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyFreeMove$BoundsConstruct2EraseErrorGenerate
    • String ID:
    • API String ID: 277904802-0
    • Opcode ID: 4508125d965252fa1e2ab9e85e58c814e997a13780fc3acb3337a6e351622be1
    • Instruction ID: 9fbb0aa2d8e5a1a0de47ffec739b41a2ae54101d0ac8909665ec56dcdc6d6152
    • Opcode Fuzzy Hash: 4508125d965252fa1e2ab9e85e58c814e997a13780fc3acb3337a6e351622be1
    • Instruction Fuzzy Hash: AF412175900209AFDB14DF95CD45EFFB7B8FB48305F10852AF902A7250D7786A06CBA5
    Function 00535080 Relevance: 15.1, APIs: 10, Instructions: 112COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005350E6
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005350FB
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0053510E
    • __vbaStrR4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0053513E
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00535149
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0053516C
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00535175
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0053517E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00403F88,004541A4,00000934,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005351B2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00403F88,004541A4,0000092C,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005351D1
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$BoundsErrorFreeGenerate$Move
    • String ID:
    • API String ID: 2929038300-0
    • Opcode ID: 733167083545bf0221b04e475d3208d53ec252de29a9bcfcc9061d9d82764ea4
    • Instruction ID: 6cb9146e94fc19b3e80df8d5c512fb5d30b742cf7d0920a8c7e3c7fd1c120d0d
    • Opcode Fuzzy Hash: 733167083545bf0221b04e475d3208d53ec252de29a9bcfcc9061d9d82764ea4
    • Instruction Fuzzy Hash: E641C335901A05EFCB14EF64CD48AAEBBB9FF58305F10412AF982A72A1D7745942CF94
    Function 005C7280 Relevance: 15.1, APIs: 10, Instructions: 102COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C72E8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C72FD
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C7300
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C730B
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 005C731D
    • __vbaCastObj.MSVBVM60(00000000), ref: 005C7320
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005C732B
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 005C7342
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 005C7360
    • __vbaFreeVar.MSVBVM60 ref: 005C736C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID:
    • API String ID: 884622350-0
    • Opcode ID: bc2809bacb36411cd8df471bc7b7ef44a27aebfb555afe56d4860119b83ee976
    • Instruction ID: 11806b711920777ffcf36a470e277acd1072f483af7eea9429a4faed06bcfd24
    • Opcode Fuzzy Hash: bc2809bacb36411cd8df471bc7b7ef44a27aebfb555afe56d4860119b83ee976
    • Instruction Fuzzy Hash: 4F31D8B2800249AFCB00EFA4CD89DEEBBB8FF48714F14456EF555A3150D678A9458FA4
    Function 00588090 Relevance: 15.1, APIs: 10, Instructions: 100COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005880F8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058810D
    • __vbaCastObj.MSVBVM60(00000000), ref: 00588110
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058811B
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 0058812D
    • __vbaCastObj.MSVBVM60(00000000), ref: 00588130
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0058813B
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 00588152
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 00588170
    • __vbaFreeVar.MSVBVM60 ref: 0058817C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID:
    • API String ID: 884622350-0
    • Opcode ID: 6364b3f15f84377da979adbb1b0e05bc3350c510de900d3b304f3aa1e9d74451
    • Instruction ID: f26234278de5ba6e606b2afa58b93fef747b2622326f01cbd8fe48420804ab89
    • Opcode Fuzzy Hash: 6364b3f15f84377da979adbb1b0e05bc3350c510de900d3b304f3aa1e9d74451
    • Instruction Fuzzy Hash: F631EAB2800209ABCB00EFA4CD89DEEBBBDFF48700F54456AF545B7150DA74AA45CFA4
    Function 005F2210 Relevance: 15.1, APIs: 10, Instructions: 100COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F2278
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F228D
    • __vbaCastObj.MSVBVM60(00000000), ref: 005F2290
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F229B
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 005F22AD
    • __vbaCastObj.MSVBVM60(00000000), ref: 005F22B0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 005F22BB
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 005F22D2
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 005F22F0
    • __vbaFreeVar.MSVBVM60 ref: 005F22FC
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID:
    • API String ID: 884622350-0
    • Opcode ID: d69ede5067aa5db0f8404875298054d1d18281135c5d1a8fe426633ac228453d
    • Instruction ID: 9d8ad5cf4b361bce0857f9b045df97f5af6912543299b3db521d8be782ece727
    • Opcode Fuzzy Hash: d69ede5067aa5db0f8404875298054d1d18281135c5d1a8fe426633ac228453d
    • Instruction Fuzzy Hash: 7B31E9B2800249ABCB00DFA5CD89DEEBBBCFF48710F14456AF545A3150D778AA45CFA4
    Function 005772B0 Relevance: 15.1, APIs: 10, Instructions: 100COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00577318
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057732D
    • __vbaCastObj.MSVBVM60(00000000), ref: 00577330
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057733B
    • __vbaObjSet.MSVBVM60(?,?,0045B140), ref: 0057734D
    • __vbaCastObj.MSVBVM60(00000000), ref: 00577350
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0057735B
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000,ActiveControl,00000000), ref: 004C51D5
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C51E3
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C51ED
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C51F4
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5209
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C5220
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C5229
      • Part of subcall function 004C5180: __vbaLateMemCallLd.MSVBVM60(?,00000000,Parent,00000000,ActiveControl,00000000,00000000), ref: 004C5250
      • Part of subcall function 004C5180: __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004C525E
      • Part of subcall function 004C5180: __vbaUnkVar.MSVBVM60(00000000), ref: 004C5268
      • Part of subcall function 004C5180: __vbaObjIs.MSVBVM60(00000000), ref: 004C526F
      • Part of subcall function 004C5180: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004C5281
      • Part of subcall function 004C5180: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000), ref: 004C52A1
      • Part of subcall function 004C5180: #598.MSVBVM60 ref: 004C52A6
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?), ref: 00577372
    • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 00577390
    • __vbaFreeVar.MSVBVM60 ref: 0057739C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate$Free$List$#598Cast$BoolNull
    • String ID:
    • API String ID: 884622350-0
    • Opcode ID: 83894f6410345cd4621547eccfaba3b0a5625df8e7097168b1ed736fb612c4a9
    • Instruction ID: 1d609eabf45d565cc477404e1b66b87939643fd287b805c2d620702f05b8d011
    • Opcode Fuzzy Hash: 83894f6410345cd4621547eccfaba3b0a5625df8e7097168b1ed736fb612c4a9
    • Instruction Fuzzy Hash: 5331E9B2900249ABCB00DFA4DD89DEEBBBCFF48700F14456AF545A7150D778A9458FA4
    Function 00526050 Relevance: 15.1, APIs: 10, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005260B4
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005260B7
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005260C2
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 005260D5
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005260E8
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005260F4
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526111
    • __vbaObjSetAddref.MSVBVM60(?,00403618,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00526127
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010), ref: 00526144
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052614D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598AddrefBoolCallCastCheckHresultLateListMoveNew2Null
    • String ID:
    • API String ID: 469253076-0
    • Opcode ID: 4075f01ba780e58cbdd9903eb1448d4d36aee1db919c41390b5f53d50d8e95af
    • Instruction ID: 974ee0302cc04b7435efbcedbe8350964de90d6e50d7e4768f434de89fdae1c7
    • Opcode Fuzzy Hash: 4075f01ba780e58cbdd9903eb1448d4d36aee1db919c41390b5f53d50d8e95af
    • Instruction Fuzzy Hash: 2F316B71C0020AABCB10DFA4DD89AEEBBB8FF49700F108529F501A3291D774A946CBA4
    Function 0055E0D0 Relevance: 15.1, APIs: 10, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E134
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E137
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E142
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 0055E155
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0055E168
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E174
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E191
    • __vbaObjSetAddref.MSVBVM60(?,00404F00,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E1A7
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010), ref: 0055E1C4
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055E1CD
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598AddrefBoolCallCastCheckHresultLateListMoveNew2Null
    • String ID:
    • API String ID: 469253076-0
    • Opcode ID: 48312ec78c3f98912fb35ea1b3faff43916e728e57637dd5b45cf1f252c2ceeb
    • Instruction ID: b1fb738c993c469e5cc7480dd46985cb694daa3c416eed2db31d473f9bafea84
    • Opcode Fuzzy Hash: 48312ec78c3f98912fb35ea1b3faff43916e728e57637dd5b45cf1f252c2ceeb
    • Instruction Fuzzy Hash: 9D315E75C0024AEFCB14DFA4DD899EEBB79FB48701F108129FA45B3290D774594ACBA4
    Function 005C6130 Relevance: 15.1, APIs: 10, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6194
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6197
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C61A2
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?), ref: 005C61B5
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005C61C8
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C61D4
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C61F1
    • __vbaObjSetAddref.MSVBVM60(?,00407AF8,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C6207
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010), ref: 005C6224
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005C622D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598AddrefBoolCallCastCheckHresultLateListMoveNew2Null
    • String ID:
    • API String ID: 469253076-0
    • Opcode ID: 30996fd3e007d67a0ef2b8d871bce78b8cf7b4a8ac6bd00103007abb13e15758
    • Instruction ID: 10b1578d6e7b34b0b07cb340656a059a000ce2668cac7aa7d1bd863acfc6af21
    • Opcode Fuzzy Hash: 30996fd3e007d67a0ef2b8d871bce78b8cf7b4a8ac6bd00103007abb13e15758
    • Instruction Fuzzy Hash: EE316D75C0024AAFCB109FA4DD89EEEBB79FB48700F10812DF641A3290D7745945CBA4
    Function 00614150 Relevance: 15.1, APIs: 10, Instructions: 84COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60 ref: 00614190
    • __vbaI2Var.MSVBVM60(?), ref: 006141B7
    • __vbaFreeVar.MSVBVM60 ref: 006141C2
    • __vbaAryLock.MSVBVM60(?,00000000), ref: 006141D5
    • __vbaGenerateBoundsError.MSVBVM60 ref: 006141F7
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00614208
    • __vbaAryUnlock.MSVBVM60(?), ref: 00614221
    • __vbaVarMove.MSVBVM60 ref: 00614238
    • __vbaAryUnlock.MSVBVM60(?,00614272), ref: 00614262
    • __vbaFreeStr.MSVBVM60 ref: 0061426B
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$BoundsErrorFreeGenerateUnlock$CopyLockMove
    • String ID:
    • API String ID: 1145349367-0
    • Opcode ID: ce34567eb144f61e0b6a789598cd99222c8f05a333bba59949c8928fb6f24dfb
    • Instruction ID: 803a2e0c75bd00fa7f4be281ff6cc897c401e0adb1c904660c5a142ecf288a5f
    • Opcode Fuzzy Hash: ce34567eb144f61e0b6a789598cd99222c8f05a333bba59949c8928fb6f24dfb
    • Instruction Fuzzy Hash: 60316A75D00209DBCB04DFA4DA888EEBBB9FF48304B108119E812A7224DB74AA46CF64
    Function 0051B070 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 0051B0D4
    • __vbaNew2.MSVBVM60(0043F774,0062949C), ref: 0051B0F7
    • __vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 0051B105
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,0000000C), ref: 0051B11F
    • __vbaFreeObj.MSVBVM60 ref: 0051B128
    • __vbaNew2.MSVBVM60(0043F774,0062949C), ref: 0051B141
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00463700,000002A8), ref: 0051B164
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$New2$CheckHresult$AddrefFree
    • String ID: (3@
    • API String ID: 2792052285-1269361386
    • Opcode ID: d24fca5abadd7ce6a51071ef73b78369133d4013b220aec030466872c5c209ca
    • Instruction ID: 214585e64312ef59128417e2a47190d3e6cc814ba51c35c39ec5442e9ef3a309
    • Opcode Fuzzy Hash: d24fca5abadd7ce6a51071ef73b78369133d4013b220aec030466872c5c209ca
    • Instruction Fuzzy Hash: BB21B174640605FBEB10AF65DD49BAABBF8FB44701F108029F908E32A0D77499458BA4
    Function 0051B1B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924), ref: 0051B214
    • __vbaNew2.MSVBVM60(0040EAA0,006294B0), ref: 0051B237
    • __vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 0051B245
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,0000000C), ref: 0051B25F
    • __vbaFreeObj.MSVBVM60 ref: 0051B268
    • __vbaNew2.MSVBVM60(0040EAA0,006294B0), ref: 0051B281
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00463C94,000002A8), ref: 0051B2A4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$New2$CheckHresult$AddrefFree
    • String ID: 83@
    • API String ID: 2792052285-1468942746
    • Opcode ID: 2c8bd579a36d3ecdaa092c8b2433f9ee7df643f986330b2180a63fc1fcff0802
    • Instruction ID: e260c28bf602b73eecc896dad2c58fa9d91da929a2a67d858d0f1e1a11f0d23b
    • Opcode Fuzzy Hash: 2c8bd579a36d3ecdaa092c8b2433f9ee7df643f986330b2180a63fc1fcff0802
    • Instruction Fuzzy Hash: 4621DD34A40601ABE710AF64CD4AFAE7BF8FF45B05F104529F905F72A4C778A846CBA4
    Function 005DD120 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DD181
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DD184
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DD18F
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DD1A4
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DD1BB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 005DD1D9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005DD1E2
    Strings
    • Click the box or press any key to edit., xrefs: 005DD1BF
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeLate$Check$CallCastHresultListType
    • String ID: Click the box or press any key to edit.
