Play interactive tour

Edit tour

Analysis Report http://covid19vaccine.hopto.org/march%20OG.exe

Overview

General Information

Sample URL:	http://covid19vaccine.hopto.org/march%20OG.exe
Analysis ID:	365435
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

PE file contains strange resources

Potential browser exploit detected (process start blacklist hit)

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

iexplore.exe (PID: 3476 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5588 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

march OG.exe (PID: 3652 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe' MD5: B75B990AC5990F1B6B0127540DE4EC30)

march OG.exe (PID: 6092 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe' MD5: B75B990AC5990F1B6B0127540DE4EC30)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: march OG.exe PID: 3652	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: march OG.exe PID: 3652	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: march OG.exe PID: 6092	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: march OG.exe PID: 6092	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: http://covid19vaccine.hopto.org/march%20OG.exe

Avira URL Cloud: detection malicious, Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: covid19vaccine.hopto.org

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial	Virustotal: Detection: 76%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial	Metadefender: Detection: 24%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe	Metadefender: Detection: 24%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: http://covid19vaccine.hopto.org/march%20OG.exe

Virustotal: Detection: 17%

Perma Link

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Jump to behavior

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 09 Mar 2021 14:36:37 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.2Last-Modified: Wed, 03 Mar 2021 00:26:30 GMTETag: "17000-5bc96e70c1a4b"Accept-Ranges: bytesContent-Length: 94208Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 5d 2f 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 30 00 00 00 00 00 00 14 17 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 10 00 00 67 77 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 46 01 00 28 00 00 00 00 70 01 00 ac 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2c 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 12 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 09 00 00 00 70 01 00 00 10 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /march%20OG.exe HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: covid19vaccine.hopto.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: covid19vaccine.hopto.org

Source: march OG.exe, 00000011.00000002.450348913.000000000072A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232721 NtWriteVirtualMemory,	17_2_02232721
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_0223057F EnumWindows,NtSetInformationThread,	17_2_0223057F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022365EB NtProtectVirtualMemory,	17_2_022365EB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_0223063C NtSetInformationThread,	17_2_0223063C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232A70 NtWriteVirtualMemory,	17_2_02232A70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02231AB7 NtWriteVirtualMemory,	17_2_02231AB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_0223068C NtSetInformationThread,	17_2_0223068C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022306E7 NtSetInformationThread,	17_2_022306E7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232739 NtWriteVirtualMemory,	17_2_02232739
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232B04 NtWriteVirtualMemory,	17_2_02232B04
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232B53 NtWriteVirtualMemory,	17_2_02232B53
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022327A1 NtWriteVirtualMemory,	17_2_022327A1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232BAB NtWriteVirtualMemory,	17_2_02232BAB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02235FF4 NtWriteVirtualMemory,	17_2_02235FF4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022327DF NtWriteVirtualMemory,	17_2_022327DF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232843 NtWriteVirtualMemory,	17_2_02232843
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022328E1 NtWriteVirtualMemory,	17_2_022328E1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232949 NtWriteVirtualMemory,	17_2_02232949
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_00566A72 NtProtectVirtualMemory,	26_2_00566A72

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Code function: 17_2_0040A0CB

17_2_0040A0CB

Source: march%20OG[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: march OG.exe.0mzlwub.partial.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.evad.win@7/9@1/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9FFFDC171AAF0B67.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: march OG.exe PID: 3652, type: MEMORY
Source: Yara match	File source: Process Memory Space: march OG.exe PID: 6092, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: march OG.exe PID: 3652, type: MEMORY
Source: Yara match	File source: Process Memory Space: march OG.exe PID: 6092, type: MEMORY

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_0040A0CB pushfd ; retn 2B2Fh	17_2_0040A0CA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_004070BF push esi; retf	17_2_004070C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_00403B43 push cs; retf	17_2_00403B91
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_00409B29 push eax; retf	17_2_00409B34
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_00403B94 push cs; retf	17_2_00403B91

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial			Jump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232721 NtWriteVirtualMemory,		17_2_02232721
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02231AB7 NtWriteVirtualMemory,		17_2_02231AB7

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002235A4C second address: 00000000022359D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6750BF8268h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, A4B7h 0x00000022 test bl, FFFFFFE9h 0x00000025 add edi, edx 0x00000027 jmp 00007F6750BF827Eh 0x00000029 pushad 0x0000002a mov edi, 00000097h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 00000000022359EC second address: 0000000002235A8B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edi, 00E4E1C0h 0x00000010 jnl 00007F6750BF81F2h 0x00000012 test dh, ch 0x00000014 ret 0x00000015 cmp dx, B20Dh 0x0000001a test dh, ah 0x0000001c mov dword ptr [ebp+0000009Ch], 00000000h 0x00000026 test dl, bl 0x00000028 xor edi, edi 0x0000002a cmp dh, dh 0x0000002c cmp bx, ax 0x0000002f mov ecx, 000186A0h 0x00000034 push ecx 0x00000035 jmp 00007F6750BF827Ah 0x00000037 cmp eax, eax 0x00000039 call 00007F6750BF82F7h 0x0000003e call 00007F6750BF83C4h 0x00000043 lfence 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 000000000223328E second address: 000000000223328E instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002230785 second address: 0000000002230785 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002234DF4 second address: 0000000002232E33 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop eax 0x0000000b jmp 00007F6750CA9E6Eh 0x0000000d cmp ah, ah 0x0000000f retn 0008h 0x00000012 test bh, ch 0x00000014 cmp ax, 00004630h 0x00000018 cmp cx, bx 0x0000001b cmp dword ptr [ebp+48h], 00000000h 0x0000001f jne 00007F6750CA9E98h 0x00000021 pushad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002232E33 second address: 0000000002232E33 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002232A55 second address: 0000000002232A55 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: march OG.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002235A4C second address: 00000000022359D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6750BF8268h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, A4B7h 0x00000022 test bl, FFFFFFE9h 0x00000025 add edi, edx 0x00000027 jmp 00007F6750BF827Eh 0x00000029 pushad 0x0000002a mov edi, 00000097h 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 00000000022359D3 second address: 00000000022359D3 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 dec dword ptr [ebp+000000F8h] 0x00000009 nop 0x0000000a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000011 jne 00007F6750BC977Ch 0x00000013 call 00007F6750BC9864h 0x00000018 call 00007F6750BC97D8h 0x0000001d lfence 0x00000020 mov edx, dword ptr [7FFE0014h] 0x00000026 lfence 0x00000029 ret 0x0000002a mov esi, edx 0x0000002c pushad 0x0000002d nop 0x0000002e nop 0x0000002f xor eax, eax 0x00000031 inc eax 0x00000032 nop 0x00000033 nop 0x00000034 popad 0x00000035 mov edx, 00000001h 0x0000003a nop 0x0000003b nop 0x0000003c ret 0x0000003d test dx, A4B7h 0x00000042 test bl, FFFFFFE9h 0x00000045 add edi, edx 0x00000047 jmp 00007F6750BC97DEh 0x00000049 pushad 0x0000004a mov edi, 00000097h 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 00000000022359EC second address: 0000000002235A8B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edi, 00E4E1C0h 0x00000010 jnl 00007F6750BF81F2h 0x00000012 test dh, ch 0x00000014 ret 0x00000015 cmp dx, B20Dh 0x0000001a test dh, ah 0x0000001c mov dword ptr [ebp+0000009Ch], 00000000h 0x00000026 test dl, bl 0x00000028 xor edi, edi 0x0000002a cmp dh, dh 0x0000002c cmp bx, ax 0x0000002f mov ecx, 000186A0h 0x00000034 push ecx 0x00000035 jmp 00007F6750BF827Ah 0x00000037 cmp eax, eax 0x00000039 call 00007F6750BF82F7h 0x0000003e call 00007F6750BF83C4h 0x00000043 lfence 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002235A8B second address: 0000000002235A8B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6750BC9D4Dh 0x0000001d popad 0x0000001e call 00007F6750BC990Ch 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 000000000223328E second address: 000000000223328E instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002230785 second address: 0000000002230785 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 000000000223099C second address: 00000000022309B8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 555E1691h 0x00000010 je 00007F6750BFD776h 0x00000016 pushad 0x00000017 mov eax, 0000006Fh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002230B7B second address: 0000000002230B8E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 00000030h 0x0000000d pushad 0x0000000e mov eax, 0000003Ch 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002234DF4 second address: 0000000002232E33 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop eax 0x0000000b jmp 00007F6750CA9E6Eh 0x0000000d cmp ah, ah 0x0000000f retn 0008h 0x00000012 test bh, ch 0x00000014 cmp ax, 00004630h 0x00000018 cmp cx, bx 0x0000001b cmp dword ptr [ebp+48h], 00000000h 0x0000001f jne 00007F6750CA9E98h 0x00000021 pushad 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002232E33 second address: 0000000002232E33 instructions:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	RDTSC instruction interceptor: First address: 0000000002232A55 second address: 0000000002232A55 instructions:

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Code function: 17_2_02232721 rdtsc

17_2_02232721

Source: march OG.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Code function: 17_2_0223057F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079

17_2_0223057F

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Code function: 17_2_02232721 rdtsc

17_2_02232721

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Code function: 17_2_022335C8 LdrInitializeThunk,

17_2_022335C8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232230 mov eax, dword ptr fs:[00000030h]	17_2_02232230
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232254 mov eax, dword ptr fs:[00000030h]	17_2_02232254
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02231AB7 mov eax, dword ptr fs:[00000030h]	17_2_02231AB7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02232ED0 mov eax, dword ptr fs:[00000030h]	17_2_02232ED0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_0223574D mov eax, dword ptr fs:[00000030h]	17_2_0223574D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_02236071 mov eax, dword ptr fs:[00000030h]	17_2_02236071
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022360FB mov eax, dword ptr fs:[00000030h]	17_2_022360FB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022360DD mov eax, dword ptr fs:[00000030h]	17_2_022360DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 17_2_022351D5 mov eax, dword ptr fs:[00000030h]	17_2_022351D5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_00566071 mov eax, dword ptr fs:[00000030h]	26_2_00566071
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_005660DD mov eax, dword ptr fs:[00000030h]	26_2_005660DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_00561CDA mov eax, dword ptr fs:[00000030h]	26_2_00561CDA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_005660FB mov eax, dword ptr fs:[00000030h]	26_2_005660FB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_005651D5 mov eax, dword ptr fs:[00000030h]	26_2_005651D5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_00562254 mov eax, dword ptr fs:[00000030h]	26_2_00562254
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_00562230 mov eax, dword ptr fs:[00000030h]	26_2_00562230
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_00562ED0 mov eax, dword ptr fs:[00000030h]	26_2_00562ED0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe	Code function: 26_2_0056574D mov eax, dword ptr fs:[00000030h]	26_2_0056574D

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'

Jump to behavior

Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: march OG.exe, 0000001A.00000002.468433617.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe

Code function: 17_2_02233D0A cpuid

17_2_02233D0A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution1	Path Interception	Process Injection12	Masquerading1	Input Capture1	Security Software Discovery821	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery311	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://covid19vaccine.hopto.org/march%20OG.exe	18%	Virustotal		Browse
http://covid19vaccine.hopto.org/march%20OG.exe	100%	Avira URL Cloud	malware

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial	76%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial	24%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial	82%	ReversingLabs	Win32.Trojan.VBObfuse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe	24%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe	82%	ReversingLabs	Win32.Trojan.VBObfuse