    • API String ID: 2919248683-1148145582
    • Opcode ID: 93b615ba4aac410b06d895cba971ffe3c1c5606b9c0938ea88cde07241359d3d
    • Instruction ID: 25e2033704b676eb3aef4be12263a1215217b63c8aba8cdc2548e6728b841c1d
    • Opcode Fuzzy Hash: 93b615ba4aac410b06d895cba971ffe3c1c5606b9c0938ea88cde07241359d3d
    • Instruction Fuzzy Hash: 8F215EB5900649ABCB10AFA4CD89EEFBBBCFF44704F10452AF941A3291D7789945CBE0
    Function 00531270 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005312D1
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005312D4
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005312DF
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005312F4
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 0053130B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 00531329
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 00531332
    Strings
    • A number between 1.01 and 5.0; default is 1.319800., xrefs: 0053130F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeLate$Check$CallCastHresultListType
    • String ID: A number between 1.01 and 5.0; default is 1.319800.
    • API String ID: 2919248683-2455431433
    • Opcode ID: 753ef76b63c6a9bf17d11c39f9510c6b8ef29fd21361f02ba68a76d77afa15cb
    • Instruction ID: e12e8df734b47e63567073818cf31ac216cd5cc459cc7dbed0c4a6826c3d37b1
    • Opcode Fuzzy Hash: 753ef76b63c6a9bf17d11c39f9510c6b8ef29fd21361f02ba68a76d77afa15cb
    • Instruction Fuzzy Hash: A0217CB1900609ABCB00AFA4CD89EEFBBBCFF44700F108529F941A3191D778A9468B94
    Function 005DF2F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DF351
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DF354
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DF35F
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005DF374
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DF38B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 005DF3A9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005DF3B2
    Strings
    • 0, or a number between 100 and 65420., xrefs: 005DF38F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$FreeLate$Check$CallCastHresultListType
    • String ID: 0, or a number between 100 and 65420.
    • API String ID: 2919248683-1804524334
    • Opcode ID: 3907c62aaacc07b05567e3b245262bd060a936b2a941d54b08589e65d9f92f60
    • Instruction ID: 2a34b35ae6cdd93df23871b4065ef2b72eb89086b32e77b3f7927fb62c089f77
    • Opcode Fuzzy Hash: 3907c62aaacc07b05567e3b245262bd060a936b2a941d54b08589e65d9f92f60
    • Instruction Fuzzy Hash: 0F214F75900249ABC710AFA4CD89EEFBBBCFF44704F10852AF942A3291D7789945CBD4
    Function 005F1230 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005F1286
    • __vbaStrCat.MSVBVM60( 1 greater than the latest event on file.,The next event to be written;,?,?,?,?,?,?,?,?,0040A636), ref: 005F129A
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005F12A5
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 005F12BF
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005F12C8
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005F12D1
    Strings
    • The next event to be written;, xrefs: 005F128E
    • 1 greater than the latest event on file., xrefs: 005F1293
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultMove
    • String ID: 1 greater than the latest event on file.$The next event to be written;
    • API String ID: 162419962-2854017595
    • Opcode ID: d3ec2396e7f1cff61703b66fd34049530ec4b684d4ae93bc42e125ca143157ac
    • Instruction ID: 6370ccc30168d9b9bc92c2944c6b306b11e5ae263b096af76373d824e578a0c2
    • Opcode Fuzzy Hash: d3ec2396e7f1cff61703b66fd34049530ec4b684d4ae93bc42e125ca143157ac
    • Instruction Fuzzy Hash: 55116A75900609EBCB00AFA5CD49AAEBFB8FB44700F10816AF945A72A0D7785942CF94
    Function 004DE2E0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,?,00000000,0040A636,?), ref: 004DE322
    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,0040A636,?), ref: 004DE32C
    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,0040A636,?), ref: 004DE33E
    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,0040A636,?), ref: 004DE34C
    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,0040A636,?), ref: 004DE355
    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,0040A636,?), ref: 004DE361
    • __vbaFreeStr.MSVBVM60(004DE38D,?,?,?,00000000,0040A636,?), ref: 004DE386
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CopyFree$AnsiErrorSystemUnicode
    • String ID: 1996-01-01.00:00:00
    • API String ID: 2120611612-639963866
    • Opcode ID: c00cbc35c3a161239a9a6a801e07efd1cfe1756b7e5ed3fed32c620e2fb015c8
    • Instruction ID: 041468fb6e8d920fc236654be6673e4a1e18f5aa4c3634f567dec62021454107
    • Opcode Fuzzy Hash: c00cbc35c3a161239a9a6a801e07efd1cfe1756b7e5ed3fed32c620e2fb015c8
    • Instruction Fuzzy Hash: AB11EF74D00109AFCF04EFA4D955AAEBBB8FB08741F10852AE801F3650E7385506CFA5
    Function 004D01B0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 15COMMON
    Download Yara Rule
    APIs
    • __vbaErrorOverflow.MSVBVM60(004F9B6F,00000000,?,00000001,00000001,00000000), ref: 004D01C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: ErrorOverflow__vba
    • String ID: Modbus gateway$Modbus master$Modbus pass-thru$Quantum time-of-day clock$Supervisory input to PLC from AFC$Supervisory output from PLC to AFC$Wallclock
    • API String ID: 2582359951-3926795770
    • Opcode ID: eb25ed1ee78a98ed6c5781ce7f6a67cf251d9e5251042676fab47b2afbbcc09b
    • Instruction ID: c3162fd5b6623fcaf3745530285d907c9f9264450453553551a9e1f01d6e228f
    • Opcode Fuzzy Hash: eb25ed1ee78a98ed6c5781ce7f6a67cf251d9e5251042676fab47b2afbbcc09b
    • Instruction Fuzzy Hash: EEB09B713012014783105761C61474A61565751742B0C506BD109D2311D735C400852D
    Function 0052D1F0 Relevance: 13.6, APIs: 9, Instructions: 102COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D256
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D26B
    • __vbaStrI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D292
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D29D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D2C0
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D2C9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D2D2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00403A98,004541A4,00000854,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D303
    • __vbaHresultCheckObj.MSVBVM60(00000000,00403A98,004541A4,0000084C,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0052D322
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$BoundsErrorGenerateMove
    • String ID:
    • API String ID: 4294095422-0
    • Opcode ID: 58768fbe78a072b7d55573c0cf7317aa0bb3ab59f969be64898b6a90094766c5
    • Instruction ID: eb59d5cf8175798a8030bd737ef4315862ae569e99bbf9896d6f109562731b2b
    • Opcode Fuzzy Hash: 58768fbe78a072b7d55573c0cf7317aa0bb3ab59f969be64898b6a90094766c5
    • Instruction Fuzzy Hash: 7531F335900615EBCB10DF64DD4CAAEBFBCFF95301F10852AF982A72A0CB745942CBA5
    Function 006232A0 Relevance: 13.6, APIs: 9, Instructions: 98COMMON
    Download Yara Rule
    APIs
    • __vbaHresultCheckObj.MSVBVM60(00000000,0040A610,0045BD40,000002B4,?,?,?,?,?,?,?,0040A636), ref: 006232F5
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,?,?,0040A636), ref: 00623313
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000094,?,?,?,?,?,?,?,0040A636), ref: 00623340
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,?,?,0040A636), ref: 00623359
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,000002A8,?,?,?,?,?,?,?,0040A636), ref: 0062337C
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,0040A636), ref: 00623395
    • __vbaObjSetAddref.MSVBVM60(?,0040A610,?,?,?,?,?,?,?,0040A636), ref: 006233A4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010,?,?,?,?,?,?,?,0040A636), ref: 006233BE
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 006233C7
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$New2$AddrefFree
    • String ID:
    • API String ID: 3650084398-0
    • Opcode ID: a46f8e90b2dffc6bcb6d30513491b6b4349313851f5d886427bde2307ae0f25f
    • Instruction ID: 2b18576c3de91fbb5df32494e32c25b83b852476c2bd562815915b853fbaf6d6
    • Opcode Fuzzy Hash: a46f8e90b2dffc6bcb6d30513491b6b4349313851f5d886427bde2307ae0f25f
    • Instruction Fuzzy Hash: C031A230640661ABC7209F65DD49FAA7BB9FB15B01B100029F645F32A1CBB899458FA4
    Function 00557160 Relevance: 13.6, APIs: 9, Instructions: 97COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005571C6
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005571DA
    • __vbaStrI2.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005571F4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005571FF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00557222
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055722B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00557234
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404CC0,00468E50,0000074C,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00557265
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404CC0,00468E50,00000744,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00557284
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$BoundsErrorGenerateMove
    • String ID:
    • API String ID: 4294095422-0
    • Opcode ID: 2be04582ace1a021bf6ac4b774629ae9465bfd875f064d0137cd526295a3b43d
    • Instruction ID: 7fba18680513b4ceb6cbef89839feb654cb975c2076e93c391721cf01d2d5cfc
    • Opcode Fuzzy Hash: 2be04582ace1a021bf6ac4b774629ae9465bfd875f064d0137cd526295a3b43d
    • Instruction Fuzzy Hash: 9D31A139900609EBCB109FA4DD48BAFBFB9FF48701F20412AF945A72A0DB745942CF95
    Function 00556120 Relevance: 13.6, APIs: 9, Instructions: 97COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00556186
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0055619A
    • __vbaStrI2.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005561B4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005561BF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005561E2
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005561EB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005561F4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404BD8,00468E50,00000724,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00556225
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404BD8,00468E50,0000071C,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00556244
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$BoundsErrorGenerateMove
    • String ID:
    • API String ID: 4294095422-0
    • Opcode ID: c256d73928f8c22f0857e7ce0b992bbd4ee1bccc8e493f255760d08c26a1ede0
    • Instruction ID: 7cd8f6efacdffac5be183ec72e95b607827c793583268bd90ebd09e933768441
    • Opcode Fuzzy Hash: c256d73928f8c22f0857e7ce0b992bbd4ee1bccc8e493f255760d08c26a1ede0
    • Instruction Fuzzy Hash: 2D31C339900245EBCB109F94CD88AAEBFB9FF48702F50412AF841A72A0DB745942CF95
    Function 004E40A0 Relevance: 13.6, APIs: 9, Instructions: 83COMMON
    Download Yara Rule
    APIs
    • __vbaVarDup.MSVBVM60(6D48A323,6D49D8B1,00401420), ref: 004E4103
    • #607.MSVBVM60(?,?,?), ref: 004E4116
    • #573.MSVBVM60(?,?), ref: 004E413A
    • #520.MSVBVM60(?,?), ref: 004E4148
    • __vbaVarCat.MSVBVM60(?,?,?,?), ref: 004E415B
    • #619.MSVBVM60(?,00000000), ref: 004E4166
    • __vbaStrVarMove.MSVBVM60(?), ref: 004E4170
    • __vbaStrMove.MSVBVM60 ref: 004E417B
    • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 004E419B
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Move$#520#573#607#619FreeList
    • String ID:
    • API String ID: 3101195479-0
    • Opcode ID: 655032b180373884fe88ab28a4511717930e8b29a97d96c5e1706619b8652112
    • Instruction ID: a3264e56a385a7b6021e312368036a7c17e0118ba79ac4d3079a889967660c45
    • Opcode Fuzzy Hash: 655032b180373884fe88ab28a4511717930e8b29a97d96c5e1706619b8652112
    • Instruction Fuzzy Hash: 1331E7B180020DAFDB50DFE4D988EEEBFB8FB48705F10816AE509B6154EB745689CF64
    Function 00552030 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00552091
    • __vbaGenerateBoundsError.MSVBVM60 ref: 005520A6
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 005520E0
    • __vbaFreeObj.MSVBVM60 ref: 005520E9
    • __vbaHresultCheckObj.MSVBVM60(00000000,xI@,004670A8,00000710), ref: 0055211A
    • __vbaHresultCheckObj.MSVBVM60(00000000,xI@,004670A8,00000708), ref: 00552139
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$BoundsErrorFreeGenerate
    • String ID: xI@
    • API String ID: 2320126899-4072953126
    • Opcode ID: 3c52f4cec032358b6b08cb79f50c90968a56f7b06ed2e1e2d73dd9a7b8613b23
    • Instruction ID: 06c8a4298cc90164ce6291dca5281f6e5e80e45458d7d6b12652df1ba00630a6
    • Opcode Fuzzy Hash: 3c52f4cec032358b6b08cb79f50c90968a56f7b06ed2e1e2d73dd9a7b8613b23
    • Instruction Fuzzy Hash: B6310134A00615EBCB209F24CC4CB9B7FB8FF45702F10412AFA81A7295D778A946CF95
    Function 005531B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00553211
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00553226
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 00553260
    • __vbaFreeObj.MSVBVM60 ref: 00553269
    • __vbaHresultCheckObj.MSVBVM60(00000000,PJ@,004670A8,00000734), ref: 0055329A
    • __vbaHresultCheckObj.MSVBVM60(00000000,PJ@,004670A8,0000072C), ref: 005532B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$BoundsErrorFreeGenerate
    • String ID: PJ@
    • API String ID: 2320126899-4021752253
    • Opcode ID: c9a9de42f144f23e2fe9d7c0046e2116198a29a7fa80fdc38001c6f3046221bd
    • Instruction ID: fedbf8d331d293341440ca73e04f3800223aab666e97291f3c00c8438f69456e
    • Opcode Fuzzy Hash: c9a9de42f144f23e2fe9d7c0046e2116198a29a7fa80fdc38001c6f3046221bd
    • Instruction Fuzzy Hash: 3031D234A00611EBCB109F64CD48B9A7FB8FF45741F104126F949A7294D778AA46CB95
    Function 0059A1D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 0059A21B
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0059A22C
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0059A237
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 0059A257
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0059A260
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0059A269
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckHresultMove
    • String ID: @i@
    • API String ID: 162419962-1295566252
    • Opcode ID: 4bf61113dcf958d2cd118c14f8dfe5c8f96a25ab3b6cfbda66ddeff38d9d95d4
    • Instruction ID: 73b89d15606434ee3134dfef6aff036eaf089ad808eef96464485e9a9d345ce6
    • Opcode Fuzzy Hash: 4bf61113dcf958d2cd118c14f8dfe5c8f96a25ab3b6cfbda66ddeff38d9d95d4
    • Instruction Fuzzy Hash: 67113079900205EFCB10AF64CA49EAEBBB8FF89701F10416AF945A7161CB745942CFA5
    Function 00536130 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 00536180
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 00536194
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 005361B5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005361BE
    • __vbaFreeStr.MSVBVM60(005361E2,?,?,?,?,?,?,?,?,0040A636), ref: 005361DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresult
    • String ID: (@@$Configure the densitometer to be used for this meter.
    • API String ID: 4185434182-3185601053
    • Opcode ID: aa743b72d82aacef64d6627dc3891cc287caa38912eed6d08cf743b5653a498d
    • Instruction ID: bd0bbea4b172694d52d006098ac36912e25a87e469f14d73fcca267f92ad42d8
    • Opcode Fuzzy Hash: aa743b72d82aacef64d6627dc3891cc287caa38912eed6d08cf743b5653a498d
    • Instruction Fuzzy Hash: F1113A75900205ABCB00DF64CD49AAFBFB8FF84741F20856AF941A32A1D7785946CF94
    Function 0052E1D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0052E220
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 0052E234
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 0052E255
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0052E25E
    • __vbaFreeStr.MSVBVM60(0052E282,?,?,?,?,?,?,?,?,0040A636), ref: 0052E27B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresult
    • String ID: Configure accumulator and flow rate units, and accumulator rollovers.$`;@
    • API String ID: 4185434182-1342772754
    • Opcode ID: b40ad4b3cbacca9957ab013022ab280b69e92deb57c05c910cf7eb225e1dafcc
    • Instruction ID: 79ef2beeea98b2f7739a2651919f63aaa033ba9766d192884c97a7bc1021eb19
    • Opcode Fuzzy Hash: b40ad4b3cbacca9957ab013022ab280b69e92deb57c05c910cf7eb225e1dafcc
    • Instruction Fuzzy Hash: 4E1129B5900215EBCB00DF64C949AAEBFB8FF44701F10856AE942A3290D7785946CF90
    Function 005AF130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(q@,00454AC4), ref: 005AF183
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005AF190
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60(?,0040A636), ref: 004E21EE
      • Part of subcall function 004E21D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,0040A636), ref: 004E221E
      • Part of subcall function 004E21D0: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004E2235
      • Part of subcall function 004E21D0: __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,0040A636), ref: 004E2255
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000160), ref: 004E22AC
      • Part of subcall function 004E21D0: __vbaObjSet.MSVBVM60(?,?), ref: 004E22D9
      • Part of subcall function 004E21D0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000164), ref: 004E230C
      • Part of subcall function 004E21D0: __vbaFreeObj.MSVBVM60 ref: 004E2327
      • Part of subcall function 004E21D0: __vbaChkstk.MSVBVM60 ref: 004E2347
    • __vbaFreeObj.MSVBVM60(00000000), ref: 005AF19E
    • __vbaCastObj.MSVBVM60(q@,00454AC4), ref: 005AF1AA
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 005AF1B1
      • Part of subcall function 004E3600: __vbaHresultCheckObj.MSVBVM60(00000000,6D49D94B,00454AC4,000001C8,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E3641
      • Part of subcall function 004E3600: __vbaHresultCheckObj.MSVBVM60(00000000,?,00454AC4,00000080,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E372D
      • Part of subcall function 004E3600: __vbaNew2.MSVBVM60(0041F4A8,00626040,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E3742
      • Part of subcall function 004E3600: __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000100,?,6D58622C,?,?,?,?,?,005222A6,?,00000000,00000000), ref: 004E376A
    • __vbaFreeObj.MSVBVM60(00000000,0000000A,000000F6), ref: 005AF1C3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$CastChkstkNew2$AddrefError
    • String ID: q@
    • API String ID: 1187003971-2764676539
    • Opcode ID: 584b1d7f8c62f8a7311aaea1dc05bac65bb9f3a8fb1f40317d7e97cc93129779
    • Instruction ID: 94535600edc4122957f17d6f68e95ad63b5500b798da086002673a5c44dc6209
    • Opcode Fuzzy Hash: 584b1d7f8c62f8a7311aaea1dc05bac65bb9f3a8fb1f40317d7e97cc93129779
    • Instruction Fuzzy Hash: BD113D75900249BBC700EFA4CD86AEEBBB8EB44704F104669F501B7190D7B86A45CB95
    Function 006160E0 Relevance: 12.1, APIs: 8, Instructions: 138COMMON
    Download Yara Rule
    APIs
    • #681.MSVBVM60(?,?,?,?), ref: 006161BB
    • #681.MSVBVM60(?,?,?,?), ref: 00616211
    • __vbaVarMul.MSVBVM60(?,?,?,?), ref: 00616235
    • __vbaVarAdd.MSVBVM60(?,00000000), ref: 00616246
    • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00616257
    • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 00616268
    • __vbaI2Var.MSVBVM60(00000000), ref: 0061626B
    • __vbaFreeVarList.MSVBVM60(0000000B,0000000B,?,?,?,0000000B,?,?,?,?,?,?), ref: 006162B4
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$#681$FreeList
    • String ID:
    • API String ID: 2425714797-0
    • Opcode ID: e041439838e4306da04b93603f587a33378be05537cbc3ac7aa33067aeb46679
    • Instruction ID: b220ff4257dc4fa9b57cfbf46bec857668a55a765600aa1465e6cf1557f310dd
    • Opcode Fuzzy Hash: e041439838e4306da04b93603f587a33378be05537cbc3ac7aa33067aeb46679
    • Instruction Fuzzy Hash: 1E5188B1C10229AADB65CF94CC84BDEBBBCBF58700F14819BE109A7150DBB05AC9CF91
    Function 005E3260 Relevance: 12.1, APIs: 8, Instructions: 122COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E32B5
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E32E1
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,00000064,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E330A
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E3316
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E3342
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E3368
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004641F0,00000064,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E3389
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005E3395
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$FreeList
    • String ID:
    • API String ID: 2772417511-0
    • Opcode ID: 32efc74530f7e628db73447f7bcf0a2ca4e473852327b957625ae6fa1eee62a1
    • Instruction ID: a69b2799297b255f1c4bf061ef16e262b3bca5cfb23a8aad8a210f9f85430496
    • Opcode Fuzzy Hash: 32efc74530f7e628db73447f7bcf0a2ca4e473852327b957625ae6fa1eee62a1
    • Instruction Fuzzy Hash: 0141A374600246ABC710DF95CD49FAB7BBCFF49700F104429F685E7291EA70A945CBA5
    Function 005F9030 Relevance: 12.1, APIs: 8, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005F9092
    • __vbaStrI2.MSVBVM60(948B0008,?,?,?,?,?,?,?,?,?,0040A636), ref: 005F90A4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005F90AF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,0040A636), ref: 005F90D2
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005F90DB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005F90E4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409548,00463E10,00000784,?,?,?,?,?,?,?,?,?,0040A636), ref: 005F9115
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409548,00463E10,0000077C,?,?,?,?,?,?,?,?,?,0040A636), ref: 005F9134
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 6f6bf76bb3378ffe608da2aaa9ff408a2c0abd5b8734ad2f94f217bf4a1f0f0e
    • Instruction ID: c29755163a575363e9259d0056b026ea58aca18194dfa7f847a219aa35886455
    • Opcode Fuzzy Hash: 6f6bf76bb3378ffe608da2aaa9ff408a2c0abd5b8734ad2f94f217bf4a1f0f0e
    • Instruction Fuzzy Hash: A631AF34940606EBCB10AF64CD4CFABBFB8FF59741F10812AF945A7290DB785942CB94
    Function 00548280 Relevance: 12.1, APIs: 8, Instructions: 91COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005482E2
    • __vbaStrI2.MSVBVM60(00548985,?,?,?,?,?,?,?,?,?,0040A636), ref: 005482F4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005482FF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,0040A636), ref: 00548322
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 0054832B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 00548334
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404510,00468378,0000070C,?,?,?,?,?,?,?,?,?,0040A636), ref: 00548365
    • __vbaHresultCheckObj.MSVBVM60(00000000,00404510,00468378,00000700,?,?,?,?,?,?,?,?,?,0040A636), ref: 00548384
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 307d2cffaf5fd06f7c09525679fdbdfa9f34bf9b0fd4677d50538b1b14f56665
    • Instruction ID: 8fba9f9dcdcf23f0206838e0cbf56561cd453173f9ae8353d7a5a77253007a24
    • Opcode Fuzzy Hash: 307d2cffaf5fd06f7c09525679fdbdfa9f34bf9b0fd4677d50538b1b14f56665
    • Instruction Fuzzy Hash: 28318F34940205EBCB109F64CD48AAFBFB8FF54B05F20866AF945A7290DB785942CF95
    Function 005CF210 Relevance: 12.1, APIs: 8, Instructions: 90COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005CF272
    • __vbaStrR4.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005CF283