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
covid19vaccine.hopto.org	13%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
0	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
covid19vaccine.hopto.org	46.183.222.6	true	true	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://covid19vaccine.hopto.org/march%20OG.exe	true		unknown
0	true	1%, Virustotal, Browse	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.183.222.6	covid19vaccine.hopto.org	Latvia		52048	DATACLUBLV	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	365435
Start date:	09.03.2021
Start time:	15:35:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://covid19vaccine.hopto.org/march%20OG.exe
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.win@7/9@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 184.30.21.219, 92.122.145.220, 88.221.62.148, 13.64.90.137, 2.18.68.82, 51.104.144.132, 152.199.19.161, 168.61.161.212, 2.20.142.209, 2.20.142.210, 20.54.26.129, 131.253.33.200, 13.107.22.200, 92.122.213.247, 92.122.213.194, 13.88.21.125, 104.42.151.234 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target march OG.exe, PID 6092 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{493F8842-8130-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.7991357474314675
Encrypted:	false
SSDEEP:	48:IwQGcprSGwpLZG/ap8XGIpcwMUGvnZpvw/Gohqp9wWGo4xpmw95GWD59wE0GW55t:rUZaZ92JWwwtwwfwRxMw9XwEhdrEgn2
MD5:	E05F8B9026F6AB4A3BCA3481B5A45DF8
SHA1:	3CDF3E87CEFAA47ACB356905D9B92EBCA66C79C0
SHA-256:	9D56214120EEBBEDACE33EA337A717E048EDE3510B29CE26ED7D23CD902C8264
SHA-512:	DDBFFA59A3531388AEDFB558C4F5B805F65F10EFF8248D8E001ECD58D81A66EFE3894DC6B7ACF00702B133505544B0BE9254D34E4E0DB4A6455F7F51757C54D9
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{493F8844-8130-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5992342785899085
Encrypted:	false
SSDEEP:	48:Iw1GcprIGwpa8G4pQMGrapbS8GQpBKNDGHHpcKD8TGUpQKyYGcpm:rrZQQc6KBSUjKNG2KD06Kvg
MD5:	7CEF46956A143ED51FF3A627748817BA
SHA1:	71672762BE40C842285BA8E03647829B0CF13CD7
SHA-256:	EA349A91319FFED1164CB070B8BEFBE8BE55647B6642C948748740CA48781D08
SHA-512:	1D972E682883EC574ED1ED6CB871C5201BCC642770164233A7F6B6E82EF09C1FD3F279AD1B00E82F9BBEAAAB460FBE016255445B258A3B435CA00FC448AA7533
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.559510350020854
Encrypted:	false
SSDEEP:	1536:61oJy7aGTvIaUZNcddsm3dE+WE2i5JjyI+h91mR4E:6v7aGTUcddaMrjyIA1jE
MD5:	B75B990AC5990F1B6B0127540DE4EC30
SHA1:	66DD5A9D359FAF4ABDFF9B53B8E96280EFF58038
SHA-256:	F7ABA1C5E66938EFC7A722F98344A70A2443391668283F08DA1202BDE6C9B925
SHA-512:	E2009B8E6AD35C60F08EFB6514C18C650929F343B01A14F2AAB8D5EAEC880520C67BCF6795ED21BE8C462A2C32EB31E80A7A3A1C9767776CE18F208B4F89FF45
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 76%, Browse Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....]/M.................@...0...............P....@.................................gw.......................................F..(....p......................................................................(... ....................................text...,=.......@.................. ..`.data........P.......P..............@....rsrc........p.......`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe.0mzlwub.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\march%20OG[1].exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.559510350020854
Encrypted:	false
SSDEEP:	1536:61oJy7aGTvIaUZNcddsm3dE+WE2i5JjyI+h91mR4E:6v7aGTUcddaMrjyIA1jE
MD5:	B75B990AC5990F1B6B0127540DE4EC30
SHA1:	66DD5A9D359FAF4ABDFF9B53B8E96280EFF58038
SHA-256:	F7ABA1C5E66938EFC7A722F98344A70A2443391668283F08DA1202BDE6C9B925
SHA-512:	E2009B8E6AD35C60F08EFB6514C18C650929F343B01A14F2AAB8D5EAEC880520C67BCF6795ED21BE8C462A2C32EB31E80A7A3A1C9767776CE18F208B4F89FF45
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....]/M.................@...0...............P....@.................................gw.......................................F..(....p......................................................................(... ....................................text...,=.......@.................. ..`.data........P.......P..............@....rsrc........p.......`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.530422375380909
Encrypted:	false
SSDEEP:	3:oVXU045U4FqH8JOGXnE045U4Fp+n:o9Ur5iqEr5g
MD5:	817557F2DB45C216F5A59F2376362473
SHA1:	9380C2684926B21BE23A939F4AB2590154DAA9C1
SHA-256:	722CE801E7793DCE8BB9E4B3CC8468F6169BD7E5ACF96262FBA076335BF1BC47
SHA-512:	1A81275CA731EBE765370D9C57157EEB161C6C67DD8559110426E1D02BC2D04E6104E0FB37E9C89D9EA4C40A5C364B2E6E6BE88687AC795C2724B0902E0266DE
Malicious:	false
Reputation:	low
Preview:	[2021/03/09 15:36:37.381] Latest deploy version: ..[2021/03/09 15:36:37.381] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF9FFFDC171AAF0B67.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4434537083961431
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lofrF9lofR9lWfgy+AhLy+QHG+QqyBe:kBqoIysQUsEA
MD5:	7FE43CF9F07CD890DF825FD8886CF8B5
SHA1:	C5EDA05D06A046A9631260A233344E1CF00E944D
SHA-256:	449A0263467C3F3C2B94FB42B57CF4CE628891893D13EA639B323EB2CF9D7EE5
SHA-512:	BFAC3BCA847E931113FC67BD2F06DEAA20AD90E5ABDD42C19623F1B461E978ACAD801C5D3C5FFB58E911798735F9A6C8067D5F9341E167D8451EC72CE26B78F5
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB4A747BCDB3C3464.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.33004936311962413
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwKo/9lwKg9l2K2/9l29:kBqoxKAuvScS+KTKtK2+KTKyy
MD5:	8D36A92224CE46D9DA8D1E66E91FF1BB
SHA1:	B0D2DBBE0C2A09BE4F4F0C8F3E655A2AFA70C36D
SHA-256:	9F516C3E632C0E6695FB7C564CF04B8B6A39863A2A0BEA6E31663748BC3E60F0
SHA-512:	FD49C473DE4F7897EC120260E25E628361E521EB7F3C05B2A2B65322E1E5C36CDA729DE8015F7854D54144279B75E0EAC534E7497654D2EE1CFF30800C9A41B6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2021 15:36:38.324227095 CET	49701	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.325638056 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.393903971 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.393937111 CET	80	49701	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.394047022 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.394094944 CET	49701	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.394871950 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.466542959 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.466579914 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.467020035 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.534555912 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.534600019 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.534617901 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.534636021 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.534753084 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.534810066 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.605431080 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605468988 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605487108 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605503082 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605519056 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605534077 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605546951 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605573893 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.605592966 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.605648994 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.677581072 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677614927 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677633047 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677649021 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677665949 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677684069 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677700996 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677717924 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677733898 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.677764893 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677793980 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677817106 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.677855015 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.677895069 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677918911 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677938938 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677951097 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.677969933 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.677998066 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.678034067 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747087002 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747153997 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747179985 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747201920 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747225046 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747239113 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747266054 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747279882 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747302055 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747324944 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747334003 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747351885 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747395992 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747421980 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747445107 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747474909 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747483015 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747504950 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747517109 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747544050 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747554064 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747572899 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747586966 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747601032 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747626066 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747632980 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747658968 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747675896 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747694016 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747703075 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747728109 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747737885 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747760057 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747770071 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747795105 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747805119 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747829914 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747839928 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747863054 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747874975 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747894049 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747910976 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747926950 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747935057 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747957945 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.747972012 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.747989893 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.748013020 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.748030901 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.816648006 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.816682100 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.816729069 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.816770077 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817224026 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817250013 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817265987 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817281961 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817298889 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817322969 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817331076 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817368031 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817380905 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817423105 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817445993 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817452908 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817470074 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817486048 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817502022 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817509890 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817534924 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817545891 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817563057 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817600965 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817612886 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817629099 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817666054 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817676067 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817718983 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:38.817728996 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:38.817764997 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:43.965338945 CET	80	49702	46.183.222.6	192.168.2.3
Mar 9, 2021 15:36:43.965483904 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:55.460931063 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:55.520648956 CET	49701	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:55.853310108 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:56.540941000 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:36:57.837960958 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:37:00.353689909 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:37:05.354173899 CET	49702	80	192.168.2.3	46.183.222.6
Mar 9, 2021 15:37:15.151827097 CET	49702	80	192.168.2.3	46.183.222.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2021 15:36:23.719480038 CET	58643	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:23.773894072 CET	53	58643	8.8.8.8	192.168.2.3
Mar 9, 2021 15:36:24.463095903 CET	60985	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:24.520833015 CET	53	60985	8.8.8.8	192.168.2.3
Mar 9, 2021 15:36:26.329641104 CET	50200	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:26.385292053 CET	53	50200	8.8.8.8	192.168.2.3
Mar 9, 2021 15:36:36.735038042 CET	51281	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:36.791449070 CET	53	51281	8.8.8.8	192.168.2.3
Mar 9, 2021 15:36:38.247195005 CET	49199	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:38.304399014 CET	53	49199	8.8.8.8	192.168.2.3
Mar 9, 2021 15:36:50.737313032 CET	50620	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:50.787389040 CET	53	50620	8.8.8.8	192.168.2.3
Mar 9, 2021 15:36:59.617201090 CET	64938	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:36:59.674304008 CET	53	64938	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:02.738008022 CET	60152	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:02.786905050 CET	53	60152	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:06.763540983 CET	57544	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:06.810987949 CET	53	57544	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:07.760843992 CET	57544	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:07.808106899 CET	53	57544	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:08.781852961 CET	57544	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:08.829157114 CET	53	57544	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:10.263906956 CET	55984	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:10.309812069 CET	53	55984	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:10.777937889 CET	57544	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:10.823820114 CET	53	57544	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:11.388683081 CET	64185	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:11.436532974 CET	53	64185	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:14.792624950 CET	57544	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:14.847003937 CET	53	57544	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:17.968511105 CET	65110	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:18.025552988 CET	53	65110	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:28.588829994 CET	58361	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:28.634722948 CET	53	58361	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:30.339835882 CET	63492	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:30.385863066 CET	53	63492	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:32.505307913 CET	60831	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:32.570585966 CET	53	60831	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:41.719213009 CET	60100	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:41.764954090 CET	53	60100	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:48.150382996 CET	53195	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:48.206485987 CET	53	53195	8.8.8.8	192.168.2.3
Mar 9, 2021 15:37:57.925112009 CET	50141	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:37:57.973954916 CET	53	50141	8.8.8.8	192.168.2.3
Mar 9, 2021 15:38:18.275732040 CET	53023	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:38:18.321680069 CET	53	53023	8.8.8.8	192.168.2.3
Mar 9, 2021 15:38:25.975334883 CET	49563	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:38:26.044024944 CET	53	49563	8.8.8.8	192.168.2.3
Mar 9, 2021 15:38:30.108715057 CET	51352	53	192.168.2.3	8.8.8.8
Mar 9, 2021 15:38:30.157547951 CET	53	51352	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 9, 2021 15:36:38.247195005 CET	192.168.2.3	8.8.8.8	0xc324	Standard query (0)	covid19vaccine.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 9, 2021 15:36:38.304399014 CET	8.8.8.8	192.168.2.3	0xc324	No error (0)	covid19vaccine.hopto.org		46.183.222.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

covid19vaccine.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49702	46.183.222.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 15:36:38.394871950 CET	958	OUT	GET /march%20OG.exe HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: covid19vaccine.hopto.org Connection: Keep-Alive
Mar 9, 2021 15:36:38.466542959 CET	959	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 14:36:37 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.2 Last-Modified: Wed, 03 Mar 2021 00:26:30 GMT ETag: "17000-5bc96e70c1a4b" Accept-Ranges: bytes Content-Length: 94208 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 5d 2f 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 30 00 00 00 00 00 00 14 17 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 10 00 00 67 77 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 46 01 00 28 00 00 00 00 70 01 00 ac 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2c 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 12 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 09 00 00 00 70 01 00 00 10 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPEL]/M@0P@gwF(p( .text,=@ `.dataPP@.rsrcp`@@IMSVBVM60.DLL
Mar 9, 2021 15:36:38.466579914 CET	961	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 9, 2021 15:36:38.534555912 CET	962	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 9, 2021 15:36:38.534600019 CET	963	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Mar 9, 2021 15:36:38.534617901 CET	965	IN	Data Raw: 07 00 08 00 e4 2a 41 00 f5 2a 41 00 ec 2a 41 00 04 00 04 00 00 00 00 00 00 00 00 00 91 2c 41 00 06 00 04 00 00 00 00 00 84 2d 41 00 7b 2d 41 00 06 00 04 00 00 00 00 00 b1 2e 41 00 a8 2e 41 00 07 00 08 00 3b 30 41 00 5d 30 41 00 42 30 41 00 07 00 Data Ascii: AAA,A-A{-A.A.A;0A]0AB0A1A1A1A2A2A2A75A>5A";A:A=Ad=A2=A>A>A@A@A@AAABAlCACAtCA(DADA
Mar 9, 2021 15:36:38.534636021 CET	966	IN	Data Raw: af 05 3b 01 0c 08 00 53 75 62 73 74 61 6e 38 00 13 00 00 ff 03 4f 00 00 00 07 05 00 44 61 74 61 31 00 25 02 20 0d 88 0e 74 04 2c 01 12 0c 00 41 00 63 00 63 00 65 00 73 00 73 00 20 00 32 00 30 00 30 00 30 00 3b 00 13 00 00 16 00 17 00 18 00 00 19 Data Ascii: ;Substan8OData1% t,Access 2000;Data1%,-1@(@VB5!6&*~8@0 @@@ @xOPSGT
Mar 9, 2021 15:36:38.605431080 CET	967	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@&@@T&@PA@@\|'@@@@@&hl8 @lZAhN}bord'@'@@4'@
Mar 9, 2021 15:36:38.605468988 CET	969	IN	Data Raw: 00 00 00 00 00 00 e8 1f 40 00 74 1e 40 00 fa 16 40 00 00 17 40 00 06 17 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @t@@@@ @t@@@@l$l$Gl$Gl$
Mar 9, 2021 15:36:38.605487108 CET	970	IN	Data Raw: 6f 6e 32 00 3a 4f ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 00 00 00 00 46 6f 72 6d 00 00 00 00 4f 70 74 69 6f 6e 33 00 f2 4e ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 43 6f 6d 6d 61 6e 64 31 00 00 00 00 09 00 00 00 6b 65 72 6e 65 6c 33 32 00 00 Data Ascii: on2:O3f`FormOption3N3f`Command1kernel32GetEnvironmentVariableA(@(@<SADSAth(@P@GetEnvironmentVarAlgys2udgivelsesdageneGinneyAGNISESbertasequator
Mar 9, 2021 15:36:38.605503082 CET	972	IN	Data Raw: ad 33 99 66 cf 11 b7 0c 00 aa 00 60 d3 93 12 00 00 00 54 00 72 00 69 00 6f 00 72 00 63 00 68 00 69 00 73 00 00 00 49 00 58 00 69 00 65 00 32 00 75 00 74 00 48 00 52 00 78 00 30 00 68 00 53 00 42 00 4c 00 72 00 6e 00 6c 00 32 00 6c 00 4d 00 34 00 Data Ascii: 3f`TriorchisIXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84spisestelleneassFuWexospheres Marginalposition1
Mar 9, 2021 15:36:38.605519056 CET	973	IN	Data Raw: 6b 4f 62 6a 00 00 00 00 5f 5f 76 62 61 53 74 72 43 6f 70 79 00 00 00 00 5f 5f 76 62 61 45 72 72 6f 72 4f 76 65 72 66 6c 6f 77 00 00 5f 5f 76 62 61 53 74 72 43 61 74 00 5f 5f 76 62 61 49 6e 53 74 72 00 00 5f 5f 76 62 61 46 72 65 65 53 74 72 4c 69 Data Ascii: kObj__vbaStrCopy__vbaErrorOverflow__vbaStrCat__vbaInStr__vbaFreeStrList__vbaStrToUnicode__vbaSetSystemError__vbaStrToAnsi__vbaFreeVarList__vbaStrVarMove__vbaStrMoveS_0>I*JMPCsKES6#Gc&

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 3476 Parent PID: 792

General

Start time:	15:36:35
Start date:	09/03/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6a9080000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 5588 Parent PID: 3476

General

Start time:	15:36:36
Start date:	09/03/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2
Imagebase:	0x1260000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: march OG.exe PID: 3652 Parent PID: 3476

General

Start time:	15:37:19
Start date:	09/03/2021
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Imagebase:	0x400000
File size:	94208 bytes
MD5 hash:	B75B990AC5990F1B6B0127540DE4EC30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: march OG.exe PID: 6092 Parent PID: 3652

General

Start time:	15:38:25
Start date:	09/03/2021
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\march OG.exe'
Imagebase:	0x400000
File size:	94208 bytes
MD5 hash:	B75B990AC5990F1B6B0127540DE4EC30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: march OG.exe PID: 3652 Parent PID: 3476 march OG.exeCOMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	43.8%
Signature Coverage:	12.4%
Total number of Nodes:	477
Total number of Limit Nodes:	90

Executed Functions

Function 0223057F, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(022305DC,?,00000000,?,02235021,00000000,00000079), ref: 022305BF
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079), ref: 0223070C

Strings

1.!T, xrefs: 022306BE

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: f9bf33fca415949833f4a216e48e877b81aa679920932a1cde999c9b53f36653
Instruction ID: f6296720497c3826aa7e6c8ec7f90741433b08d54895bba71667c1bd253a5236
Opcode Fuzzy Hash: f9bf33fca415949833f4a216e48e877b81aa679920932a1cde999c9b53f36653
Instruction Fuzzy Hash: 70418CF47643059FFB125DF48DA07DA2693AF4A370FA08325ED55A72C8D7B0C985CA11

Uniqueness

Uniqueness Score: -1.00%

Function 02232721, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 357
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Strings

g!xG, xrefs: 02232D93

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: g!xG
API String ID: 3569954152-2976127932
Opcode ID: 040b635305599754018934e075d675d523f4c0346fe963b54137d92c7be41264
Instruction ID: 7289d5368482f31de822158e653ef653039533dbb004d891fa5a86b9329b3223
Opcode Fuzzy Hash: 040b635305599754018934e075d675d523f4c0346fe963b54137d92c7be41264
Instruction Fuzzy Hash: 11B136B036030AABFB261EA0CC55BE93767FF45710FA44229FE45671C8C3B99896CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0223063C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079), ref: 0223070C

Strings

1.!T, xrefs: 022306BE

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: b02589c0947177fd399e6ab62e32807202534fb477e1687c8ad242d722b1d895
Instruction ID: a08f4a09604eeed7b7ff43694f999620eeae269781f0d92bb8dfd34d35adbdbb
Opcode Fuzzy Hash: b02589c0947177fd399e6ab62e32807202534fb477e1687c8ad242d722b1d895
Instruction Fuzzy Hash: 733103F47A0306AAFB115DF08DA1BCE2652DF4A770F900216FD257B2C8E7E1C581C911

Uniqueness

Uniqueness Score: -1.00%

Function 0223068C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079), ref: 0223070C

Strings

1.!T, xrefs: 022306BE

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 4fe036a2f301463701f7bfec0080b058114a4c3e398e6f9caf489ff3c4862cd2
Instruction ID: d93d1b4bec29a727340389c21d224fb142a925cbba492a09a955829172144796
Opcode Fuzzy Hash: 4fe036a2f301463701f7bfec0080b058114a4c3e398e6f9caf489ff3c4862cd2
Instruction Fuzzy Hash: D921D3F866030699FB015DF49CA0BDD3611EF59370F944216FC297B2C8D7E08A45CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0CB, Relevance: 2.3, APIs: 1, Instructions: 1096COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af999bf652ef452ba6a75e124921a586b504a57ffd848da4c5b764abe152492
Instruction ID: 5ec0887be7f3cc5f52953df30326b3c1168f9988ec1c7f7ff65615b0ce89810f
Opcode Fuzzy Hash: 5af999bf652ef452ba6a75e124921a586b504a57ffd848da4c5b764abe152492
Instruction Fuzzy Hash: F272EADB94E7E20FE3031674ED663D62F658B63365F0B02B7D8449B9D7D01D0B8982A2

Uniqueness

Uniqueness Score: -1.00%

Function 02231AB7, Relevance: 2.2, APIs: 1, Instructions: 738COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3fd46efa28b57c59c8f8025d58dc143cfdde3c788a1afd22430d4b0b0e0ba919
Instruction ID: 9ca1440673b71de4141355975abccb6102102ea7379c123cf22c6e17e48f398d
Opcode Fuzzy Hash: 3fd46efa28b57c59c8f8025d58dc143cfdde3c788a1afd22430d4b0b0e0ba919
Instruction Fuzzy Hash: 9A329DB0760306EFEB264EA4CC90BE573A6FF09750F544329ED8997288D7B4AC95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02235FF4, Relevance: 1.8, APIs: 1, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fc0407f4391640f9ea0e7941eaf7eeb22fce053708f3ca08323d125ee4c6d3
Instruction ID: b785133a84455cf4b06eb44b4e15c066de3f796dc851936bffc8b3c729b8f361
Opcode Fuzzy Hash: 48fc0407f4391640f9ea0e7941eaf7eeb22fce053708f3ca08323d125ee4c6d3
Instruction Fuzzy Hash: 89B149B126030AEBFB220EA0CC95BE93766FF45710FA44229FE45671C8D3B99885CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02232739, Relevance: 1.8, APIs: 1, Instructions: 325nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: f8805c38bfef284d70529274a4fc4b394d889068720384ba40393fd5da44ea69
Instruction ID: 1962cff89d21823e3621e88a9ec105e1f4490234be6c0e8e98b44dbeb3dfc346
Opcode Fuzzy Hash: f8805c38bfef284d70529274a4fc4b394d889068720384ba40393fd5da44ea69
Instruction Fuzzy Hash: 90B148B125030AEBFB225EA4CC90BE93767FF45710FA44229FE45A71C8C7B99885CB54

Uniqueness

Uniqueness Score: -1.00%

Function 022327A1, Relevance: 1.8, APIs: 1, Instructions: 293nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: a9e27b026e6921f88b9ed83e24999f2039236b39b2e78a009f3ae76fec3a5bee
Instruction ID: 149423ff74fbe29badccddd098958dc419aeb1702467e6b08857a036b385f824
Opcode Fuzzy Hash: a9e27b026e6921f88b9ed83e24999f2039236b39b2e78a009f3ae76fec3a5bee
Instruction Fuzzy Hash: 3A915AB125030AEFFB225EA4CC91BE93767FF45710F944129ED44AB184C3B998C5CB54

Uniqueness

Uniqueness Score: -1.00%

Function 022327DF, Relevance: 1.8, APIs: 1, Instructions: 281nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: f425317978b17949c4a6d161a39c9e836398d9734869ae981c1848f332ab0f8d
Instruction ID: ea8a29ebb28bb505d32cb5778515793113e4fbd03e74b884a31e639864a0151b
Opcode Fuzzy Hash: f425317978b17949c4a6d161a39c9e836398d9734869ae981c1848f332ab0f8d
Instruction Fuzzy Hash: 489147B125030AEBFB224EA4CC90BE93767FF45710F944229FE45A7188C7B998C6CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02232843, Relevance: 1.8, APIs: 1, Instructions: 257nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ef33191cc33083c5f49c3765481bc07e16349648af97060df230e2fd3085a49b
Instruction ID: 06b46a30f90867b66916838427cdc1185d5a2879d4f9b26185aa25df5fb34901
Opcode Fuzzy Hash: ef33191cc33083c5f49c3765481bc07e16349648af97060df230e2fd3085a49b
Instruction Fuzzy Hash: 698156B125030AEBFB264EA4CC91BE93766FF55700F944229FE845B1C8C7B998C6CB54

Uniqueness

Uniqueness Score: -1.00%

Function 022328E1, Relevance: 1.7, APIs: 1, Instructions: 225nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 4bd1d923c1017af740d6d14e794d4f365b7676fce6ef4e84984ac623032db859
Instruction ID: a48a19a3fe08e3663c7b193947ff12f9b507e3f3cc600479902ae99e172a16fa
Opcode Fuzzy Hash: 4bd1d923c1017af740d6d14e794d4f365b7676fce6ef4e84984ac623032db859
Instruction Fuzzy Hash: 0B7124B025030AEFFB220EA0CC81BE93666FF48710F644229FE459A188D3B998C5CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02232949, Relevance: 1.7, APIs: 1, Instructions: 206nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 3dbede491cfb1dafcbdf3f25ab6fd79c205e6b224dffd7c915bbd63de8652de1
Instruction ID: 5de5b162df14580fb14092116113135b721c0e86a27eacf4e105cae283e005fc
Opcode Fuzzy Hash: 3dbede491cfb1dafcbdf3f25ab6fd79c205e6b224dffd7c915bbd63de8652de1
Instruction Fuzzy Hash: BA6137B0650309EAFF360EA0CC91BE93667FB59B10FA44115FE859A1D8C7B59CC5CA14

Uniqueness

Uniqueness Score: -1.00%

Function 02232A70, Relevance: 1.6, APIs: 1, Instructions: 139nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b39d6123f88d69753fd8a9152312ba4a17b73c981e1e04a4487e5e122abb0c4f
Instruction ID: 1d59da8ff4ce70b5b25faba5eb74f343881a2c1effcb44ff43fb7ef3a4b06141
Opcode Fuzzy Hash: b39d6123f88d69753fd8a9152312ba4a17b73c981e1e04a4487e5e122abb0c4f
Instruction Fuzzy Hash: 494126B025030AEAFF270EA0DC80BE93767FB48710FA44215FE9596098D7B998C6CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02232B04, Relevance: 1.6, APIs: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 8b00448e6c8ed149c24475aa4f62fb50979f7208669526d586bdd84d6bcd8491
Instruction ID: fe34b8dbeeadd97250d07e035ddf26f57d277e42c9b3aa8196c35a7c30997bd8
Opcode Fuzzy Hash: 8b00448e6c8ed149c24475aa4f62fb50979f7208669526d586bdd84d6bcd8491
Instruction Fuzzy Hash: 1C3126B066030DEBEF274EA0DC907E53767BB09710F944219FE8556188C7B99CC6CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02232B53, Relevance: 1.6, APIs: 1, Instructions: 99nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0db3c719f016730abd2f6bb44dc4142fcfd85e2f44e3b10371217a2e2e30e432
Instruction ID: da569696a8e065e96a119b51f1fdabce223043ecb72dd22a01674d81d1548b16
Opcode Fuzzy Hash: 0db3c719f016730abd2f6bb44dc4142fcfd85e2f44e3b10371217a2e2e30e432
Instruction Fuzzy Hash: 773145B061430AEFEB170EA0DC907E43B7BFF45310F984159ED5596088DB759C86DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02232BAB, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,00000000,?,00001000,00000040,?,00000000,?,?,00000000,00000000), ref: 02232BFD

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ab25c3e8f28b941e798ec08e69671150c3fa71163dd00e94fecef8358f0dd4fb
Instruction ID: 71b447448dbf407301ecb11a74b1397038cfd56aee3e01be08ce45ac8bc13bed
Opcode Fuzzy Hash: ab25c3e8f28b941e798ec08e69671150c3fa71163dd00e94fecef8358f0dd4fb
Instruction Fuzzy Hash: 7A2104B4510209EBEF261EE0DC80BE93A2BFF89710F984218EE5456088DBB598D2DF54

Uniqueness

Uniqueness Score: -1.00%

Function 022306E7, Relevance: 1.6, APIs: 1, Instructions: 61nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079), ref: 0223070C

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID:
API String ID: 543350213-0
Opcode ID: 84dfbcdb182d05944ff728ed8e3f93c03d6abfcdcf286873fce002d32cad7509
Instruction ID: 708d102c12af464afd4f59e566e5552270be82995212c5436eaa243baf655f39
Opcode Fuzzy Hash: 84dfbcdb182d05944ff728ed8e3f93c03d6abfcdcf286873fce002d32cad7509
Instruction Fuzzy Hash: C211C2F962030599FB019EE08D90BDD2A11DFAD3B0F844211FC29772CCD7A18E41C9A1

Uniqueness

Uniqueness Score: -1.00%

Function 022335C8, Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,0223131D,00000000,00000000,00000000,00000000,00000050,00000367,?,0223336D,?,?,00000004), ref: 02233E7C

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d9a22607899644c05a701ed7f5fe8cba477835655dedde1e0175f82ec5a5d3d
Instruction ID: b2c81b9775241385c1e5af49336073c18953b8f51d435275510748b8a89c4eb9
Opcode Fuzzy Hash: 3d9a22607899644c05a701ed7f5fe8cba477835655dedde1e0175f82ec5a5d3d
Instruction Fuzzy Hash: 7EE0ECA3654385CEE703A9F2418174D7B78DFE2310B5CC08BC5109F155D9505714DBE5

Uniqueness

Uniqueness Score: -1.00%

Function 022365EB, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022361DD,00000040,0223068A,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02236606

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 68b256b1839d534eaf3c4fa0e5f33873ca5d85a8cfd3f2541565efed6830cc1c
Instruction ID: 09bb8978e6d38e5e55d581e7f09002e7aac356b7493ee1a033daa0d9112a9ee0
Opcode Fuzzy Hash: 68b256b1839d534eaf3c4fa0e5f33873ca5d85a8cfd3f2541565efed6830cc1c
Instruction Fuzzy Hash: E0C012E02240002E69048E28CD48D2BB2AA87D9A28B10C32CB872222CCCA30EC048232

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2CA, Relevance: 274.8, APIs: 143, Strings: 13, Instructions: 1811COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(?,?,00402ABC,00000068), ref: 0040F2DD
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,00402ABC,00000068), ref: 0040F304
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F33D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000168), ref: 0040F38A
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F3B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F3ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000068), ref: 0040F434
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000720,?,?,?,BF8D7BB0,00005B03,00795422,0019C96F,?,00000003,32BFFE00,00005B04,?), ref: 0040F4FC
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,BF8D7BB0,00005B03,00795422,0019C96F,?,00000003,32BFFE00,00005B04), ref: 0040F525
__vbaFreeVar.MSVBVM60 ref: 0040F533
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F54B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F584
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000068), ref: 0040F5CB
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F5F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F62B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000158), ref: 0040F678
__vbaChkstk.MSVBVM60(?,?), ref: 0040F6B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000724), ref: 0040F6F3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040F71C
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F737
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F770
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000158), ref: 0040F7BD
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F7E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F81D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,000000F8), ref: 0040F867
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040F88E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F8CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000138), ref: 0040F917
__vbaChkstk.MSVBVM60(0077A407,?), ref: 0040F987
__vbaChkstk.MSVBVM60(?,6EB06DA0,00005AFA,00000009,0077A407,?), ref: 0040F9B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000728), ref: 0040F9F3
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040FA23
__vbaFreeVar.MSVBVM60 ref: 0040FA31
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FA49
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA82
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000178), ref: 0040FACF
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FAF6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000188), ref: 0040FB7C
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FBA3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FBDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000138), ref: 0040FC29
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FC50
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FC8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000088), ref: 0040FCD9
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FD00
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FD3C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000058), ref: 0040FD83
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FDAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FDE6

Strings

UNSQUEAMISHNESS, xrefs: 0041007B
Fregatternes5, xrefs: 004104A4
BRODDENES, xrefs: 00410877
Rideable7, xrefs: 00410623
pizzarestaurant, xrefs: 00410035
dmrings, xrefs: 00410CA7
symmetriegenskabernes, xrefs: 0040F964
Pidgins, xrefs: 00410056
diskless, xrefs: 00410084
p:, xrefs: 00410042
Britskas, xrefs: 00410C18
If, xrefs: 004110C3
TILBAGESENDTES, xrefs: 004108B8

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$New2$Free$ChkstkList
String ID: BRODDENES$Britskas$Fregatternes5$If$Pidgins$Rideable7$TILBAGESENDTES$UNSQUEAMISHNESS$diskless$dmrings$pizzarestaurant$p:$symmetriegenskabernes
API String ID: 335668265-4230584830
Opcode ID: 641f40870c6376b4afe055af6e06c49f333c8d78e4992794b83fc62f3d5c8de0
Instruction ID: cb1fe708451b9b0f0296a1835d5ebb1cef097ceba4c5fd5db3c5e4a38acf3413
Opcode Fuzzy Hash: 641f40870c6376b4afe055af6e06c49f333c8d78e4992794b83fc62f3d5c8de0
Instruction Fuzzy Hash: D9030870900628DFDB21DFA0CC89BD9B7B8BB08304F1045EAE509BB2A1DB795AC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD8F, Relevance: 190.2, APIs: 96, Strings: 12, Instructions: 1221COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FDAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FDE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000198), ref: 0040FE33
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0040FE5A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FE96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000070), ref: 0040FEDD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,0000072C,?,00000003,004DE577,?,?,?), ref: 0040FFC0
__vbaVarMove.MSVBVM60(?,00000003,004DE577,?,?,?), ref: 0040FFDD
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,00000003,004DE577,?,?,?), ref: 0041000C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00410024
__vbaStrCopy.MSVBVM60 ref: 0041003D
__vbaChkstk.MSVBVM60(?,?,3AE8E970,diskless,?,UNSQUEAMISHNESS,000060CE,035926C0,00005AFD), ref: 0041009E
__vbaFreeStr.MSVBVM60(?,?,3AE8E970,diskless,?,UNSQUEAMISHNESS,000060CE,035926C0,00005AFD), ref: 004100C0
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,3AE8E970,diskless,?,UNSQUEAMISHNESS,000060CE,035926C0,00005AFD), ref: 004100D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410111
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000160), ref: 0041015E
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410185
__vbaObjSet.MSVBVM60(?,00000000), ref: 004101BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000150), ref: 00410208
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041022A
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410245
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410281
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000110), ref: 004102CE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004102F3
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0041030E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041034A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000160), ref: 00410397
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004103BC
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004103D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410413
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000140), ref: 00410460
__vbaI4Var.MSVBVM60(?), ref: 00410489
__vbaI4Var.MSVBVM60(?,Fregatternes5,?,?), ref: 004104B0
__vbaStrVarMove.MSVBVM60(?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?,Fregatternes5,?,?), ref: 004104E0
__vbaStrMove.MSVBVM60(?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?,Fregatternes5,?,?), ref: 004104EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000730,?,?,00000000,?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?), ref: 00410531
__vbaFreeStr.MSVBVM60(?,?,00000000,?,00002DA8,?,?,?,4B16F6C0,00005AFA,00000000,?,Fregatternes5,?,?), ref: 00410548
__vbaFreeObjList.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,00000000,?,00002DA8), ref: 0041057E
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041059D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000740), ref: 004105DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040276C,000002B4), ref: 00410678
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004106DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410713
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402A8C,00000218), ref: 0041075D
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410784
__vbaObjSet.MSVBVM60(?,00000000), ref: 004107BD