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005CF28E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005CF2B0
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005CF2B9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005CF2C2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408128,004622F4,0000081C,?,?,?,?,?,?,?,?,0040A636), ref: 005CF2EF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408128,004622F4,00000814,?,?,?,?,?,?,?,?,0040A636), ref: 005CF30E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 200b2d8e7ee63a6acb22e7876fe3e904594d142ba9e443f63cb5bb442ccdfc91
    • Instruction ID: bce653dbef9df7dd4fc208525ccbafbe41375a80fd37a9dd38e632f649e69d82
    • Opcode Fuzzy Hash: 200b2d8e7ee63a6acb22e7876fe3e904594d142ba9e443f63cb5bb442ccdfc91
    • Instruction Fuzzy Hash: 91318178900206EFC7109FA4CD88E9A7FB9FF08704F608539F985A7291DB745946CBA4
    Function 00523030 Relevance: 12.1, APIs: 8, Instructions: 89COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 00523092
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005230A4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005230AF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005230D1
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005230DA
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005230E3
    • __vbaHresultCheckObj.MSVBVM60(00000000,004034B8,004541A4,0000074C,?,?,?,?,?,?,?,?,0040A636), ref: 00523110
    • __vbaHresultCheckObj.MSVBVM60(00000000,004034B8,004541A4,00000740,?,?,?,?,?,?,?,?,0040A636), ref: 0052312F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 3c2be654d88fdcfbaeed416fd82bde5f2ccf4e3bb4d8454b48b7419eb5cfacfa
    • Instruction ID: ce6c7f48178ae482537cccd9a1cdb045998e8036a3f33c99f735b77fd7db2fbf
    • Opcode Fuzzy Hash: 3c2be654d88fdcfbaeed416fd82bde5f2ccf4e3bb4d8454b48b7419eb5cfacfa
    • Instruction Fuzzy Hash: 4C31B174900216EBC7109F64CD8CAAABFB8FF09705F608139F985E7290C7785946CFA4
    Function 005C9030 Relevance: 12.1, APIs: 8, Instructions: 89COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005C9092
    • __vbaStrI4.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005C90A3
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005C90AE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005C90D0
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005C90D9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005C90E2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00407CC0,004622F4,00000788,?,?,?,?,?,?,?,?,0040A636), ref: 005C910F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00407CC0,004622F4,00000780,?,?,?,?,?,?,?,?,0040A636), ref: 005C912E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 1bd3c65c7e7afc3018673aa0e1de439d15dc3e9396101d67e43a70b1eb5a5ca8
    • Instruction ID: 52289c7a9fc7e847fd597c763518cc4645157d42edec01f3ca80b14ab9ba7249
    • Opcode Fuzzy Hash: 1bd3c65c7e7afc3018673aa0e1de439d15dc3e9396101d67e43a70b1eb5a5ca8
    • Instruction Fuzzy Hash: 1F319C74940206AFC7109FA4CD8DEAABFB8FF08300F608139F985A3290DB785946CF95
    Function 005E0020 Relevance: 12.1, APIs: 8, Instructions: 89COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005E0082
    • __vbaStrI4.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005E0093
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005E009E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005E00C0
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005E00C9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005E00D2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408AA0,00462138,00000814,?,?,?,?,?,?,?,?,0040A636), ref: 005E00FF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408AA0,00462138,0000080C,?,?,?,?,?,?,?,?,0040A636), ref: 005E011E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: ed074700024659192c6ccb4fab7fc316f5f91dfe3e1eb9074e705d715728c81f
    • Instruction ID: 42095f255198725686af5a6991b1f756bf2276b251aa64df7df777b7895f564a
    • Opcode Fuzzy Hash: ed074700024659192c6ccb4fab7fc316f5f91dfe3e1eb9074e705d715728c81f
    • Instruction Fuzzy Hash: E231B174901206EBC7149F64CD88AABBFB8FF08340F608139F985E72A0D7B45982CB94
    Function 005DC150 Relevance: 12.1, APIs: 8, Instructions: 89COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005DC1B2
    • __vbaStrI2.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005DC1C4
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005DC1CF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005DC1F1
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005DC1FA
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005DC203
    • __vbaHresultCheckObj.MSVBVM60(00000000,004087D8,00462138,0000077C,?,?,?,?,?,?,?,?,0040A636), ref: 005DC230
    • __vbaHresultCheckObj.MSVBVM60(00000000,004087D8,00462138,00000774,?,?,?,?,?,?,?,?,0040A636), ref: 005DC24F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 2af2fcbce62b7967050a76781be451094562a1b33b45ffa694c5875de5d48f36
    • Instruction ID: c541df31abb63b461780fa273c6336f55fce0caaceb1beb803068af7b7f6bc88
    • Opcode Fuzzy Hash: 2af2fcbce62b7967050a76781be451094562a1b33b45ffa694c5875de5d48f36
    • Instruction Fuzzy Hash: 49319378900206EBC7109FA4CD88AABBFB8FF09741F60413AF985E7290D7745941CF95
    Function 005E1220 Relevance: 12.1, APIs: 8, Instructions: 89COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005E1282
    • __vbaStrI4.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005E1293
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005E129E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,0040A636), ref: 005E12C0
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005E12C9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005E12D2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408B78,00462138,00000838,?,?,?,?,?,?,?,?,0040A636), ref: 005E12FF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408B78,00462138,00000830,?,?,?,?,?,?,?,?,0040A636), ref: 005E131E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free$Move
    • String ID:
    • API String ID: 1879641673-0
    • Opcode ID: 8ed78d0d0e19f19da97ee84dce2f1b9817e9fa668e17741d2680e068849b68e7
    • Instruction ID: f3fdd038b1ddd047ce0c40b3094bc0eaf683d266bc6192b4a89052342fff4d82
    • Opcode Fuzzy Hash: 8ed78d0d0e19f19da97ee84dce2f1b9817e9fa668e17741d2680e068849b68e7
    • Instruction Fuzzy Hash: 8331D174900646EBC710AFA5CD88AAEBFB8FF08741F508439F985E7290CB745942CB98
    Function 00588270 Relevance: 12.1, APIs: 8, Instructions: 85COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005882D4
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005882D7
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005882E2
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005882F5
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00588308
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00588314
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0058832C
    • __vbaHresultCheckObj.MSVBVM60(00000000,004062A0,0046B20C,000006FC), ref: 0058835D
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598BoolBoundsCallCastCheckErrorGenerateHresultLateListMoveNull
    • String ID:
    • API String ID: 3755496765-0
    • Opcode ID: 5c7d398f55f8a745f306098e3a23374ed1f6cae723788f97d9634b7594cb4d05
    • Instruction ID: ae257a2d1bd83c44e62aba458aad619a50a1b50209bc34dd4073c6e51a36ce44
    • Opcode Fuzzy Hash: 5c7d398f55f8a745f306098e3a23374ed1f6cae723788f97d9634b7594cb4d05
    • Instruction Fuzzy Hash: 1B317E7180020AAFCB10EFA4DD89AEE7BBDFB48B04F508529F941A3150DB749945CB94
    Function 006142B0 Relevance: 12.1, APIs: 8, Instructions: 76COMMON
    Download Yara Rule
    APIs
    • __vbaI2Var.MSVBVM60(?), ref: 00614307
    • __vbaFreeVar.MSVBVM60 ref: 00614312
    • __vbaAryLock.MSVBVM60(?,00000000), ref: 00614325
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00614347
    • __vbaGenerateBoundsError.MSVBVM60 ref: 00614358
    • __vbaAryUnlock.MSVBVM60(?), ref: 00614372
    • __vbaVarMove.MSVBVM60 ref: 00614389
    • __vbaAryUnlock.MSVBVM60(?,006143BA), ref: 006143B3
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$BoundsErrorGenerateUnlock$FreeLockMove
    • String ID:
    • API String ID: 2412145811-0
    • Opcode ID: 7c4431d85432bad5ab48326724ed98c968877596932d5d93482adf528f78ca6b
    • Instruction ID: fba1828965de9565e3529eacb01fb9cb32b3cf057b78fdc662356d7849df766f
    • Opcode Fuzzy Hash: 7c4431d85432bad5ab48326724ed98c968877596932d5d93482adf528f78ca6b
    • Instruction Fuzzy Hash: 38317C70900219EBCF14DFE5C988AEEBBB9FF48305F14451AE416AB260D7B4A486CF54
    Function 005AE040 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,0040A636), ref: 005AE097
    • __vbaNew2.MSVBVM60(0040D1A0,00629744,?,?,?,?,?,?,?,0040A636), ref: 005AE0B6
    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005AE0C8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,0000000C,?,?,?,?,?,?,?,0040A636), ref: 005AE0E2
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005AE0EB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$New2$AddrefCheckFreeHresult
    • String ID: q@
    • API String ID: 1804898356-2280953557
    • Opcode ID: 6379bb2e3937baf3ff540008048e383050f84c8e83e5178aadb66b44bbe55132
    • Instruction ID: 1f92c9911c22e8fc2cb8a405c3c1e4e943903032f6ad4aceaefb667cf8012473
    • Opcode Fuzzy Hash: 6379bb2e3937baf3ff540008048e383050f84c8e83e5178aadb66b44bbe55132
    • Instruction Fuzzy Hash: F5118E70A40605EBCB20EF54CE8AAAE7FF9FB89700F144029F905E72A1C7785845CBA5
    Function 005AE130 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,0040A636), ref: 005AE187
    • __vbaNew2.MSVBVM60(0040BBF8,00629758,?,?,?,?,?,?,?,0040A636), ref: 005AE1A6
    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005AE1B8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,0000000C,?,?,?,?,?,?,?,0040A636), ref: 005AE1D2
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005AE1DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$New2$AddrefCheckFreeHresult
    • String ID: 0q@
    • API String ID: 1804898356-2614244773
    • Opcode ID: fc09236eec1e5e06e74f19066a93d6679133e0afbaa360921aa0db84c30d303f
    • Instruction ID: 519b358c0295300f39be029e89657dabe2b759ae18214403bc51edfc0f8190c9
    • Opcode Fuzzy Hash: fc09236eec1e5e06e74f19066a93d6679133e0afbaa360921aa0db84c30d303f
    • Instruction Fuzzy Hash: 5F11BE70A40605EBC710EF54CE8AAAE7FF9FB89700F104029F905E32A0C3749846CBA0
    Function 005AE220 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,0040A636), ref: 005AE277
    • __vbaNew2.MSVBVM60(0040C330,0062976C,?,?,?,?,?,?,?,0040A636), ref: 005AE296
    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005AE2A8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,0000000C,?,?,?,?,?,?,?,0040A636), ref: 005AE2C2
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005AE2CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$New2$AddrefCheckFreeHresult
    • String ID: @q@
    • API String ID: 1804898356-3475201525
    • Opcode ID: 9d558a5d9e61532f179a3c2bf2c835d435930fb3a15ffcf4cefc14864016a70c
    • Instruction ID: a1d17af80f9b8e23e069cdb69874a1741c60285ada964072cf4a77b14e7d229e
    • Opcode Fuzzy Hash: 9d558a5d9e61532f179a3c2bf2c835d435930fb3a15ffcf4cefc14864016a70c
    • Instruction Fuzzy Hash: 68118174940605EBCB10EF54CE8AAAEBFB9FF95700F148059F905E32A0C7745841CBA5
    Function 00524080 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005240D0
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005240E4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 00524105
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0052410E
    • __vbaFreeStr.MSVBVM60(00524132,?,?,?,?,?,?,?,?,0040A636), ref: 0052412B
    Strings
    • Copy all configuration from the selected meter., xrefs: 005240C2
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresult
    • String ID: Copy all configuration from the selected meter.