Strings

Pidgins, xrefs: 00410056
UNSQUEAMISHNESS, xrefs: 0041007B
Fregatternes5, xrefs: 004104A4
diskless, xrefs: 00410084
BRODDENES, xrefs: 00410877
p:, xrefs: 00410042
Rideable7, xrefs: 00410623
Britskas, xrefs: 00410C18
If, xrefs: 004110C3
pizzarestaurant, xrefs: 00410035
dmrings, xrefs: 00410CA7
TILBAGESENDTES, xrefs: 004108B8

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$New2$Free$List$CallLateMove$ChkstkCopy
String ID: BRODDENES$Britskas$Fregatternes5$If$Pidgins$Rideable7$TILBAGESENDTES$UNSQUEAMISHNESS$diskless$dmrings$pizzarestaurant$p:
API String ID: 509946452-3977931801
Opcode ID: ff14f9794626594913155d9e9e10155addd991d68529996314f651acf93662e2
Instruction ID: 4b5bf704dcc98bbc6b9f295d43f8bec579e800b4a25319a3208693eaa3c36b83
Opcode Fuzzy Hash: ff14f9794626594913155d9e9e10155addd991d68529996314f651acf93662e2
Instruction Fuzzy Hash: 2FC21971900628EFDB21DF50CC89BD9B7B8BB08304F1045EAE609BB2A1DB795AC4DF55

Uniqueness

Uniqueness Score: -1.00%

Function 004106A6, Relevance: 119.7, APIs: 62, Strings: 6, Instructions: 723
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004106DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410713
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402A8C,00000218), ref: 0041075D
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410784
__vbaObjSet.MSVBVM60(?,00000000), ref: 004107BD
__vbaHresultCheckObj.MSVBVM60(?,?,00402A8C,000001A0,00408161), ref: 0041080A
__vbaVarDup.MSVBVM60(00000000,?,00402A8C,000001A0), ref: 00410897
__vbaFreeVar.MSVBVM60(00411337), ref: 00411331
__vbaErrorOverflow.MSVBVM60 ref: 00411356
__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411377
__vbaI4Str.MSVBVM60(00402D70,?,?,?,?,004014C6), ref: 004113A0
#697.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113A6
__vbaStrMove.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113B0
__vbaStrCmp.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113BB
__vbaFreeStr.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113CF
#580.MSVBVM60(HJDE,00000001,00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113E3

Strings

BRODDENES, xrefs: 00410877
Britskas, xrefs: 00410C18
If, xrefs: 004110C3
dmrings, xrefs: 00410CA7
HJDE, xrefs: 004113DE
TILBAGESENDTES, xrefs: 004108B8

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2$#580#697ChkstkErrorMoveOverflow
String ID: BRODDENES$Britskas$HJDE$If$TILBAGESENDTES$dmrings
API String ID: 2705637564-1969145881
Opcode ID: f14d4cd94f79623259cac24463c8c615014540e173036e35def236904aca4a87
Instruction ID: 09187d55962f989a4aaaf0f2b7058c11881010cbe5f6498cba40d882f44503fd
Opcode Fuzzy Hash: f14d4cd94f79623259cac24463c8c615014540e173036e35def236904aca4a87
Instruction Fuzzy Hash: C6621970900618DFDB21DFA0CC89BD9B7B8BB09304F1045EAE509BB2A1DB795AC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004107EA, Relevance: 95.1, APIs: 49, Strings: 5, Instructions: 629
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(?,?,00402A8C,000001A0,00408161), ref: 0041080A
__vbaVarDup.MSVBVM60(00000000,?,00402A8C,000001A0), ref: 00410897
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004108DC
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004108FB
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410916
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041094F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000130), ref: 00410999
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004109BB
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004109D6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410A0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,000000F8), ref: 00410A5C
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00410A81
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410A9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410AD8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000130), ref: 00410B25
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410B4C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410B88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000060), ref: 00410BCF
__vbaStrVarMove.MSVBVM60(?), ref: 00410C33
__vbaStrMove.MSVBVM60(?), ref: 00410C3D
__vbaI4Var.MSVBVM60(?,00000009,?,00003A7A,?), ref: 00410C70
__vbaChkstk.MSVBVM60(00000000,?,00000009,?,00003A7A,?), ref: 00410C79
__vbaChkstk.MSVBVM60(003AD305,?,00000000,?,00000009,?,00003A7A,?), ref: 00410C96
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000734), ref: 00410CDC
__vbaFreeStr.MSVBVM60(00000000,?,0040279C,00000734), ref: 00410CF3
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00410D1B
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00410D3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,00000738), ref: 00410D82
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410DA9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410DE2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402AF8,00000080), ref: 00410E2F
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410E56
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410E8F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000170), ref: 00410ED9
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410F00
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410F39
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000158), ref: 00410F83
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 00410FAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410FE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000138), ref: 00411033
__vbaChkstk.MSVBVM60(4C805220,?,00000008,?), ref: 004110EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040279C,0000073C), ref: 00411145
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041116E
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00411186
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004111A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004111DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000070), ref: 00411221
__vbaFreeObj.MSVBVM60(?,?,00000003,?,?,D18F62D0,00005B01), ref: 00411294
__vbaFreeVar.MSVBVM60(?,?,00000003,?,?,D18F62D0,00005B01), ref: 0041129F

Strings

BRODDENES, xrefs: 00410877
Britskas, xrefs: 00410C18
If, xrefs: 004110C3
dmrings, xrefs: 00410CA7
TILBAGESENDTES, xrefs: 004108B8

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$CallLateMove
String ID: BRODDENES$Britskas$If$TILBAGESENDTES$dmrings
API String ID: 3604166182-1692888291
Opcode ID: 54ef1f018802b19c984a47ce9cb66c42b1b2a75c776f8ac2aa50383b8001863a
Instruction ID: ab1f8e69898914df29d759dcb10daa11fc0fb502cf2ea95188d2280444960f4a
Opcode Fuzzy Hash: 54ef1f018802b19c984a47ce9cb66c42b1b2a75c776f8ac2aa50383b8001863a
Instruction Fuzzy Hash: 6B521AB1900628DFDB21DF50CC89BD9B7B8BB08304F1045EAE649BB2A1DB755AC4CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004135A5, Relevance: 94.9, APIs: 45, Strings: 9, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004135C2
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004135DA
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 004135E5
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 004135F0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040276C,00000218), ref: 0041364D
__vbaChkstk.MSVBVM60(00000000,?,0040276C,00000218), ref: 00413664
__vbaChkstk.MSVBVM60(00000000,?,0040276C,00000218), ref: 00413675
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413694
__vbaObjVar.MSVBVM60(00000000), ref: 0041369D
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 004136A7
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004136AF
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 004136B7
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000,00000000), ref: 004136CF
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00413708
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000108), ref: 00413752
__vbaChkstk.MSVBVM60(00000000,?,00402A9C,00000108), ref: 00413786
__vbaLateMemSt.MSVBVM60(?,Text), ref: 0041379C
__vbaFreeObj.MSVBVM60(?,Text), ref: 004137A4
__vbaFreeVar.MSVBVM60(?,Text), ref: 004137AC
__vbaNew2.MSVBVM60(00401E74,00415010,?,Text), ref: 004137C4
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004137FD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001D8), ref: 0041384A
__vbaChkstk.MSVBVM60(00000000,?,00402A8C,000001D8), ref: 00413873
__vbaLateMemSt.MSVBVM60(?,Left), ref: 00413889
__vbaFreeObj.MSVBVM60(?,Left), ref: 00413891
__vbaChkstk.MSVBVM60(?,Left), ref: 004138A7
__vbaLateMemSt.MSVBVM60(?,Top,?,Left), ref: 004138BD
__vbaChkstk.MSVBVM60(?,Top,?,Left), ref: 004138D0
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left), ref: 004138E6
__vbaLateMemCallLd.MSVBVM60(00000008,?,Text,00000000,?,Visible,?,Top,?,Left), ref: 00413907
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 00413914
__vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 00413923
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040276C,00000160), ref: 0041396D
__vbaNew2.MSVBVM60(00402DB0,00415348), ref: 00413994
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 004139D0
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00413A09
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,00000110), ref: 00413A53
__vbaObjSet.MSVBVM60(?,?,00000000), ref: 00413A81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 00413ABC
__vbaFreeStr.MSVBVM60(00000000,?,00402DA0,00000040), ref: 00413AD3
__vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 00413AE2
__vbaFreeStr.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B25
__vbaFreeVar.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B2D
__vbaFreeObj.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B35
__vbaFreeStr.MSVBVM60(00413B43,?,00000000,?,?,00000000,00000000), ref: 00413B3D

Strings

Visible, xrefs: 004138DE
markgreve, xrefs: 00413603
SVIGERSNNEN, xrefs: 004138EB
HSA, xrefs: 004139AF
Add, xrefs: 00413688
Text, xrefs: 00413794, 004138FB
Top, xrefs: 004138B5
Left, xrefs: 00413881
VB.TextBox, xrefs: 004135F5

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckHresultLate$New2$CallCopy$AddrefList
String ID: Add$HSA$Left$SVIGERSNNEN$Text$Top$VB.TextBox$Visible$markgreve
API String ID: 2480442511-4046506366
Opcode ID: de72c1650f230a0aee99d5c18e78e0f77014958a48ed26159c05417a0b84c354
Instruction ID: a69d5e83040a22f6baccc720c669d2476e6f1031d89c652fa090be399f7f65f3
Opcode Fuzzy Hash: de72c1650f230a0aee99d5c18e78e0f77014958a48ed26159c05417a0b84c354
Instruction Fuzzy Hash: FBE12870A01218EFDB10EF90CC45BDDBBB5AF09305F1044AAF549BB2A1CBB95A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C314, Relevance: 57.9, APIs: 32, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0040C330
#607.MSVBVM60(?,000000FF,00000002), ref: 0040C372
__vbaStrVarMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C37B
__vbaStrMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C385
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,000000FF,00000002), ref: 0040C394
__vbaLenBstr.MSVBVM60(?,?,?,004014C6), ref: 0040C39F
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,?,?,004014C6), ref: 0040C3AC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3BB
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3C6
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3D1
__vbaStrToUnicode.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3DD
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?), ref: 0040C3EC
#537.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C3FB
__vbaStrMove.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C405
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C40D
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C422
#537.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C436
__vbaStrMove.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C440
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C448
#616.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C45A
__vbaStrMove.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C464
__vbaFreeStr.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C46C
__vbaStrCat.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C47B
__vbaStrMove.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C485
__vbaStrCat.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C48E
__vbaStrMove.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C498
__vbaFreeStr.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C4A0
__vbaErrorOverflow.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C50B
__vbaChkstk.MSVBVM60(00000000,004014C6,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C52C
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004014C6,00000000), ref: 0040C563
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040279C,000006F8), ref: 0040C597
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C5AF

Strings

USERNAME, xrefs: 0040C55B

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Move$Free$List$#537AnsiChkstkErrorUnicode$#607#616BstrCheckCopyHresultOverflowSystem
String ID: USERNAME
API String ID: 1401190187-1047370299
Opcode ID: 81d8ea3eacccc889fa38942028c023c7d609be47b29976974265f14a2066c110
Instruction ID: 43f9ebd694a6e34167ded0a25cf51c16c46c1cf94341b2ca8444a5c0773e21fe
Opcode Fuzzy Hash: 81d8ea3eacccc889fa38942028c023c7d609be47b29976974265f14a2066c110
Instruction Fuzzy Hash: 4A610A71900209AFDB01EFA1CC86FEE7BB8AF04704F14853AF515B71E1DB7999458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00411F61, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411F7E
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411F96
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411FA1
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00411FAC
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00411FB7
__vbaVarDup.MSVBVM60 ref: 00411FD0
#543.MSVBVM60(?,?), ref: 00411FDD
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00412001
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00412017
__vbaNew2.MSVBVM60(00402DB0,00415348), ref: 00412041
__vbaCastObj.MSVBVM60(?,00402EE0,Homoplasy), ref: 00412077
__vbaObjSet.MSVBVM60(?,00000000,?,00402EE0,Homoplasy), ref: 00412081
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004120BC
__vbaFreeObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004120D3
__vbaFreeObj.MSVBVM60(00412127), ref: 00412101
__vbaFreeStr.MSVBVM60(00412127), ref: 00412109
__vbaFreeVar.MSVBVM60(00412127), ref: 00412111
__vbaFreeStr.MSVBVM60(00412127), ref: 00412119
__vbaFreeVar.MSVBVM60(00412127), ref: 00412121

Strings

14:14:14, xrefs: 00411FBC
HSA, xrefs: 0041205C
Homoplasy, xrefs: 0041206A

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Copy$#543CastCheckChkstkHresultListNew2
String ID: 14:14:14$HSA$Homoplasy
API String ID: 2559661485-3487747675
Opcode ID: 41478cb700f60b29f6471828fc27585e42762e766cc98e2e47ceacbf02cc5430
Instruction ID: e484cfba8a4e81124a40dcde2717f9d014197f4040bb8fba99ea8b2e8966670f
Opcode Fuzzy Hash: 41478cb700f60b29f6471828fc27585e42762e766cc98e2e47ceacbf02cc5430
Instruction Fuzzy Hash: 61411D7090021C9FCB10DBA1CD46FEEB7B8BF14304F54456AE109B71A1DBB95A89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411836, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411852
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041187C
#692.MSVBVM60(?,exospheres,Marginalposition,?,?,?,?,004014C6), ref: 0041188F
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004118A7
__vbaFreeVar.MSVBVM60(00008008,?), ref: 004118B3
#571.MSVBVM60(000000D3,00008008,?), ref: 004118C5
__vbaFreeStr.MSVBVM60(004118F3,00008008,?), ref: 004118ED

Strings

exospheres, xrefs: 00411886
Marginalposition, xrefs: 00411881

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#571#692ChkstkCopy
String ID: Marginalposition$exospheres
API String ID: 3621861193-2891326796
Opcode ID: aefe0329804d131029e785a7ff6b982b269221e1b4108a7647cf26c567d78ce6
Instruction ID: 62ee4990a67bcc75ea5b8ee160afd48da7059f49fcbc34a0bd79d1efe4ee82c7
Opcode Fuzzy Hash: aefe0329804d131029e785a7ff6b982b269221e1b4108a7647cf26c567d78ce6
Instruction Fuzzy Hash: 62114C74901248ABDB00EFD1C946FEEBBB8AF00B04F10842AF501B71E0D77D9A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004143B5, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004143D0
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004143F6
#645.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414401
__vbaStrMove.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041440B
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414413
__vbaFreeStr.MSVBVM60(00414431,?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041442B

Strings

RESPONDER, xrefs: 004143E2

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#645ChkstkMove
String ID: RESPONDER
API String ID: 769593574-468911128
Opcode ID: e3df1314072516b17679cfdaf96e696ec864ac636f28d76576c0831631c43160
Instruction ID: 623a2e9b44232dd63997e88e693712c8ce0067b854bce3e221dec5aad6ff09f6
Opcode Fuzzy Hash: e3df1314072516b17679cfdaf96e696ec864ac636f28d76576c0831631c43160
Instruction Fuzzy Hash: 9AF03171901208ABDB00EB91CD56FDEB7B8EB54708F60892EF001775E0DB796E04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040241D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,004014C6,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C52C
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004014C6,00000000), ref: 0040C563
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040279C,000006F8), ref: 0040C597
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C5AF

Strings

USERNAME, xrefs: 0040C55B
G, xrefs: 0040241D

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckChkstkCopyFreeHresultList
String ID: G$USERNAME
API String ID: 3070489859-465494610
Opcode ID: 3077c11547f5f0d3d7c2db014c4cf2d4f8c93d40167859c243ac57e2044c823c
Instruction ID: a866738bb26e572f9d2f0443212f154c423d73a6f910d0efb92d6ad17d685401
Opcode Fuzzy Hash: 3077c11547f5f0d3d7c2db014c4cf2d4f8c93d40167859c243ac57e2044c823c
Instruction Fuzzy Hash: 2D213875940208FFCB00DF95CC86BDE7BB8AB08744F108136F509AB2A0D778A6418B98

Uniqueness

Uniqueness Score: -1.00%

Function 02230EEA, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Strings

\filename1.exe, xrefs: 02234103
W.E, xrefs: 0223403A
ftware\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 022340A4

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID: W.E$\filename1.exe$ftware\Microsoft\Windows\CurrentVersion\RunOnce
API String ID: 1029625771-1701636808
Opcode ID: d93c7ff86c22c1ff0aa45d44765c86360a45cfa05588a2b4cae786514b232551
Instruction ID: d775101f2e1275296848e5c23cd052e9d68b36bd9a53722c2654aba5cc238ccf
Opcode Fuzzy Hash: d93c7ff86c22c1ff0aa45d44765c86360a45cfa05588a2b4cae786514b232551
Instruction Fuzzy Hash: E0517CF1B20346AAEF333AE049447E92256EF46364FE9016AFC4A670D9D7F48490CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0223529C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Strings

_D, xrefs: 022352B8

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID: _D
API String ID: 1029625771-480580152
Opcode ID: 46adac6edd7a94c761513008dd8fc9d7e5b446f28aa6c37b061ee24db70b1bb8
Instruction ID: 68d32a1394ba6c0acb9ab55d1a2ecb371e6826512f7ea83839311422e76d66c9
Opcode Fuzzy Hash: 46adac6edd7a94c761513008dd8fc9d7e5b446f28aa6c37b061ee24db70b1bb8
Instruction Fuzzy Hash: DDE02663E04302DE9F022AE651903CC7B25ED923B0BDD8056CC266F842D7748202CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401714, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401719

Strings

VB5!6&*, xrefs: 00401714

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1ebfa7cea9b78e9819895b1e379a45de5423944a1e15eb1bc593f88b1c4642cd
Instruction ID: fcf28688819d7af4624bc1326912388632d7491fd93b70435748f7e10a3165c3
Opcode Fuzzy Hash: 1ebfa7cea9b78e9819895b1e379a45de5423944a1e15eb1bc593f88b1c4642cd
Instruction Fuzzy Hash: A4D09BA594E3D15ED7272375082250A2F309C4364532F45E7D091EB4F3D5298809D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0FB, Relevance: 2.3, APIs: 1, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5336acb9d27bb8715b184a83e315ed92e50f5d9a50ed947bd5d6ef2ec70028
Instruction ID: 74fc88bdf8f110d95e0f2c1a6a86e28da7ef9fc0ec45090476b6deb5aa66567c
Opcode Fuzzy Hash: 7e5336acb9d27bb8715b184a83e315ed92e50f5d9a50ed947bd5d6ef2ec70028
Instruction Fuzzy Hash: 0C72AADB94E7E10FE3031674ED663E62FA58B63365F0B02F7D8449A9D7D01D0B898292

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1CB, Relevance: 2.3, APIs: 1, Instructions: 1020memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,0000C000,00001000,00000040), ref: 0040AA81

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebcb4cf11cced5ed508bbf8c6fbd3bd6ff05167eb289bddf0d578dd5e171f4eb
Instruction ID: e252c782743f26cbad6073e4c949e9d5248cfb67d323fff3ba520539c152fffe
Opcode Fuzzy Hash: ebcb4cf11cced5ed508bbf8c6fbd3bd6ff05167eb289bddf0d578dd5e171f4eb
Instruction Fuzzy Hash: 236298DB94E7E10FE3031674ED263E62FA58B53365F1B02F7D8849A9D7D01D0B898292

Uniqueness

Uniqueness Score: -1.00%

Function 022308AF, Relevance: 1.9, APIs: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 8d6fbf1a83c5a7ba951cbf271d1f42b11407f8a2afaaa11b0e2641b7a566e51a
Instruction ID: e04261a0328a0725ec7737f24404a3f424082c422e6e76100495abd2e0268675
Opcode Fuzzy Hash: 8d6fbf1a83c5a7ba951cbf271d1f42b11407f8a2afaaa11b0e2641b7a566e51a
Instruction Fuzzy Hash: 45A19CF1B343069AEB3729E449D17FE22979F46754FE4412ADC868308DC7BAC6C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 0223081B, Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 040e5bd16cd9ba3f59d4b86cb0293d7bd3d2b1f7da3044d37fd0102f21a89592
Instruction ID: 74362eed970abeb4815940693c2ed9a2206d487fada828144dcecd2198ad7c98
Opcode Fuzzy Hash: 040e5bd16cd9ba3f59d4b86cb0293d7bd3d2b1f7da3044d37fd0102f21a89592
Instruction Fuzzy Hash: 50A1AFF1B343065AEB3729E449E07FE22979F46750FE4412ADC8A9708CC7B9C6C6C562

Uniqueness

Uniqueness Score: -1.00%

Function 022307D8, Relevance: 1.8, APIs: 1, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82eb28c8b37ab48a335732b33393244d062e15c5d4d820339f828336fd6240c2
Instruction ID: 6a0a41d36cc8b2163bb8c1a356586d1af28434557e05203363857b7d847a0faf
Opcode Fuzzy Hash: 82eb28c8b37ab48a335732b33393244d062e15c5d4d820339f828336fd6240c2
Instruction Fuzzy Hash: AC91BFF1B343065AEB3729E449E07FE22979F46750FE4412ADC869308DC7B9CAC6C562

Uniqueness

Uniqueness Score: -1.00%

Function 02230852, Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9561f831d61845fd29b9dea4f5c55b5adfdf7c66baca1cb7ab28630d0a378e8f
Instruction ID: 903da056cb68c454b682e94627aa92e9cb9ecd2e9fbd295797892d1484ddf302
Opcode Fuzzy Hash: 9561f831d61845fd29b9dea4f5c55b5adfdf7c66baca1cb7ab28630d0a378e8f
Instruction Fuzzy Hash: 8D91BEF1B303065AEB3725E449E07FE22979F46750FE44129DC869308CC7B9C6C6C562

Uniqueness

Uniqueness Score: -1.00%

Function 02230908, Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142ebba90a23adc6935cfb77a6e2407d18350b9706ce3119c20f743d34eab6e7
Instruction ID: b7b9cdab79e0138d9d8ce5b69bde9c666c0f44a4becea097cdcf488bf5569eac
Opcode Fuzzy Hash: 142ebba90a23adc6935cfb77a6e2407d18350b9706ce3119c20f743d34eab6e7
Instruction Fuzzy Hash: BC91CEE1B343065AEB3729E449E03FE26D79F46750FE4452EDD868308DC7A6C6C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 02230875, Relevance: 1.8, APIs: 1, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdbd6d6f7efabe5e8c9b2db204fd5f5e88b72ba185357895799d18ed8eba58a
Instruction ID: fbaa7a846375fc2e10f62259fa81e9bbc94026b26d4cff151219dabebdf9260d
Opcode Fuzzy Hash: ffdbd6d6f7efabe5e8c9b2db204fd5f5e88b72ba185357895799d18ed8eba58a
Instruction Fuzzy Hash: A8919DF1B303069AEB3725E449E07FE22979F46750FE4412ADD869308DC7B9C6C6C562

Uniqueness

Uniqueness Score: -1.00%

Function 022308BC, Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 76fe978a3f520782bb9fc5123b9bd57e3c73c9a06a9dc930b3f5ea8dbc0f10cb
Instruction ID: 6270e7cba00d97a1c39fd9e79c3616a26b0ab585695b9fe6c4ab213c927d70e7
Opcode Fuzzy Hash: 76fe978a3f520782bb9fc5123b9bd57e3c73c9a06a9dc930b3f5ea8dbc0f10cb
Instruction Fuzzy Hash: BF819FE1B3030659EB3725E449E47FE22979F86750FE4412ADD8A9308DC7BAC6C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 022309CC, Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d632abf30a3f5fd9cf94b9dd7705d1db9c2aad6289d3fd52f0f89892310837
Instruction ID: 9ef7435e265299f4755cd36075592b216d5112a514aa2eb00ab3235bbd6cad12
Opcode Fuzzy Hash: a3d632abf30a3f5fd9cf94b9dd7705d1db9c2aad6289d3fd52f0f89892310837
Instruction Fuzzy Hash: 007190E5B3430699EB3725E449E07FE12979F86750FE4412EDD469308CC7B9C9C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 02230A67, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 366d4d6da4352fc59811cf9789d1430ab74aa2159699ac479afebf893906f12c
Instruction ID: 606c4c62c9f756071ef64cb0699d98d72793cee376548d0180f9255cc9a5d584
Opcode Fuzzy Hash: 366d4d6da4352fc59811cf9789d1430ab74aa2159699ac479afebf893906f12c
Instruction Fuzzy Hash: D0619EB4B343069AEB3729E489D57FE22979F86350FE4412ADC8A870CCC775C9C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 02230AB3, Relevance: 1.7, APIs: 1, Instructions: 213COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 74d36d6055a7abc98a56bb599cac8936d8b238a2e5c29dbd0700ece873b84f7d
Instruction ID: 04e783be5f80a19714f32ac5df29617689acb4246c731b37f5eb8f0cc5fcb105
Opcode Fuzzy Hash: 74d36d6055a7abc98a56bb599cac8936d8b238a2e5c29dbd0700ece873b84f7d
Instruction Fuzzy Hash: E351C0B5B343069AEF3329E489D07FE22979F86350FE4411ADC8A9308CC7B5C5C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 02230B07, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 4941150aec30a45c93d13348b11c4496e1df679898580702603e8eded34846fc
Instruction ID: d859d357923a4ac70a9c62dba5441f7a9ffbccb2ef207160ad26ef294fb1af7f
Opcode Fuzzy Hash: 4941150aec30a45c93d13348b11c4496e1df679898580702603e8eded34846fc
Instruction Fuzzy Hash: 55519AB5B3430699EB3729E489D57FA2697DF46310FE4412ADC8A8308CC7B6D5C6C922

Uniqueness

Uniqueness Score: -1.00%

Function 02230B4F, Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 618179662c066439c9977694fc67ba255d8c35f1115508aa063606791ec36423
Instruction ID: c84d6052145ea3a1a8c813895647a270712eb6e7cfa8cd5c32eee925003d4d04
Opcode Fuzzy Hash: 618179662c066439c9977694fc67ba255d8c35f1115508aa063606791ec36423
Instruction Fuzzy Hash: 23519DB4B3430699EB3729E449D47FE2697DF46310FD4451ADC8A9308CC7BAD5C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 02230BA7, Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01387ccca0cf0c27736f75196485511fd7cda2fcfb84abb1120390272e6f9fc
Instruction ID: 219257b2d150efc542563d1c36698e09303df0e2df0175a905712eeb8492237f
Opcode Fuzzy Hash: b01387ccca0cf0c27736f75196485511fd7cda2fcfb84abb1120390272e6f9fc
Instruction Fuzzy Hash: 1E419EB5B343469AEB3329E448D03FD27A2DF46314FD8451ADC868308CC77AD5C6CA12

Uniqueness

Uniqueness Score: -1.00%

Function 02230BFB, Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8386ca8011f3c59fadbbdb5a4438e09c08044ceb8185a5051e479e09077a7c2
Instruction ID: 2a88645a923b27910012e6ce52667cee0e641ec7f876bcd2bd09d4f437e0d5f4
Opcode Fuzzy Hash: b8386ca8011f3c59fadbbdb5a4438e09c08044ceb8185a5051e479e09077a7c2
Instruction Fuzzy Hash: 58418BB5B3430699EF3329E849D47FE26929F46310FD8451ACC8AC709CC7B6D5C6C522

Uniqueness

Uniqueness Score: -1.00%

Function 02236B1B, Relevance: 1.6, APIs: 1, Instructions: 120processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 2446d2c164400b00eb4472658872c32b98ff0e01b29f2daa63b55849246cf522
Instruction ID: ca57221dfa2306f9984e8f0e4772d1e7bed557ae57288ea2d3d044b8c386a4ab
Opcode Fuzzy Hash: 2446d2c164400b00eb4472658872c32b98ff0e01b29f2daa63b55849246cf522
Instruction Fuzzy Hash: 2141F6F0A3820AEEDF2B4ED4C5987F8239EAB52350F54451AC916CB09CD7B584C9C65A

Uniqueness

Uniqueness Score: -1.00%

Function 02230C5B, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81515ba15df38317213def2d777038d92083777ac33a3b31e97dbb5dbedfc3c
Instruction ID: 1ebd605f5181698302fda35f3593df1ec36b3117905a8560fdc500a236a27f56
Opcode Fuzzy Hash: e81515ba15df38317213def2d777038d92083777ac33a3b31e97dbb5dbedfc3c
Instruction Fuzzy Hash: 5F3168B4A3434A99EF3369E489D07FA27E29F45310FD4411ACC4A8708CC7B69586CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02236B47, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621213134e35109a937c92cb58305a44b626c2de223008533ec152ba102a0043
Instruction ID: b614b33c36024a9fca410a7ef981603b0d8cb97e11624e7db89eea2aa1c7f67b
Opcode Fuzzy Hash: 621213134e35109a937c92cb58305a44b626c2de223008533ec152ba102a0043
Instruction Fuzzy Hash: 4D31E4F063820AEEDF2B4ED0C5987F8239EAB52350F984516C916C709CD7B584C9CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 02236BB3, Relevance: 1.6, APIs: 1, Instructions: 105processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 4a2141324a4fca7aec1df34db09a3cbeb1421ef0aaf5739bd07e2440b7694e52
Instruction ID: be2c3a596963ef6dad409af004fd3d27d17c48853701625860a4693fcdca7e3b
Opcode Fuzzy Hash: 4a2141324a4fca7aec1df34db09a3cbeb1421ef0aaf5739bd07e2440b7694e52
Instruction Fuzzy Hash: 1131E5F063420AEEDF2B4BE0C4587F8239EEB52350F984516C916CB09CD7B584C9C75A