    • API String ID: 4185434182-1313980968
    • Opcode ID: 2427b861f3333b95d8d5b18b91de1101210deea2b7d2faccbc58f00d3e4211c8
    • Instruction ID: 7a5fd0e247b4aed9d100849536d86afa49b05f22d30e249cf4f40556b5962c65
    • Opcode Fuzzy Hash: 2427b861f3333b95d8d5b18b91de1101210deea2b7d2faccbc58f00d3e4211c8
    • Instruction Fuzzy Hash: D9113775900215ABCB00DFA4CD49AAEBFB9FF99701F20856AF941A32A0D7785942CFD0
    Function 00538250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005382A0
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0040A636), ref: 005382B4
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 005382D5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005382DE
    • __vbaFreeStr.MSVBVM60(00538302,?,?,?,?,?,?,?,?,0040A636), ref: 005382FB
    Strings
    • Configure sizes and contents of meter archive files., xrefs: 00538292
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresult
    • String ID: Configure sizes and contents of meter archive files.
    • API String ID: 4185434182-3814424567
    • Opcode ID: a53c85dfa6a38165721d2e3fc600759badb90a92f1d935b8ad2ac88181c392f8
    • Instruction ID: d88881e3d649fcd34adb4e9cefdb7605b6b103e528222283dfa06db3ac216cdf
    • Opcode Fuzzy Hash: a53c85dfa6a38165721d2e3fc600759badb90a92f1d935b8ad2ac88181c392f8
    • Instruction Fuzzy Hash: D7113775900605ABCB00DFA4CD49AAFBFB8FF84741F20856AF951B32A0DB785946CF90
    Function 006061B0 Relevance: 10.6, APIs: 7, Instructions: 56COMMON
    Download Yara Rule
    APIs
    • __vbaStrI2.MSVBVM60(0040A636,?,?,?,?,?,?,?,0040A636), ref: 006061F5
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 00606200
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0060620A
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 00606213
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00606227
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,0040A636), ref: 0060624D
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 00606256
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$CheckCopyHresultMove
    • String ID:
    • API String ID: 94317113-0
    • Opcode ID: 8cbe3c35155fa0a4ab87ff5d6df1c515e412c0215f7a4b00aa5125d89c22e6c4
    • Instruction ID: cd59f0d3356efcdde17cdf82bd82ae2bfd91507d3b76a1cff9eb3b9a1d5fcbe0
    • Opcode Fuzzy Hash: 8cbe3c35155fa0a4ab87ff5d6df1c515e412c0215f7a4b00aa5125d89c22e6c4
    • Instruction Fuzzy Hash: E8114974900205EFCB14DF64CA89AAFBBB9FF48701F104569F946F32A0DB705A458BA5
    Function 004CD150 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004CD1B4
    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 004CD1BC
    • __vbaFreeStr.MSVBVM60(004CD1D9,?,?,?,?,?,?,0040A636), ref: 004CD1D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$Free
    • String ID: Energy$Mass$Volume
    • API String ID: 2739001702-3576160253
    • Opcode ID: fa09bd46d752f1446d941129dd435253dcee1eb2b6e57aeee05f2f1f55a77702
    • Instruction ID: 90e214c975ac504cb63b5116179381b324a63187d24b90181a3b88d4fe98521e
    • Opcode Fuzzy Hash: fa09bd46d752f1446d941129dd435253dcee1eb2b6e57aeee05f2f1f55a77702
    • Instruction Fuzzy Hash: 3D015E74D0050AABCB00DB54CA41B7F7BB4FB44741F68813FE406A7694DB385E06879A
    Function 0056F0E0 Relevance: 9.1, APIs: 6, Instructions: 82COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F13F
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F151
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046A87C,000000B8,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F174
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F199
    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F1A2
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F1B2
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult$List
    • String ID:
    • API String ID: 2830907855-0
    • Opcode ID: 50b55237186844fc143f7956d6eb5bfb9d2a04d122fc465c05e291bba608d843
    • Instruction ID: 04c577f853a98fe4addced631dbe56798c14d751a321cfd5d32264174a79aa32
    • Opcode Fuzzy Hash: 50b55237186844fc143f7956d6eb5bfb9d2a04d122fc465c05e291bba608d843
    • Instruction Fuzzy Hash: BB214871900205ABDB009FA4CD49EAFBBBCFF49740F108529F945E7291E7789945CBA0
    Function 00578220 Relevance: 9.1, APIs: 6, Instructions: 73COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,?,?,?,?,0040A636), ref: 0057828E
    • __vbaCastObj.MSVBVM60(00405BA0,00454AC4,?,?,?,?,?,?,?,?,?,0040A636), ref: 005782A0
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0040A636), ref: 005782AB
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,000006F8,?,?,?,?,?,?,?,?,?,0040A636), ref: 005782D0
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005782DC
    • #598.MSVBVM60(?,?,?,?,?,?,?,?,?,0040A636), ref: 005782E7
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$#598CastCheckFreeHresultNew2
    • String ID:
    • API String ID: 3727967712-0
    • Opcode ID: b088b99b5dae6c85ff8c12197292edd41081b34f6b83d844a52ffa0cb4eb34fe
    • Instruction ID: c2a2a268a5559a5bc719de894141603a690603c3518610cbb5a60bdc4b9441e0
    • Opcode Fuzzy Hash: b088b99b5dae6c85ff8c12197292edd41081b34f6b83d844a52ffa0cb4eb34fe
    • Instruction Fuzzy Hash: 76217C74940646AFCB109F64DE4DBBABBB8FB54B01F108069F419A31A1DB7868419BA4
    Function 00592160 Relevance: 9.1, APIs: 6, Instructions: 68COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005921C4
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005921C7
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005921D2
      • Part of subcall function 004C50C0: __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
      • Part of subcall function 004C50C0: #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
      • Part of subcall function 004C50C0: __vbaVarMove.MSVBVM60 ref: 004C512A
    • __vbaBoolVarNull.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005921E5
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005921F7
    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00592203
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Free$#598BoolCallCastLateListMoveNull
    • String ID:
    • API String ID: 138357799-0
    • Opcode ID: 2a81e0a8a94d3aa7883cc545e9d6d0eae74bf50d662f8345e8dc5c409675b052
    • Instruction ID: 1a0c68d1a5d949f26c0d0b16fe758008a72d012a7581abf34d3fd00348c620f5
    • Opcode Fuzzy Hash: 2a81e0a8a94d3aa7883cc545e9d6d0eae74bf50d662f8345e8dc5c409675b052
    • Instruction Fuzzy Hash: D1211DB5C00249AFCB00DFA5C9899EEBBBCFF48704F108529E955A7250D778A945CFA4
    Function 0051B2F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99COMMON
    Download Yara Rule
    APIs
    • __vbaHresultCheckObj.MSVBVM60(00000000,H3@,004554BC,000000A4), ref: 0051B34D
    • __vbaNew2.MSVBVM60(0041BAE8,006293FC), ref: 0051B366
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00461CB0,000002B0), ref: 0051B3D2
    • __vbaHresultCheckObj.MSVBVM60(00000000,H3@,004554BC,000000A4), ref: 0051B3F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$New2
    • String ID: H3@
    • API String ID: 3185277043-58663370
    • Opcode ID: 98398a9ce35f82bd1afb15d2707a64aa471a53937ec859063b3197ea2cb5d6ee
    • Instruction ID: 7d5c9d3b9f219c1786677f9c05eed90b880b58e286227e87621facb72f8edef3
    • Opcode Fuzzy Hash: 98398a9ce35f82bd1afb15d2707a64aa471a53937ec859063b3197ea2cb5d6ee
    • Instruction Fuzzy Hash: 6F316D74A40305AFDB00DF69C989B9ABBF8FF89714F108169F908EB391D77998418B91
    Function 00527370 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005273BC
    • __vbaSetSystemError.MSVBVM60(?,0000000F,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005273F0
    • __vbaSetSystemError.MSVBVM60(?,00000004,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527424
    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040A636), ref: 00527428
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Error$System$BoundsGenerate
    • String ID: 6@
    • API String ID: 2682966246-468796537
    • Opcode ID: 30124f099766d84b12133186ca88dce551a028b095b9e9a05865b76f9a560e9a
    • Instruction ID: 240232d3b849fc54fe73d83540b09fee2ece563a1a9c5726a4dc958b5c5d282b
    • Opcode Fuzzy Hash: 30124f099766d84b12133186ca88dce551a028b095b9e9a05865b76f9a560e9a
    • Instruction Fuzzy Hash: 8D31E135500615EBCB20FF68D885AAEBBF8FF48701F10452AF8419B291DB39AD55CBD4
    Function 005BE150 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(0041F4A8,00626040,?,?,?,?,?,?,?,0040A636), ref: 005BE1D5
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554EC,00000704,?,?,?,?,?,?,?,0040A636), ref: 005BE1FC
    • __vbaNew2.MSVBVM60(00449210,00625FDC,?,?,?,?,?,?,?,0040A636), ref: 005BE214
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00454174,00000094,?,?,?,?,?,?,?,0040A636), ref: 005BE23D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresultNew2
    • String ID: Return to correct it
    • API String ID: 1998677070-509962480
    • Opcode ID: f377c455b606ead95618dd6a17d83e31a59f644e28975737dd40fff66291fc17
    • Instruction ID: 37e085e2b41e3c475ce564a419568cbe9c355cb8bc8f7b896322a20dcc006053
    • Opcode Fuzzy Hash: f377c455b606ead95618dd6a17d83e31a59f644e28975737dd40fff66291fc17
    • Instruction Fuzzy Hash: EE31BE35940604EBCB20DF58C94AEDABBBAFF54721F248266F849A72D1C3746D41CB90
    Function 0056A1A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 0056A1FC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 0056A21E
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0056A227
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: HS@$Log data into a file.
    • API String ID: 444973724-915314539
    • Opcode ID: 44dd569046b469683aa7aa66671c85afb30f315fdf027c882d6b08ff21ce4e1d
    • Instruction ID: 289d38a7333c061d36b3f0f01c9153521012c02769816760b059ef2525a2bd02
    • Opcode Fuzzy Hash: 44dd569046b469683aa7aa66671c85afb30f315fdf027c882d6b08ff21ce4e1d
    • Instruction Fuzzy Hash: 0F1197B5940604ABCB109FA4CD09A9BBFB8FF48744F20416AF982B3290D67959828FD1
    Function 005501E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00550233
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 00550255
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0055025E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Return to Meter Configuration.$XH@
    • API String ID: 444973724-1405347865
    • Opcode ID: 10e1792cc5013850dc694047ac2e3830c44aca6386394f4dfc7886cc4bbdb600
    • Instruction ID: a468fde308d69d2af6db05b313cea2cb0624143cefa5d28884540c40ae2cf462
    • Opcode Fuzzy Hash: 10e1792cc5013850dc694047ac2e3830c44aca6386394f4dfc7886cc4bbdb600
    • Instruction Fuzzy Hash: A1117C75900248BBCB10AF64CD49A9EBFB8FB44700F10466AF941A32D0C67459458BD4
    Function 0055B150 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(00000000,00454AC4,?,?,?,?,?,0040A636), ref: 0055B19B
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,0040A636), ref: 0055B1A6
    • __vbaObjSetAddref.MSVBVM60(0N@,00000000,?,?,?,?,?,0040A636), ref: 0055B1B4
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,0040A636), ref: 0055B1BD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$AddrefCastFree
    • String ID: 0N@
    • API String ID: 247606873-3272351641
    • Opcode ID: 8f8e47cc0acf089a8474ea967f6536a6931f7d2ffc8d46571b86c25474f2f5a1
    • Instruction ID: e62dcc94e340a1cf3cbc6a1060ba9db4fa565cfeb84170b0ed96cb623d12e659
    • Opcode Fuzzy Hash: 8f8e47cc0acf089a8474ea967f6536a6931f7d2ffc8d46571b86c25474f2f5a1
    • Instruction Fuzzy Hash: 9F0178B5800649FBC700AF64CE49AABBFB8FB84B04F10812AF845B3291C7781946CBD4
    Function 00623150 Relevance: 7.6, APIs: 5, Instructions: 113COMMON
    Download Yara Rule
    APIs
    • __vbaHresultCheckObj.MSVBVM60(00000000,0040A608,0045BD40,00000054), ref: 006231A8
    • __vbaHresultCheckObj.MSVBVM60(00000000,0040A608,0045CEF0,000006F8), ref: 006231CF
    • __vbaNew2.MSVBVM60(0041F4A8,00626040), ref: 006231EB
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004554BC,00000094), ref: 00623214
    • __vbaHresultCheckObj.MSVBVM60(00000000,0040A608,0045BD40,000002B0), ref: 0062326F
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$New2
    • String ID:
    • API String ID: 3185277043-0
    • Opcode ID: 241cb567fb680fdd92f01e4c8d3659e6cef2e3f783bf5efe4c005b9508c003dd
    • Instruction ID: a4cdd66bde2caa5485197d076a3a5bb83577ad37f1f5a979811dffd5a07c2192
    • Opcode Fuzzy Hash: 241cb567fb680fdd92f01e4c8d3659e6cef2e3f783bf5efe4c005b9508c003dd
    • Instruction Fuzzy Hash: 66416C74640614ABC710DF68D989FAABBF9FF59700F208069F909E7391C775A806CFA4
    Function 005DB240 Relevance: 7.6, APIs: 5, Instructions: 80COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005DB29F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,0040A636), ref: 005DB2C9
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005DB2D2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408700,00462138,00000758,?,?,?,?,?,?,?,0040A636), ref: 005DB2FF
    • __vbaHresultCheckObj.MSVBVM60(00000000,00408700,00462138,00000750,?,?,?,?,?,?,?,0040A636), ref: 005DB31E
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free
    • String ID:
    • API String ID: 3976024557-0
    • Opcode ID: d993c822a0e6bc6d5fe90d8ad520c14d1bc9d9110c3c1f84967b612e19f29ad7
    • Instruction ID: 2e147b3befe0c15f348e55a98579590e232f1700615531debbb799b678282e37
    • Opcode Fuzzy Hash: d993c822a0e6bc6d5fe90d8ad520c14d1bc9d9110c3c1f84967b612e19f29ad7
    • Instruction Fuzzy Hash: 5F21EF34901605EBDB209FA8CD88AEABFB9FF05700F60452AF985E7290C7785842CB95
    Function 005D62E0 Relevance: 7.6, APIs: 5, Instructions: 80COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005D633F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4,?,?,?,?,?,?,?,0040A636), ref: 005D6369
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005D6372
    • __vbaHresultCheckObj.MSVBVM60(00000000,004083F8,00471D98,0000071C,?,?,?,?,?,?,?,0040A636), ref: 005D639F
    • __vbaHresultCheckObj.MSVBVM60(00000000,004083F8,00471D98,00000714,?,?,?,?,?,?,?,0040A636), ref: 005D63BE
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free
    • String ID:
    • API String ID: 3976024557-0
    • Opcode ID: f1953f7721a6967d85a7e7674938d26c2119fd52e8377b2d6c895068ab2bbc13
    • Instruction ID: a1f3fa9769b82c12d71e9b21b43453eac9cff43c3ee148f8658b807cd2d9dedd
    • Opcode Fuzzy Hash: f1953f7721a6967d85a7e7674938d26c2119fd52e8377b2d6c895068ab2bbc13
    • Instruction Fuzzy Hash: 93218D74900205EBC7209FA8C989AAA7FB8FF05744F60483AF989E72D1C77859468F95
    Function 006070E0 Relevance: 7.6, APIs: 5, Instructions: 79COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00607141
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00452A8C,000000A4), ref: 0060716B
    • __vbaFreeObj.MSVBVM60 ref: 00607174
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409D48,00463734,000007F4), ref: 006071A5
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409D48,00463734,000007EC), ref: 006071C4
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresult$Free
    • String ID:
    • API String ID: 3976024557-0
    • Opcode ID: 6f99c37ce6dfcba9325232201ca7b926c30f166489398278c84c87effd169d41
    • Instruction ID: 6913ae76eb0ea272c34c8add4f96b26f273bb958e25819a56f29c60ed98236ad
    • Opcode Fuzzy Hash: 6f99c37ce6dfcba9325232201ca7b926c30f166489398278c84c87effd169d41
    • Instruction Fuzzy Hash: 2621AD74A40205FBDB109F64CD48BAB7BBDFF05705F1480A9F845AB2D0D7786942CB95
    Function 004DF1B0 Relevance: 7.6, APIs: 5, Instructions: 63COMMON
    Download Yara Rule
    APIs
    • __vbaGenerateBoundsError.MSVBVM60(-00000001,?,?,00000001), ref: 004DF1C1
    • __vbaGenerateBoundsError.MSVBVM60(-00000001,?,?,00000001), ref: 004DF1EA
    • __vbaGenerateBoundsError.MSVBVM60(-00000001,?,?,00000001), ref: 004DF210
    • __vbaGenerateBoundsError.MSVBVM60(-00000001,?,?,00000001), ref: 004DF21F
    • __vbaErrorOverflow.MSVBVM60(-00000001,?,?,00000001), ref: 004DF23C
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: Error__vba$BoundsGenerate$Overflow
    • String ID:
    • API String ID: 760495285-0
    • Opcode ID: 0266972452e2780f5ee4375efa8c5188605475c0d98cdab48fe4b88163f0b818
    • Instruction ID: 27d978107f54e0b556d5a7d9dc4cca15877140880696eaba9757ac33171d523e
    • Opcode Fuzzy Hash: 0266972452e2780f5ee4375efa8c5188605475c0d98cdab48fe4b88163f0b818
    • Instruction Fuzzy Hash: 8A1108374016298BCB20EF58D98846EB7A5FF8A346701427FE543AB135D7317818C7E9
    Function 004CC2A0 Relevance: 7.5, APIs: 5, Instructions: 32COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(00000000,00000000,00401588), ref: 004CC2E0
    • __vbaOnError.MSVBVM60(00000001), ref: 004CC2E4
    • __vbaStrCopy.MSVBVM60 ref: 004CC2F0
    • __vbaExitProc.MSVBVM60 ref: 004CC2FC
    • __vbaFreeStr.MSVBVM60(004CC311), ref: 004CC30A
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Copy$ErrorExitFreeProc
    • String ID:
    • API String ID: 3932992923-0
    • Opcode ID: c942c5fde3ffb333740b2421ecfb8f344fb6f9369e172efd9ea564c04345687a
    • Instruction ID: f97dfbb167b9d046c3f90e9fa9a9912c27c0b84463a3be72611f7345a3e55888
    • Opcode Fuzzy Hash: c942c5fde3ffb333740b2421ecfb8f344fb6f9369e172efd9ea564c04345687a
    • Instruction Fuzzy Hash: 1FF0C975D00258AFCB40DFA8DE45BDEBBB4FB08740F104569E406B36A1D7785905CFA5
    Function 004E0070 Relevance: 7.5, APIs: 5, Instructions: 22COMMON
    Download Yara Rule
    APIs
    • __vbaStrCopy.MSVBVM60(6D49D83C,?,004E020E,?), ref: 004E0083
    • __vbaStrCopy.MSVBVM60(?,004E020E,?), ref: 004E008D
    • __vbaStrCopy.MSVBVM60(?,004E020E,?), ref: 004E0097
    • __vbaStrCopy.MSVBVM60(?,004E020E,?), ref: 004E00A1
    • __vbaStrCopy.MSVBVM60(?,004E020E,?), ref: 004E00AB
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: Copy__vba
    • String ID:
    • API String ID: 3702988478-0
    • Opcode ID: b378e73808fb5a8ceea31bbaabf1748b617c16c085cd7875ddc51efd0929ebda
    • Instruction ID: f6fbbcc5b2e1e8b228fed392645c7abaad1ed4a81f91a80ad1947abf8ec5975b
    • Opcode Fuzzy Hash: b378e73808fb5a8ceea31bbaabf1748b617c16c085cd7875ddc51efd0929ebda
    • Instruction Fuzzy Hash: 4EE01A35210509678314E61AD92089BF3A9DFE1351322CC3BC84293E75FBF4AD0A8E68
    Function 00578340 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 0057839C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005783BE
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005783C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Log data into a file.
    • API String ID: 444973724-3644743794
    • Opcode ID: dd91584392d9bfe4b90f3c6142870ca531efbbafe79df05f6106cba3eeeadaac
    • Instruction ID: 901cf8fb8acb68f2de2767dc1073c319010a5e527813d5845df51cdae50cedde
    • Opcode Fuzzy Hash: dd91584392d9bfe4b90f3c6142870ca531efbbafe79df05f6106cba3eeeadaac
    • Instruction Fuzzy Hash: F7115A71940604BBC7109F68CD49AABBFB8FF48B44F20856AF585A7290DB7459428FD1
    Function 005C6070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005C60C3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005C60E5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005C60EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: z@
    • API String ID: 444973724-1195197552
    • Opcode ID: 886c2cfe3b29d188963467ad1b88fededa8e4c5b665c099c167a7396dee902d4
    • Instruction ID: 25b881ee19c7b38cd41e0a32ce4d82780b0f3e2493408145dfc2c9a535077f0f
    • Opcode Fuzzy Hash: 886c2cfe3b29d188963467ad1b88fededa8e4c5b665c099c167a7396dee902d4
    • Instruction Fuzzy Hash: 76117975900209BBCB109FA4CD49A9FBFB8FB44700F24856AF981A3291D7789941CBD0
    Function 00606020 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00606073
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 00606095
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0060609E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Close this window.