Uniqueness

Uniqueness Score: -1.00%

Function 02230CBB, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 4d806fa0313e4451a79a75b4df4ce4b9f504ceea84e55647284657108f033e58
Instruction ID: 3df68306969aadd2cf91d447e06b6be5febd40a32f7a3060d6a376a7e3b8949f
Opcode Fuzzy Hash: 4d806fa0313e4451a79a75b4df4ce4b9f504ceea84e55647284657108f033e58
Instruction Fuzzy Hash: A831AEB4B3434A96EF3369F449807FE26D29F81310FD4811ADC56571CCC7BA9586CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02236BFC, Relevance: 1.6, APIs: 1, Instructions: 99processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 24a9ff91d56af6126d81fafb35e816f05724b2a9af726ea6eeb057c65ae6f32e
Instruction ID: 0cbbe02235bb304c79b8ba669c3ee616991a1bb2bfa30d9a6287e993432599a9
Opcode Fuzzy Hash: 24a9ff91d56af6126d81fafb35e816f05724b2a9af726ea6eeb057c65ae6f32e
Instruction Fuzzy Hash: C431F7F063420AEDEF2B4BA4C4587B8339EEB52354F98451AC917CB09CD7B584C9C75A

Uniqueness

Uniqueness Score: -1.00%

Function 02236C23, Relevance: 1.6, APIs: 1, Instructions: 96processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: c3aa6b9cfe63b4c26d74d91ec7a94167f43368023d1e2739bcabc63669d99cd7
Instruction ID: f3b3c0d4d29d4c46680beb907b2e8463d123577217f61ad95e2db2b9d0d36ae2
Opcode Fuzzy Hash: c3aa6b9cfe63b4c26d74d91ec7a94167f43368023d1e2739bcabc63669d99cd7
Instruction Fuzzy Hash: 883127F163420AEEDB2B4BE1C0987B8335EEF92350F88411AC916CB09CDBB584C5C75A

Uniqueness

Uniqueness Score: -1.00%

Function 02230D48, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7b253b8821c1047f7d5e378a0af535d631dfe2cef5d303da81680400fc3bd29d
Instruction ID: 40848bb0459c58ec3482b83a6412a98810d52afde7e0d07e684bddffcd3ff734
Opcode Fuzzy Hash: 7b253b8821c1047f7d5e378a0af535d631dfe2cef5d303da81680400fc3bd29d
Instruction Fuzzy Hash: 9C21B1B473834A95EF3329E849503FA36D39F42310FE44259D845461CDC7B69587CA66

Uniqueness

Uniqueness Score: -1.00%

Function 02236C8C, Relevance: 1.6, APIs: 1, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3994688e29d2f1685505b7d3e984a59079d34514f791f2dfa31610d8af718b7c
Instruction ID: 0d7e2d36bb454fab80c9d9ab8a7e1deb7f4ac1c83c239e59ebecac12ba245b4c
Opcode Fuzzy Hash: 3994688e29d2f1685505b7d3e984a59079d34514f791f2dfa31610d8af718b7c
Instruction Fuzzy Hash: 02312CF1A3420AEDDF2A4BE1C4587B8375DEF92350F89410AC916CB098D7B194C5C759

Uniqueness

Uniqueness Score: -1.00%

Function 02236C65, Relevance: 1.6, APIs: 1, Instructions: 88processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 828df366469480513d5ecf130d9afe0720a95dc35a9af586d1c091ff9b429996
Instruction ID: 33b330cea7c5c944d26ada145ae7d7f6289c5c8fa28f6fba78ef8433d9c8fb88
Opcode Fuzzy Hash: 828df366469480513d5ecf130d9afe0720a95dc35a9af586d1c091ff9b429996
Instruction Fuzzy Hash: CB31E9F063420AFEDF2A4BE0C5587B8339EAF52350F88411AC916CB09CDBB588C9C759

Uniqueness

Uniqueness Score: -1.00%

Function 02230D0B, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 02235220: LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 66c26f1784f274ceade1a873d0940c7f193607b5addc83defabb96bbe2300da5
Instruction ID: c76c1a6486af4a2866594c51cca61954e1339f0a33d887a6b8bbd3340cb43eb5
Opcode Fuzzy Hash: 66c26f1784f274ceade1a873d0940c7f193607b5addc83defabb96bbe2300da5
Instruction Fuzzy Hash: F521ADB4A3834A95EF3369E489807FE26D2DF81320F94411ADC15571CCC7BA9582CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02230DB0, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f786295e1996a601f5813bbf6d500258f6da9971f95327698cc2f9c55183f9cc
Instruction ID: 52b23f435704719a61cf66090672321fe4aacaca29e8a4e014c13cb6e4cb45e4
Opcode Fuzzy Hash: f786295e1996a601f5813bbf6d500258f6da9971f95327698cc2f9c55183f9cc
Instruction Fuzzy Hash: EC21E1B063834A9AEF336DF84D517FA7BD3AF02320F644219D841061CEC7769186CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02236CE3, Relevance: 1.6, APIs: 1, Instructions: 76processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: b68c23c455fef0522a8ae2758f99df55e461dee4e9d1aeb72dec7e5b8d37bd72
Instruction ID: 4f4e55375fd241958ab3a1d6040dd856493dcbda4c114e636e8ca9f60ecde261
Opcode Fuzzy Hash: b68c23c455fef0522a8ae2758f99df55e461dee4e9d1aeb72dec7e5b8d37bd72
Instruction Fuzzy Hash: A721F8F063420AFDDB2B4BE0C158BB4339DAF52354F884159D916CB09CDBB484C5C75A

Uniqueness

Uniqueness Score: -1.00%

Function 02236D08, Relevance: 1.6, APIs: 1, Instructions: 75processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a4e18d961a51065e6464df7bbd9ff09ce0f766197fd16a36dc282c469cf1a5f5
Instruction ID: 89f3b855cb12e79827b1a8b7a8fd058ce992ae52665485a0637ca61b5dc7301d
Opcode Fuzzy Hash: a4e18d961a51065e6464df7bbd9ff09ce0f766197fd16a36dc282c469cf1a5f5
Instruction Fuzzy Hash: E12107F063420AEDDB2B4BE0C1587B4339DAF52394F98415AC916CB0ACEBB4C4C5C75A

Uniqueness

Uniqueness Score: -1.00%

Function 02230D77, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 6053aa741bad7c6f34078776bb58b1951257fb783a22ce86a34d3009023346e0
Instruction ID: 41df3f087ab9f2bd41ca39907a33bb21e42db076fdcc4816eefd985f3bb37751
Opcode Fuzzy Hash: 6053aa741bad7c6f34078776bb58b1951257fb783a22ce86a34d3009023346e0
Instruction Fuzzy Hash: 9A11AFB1A38386D6EF3369E48D957EA36D6EF42324F584219CC56470CDC7BA9181CA32

Uniqueness

Uniqueness Score: -1.00%

Function 02236D2D, Relevance: 1.6, APIs: 1, Instructions: 69processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f0850c53af92b290f10d66bd626ba2bac991a26872b494a17bc6b65f8a181b88
Instruction ID: 86831b50dd8bd72e472ffb1b50fc33fe192fdbe5e810075198de5c1cf7aa2a54
Opcode Fuzzy Hash: f0850c53af92b290f10d66bd626ba2bac991a26872b494a17bc6b65f8a181b88
Instruction Fuzzy Hash: 2521F6F063420AEDDF2A4BE0C1587B433ADAB52354F884116C416CB0ACD7B0C8C5C75A

Uniqueness

Uniqueness Score: -1.00%

Function 02236D53, Relevance: 1.6, APIs: 1, Instructions: 65processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 700be179558655b31cc71ead8964ef7f062703d2a4a9b24aaf68f4a472c8d3a3
Instruction ID: 0642e5fd88a10d326d212253e54bb8390676b28f13a85b389224f0a09fca565e
Opcode Fuzzy Hash: 700be179558655b31cc71ead8964ef7f062703d2a4a9b24aaf68f4a472c8d3a3
Instruction Fuzzy Hash: 4921B7F1A3420AFDDF2A4BA4D09C7B433ADAF52394F994155C816CB098D7B1C8C9C759

Uniqueness

Uniqueness Score: -1.00%

Function 02236DF7, Relevance: 1.6, APIs: 1, Instructions: 65processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: ef67df99846aaf50a35ea37ed02189c5cfc4f1c8ef694244fd558e896e460aa8
Instruction ID: 71f406515a1d8d35814ea1a9a46a13ad31631b858937153e6444c3c2058a4b97
Opcode Fuzzy Hash: ef67df99846aaf50a35ea37ed02189c5cfc4f1c8ef694244fd558e896e460aa8
Instruction Fuzzy Hash: 9821F2B2A18343DEDB1A4BB1E1D87687B3DEFB2200F8D048AC425DF054EB719185C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 02236D73, Relevance: 1.6, APIs: 1, Instructions: 64processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 916a782f6308c7536ee4382819e728a29657718cf69e8556933cc210392d9e72
Instruction ID: 85b9ad33e15df349d075fb436a7966598c298dde6abfd31c1b4c9f9e7311b5d6
Opcode Fuzzy Hash: 916a782f6308c7536ee4382819e728a29657718cf69e8556933cc210392d9e72
Instruction Fuzzy Hash: 6721B4F0634206EEDB2B5BA4C05C7B433ADAF523A4F994155C91ACB0A8E771C8C9C759

Uniqueness

Uniqueness Score: -1.00%

Function 02236D99, Relevance: 1.6, APIs: 1, Instructions: 61processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d5f1cdaa80edf99dfb40fa13221c0219bcee9faee67bb8b913e696ea1a4ff899
Instruction ID: 8664c4588ac1f795d3f8e47099c912bdf2e653d0704bdc620503e5cf64506016
Opcode Fuzzy Hash: d5f1cdaa80edf99dfb40fa13221c0219bcee9faee67bb8b913e696ea1a4ff899
Instruction Fuzzy Hash: 7211D6F0634207EDDB1A5BE4C05C77833ADAF51364F995155C516C70A8D770C4C6C759

Uniqueness

Uniqueness Score: -1.00%

Function 022350E1, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 29df193c16c8703f793076f8bfb5fb90a15a69103c4ff00a2ba815073e450b00
Instruction ID: 9c95a4657ec2a17fa204c8a6fff85f193d3111fab00b4ccb335022d55e47cdfd
Opcode Fuzzy Hash: 29df193c16c8703f793076f8bfb5fb90a15a69103c4ff00a2ba815073e450b00
Instruction Fuzzy Hash: 2E01F2D0A70306A8EE3335E459447EE2247AF4E770FE54126EC8A4984E97E480A58A93

Uniqueness

Uniqueness Score: -1.00%

Function 02236DC8, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 1dbe0aae510ce52292dfa00df3f7671d7e12bd4b48ff65559c2c21de590d2305
Instruction ID: ef1fa212a81277dc959ad3581f80b785aa41879bdd7618b97e36c8c0ad4d589f
Opcode Fuzzy Hash: 1dbe0aae510ce52292dfa00df3f7671d7e12bd4b48ff65559c2c21de590d2305
Instruction Fuzzy Hash: 3F11A3F0A30206EDDB2A4BA4C19C77433ADAB523A4F995155C916CB0A8E774C8CAC759

Uniqueness

Uniqueness Score: -1.00%

Function 02235220, Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 071072534d961b8c0073abb7efc4a7435670c3a48753ed434fba729aed15d39a
Instruction ID: c95c20e8feadf78cb340ef6c0cfe4ccc6d1b446dc5b3932c981ae209afa41d05
Opcode Fuzzy Hash: 071072534d961b8c0073abb7efc4a7435670c3a48753ed434fba729aed15d39a
Instruction Fuzzy Hash: BDF028C0B20306ACDF3335E459847ED22479F4A774FD54115ECCA4544AD3D440A58E53

Uniqueness

Uniqueness Score: -1.00%

Function 0223522F, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,082962C8,?,02230630,00000000,?,02235021,00000000,00000079), ref: 022352CC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bd4a335ccde3b5dc5003eb53cb1be434b4efaf0c1cfcf2588da93d032ab09f50
Instruction ID: 7172a67a7f376f7cf53a527b7ab2f1c3e905590e16b22309ae9d67ff8bac996b
Opcode Fuzzy Hash: bd4a335ccde3b5dc5003eb53cb1be434b4efaf0c1cfcf2588da93d032ab09f50
Instruction Fuzzy Hash: D40126D0E50306E8DF223AE095C07DC2217EF9A370FDA4015DD9A5A489D7E441A4CE52

Uniqueness

Uniqueness Score: -1.00%

Function 02230DF8, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: b827b4d52595eca2c7731338c307243aae813a75a6b70c1c842c732aad77dd41
Instruction ID: 23638bc3d33d46847be9fc909f46f08e046d42be74df3fe48be3817dfc5a7a3e
Opcode Fuzzy Hash: b827b4d52595eca2c7731338c307243aae813a75a6b70c1c842c732aad77dd41
Instruction Fuzzy Hash: B3016D70A38342C5EB3366E4485479D3AD1AF82354F5C4109CC5557088C7B69141CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02230E97, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: e3fefa0b954862086838fcd6c8813642613f43aa268abebaa02bb09b4749e051
Instruction ID: 5356608d7f70bc9c0971548079dddb23fb45ee82e4a6ff2630fe2eaa1d40630b
Opcode Fuzzy Hash: e3fefa0b954862086838fcd6c8813642613f43aa268abebaa02bb09b4749e051
Instruction Fuzzy Hash: 46F0286063DBC5A9DB138AAC095136A7FE26F53114F54C2C9C0550B1CBC7B952458765

Uniqueness

Uniqueness Score: -1.00%

Function 0223058C, Relevance: 1.5, APIs: 1, Instructions: 33nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(022305DC,?,00000000,?,02235021,00000000,00000079), ref: 022305BF
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,02235021,00000000,00000079), ref: 0223070C

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 5305ccc3ce02a3c9a46a8c1e318a4a9de88dc2f60a622a90a82d80fc9050fa32
Instruction ID: f1ad8770c83eb03b969bb4eda0e88e1ed6142321bd76f2f0fa9cfbbafbe13bdd
Opcode Fuzzy Hash: 5305ccc3ce02a3c9a46a8c1e318a4a9de88dc2f60a622a90a82d80fc9050fa32
Instruction Fuzzy Hash: A6F059716047039EE60156F549A078C2665EFE7330F744705D935EB0E0C7A09541CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02230E4F, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,-00000053,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 02232EC0

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 6952ff675c76fc643f4d2f3e5125ed82d6bdcb17798524cd8ec898a32d352cb1
Instruction ID: 899452580d298348f4a18aa6e20ed71ac32e0a52bcf1dca956b3188e9b9591e2
Opcode Fuzzy Hash: 6952ff675c76fc643f4d2f3e5125ed82d6bdcb17798524cd8ec898a32d352cb1
Instruction Fuzzy Hash: 9FF04C24A1C3C199D71396B888D47197FB49F93100F8C818F84A95F0CAC5A62144D377

Uniqueness

Uniqueness Score: -1.00%

Function 02236E9B, Relevance: 1.5, APIs: 1, Instructions: 28processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,?,?), ref: 02236ED9

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 96eca85ebece9d99548fd8adbcc4a5deb1da9632ab7c6a0dbcc072788b24ecc7
Instruction ID: f69826381beaf5d81972900852a98ce3a858ec65af9fea9fb0b00dbcf51a6b5f
Opcode Fuzzy Hash: 96eca85ebece9d99548fd8adbcc4a5deb1da9632ab7c6a0dbcc072788b24ecc7
Instruction Fuzzy Hash: ACF0A0A1B143079C9B1EAAA4D1D83B8732DEEA27443CC4119C92ADF068EB315481C769