    • API String ID: 444973724-1908909423
    • Opcode ID: ef2777be10ce4927594a76ebb1a7da1aa7f58de63cd19809965517a644ff2852
    • Instruction ID: b69318d9269f00e646dd2cd14bec8570f0caa29b81c78a96b336cbd46acdcbb3
    • Opcode Fuzzy Hash: ef2777be10ce4927594a76ebb1a7da1aa7f58de63cd19809965517a644ff2852
    • Instruction Fuzzy Hash: EF117975940205FBC7109F64CE49AABBFBDEB45704F20816AF946A3290C77858428BD0
    Function 005A2020 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005A2073
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005A2095
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005A209E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: 8l@
    • API String ID: 444973724-1789724673
    • Opcode ID: 89716028e693ad23d469e252cc38abf9f2f8b9241e5328d0e1ffd3db54b23464
    • Instruction ID: c23b63fb2f7a8efa45e0a028b8518a225d25d5989cbcf88b30372f331883a39b
    • Opcode Fuzzy Hash: 89716028e693ad23d469e252cc38abf9f2f8b9241e5328d0e1ffd3db54b23464
    • Instruction Fuzzy Hash: B2118E75900209FBC7109F68CE4AA9FBFB8FB45704F20456AF981A3290D7745941CBD0
    Function 005790F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 00579143
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 00579165
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0057916E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: p\@
    • API String ID: 444973724-3412255370
    • Opcode ID: 28518f5267f7c01cf5e1080e6d3265b67b6db524c6f3644c5a31e4d85abfe03b
    • Instruction ID: 42d92768c21f0a765010f13187bb04d23700513b3c6cb2c8865c1f07e9ded1cd
    • Opcode Fuzzy Hash: 28518f5267f7c01cf5e1080e6d3265b67b6db524c6f3644c5a31e4d85abfe03b
    • Instruction Fuzzy Hash: E2117975900649BBC7109F64CD49ADBBFB8FB89740F20856AF885A3290D6789941DFE0
    Function 005A20E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005A2133
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005A2155
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005A215E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Hl@
    • API String ID: 444973724-1046241361
    • Opcode ID: f0c49cb8272b0fd9fa1da47008577a37dba5dac263841b0db126e9238e76ebdd
    • Instruction ID: cdfeeaded0bc00302138c65efda4dc236ea7288fc2f1d3415c3d2a90e0f7af86
    • Opcode Fuzzy Hash: f0c49cb8272b0fd9fa1da47008577a37dba5dac263841b0db126e9238e76ebdd
    • Instruction Fuzzy Hash: 68118E75900205FBC7109F68CD4AA9EBFB8FB45704F20466AF981A3290D7745941CBD0
    Function 005F10B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005F1103
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005F1125
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005F112E
    Strings
    • Changes made here will appear in the log and report only., xrefs: 005F110B
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Changes made here will appear in the log and report only.
    • API String ID: 444973724-3480561785
    • Opcode ID: 7c2c5b66382abdaf209fae0134095ea07eff05a05173e394f8a61246158f73b6
    • Instruction ID: 2eba1a9141b3dfdfdbe2dbc538390207f03a2cd6017e71b80f5c3ff8ac43f127
    • Opcode Fuzzy Hash: 7c2c5b66382abdaf209fae0134095ea07eff05a05173e394f8a61246158f73b6
    • Instruction Fuzzy Hash: 59118B75900649FBC7109F64CD49EABBFBCFB48B04F20816AFA81A3291C7785942CBD4
    Function 005F1170 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005F11C3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005F11E5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005F11EE
    Strings
    • The module's current wallclock., xrefs: 005F11CB
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: The module's current wallclock.
    • API String ID: 444973724-3486530905
    • Opcode ID: 734313ccf7f6b6d46ee679dcc91caa016e25a5eadbaaf63f81319ea13c5c404a
    • Instruction ID: 55e86c1151efe1ca12c8020c1b73141a2d374e81d35be07b14c58911e37b5856
    • Opcode Fuzzy Hash: 734313ccf7f6b6d46ee679dcc91caa016e25a5eadbaaf63f81319ea13c5c404a
    • Instruction Fuzzy Hash: 83118B75900609FBCB109FA5CD49AAFBFBCFB48704F20426AFA46A3291C7785941CBD4
    Function 0056B110 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 0056B163
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 0056B185
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0056B18E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: 8T@
    • API String ID: 444973724-2100475130
    • Opcode ID: 4c0b30fefb3351226e68e30aaae242d45dc83a157cbde6415cbc4de5f240b88e
    • Instruction ID: 8adcbc1ab48d4761becf9881ea13985a117f57849630cf36ae56cda4e629c9b5
    • Opcode Fuzzy Hash: 4c0b30fefb3351226e68e30aaae242d45dc83a157cbde6415cbc4de5f240b88e
    • Instruction Fuzzy Hash: 3C117C75900245BBD7109F64CD49ADBBFB8FF45700F20456AF981A3291D7745982CBD0
    Function 0057A110 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 0057A163
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 0057A185
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0057A18E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: h]@
    • API String ID: 444973724-3226214659
    • Opcode ID: ce629ec70eba6ce52414040bb5929510dfa6e3f9697e159077ef9fee54793c00
    • Instruction ID: da509df2478fec1ec3882710a073a73f5408dac9dc4bddccf2bf53bafdab7c03
    • Opcode Fuzzy Hash: ce629ec70eba6ce52414040bb5929510dfa6e3f9697e159077ef9fee54793c00
    • Instruction Fuzzy Hash: 0F117975900209BBD7109F64CD49A9FBFB8FF89700F20866AF885A3290D7789942CBD1
    Function 0056B240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 0056B293
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 0056B2B5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 0056B2BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: PT@
    • API String ID: 444973724-1005989474
    • Opcode ID: 111cac3b1262359ca413665c097468551ded90ef7698b1c418f23535badfc4e4
    • Instruction ID: da6a8eddb8235aed36097b5e7ba4ba85a87549a20b3f668979a9ce6ccc724dac
    • Opcode Fuzzy Hash: 111cac3b1262359ca413665c097468551ded90ef7698b1c418f23535badfc4e4
    • Instruction Fuzzy Hash: A7117975900249BBD7109F64CD49A9FBFB8FB44704F20466AF985A3291D77859818BD0
    Function 005BE270 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005BE2C3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005BE2E5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005BE2EE
    Strings
    • Return to Meter Configuration., xrefs: 005BE2CB
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Return to Meter Configuration.
    • API String ID: 444973724-2378516119
    • Opcode ID: 240ed491057a46f17228a723485ee01df4b3596b9464de78b1a7f1a1d2cc50ab
    • Instruction ID: 78661e803fdde03bf6e134b6c24eaf6060f477258eca0df460597a3b20e824f6
    • Opcode Fuzzy Hash: 240ed491057a46f17228a723485ee01df4b3596b9464de78b1a7f1a1d2cc50ab
    • Instruction Fuzzy Hash: 08117975900208FBCB109F64CD4AADEBFBCFB44740F24456AF841A3290D6786941CBD1
    Function 00592260 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005922B3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005922D5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005922DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Plot archive values.
    • API String ID: 444973724-3365767035
    • Opcode ID: 032b44392fd7174127ab09cee65d911d32d5d3a8628881cdb2a38c373ca04d03
    • Instruction ID: 2dbeff20002cdd03ca2306f9260f36435caa17911c90e80e9225ce9e9ed5239a
    • Opcode Fuzzy Hash: 032b44392fd7174127ab09cee65d911d32d5d3a8628881cdb2a38c373ca04d03
    • Instruction Fuzzy Hash: AF115B75901245FBCB10AF64CD49ADFBFB8FB44704F20456AF982A3290D7785942CBD1
    Function 00579350 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 005793A3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,0040A636), ref: 005793C5
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,0040A636), ref: 005793CE
    Strings
    • Click the box or press any key for details., xrefs: 005793AB
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresult
    • String ID: Click the box or press any key for details.
    • API String ID: 444973724-1862394547
    • Opcode ID: 2bd9f9187afa96f6dc78ed04ff228513efd08faf422c16f5434b620542139920
    • Instruction ID: 0af1e686c34f8cb8a6e5c718ab357f459c9b9edc6266bb7e11ee16c1a089459c
    • Opcode Fuzzy Hash: 2bd9f9187afa96f6dc78ed04ff228513efd08faf422c16f5434b620542139920
    • Instruction Fuzzy Hash: D9117975900644BBC7109F64CE49A9BBFB8FB48744F20856AF845A32D0C7789842CBE0
    Function 004C50C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON
    Download Yara Rule
    APIs
    • __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C5103
    • #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 004C510C
    • __vbaVarMove.MSVBVM60 ref: 004C512A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$#598CallLateMove
    • String ID: SetFocus
    • API String ID: 657305127-2459276585
    • Opcode ID: 8978bec14ffd5187704169d833f6918ecd322a600f16af87523ded685a90008d
    • Instruction ID: d26680a83bced5cb5a9982ea51b444762dbebac109c62dc7a07628e5c6932a4a
    • Opcode Fuzzy Hash: 8978bec14ffd5187704169d833f6918ecd322a600f16af87523ded685a90008d
    • Instruction Fuzzy Hash: FD018178810648EFCB10DFA8DE49F9EBBB4FB08700F50412AE806A3250D7785545CB69
    Function 004C5340 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON
    Download Yara Rule
    APIs
    • __vbaObjIs.MSVBVM60(?,?,?,?,0052817C,?,?), ref: 004C5350
    • __vbaLateMemCall.MSVBVM60(?,SetFocus,00000000,?,?,0052817C,?,?), ref: 004C536B
    • __vbaLateMemCall.MSVBVM60(00000000,SetFocus,00000000,?,SetFocus,00000000,?,?,0052817C,?,?), ref: 004C5377
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CallLate
    • String ID: SetFocus
    • API String ID: 3948079969-2459276585
    • Opcode ID: 57269fe9dae0527d1e43c6121f8a5bce2b8c0d6184d62b1a38bb54e33c515b3f
    • Instruction ID: 08dd66e5bdbd99850d3a6ea22b021014b7a31d5e00818d99fd2e0f783ee15b2f
    • Opcode Fuzzy Hash: 57269fe9dae0527d1e43c6121f8a5bce2b8c0d6184d62b1a38bb54e33c515b3f
    • Instruction Fuzzy Hash: 83E092396402106BC610DB5CCD84F5FB3A8AFAC711F20440BBD80B3250D2B4B844CBA4
    Function 00613280 Relevance: 6.1, APIs: 4, Instructions: 94COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00424494,006297F8), ref: 006132D2
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004777C8,000002B0), ref: 00613337
    • __vbaNew2.MSVBVM60(00424494,006297F8), ref: 00613350
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004777C8,000002A8), ref: 00613377
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckHresultNew2
    • String ID:
    • API String ID: 1998677070-0
    • Opcode ID: ce10e8633d539de09b3204f0c7cff47bda5ca74cf5db575ba316048249ec5896
    • Instruction ID: 09fa25bf9d5457a905878e0c0feed93cebae047d2712189c13c6459b1a1b8428
    • Opcode Fuzzy Hash: ce10e8633d539de09b3204f0c7cff47bda5ca74cf5db575ba316048249ec5896
    • Instruction Fuzzy Hash: AD315B75A40314AFC710DF68D989BDABBF9FF48704F248069E809E7390D735A941CBA5
    Function 005FB030 Relevance: 6.1, APIs: 4, Instructions: 77COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005FB098
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0046207C,00000040,?,?,?,?,?,?,?,?,?,?,0040A636), ref: 005FB0BC
    • __vbaObjSet.MSVBVM60(?,?), ref: 005FB0D1
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 005FB0EA
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultList
    • String ID:
    • API String ID: 986832480-0
    • Opcode ID: b3e0f3b5c4f86898071470cc544400a4c0dab11888e06aba9f8f090e5515d1aa
    • Instruction ID: b3f23e51caf922de4216d02b380f0077c75f5fcfa5ef49a7666f9c513feb2138
    • Opcode Fuzzy Hash: b3e0f3b5c4f86898071470cc544400a4c0dab11888e06aba9f8f090e5515d1aa
    • Instruction Fuzzy Hash: 6D211C7490020AEFDB10DFA4C849EEEBBB8FF48704F108529E955E7281E7789945CBA4
    Function 005AF060 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,0040A636), ref: 005AF0B8
    • __vbaObjSetAddref.MSVBVM60(?,004071D0,?,?,?,?,?,?,?,?,0040A636), ref: 005AF0CE
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010,?,?,?,?,?,?,?,?,0040A636), ref: 005AF0EB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005AF0F4
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$AddrefCheckFreeHresultNew2
    • String ID:
    • API String ID: 1649212984-0
    • Opcode ID: 5ce64ebd1355aec2aaf53a6089c2641d67c96cd98b6bc55fc771411e8bf01b3f
    • Instruction ID: b61e7f0d7fbada3fd24932af8127fdc56c65911dd09a9fd259b3baec23064c23
    • Opcode Fuzzy Hash: 5ce64ebd1355aec2aaf53a6089c2641d67c96cd98b6bc55fc771411e8bf01b3f
    • Instruction Fuzzy Hash: 3D118F75900209EBCB10DFA8CD89AAEBFB9FB59704F208069F905A3291C7749945CB90
    Function 006060E0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,0040A636), ref: 00606138
    • __vbaObjSetAddref.MSVBVM60(?,00409C88,?,?,?,?,?,?,?,?,0040A636), ref: 0060614E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010,?,?,?,?,?,?,?,?,0040A636), ref: 0060616B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 00606174
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$AddrefCheckFreeHresultNew2
    • String ID:
    • API String ID: 1649212984-0
    • Opcode ID: 2f74787783e8381a6f0cdf254c56e987480b19a12a16b4ff84555f9e672d2e20
    • Instruction ID: 9a677e6410cfe50d279a208a948aab160cec2801648f4d2e1fec69c2319d7f70
    • Opcode Fuzzy Hash: 2f74787783e8381a6f0cdf254c56e987480b19a12a16b4ff84555f9e672d2e20
    • Instruction Fuzzy Hash: 57118F74940209BFCB009F68CD85AEEBBB9FB59704F208069F505B32A1C77458468B94
    Function 005AF210 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,0040A636), ref: 005AF268
    • __vbaObjSetAddref.MSVBVM60(?,004071F0,?,?,?,?,?,?,?,?,0040A636), ref: 005AF27E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010,?,?,?,?,?,?,?,?,0040A636), ref: 005AF29B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 005AF2A4
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$AddrefCheckFreeHresultNew2
    • String ID:
    • API String ID: 1649212984-0
    • Opcode ID: ec77e1fd3bc85969888e49a116ed44997e212d6f7c6ff96f5f09025e9840f4ba
    • Instruction ID: 66d099205d6caee9346b7e594cd8e811540af0a1bf62084dbaf63dc095423a21
    • Opcode Fuzzy Hash: ec77e1fd3bc85969888e49a116ed44997e212d6f7c6ff96f5f09025e9840f4ba
    • Instruction Fuzzy Hash: 2E118F79D00609AFCB009FA8CD89AAEBFB9FF59704F208029F905B3291C77458458BA4
    Function 0055F2C0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,?,?,?,?,?,?,?,?,0040A636), ref: 0055F318
    • __vbaObjSetAddref.MSVBVM60(?,00404F90,?,?,?,?,?,?,?,?,0040A636), ref: 0055F32E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000010,?,?,?,?,?,?,?,?,0040A636), ref: 0055F34B
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0055F354
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$AddrefCheckFreeHresultNew2
    • String ID:
    • API String ID: 1649212984-0
    • Opcode ID: 08ed802bc258931f2aa6ceac809d3030795d2e765f206628e3e9f5c9151b44e1
    • Instruction ID: a10a8a4dc38a9b2c3c1d801d31e1d45c55dd4e393fe6c53bf0909615b94a170b
    • Opcode Fuzzy Hash: 08ed802bc258931f2aa6ceac809d3030795d2e765f206628e3e9f5c9151b44e1
    • Instruction Fuzzy Hash: 25118275900209AFCB009FA4CD85AAEBFB9FB89705F208429F905A3291C77498498B94
    Function 00556050 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005560B1
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,0040A636), ref: 005560B4
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005560BF
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,0040A636), ref: 005560D4
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$CallCastCheckListType
    • String ID:
    • API String ID: 1389407206-0
    • Opcode ID: 4c8fcf302f821ee483004fad6e65a55e15dc4c239ca79d7291dfbc564a03317d
    • Instruction ID: abe3cb709a3334e72d6099a3ac85c23a469be157e8f920e17c6f6c37150f9190
    • Opcode Fuzzy Hash: 4c8fcf302f821ee483004fad6e65a55e15dc4c239ca79d7291dfbc564a03317d
    • Instruction Fuzzy Hash: 57113DB5C10249ABCB009FA5CD49AAFBFBCFB44700F10856AF951A3291D6786645CB94
    Function 00557090 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005570F1
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,0040A636), ref: 005570F4
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005570FF
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,0040A636), ref: 00557114
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$CallCastCheckListType
    • String ID:
    • API String ID: 1389407206-0
    • Opcode ID: 64cf02865e2c9d7e4cfb367de3b0b1281b1b5c315b113991a0b358430fed49ad
    • Instruction ID: 453bbb723f43dc2d683b8abb14731c38bbf420b42ff62c293ad853e1fb65005f
    • Opcode Fuzzy Hash: 64cf02865e2c9d7e4cfb367de3b0b1281b1b5c315b113991a0b358430fed49ad
    • Instruction Fuzzy Hash: 64113AB6C00649ABCB009FA5CD49AAFBFBCEB48700F10855AB945A3291D6786945CBD4
    Function 005FA200 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005FA261
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,0040A636), ref: 005FA264
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005FA26F
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,0040A636), ref: 005FA284
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$CallCastCheckListType
    • String ID:
    • API String ID: 1389407206-0
    • Opcode ID: 0e523bf956a73f53547bf127055fabd942c52571e2366ff0926fc39210225725
    • Instruction ID: 0b38bd42d787816b76a46f68940d9bf9e01ce9b5f4a4be03311f45296cea4aff
    • Opcode Fuzzy Hash: 0e523bf956a73f53547bf127055fabd942c52571e2366ff0926fc39210225725
    • Instruction Fuzzy Hash: E2116AB6C00249ABCB009FA5CD49AAFBFBCEB44700F10851AB945A3281D6786901CB91
    Function 005BA2C0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005BA321
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,0040A636), ref: 005BA324
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005BA32F
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,0040A636), ref: 005BA344
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$CallCastCheckListType
    • String ID:
    • API String ID: 1389407206-0
    • Opcode ID: dccd9dd07ca4d7ef9dfefcb1151278a69801808f031772738d16460a1601a5ca
    • Instruction ID: 540b27298abd7667e370101771de8ae0e9f78e483c6020f2e57c6e6fd802af1e
    • Opcode Fuzzy Hash: dccd9dd07ca4d7ef9dfefcb1151278a69801808f031772738d16460a1601a5ca
    • Instruction Fuzzy Hash: E7114CB6C00249ABCB00DFA5CD49EEFBFBCFB44700F10855AB945A3281D678AA45CBD5
    Function 0056F2A0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 0056F301
    • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,?,?,0040A636), ref: 0056F304
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 0056F30F
      • Part of subcall function 004C53C0: __vbaCheckType.MSVBVM60(?,00452A8C), ref: 004C53FF
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004C5435
      • Part of subcall function 004C53C0: __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004C5444
      • Part of subcall function 004C53C0: __vbaLenVar.MSVBVM60(?,00000000), ref: 004C5452
      • Part of subcall function 004C53C0: __vbaLateMemSt.MSVBVM60(?,SelLength), ref: 004C547B
      • Part of subcall function 004C53C0: __vbaFreeVar.MSVBVM60 ref: 004C5480
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,0040A636), ref: 0056F324
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$Late$Free$CallCastCheckListType
    • String ID:
    • API String ID: 1389407206-0
    • Opcode ID: 82a43e7042f14db8eaa37c516703514368ec2838fea34aa09f86a0c99badc839
    • Instruction ID: 89edb38ed8c29c54acfd73d6209c1a3253872418fab470ebba3eb3d582d0a35c
    • Opcode Fuzzy Hash: 82a43e7042f14db8eaa37c516703514368ec2838fea34aa09f86a0c99badc839
    • Instruction Fuzzy Hash: 3E113AB6D00249ABCB009FA5CD49AAFBFBCEB44700F50856AB945A3281D6786A458B94
    Function 00508370 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __vbaNew2.MSVBVM60(00459D58,0062B924,00000000,6D49D8B1,6D49D83C), ref: 005083BD
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00459D48,00000020), ref: 005083E2
    • __vbaLateIdSt.MSVBVM60(00000000,0001000B), ref: 00508407
    • __vbaFreeObj.MSVBVM60 ref: 00508410
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CheckFreeHresultLateNew2
    • String ID:
    • API String ID: 760104272-0
    • Opcode ID: b45e7bb83b2d128ea41b2cab20713f2b081c0546722456c8821f37f50bafb644
    • Instruction ID: 88503684a7e598bc338d6e7e302a24f0f475c828d979b3b0e8e8f3c8c63cae2e
    • Opcode Fuzzy Hash: b45e7bb83b2d128ea41b2cab20713f2b081c0546722456c8821f37f50bafb644
    • Instruction Fuzzy Hash: 04118F70A40206ABD700DF58CE49FAEBFF8FB48B01F108569E645B72A0C7749845CBA5
    Function 0060A240 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(00000000,00465304,?,?,?,?,?,?,0040A636), ref: 0060A28D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 0060A298
    • __vbaHresultCheckObj.MSVBVM60(00000000,00409EA0,00463734,0000086C,?,?,?,?,?,?,0040A636), ref: 0060A2B8
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 0060A2C1
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CastCheckFreeHresult
    • String ID:
    • API String ID: 2379982908-0
    • Opcode ID: 293ea09b5d183ecb735459606841fa540892236ad7366e9d7dc9895675a95c84
    • Instruction ID: a0d046bfdaa74a0519e5e28a1fede547b85746a8d6e160da939630c032f47b03
    • Opcode Fuzzy Hash: 293ea09b5d183ecb735459606841fa540892236ad7366e9d7dc9895675a95c84
    • Instruction Fuzzy Hash: E8018B75940249FBC7009F64CE89AABBFB9FB44B40F148069F881A7291C7795A01CBE5
    Function 005D3230 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
    Download Yara Rule
    APIs
    • __vbaCastObj.MSVBVM60(00000000,00465304,?,?,?,?,?,?,0040A636), ref: 005D327D
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,0040A636), ref: 005D3288
    • __vbaHresultCheckObj.MSVBVM60(00000000,004082C0,004622F4,0000087C,?,?,?,?,?,?,0040A636), ref: 005D32A8
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,0040A636), ref: 005D32B1
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$CastCheckFreeHresult
    • String ID:
    • API String ID: 2379982908-0
    • Opcode ID: 43c22e78a27605b9f4e117205bcbff7286342a20876b7717786c753457963137
    • Instruction ID: e89cb32b65f61e0bf804563d6b724c2b5696494e7164f0088831ab94fbd636a3
    • Opcode Fuzzy Hash: 43c22e78a27605b9f4e117205bcbff7286342a20876b7717786c753457963137
    • Instruction Fuzzy Hash: 0001A175900645FBC7109F64CE49EAE7FB8FB44B00F10846AF985A3290C7745901CBD1
    Function 00623090 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
    Download Yara Rule
    APIs
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,0040A636), ref: 006230D8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00464174,00000054,?,?,?,?,?,?,?,?,0040A636), ref: 006230FB
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 00623104
    • #598.MSVBVM60(?,?,?,?,?,?,?,?,0040A636), ref: 0062310A
    Memory Dump Source
    • Source File: 00000000.00000002.1441725168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1441701717.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441895488.0000000000629000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1441914804.0000000000648000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_AFCMgr.jbxd
    Similarity
    • API ID: __vba$#598CheckFreeHresult
    • String ID:
    • API String ID: 1974155947-0
    • Opcode ID: 5ed171869b28409ef63afff4226cb24ce6f4209e48d48da2fe53ff82b4747e16
    • Instruction ID: fd21c44580876aa331834dcc339591b078ad2c26d30baa58c17e5efb12e61740
    • Opcode Fuzzy Hash: 5ed171869b28409ef63afff4226cb24ce6f4209e48d48da2fe53ff82b4747e16
    • Instruction Fuzzy Hash: 54015B74500655EFC700DF68CE49AAABFB9FF45700F108069F945A32A0C7785942CF91