Uniqueness

Uniqueness Score: -1.00%

Function 022332B5, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02233252,02233305,02230721), ref: 022332EC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 50ac6188a2aa3856c6561ae1aa9db1bd6ad03e4195ae6e65fa8b163ac368f493
Instruction ID: 3e579c24153d6b531175d4093de7a1b65191f22aed4b41f68342107e2c9257ae
Opcode Fuzzy Hash: 50ac6188a2aa3856c6561ae1aa9db1bd6ad03e4195ae6e65fa8b163ac368f493
Instruction Fuzzy Hash: 93D08C783A0340F6FA3086204D42FB961109B80F00F20440BBF05BC0C0D5F0A940C61A

Uniqueness

Uniqueness Score: -1.00%

Function 022332C7, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02233252,02233305,02230721), ref: 022332EC

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d7e22faf07ba4fe185ed71ae8f0334a9c33bdd5a77aa074506ee68e9daae3d82
Instruction ID: b350aea418ef7ebba865a4be95a90973039351e70b2cd76a7d6e4818dfb6750a
Opcode Fuzzy Hash: d7e22faf07ba4fe185ed71ae8f0334a9c33bdd5a77aa074506ee68e9daae3d82
Instruction Fuzzy Hash: 96D01279954342D5FA3056A15D81F9C6625DFF5780F498405AF187F0C059B53110C9BC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02233D0A, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

rX4, xrefs: 02233D80

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoad
String ID: rX4
API String ID: 1029625771-805084833
Opcode ID: 4a73ffdef601368dc9eefd72bb7bdc5cb8df7069adc4f74046159a1db4aa907c
Instruction ID: 710859b20ecd28865ab492c103588b485e5006860335b46aff4b4d693584e03f
Opcode Fuzzy Hash: 4a73ffdef601368dc9eefd72bb7bdc5cb8df7069adc4f74046159a1db4aa907c
Instruction Fuzzy Hash: 7DE0D8F963434F9B9B16EFE4A4512FD27A26F09360F90416BFC059224CEE70C945CA51

Uniqueness

Uniqueness Score: -1.00%

Function 022360DD, Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: bfb7aca369959c3e2a2d789d0b2917db1d653747dcaa1fe0e48505e64afd4768
Instruction ID: 8e3befa465fb464d49128f1803d0e10cd45d491a7d73dd102041d79fbe398008
Opcode Fuzzy Hash: bfb7aca369959c3e2a2d789d0b2917db1d653747dcaa1fe0e48505e64afd4768
Instruction Fuzzy Hash: DCA130A1A243439EDB22DFA885D4775B799AF52360F448269CDD68F2DEC370C442C71A

Uniqueness

Uniqueness Score: -1.00%

Function 02236071, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: b6e650449d3cd74665b521b835a95441db521d9e268a35fa966e6771cd53ef7b
Instruction ID: bc837a0f626aba301b1627f01195b12211918b75f71d524bb9c89f229974a8e5
Opcode Fuzzy Hash: b6e650449d3cd74665b521b835a95441db521d9e268a35fa966e6771cd53ef7b
Instruction Fuzzy Hash: 37712BB4914343DEDB12DFA485D4765BBA9EF62320F49815DCDA68F2DAC3718042C71A

Uniqueness

Uniqueness Score: -1.00%

Function 022360FB, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 8bd1f324c439cc3332c8f46072fd008ca8107cc3dd24a1e105e2ef5f1224dddc
Instruction ID: 7a3ccf914d1e7c38a235f7d082a68f074c520d6aceba154aa0f19268278f76d0
Opcode Fuzzy Hash: 8bd1f324c439cc3332c8f46072fd008ca8107cc3dd24a1e105e2ef5f1224dddc
Instruction Fuzzy Hash: 9551F9B4924342DEDB12DFA8C4D4765BB99EF52324F498299CDA68F2DAC371C042C71A

Uniqueness

Uniqueness Score: -1.00%

Function 02232230, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016a7bc9c12dadf8f5c3cdb13f60eaaba319ad17c6171b437c01b2550f13f640
Instruction ID: 4864a5c1af4b21591a65fb3c98d43f07e33dc226d3910fed1a52db7df7ffc3ba
Opcode Fuzzy Hash: 016a7bc9c12dadf8f5c3cdb13f60eaaba319ad17c6171b437c01b2550f13f640
Instruction Fuzzy Hash: 1C4123B0664300EFEB226EA0CC58BE473A6BF01764F854245EC869B1EAC7F5CCC4CA11

Uniqueness

Uniqueness Score: -1.00%

Function 02232254, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65968fd5ac6444f8be60e74caf84c52efc77d9edbd1fd828b227a2e1747197af
Instruction ID: 5afed7f89f8549df20e64a501eb571486659c0bbe816de509f183e2269978c63
Opcode Fuzzy Hash: 65968fd5ac6444f8be60e74caf84c52efc77d9edbd1fd828b227a2e1747197af
Instruction Fuzzy Hash: E921F8B0664301EEEB226FA09C95BD43766FF41B10F898245ED46AF0D5C7B2DD84CA51

Uniqueness

Uniqueness Score: -1.00%

Function 0223574D, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819ab78417e819bc863569baa5bf56a28bffc5c72c66d9649581e3290eac7ccb
Instruction ID: 9a19d41f25a76802d399f3d255c7d91a21ce696d3b686634bc8d17f3f16a7fb4
Opcode Fuzzy Hash: 819ab78417e819bc863569baa5bf56a28bffc5c72c66d9649581e3290eac7ccb
Instruction Fuzzy Hash: 8AF05EB4321301CFE726DE58C5D0BAA73B6ABACB50FC48469D80A8B19EC724D860C611

Uniqueness

Uniqueness Score: -1.00%

Function 02232ED0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a8d8264201017a1d51e18f219bed2ec61f8b951a981a192e44d16de404805b
Instruction ID: e534ad90014208a7fba3831276b4dbb8ab95b771cff9757966ef617b14e5b999
Opcode Fuzzy Hash: 57a8d8264201017a1d51e18f219bed2ec61f8b951a981a192e44d16de404805b
Instruction Fuzzy Hash: 61C08CF2315580CFFB41CE48C482B0033F1FB10A48F0800A4E8028FA82C324EC20C600

Uniqueness

Uniqueness Score: -1.00%

Function 022351D5, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.450474176.0000000002230000.00000040.00000001.sdmp, Offset: 02230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2230000_march OG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed2511702d7b69225ed1970ee9bd7944878a4dc7cb4fa9e3b54f5268025ccd5
Instruction ID: ab4e41e2af550c324ff47457599b5eca53275bc3267dd2e98d53ffce93150715
Opcode Fuzzy Hash: 5ed2511702d7b69225ed1970ee9bd7944878a4dc7cb4fa9e3b54f5268025ccd5
Instruction Fuzzy Hash: E5B092B422A540CFCA5ADA0CC090E54B3B1FF48A10BC58491F457CBE2DC3A4EC81C900

Uniqueness

Uniqueness Score: -1.00%

Function 0040C316, Relevance: 40.6, APIs: 27, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0040C330
#607.MSVBVM60(?,000000FF,00000002), ref: 0040C372
__vbaStrVarMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C37B
__vbaStrMove.MSVBVM60(?,?,000000FF,00000002), ref: 0040C385
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,000000FF,00000002), ref: 0040C394
__vbaLenBstr.MSVBVM60(?,?,?,004014C6), ref: 0040C39F
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,?,?,004014C6), ref: 0040C3AC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3BB
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3C6
__vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3D1
__vbaStrToUnicode.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?,?,?,004014C6), ref: 0040C3DD
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,?), ref: 0040C3EC
#537.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C3FB
__vbaStrMove.MSVBVM60(00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C405
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C40D
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C422
#537.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C436
__vbaStrMove.MSVBVM60(00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C440
__vbaInStr.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C448
#616.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C45A
__vbaStrMove.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C464
__vbaFreeStr.MSVBVM60(?,-00000001,00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?), ref: 0040C46C
__vbaStrCat.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C47B
__vbaStrMove.MSVBVM60(00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C485
__vbaStrCat.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C48E
__vbaStrMove.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C498
__vbaFreeStr.MSVBVM60(?,00000000,00402A50,?,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C4A0
__vbaErrorOverflow.MSVBVM60(00000000,00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C50B
__vbaChkstk.MSVBVM60(00000000,004014C6,00000000,?,00000001,?,00000000,?,?,?,004014C6), ref: 0040C52C
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004014C6,00000000), ref: 0040C563
__vbaHresultCheckObj.MSVBVM60(00000000,004011A0,0040279C,000006F8), ref: 0040C597
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C5AF

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Move$Free$List$#537AnsiChkstkErrorUnicode$#607#616BstrCheckCopyHresultOverflowSystem
String ID:
API String ID: 1401190187-0
Opcode ID: 75d9e12d4025ff665aff680624f197e169ac2b3f35a384fef7339d418a4cdd82
Instruction ID: 43ba1e99afc4c7bb6831e2b235b490e52bf668ee3e3b7d1a55e175ed0f668d86
Opcode Fuzzy Hash: 75d9e12d4025ff665aff680624f197e169ac2b3f35a384fef7339d418a4cdd82
Instruction Fuzzy Hash: AA412A71D00109ABDF01ABE1CC96FEF7BB8AF04304F14493AB611B61F1DE7A99458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041261A, Relevance: 36.8, APIs: 18, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412635
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041264D
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412658
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412663
#670.MSVBVM60(?,?,?,?,?,004014C6), ref: 0041266C
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 00412687
__vbaFreeVar.MSVBVM60(00008008,?), ref: 00412693
__vbaNew2.MSVBVM60(00402DB0,00415348,00008008,?), ref: 004126B7
__vbaLateMemCallLd.MSVBVM60(?,?,mDddaTHbiK109,00000000,?,?,00008008,?), ref: 004126E2
__vbaObjVar.MSVBVM60(00000000), ref: 004126EB
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 004126F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000000C), ref: 0041271E
__vbaFreeObj.MSVBVM60(00000000,?,00402DA0,0000000C), ref: 0041272F
__vbaFreeVar.MSVBVM60(00000000,?,00402DA0,0000000C), ref: 00412737
__vbaFreeObj.MSVBVM60(0041277F,00008008,?), ref: 00412761
__vbaFreeStr.MSVBVM60(0041277F,00008008,?), ref: 00412769
__vbaFreeVar.MSVBVM60(0041277F,00008008,?), ref: 00412771
__vbaFreeVar.MSVBVM60(0041277F,00008008,?), ref: 00412779

Strings

Ferskvandsomraaderne4, xrefs: 00412671
HSA, xrefs: 004126CC
mDddaTHbiK109, xrefs: 004126D6

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#670AddrefCallCheckChkstkCopyHresultLateNew2
String ID: Ferskvandsomraaderne4$HSA$mDddaTHbiK109
API String ID: 1327288182-1825278231
Opcode ID: 926d05d7b37add073712cf40af82349a97cc49529074da5a5ce751f4a91e4093
Instruction ID: b8e5183ea26046bdba3ff3c6e95c6c2f9b62bae2e2c04f476e05be9ac922925d
Opcode Fuzzy Hash: 926d05d7b37add073712cf40af82349a97cc49529074da5a5ce751f4a91e4093
Instruction Fuzzy Hash: 02310B70C00208ABCB14EBE1CD46EDEB7B8AF14748F60452EF411B71E1DBB95945CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00413B56, Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413B74
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413B9E
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413BA9
#610.MSVBVM60(?,?,?,?,?,004014C6), ref: 00413BB2
#661.MSVBVM60(?,00403098,?,?,?,?,?,?,?,?,004014C6), ref: 00413BCB
#610.MSVBVM60(?,?,00403098,?,?,?,?,?,?,?,?,004014C6), ref: 00413BD4
__vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00413C00
__vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00413C06
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00413C24
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00413C4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413C87
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,000000E0), ref: 00413CD1
#666.MSVBVM60(?,00000008), ref: 00413D0A
__vbaVarMove.MSVBVM60(?,00000008), ref: 00413D15
__vbaFreeObj.MSVBVM60(?,00000008), ref: 00413D1D
__vbaFreeVar.MSVBVM60(?,00000008), ref: 00413D25
__vbaFreeVar.MSVBVM60(00413D7D,?,?,?,?,004014C6), ref: 00413D67
__vbaFreeStr.MSVBVM60(00413D7D,?,?,?,?,004014C6), ref: 00413D6F
__vbaFreeStr.MSVBVM60(00413D7D,?,?,?,?,004014C6), ref: 00413D77

Strings

}=A, xrefs: 00413D64

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#610Copy$#661#666CheckChkstkHresultListMoveNew2
String ID: }=A
API String ID: 1255821010-3361414057
Opcode ID: a7aa25c433e95d5f7ed8840ce532b04ff59121eb3d55a22c86960f40f3e51d4d
Instruction ID: 093f5e0fbf5057ec6d61d855e46b19d98a2cbec8d5aa33af4322b3192fd964b9
Opcode Fuzzy Hash: a7aa25c433e95d5f7ed8840ce532b04ff59121eb3d55a22c86960f40f3e51d4d
Instruction Fuzzy Hash: 8751ED71900208EFDB10EFA1CD95FDEB7B8AF04304F1045AAE509B71A1DB796A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00412CC0, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412CDB
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412CF3
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412CFE
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00412D0B
#712.MSVBVM60(?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D20
__vbaStrMove.MSVBVM60(?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D2A
__vbaStrCmp.MSVBVM60(00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D37
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D54
#667.MSVBVM60(?,?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D5D
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D67
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000), ref: 00412D6F
__vbaFreeVar.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D87
__vbaFreeVar.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D8F
__vbaFreeStr.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D97
__vbaFreeStr.MSVBVM60(00412DA5,00402F90,?,?,00402F88,00000000,00000001,000000FF,00000000,?,?,?,?,004014C6), ref: 00412D9F

Strings

cer, xrefs: 00412D03
Restproduktet6, xrefs: 00412D40

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Move$#667#712ChkstkCopy
String ID: Restproduktet6$cer
API String ID: 1621521382-3279456967
Opcode ID: 51a2cb30fd4d73b9e94e6b6b7ddd9e0ca597fe406f55029c84651346528b7e16
Instruction ID: 69e45d2cfcd18ff73cfd476d852d8b40ed88bd269eddb023bbd4675536ab821e
Opcode Fuzzy Hash: 51a2cb30fd4d73b9e94e6b6b7ddd9e0ca597fe406f55029c84651346528b7e16
Instruction Fuzzy Hash: A5211830910249ABCB04EBA1DD52EDDBB74AF10748F54493EB002760F1EFB96949CA48

Uniqueness

Uniqueness Score: -1.00%

Function 00413085, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004130A1
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004130CB
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 004130D8
#523.MSVBVM60(?,?,?,?,?,004014C6), ref: 004130E0
__vbaStrMove.MSVBVM60(?,?,?,?,?,004014C6), ref: 004130EA
__vbaStrCmp.MSVBVM60(00402FCC,00000000,?,?,?,?,?,004014C6), ref: 004130F5
__vbaFreeStr.MSVBVM60(00402FCC,00000000,?,?,?,?,?,004014C6), ref: 00413109
__vbaNew2.MSVBVM60(00402DB0,00415348,00402FCC,00000000,?,?,?,?,?,004014C6), ref: 0041312D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000001C), ref: 00413171
__vbaChkstk.MSVBVM60(00000000,?,00402DA0,0000001C), ref: 00413196
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F08,00000060), ref: 004131CC
__vbaFreeObj.MSVBVM60(00000000,?,00402F08,00000060), ref: 004131DD
__vbaFreeVar.MSVBVM60(0041320B,00402FCC,00000000,?,?,?,?,?,004014C6), ref: 004131FD
__vbaFreeStr.MSVBVM60(0041320B,00402FCC,00000000,?,?,?,?,?,004014C6), ref: 00413205

Strings

HSA, xrefs: 00413142
Hin7, xrefs: 004131A4

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#523CopyMoveNew2
String ID: HSA$Hin7
API String ID: 27921420-659015245
Opcode ID: c67f671d4824f325c2a00d634b41a3abf745553271e1ecc3202c89754d5008e4
Instruction ID: e5b06f73e85defc90c717eac996c81157e1fe345159a0436afd722830ff3169e
Opcode Fuzzy Hash: c67f671d4824f325c2a00d634b41a3abf745553271e1ecc3202c89754d5008e4
Instruction Fuzzy Hash: B7411570940208EFCF00EFA5C945BDDBBB5BF14705F24452AF405BB2A1DBB95A86DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004115B1, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004115CC
#646.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004115F0
__vbaStrMove.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004115FA
__vbaStrCmp.MSVBVM60(spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411605
__vbaFreeStr.MSVBVM60(spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411618
__vbaFreeVar.MSVBVM60(spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411620
__vbaNew2.MSVBVM60(00402DB0,00415348,spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00411644
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000004C,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 00411688
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 004116B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E5C,0000001C,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 004116E2
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 00411701
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,spisestellene,00000000,0000000A), ref: 00411709
__vbaFreeObj.MSVBVM60(00411741,spisestellene,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041173B

Strings

spisestellene, xrefs: 00411600
HSA, xrefs: 00411659

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#646MoveNew2
String ID: HSA$spisestellene
API String ID: 2019826511-4040083204
Opcode ID: 8672e1ce3e2c01730a305f817076942b53583e1e885915e656a17d18eab8e145
Instruction ID: 5fe6ec2fdcb64fafd825d929ac4f13983a0be50c74be57eaf57d36824d6874c9
Opcode Fuzzy Hash: 8672e1ce3e2c01730a305f817076942b53583e1e885915e656a17d18eab8e145
Instruction Fuzzy Hash: 3F41F470D50308EFDB00EFD1C955BEEBBB5AF04704F24452AE501BB2A1D7BA5946CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004122E8, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412303
#631.MSVBVM60(FGFG,00000002,00000002,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041232E
__vbaStrMove.MSVBVM60(FGFG,00000002,00000002,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00412338
__vbaStrCmp.MSVBVM60(00402F04,00000000,FGFG,00000002,00000002), ref: 00412343
__vbaFreeStr.MSVBVM60(00402F04,00000000,FGFG,00000002,00000002), ref: 00412357
__vbaFreeVar.MSVBVM60(00402F04,00000000,FGFG,00000002,00000002), ref: 0041235F
__vbaNew2.MSVBVM60(00401E74,00415010,00402F04,00000000,FGFG,00000002,00000002), ref: 00412383
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 004123B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000108,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002), ref: 004123E5
#666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 00412412
__vbaVarMove.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 0041241D
__vbaFreeObj.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 00412425
__vbaFreeVar.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,00402F04,00000000,FGFG,00000002,00000002), ref: 0041242D
__vbaFreeVar.MSVBVM60(00412465,00402F04,00000000,FGFG,00000002,00000002), ref: 0041245F

Strings

FGFG, xrefs: 00412329

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Move$#631#666CheckChkstkHresultNew2
String ID: FGFG
API String ID: 704291291-2759163656
Opcode ID: a7eaa0eaf7fe46571da90a485917c02c76e9570b96954f5f7e0d1b201f75b8b0
Instruction ID: 1348005867bcb56c377947b6fac47b7d3265205b25ed005b72191f799e6df17c
Opcode Fuzzy Hash: a7eaa0eaf7fe46571da90a485917c02c76e9570b96954f5f7e0d1b201f75b8b0
Instruction Fuzzy Hash: E0410871940208AFCF00EFE1C995BDDBBB8BF18704F14452AF405BB2A1DBBA5985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413EE2, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413EFE
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413F28
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00413F33
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00413F3E
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,004014C6), ref: 00413F56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000014), ref: 00413F9A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DC0,00000130), ref: 00413FDB
__vbaStrMove.MSVBVM60 ref: 00413FF9
__vbaFreeObj.MSVBVM60 ref: 00414001
__vbaFreeStr.MSVBVM60(0041403F), ref: 00414021
__vbaFreeVar.MSVBVM60(0041403F), ref: 00414029
__vbaFreeStr.MSVBVM60(0041403F), ref: 00414031
__vbaFreeVar.MSVBVM60(0041403F), ref: 00414039

Strings

HSA, xrefs: 00413F6B

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ChkstkCopyMoveNew2
String ID: HSA
API String ID: 3448594947-293960443
Opcode ID: 3383e6a8fb6001976ccdeb9d226c2eea9e708bb05f3108114c29e65f223af2c5
Instruction ID: 3965eb5541186d9e3fd1075af2c0ba8b23b1f2b3ec1b0926a082b8a15874e2d2
Opcode Fuzzy Hash: 3383e6a8fb6001976ccdeb9d226c2eea9e708bb05f3108114c29e65f223af2c5
Instruction Fuzzy Hash: 6441C570D00208DFCB00EFD5C955BDDBBB4BF18309F14852AE4157B2A1DBB96A8ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 00412ED5, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412EF1
__vbaVarDup.MSVBVM60 ref: 00412F29
#563.MSVBVM60(?), ref: 00412F32
__vbaFreeVar.MSVBVM60(?), ref: 00412F48
__vbaNew2.MSVBVM60(00402DB0,00415348,?), ref: 00412F6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000001C,?,?,?,?,?,?,?), ref: 00412FB0
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?), ref: 00412FD2
__vbaCastObj.MSVBVM60(?,00402EE0,?,?,?,?,?,?,?), ref: 00412FE8
__vbaObjSet.MSVBVM60(?,00000000,?,00402EE0,?,?,?,?,?,?,?), ref: 00412FF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F08,00000058,?,?,?,?,?,?,?), ref: 0041301B
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?), ref: 00413033
__vbaFreeObj.MSVBVM60(00413066,?), ref: 00413060

Strings

HSA, xrefs: 00412F81

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#563CastListNew2
String ID: HSA
API String ID: 4064276064-293960443
Opcode ID: bd06443c3f1632cb0f12b1bc094df87c4b677b7c87bb16fad8fb999cc30f709a
Instruction ID: 8c285f0052f7ee2791d4b4e28a6b00bcf7454a03f830b03d8b2a1e9821a72987
Opcode Fuzzy Hash: bd06443c3f1632cb0f12b1bc094df87c4b677b7c87bb16fad8fb999cc30f709a
Instruction Fuzzy Hash: CB41E170900618EFCB00EFD4C94ABDEBBB8BF08745F10452AF401BB2A1D7B95986DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041405E, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041407C
__vbaVarDup.MSVBVM60 ref: 004140B4
#564.MSVBVM60(?,?), ref: 004140C1
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 004140D2
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004140FC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041410F
__vbaHresultCheckObj.MSVBVM60(00000000,00401460,0040276C,00000160), ref: 00414150
__vbaNew2.MSVBVM60(00402DB0,00415348), ref: 00414177
__vbaObjSet.MSVBVM60(?,?,GAARDHUSET), ref: 004141B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004141E2
__vbaFreeObj.MSVBVM60(00000000,?,00402DA0,00000040), ref: 004141F9

Strings

GAARDHUSET, xrefs: 004141AA
HSA, xrefs: 00414192

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckHresult$Free$#564ChkstkListNew2
String ID: GAARDHUSET$HSA
API String ID: 851593083-2964492987
Opcode ID: f3474c0c2beaf9490de55d71a4bb8be780808cdc08f33bef5e71a6b54484271b
Instruction ID: f41ee5d753e93676b5138cc95c73b84fa4cbcc48cf45b7652e970b0ba98902de
Opcode Fuzzy Hash: f3474c0c2beaf9490de55d71a4bb8be780808cdc08f33bef5e71a6b54484271b
Instruction Fuzzy Hash: D6510770D00218EFDB10DFA5C849BDDBBB8BB14704F20856AE509B72A1DB795A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412478, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412493
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004124B9
#563.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004124C2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004124D8
__vbaNew2.MSVBVM60(00402DB0,00415348,?), ref: 004124FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,0000001C,?,?,?,?,?,?), ref: 00412540
__vbaChkstk.MSVBVM60(?,?,?,?,?,?), ref: 00412565
__vbaCastObj.MSVBVM60(?,00402EE0,?,?,?,?,?,?), ref: 0041257B
__vbaObjSet.MSVBVM60(?,00000000,?,00402EE0,?,?,?,?,?,?), ref: 00412585
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F08,00000058,?,?,?,?,?,?), ref: 004125AE
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 004125C6
__vbaFreeObj.MSVBVM60(004125F9,?), ref: 004125F3

Strings

HSA, xrefs: 00412511

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$#563CastListNew2
String ID: HSA
API String ID: 4064276064-293960443
Opcode ID: 21390c43d88d2e1f1048f87a93f5e9d506f96e34b691568b3dc78f71824cfa1f
Instruction ID: 1b85c62744a4e3610a7a2c3e7991478a83d02ce6b2c1230d40da447b3bed7837
Opcode Fuzzy Hash: 21390c43d88d2e1f1048f87a93f5e9d506f96e34b691568b3dc78f71824cfa1f
Instruction Fuzzy Hash: 1541E470D00618AFCB00DFD1C986BDEBBB9BF08745F24442AF401BB1A1D7B95955DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00411418, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411434
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,004014C6), ref: 0041146B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000014), ref: 004114AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DC0,00000128), ref: 004114F6
__vbaFreeObj.MSVBVM60(00000000,?,00402DC0,00000128), ref: 0041151C
__vbaChkstk.MSVBVM60(00000000,?,00402DC0,00000128), ref: 00411548
__vbaChkstk.MSVBVM60(00000000,?,00402DC0,00000128), ref: 00411559
__vbaLateMemCall.MSVBVM60(?,IXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84,00000002), ref: 00411571
__vbaFreeObj.MSVBVM60(00411592), ref: 0041158C

Strings

HSA, xrefs: 00411480
Triorchis, xrefs: 00411529
IXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84, xrefs: 00411569

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresult$CallLateNew2
String ID: HSA$IXie2utHRx0hSBLrnl2lM4fNpqMGsjbukbu73oU84$Triorchis
API String ID: 3443168283-3629061477
Opcode ID: 28352fdc2bf43e92c8d29c880d75b2a3155a7e921acb13d461446cf4fed1a66a
Instruction ID: a04313485f6c9a6e1c6e7e673818826ed8dab57f8a768214b5a687b4b7aac699
Opcode Fuzzy Hash: 28352fdc2bf43e92c8d29c880d75b2a3155a7e921acb13d461446cf4fed1a66a
Instruction Fuzzy Hash: 3C412774D00308EFCB10DFA5C949BDEBBB5BF08704F20852AE505BB2A1DBB95985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412792, Relevance: 21.1, APIs: 14, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 004127AE
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127D8
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127E3
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127EE
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 004127F9
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412811
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041283E
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412857
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,000001B0), ref: 0041288E
__vbaFreeObj.MSVBVM60 ref: 004128A5
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128BD
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128C5
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128CD
__vbaFreeVar.MSVBVM60(004128DB), ref: 004128D5

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckHresultNew2
String ID:
API String ID: 2096563423-0
Opcode ID: f63c9d142257c49606896ad5de17b2c4fc7c45eabb1b596ac6a2810d03d1b6ee
Instruction ID: 51fce569daac9b000fdf8a2d3f8868c4c6881ddf1b2f89bb75533612a9ab8d9f
Opcode Fuzzy Hash: f63c9d142257c49606896ad5de17b2c4fc7c45eabb1b596ac6a2810d03d1b6ee
Instruction Fuzzy Hash: C5310630900208DFCB10EFA5C995BDDBBB5BF14308F50496EF405BB2A1DBBA6A45CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00413D9C, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413DB7
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00413DCF
#693.MSVBVM60(00402D7C,?,?,?,?,004014C6), ref: 00413DD9
__vbaHresultCheckObj.MSVBVM60(?,?,0040276C,00000160,?,?,?,?,004014C6), ref: 00413E19
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413E3A
__vbaObjSet.MSVBVM60(?,?,stvendtes,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413E6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000040,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413E96
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00413EA7
__vbaFreeStr.MSVBVM60(00413ECF,00402D7C,?,?,?,?,004014C6), ref: 00413EC9

Strings

HSA, xrefs: 00413E4F
stvendtes, xrefs: 00413E61

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#693ChkstkCopyNew2
String ID: HSA$stvendtes
API String ID: 663426343-3571590191
Opcode ID: bc92d0e9f33bcc557ccc80453930d75329ca1324e7228c3cc07857dc1f7c84b0
Instruction ID: bafae0f77cf21ae2ad6b48ae06931612411d394296e492b563bc48efda18ccc3
Opcode Fuzzy Hash: bc92d0e9f33bcc557ccc80453930d75329ca1324e7228c3cc07857dc1f7c84b0
Instruction Fuzzy Hash: 5331E870940309EFCB00EF95C94ABDEBBB5EF08716F20452AF501B72A0D7B95A85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411A49, Relevance: 18.1, APIs: 12, Instructions: 123COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411A65
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411A8F
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00411AA7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411AD4
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000), ref: 00411AFD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411B2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,00000188), ref: 00411B5F
__vbaChkstk.MSVBVM60 ref: 00411B70
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001EC), ref: 00411BAA
__vbaFreeStr.MSVBVM60 ref: 00411BBB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00411BCA
__vbaFreeStr.MSVBVM60(00411BFD,?,?,004014C6), ref: 00411BF7

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$CopyList
String ID:
API String ID: 897315418-0
Opcode ID: a9c92f27b6d300a240f4ff8dea0719f2f2768b146f6a55f71697d83b2232d10e
Instruction ID: 15a12843fe16d59a9410e598b34cc931a5654bb9a015de64b6d6205cc9272b3e
Opcode Fuzzy Hash: a9c92f27b6d300a240f4ff8dea0719f2f2768b146f6a55f71697d83b2232d10e
Instruction Fuzzy Hash: 2C51D774900608EFCB10EFD0C895BDDBBB9BF09304F10456AF501BB2A1DB796985DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041213A, Relevance: 18.1, APIs: 12, Instructions: 119COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412155
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041216D
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412185
__vbaObjSet.MSVBVM60(?,00000000), ref: 004121B2
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000), ref: 004121DB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412208
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000050), ref: 00412237
__vbaChkstk.MSVBVM60 ref: 00412248
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,000001EC), ref: 00412282
__vbaFreeStr.MSVBVM60 ref: 00412293
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004122A2
__vbaFreeStr.MSVBVM60(004122D5), ref: 004122CF

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$CopyList
String ID:
API String ID: 897315418-0
Opcode ID: 442d0be792afeb568cac3133116538382786c5871fe6370b7809b3d93082ce4e
Instruction ID: 9c39b4a93efd2b246c38cd9a70899190072e546f4003c1938a1a71c11fb8842f
Opcode Fuzzy Hash: 442d0be792afeb568cac3133116538382786c5871fe6370b7809b3d93082ce4e
Instruction Fuzzy Hash: A541F970A00608EFCF10EFD0D995BDEBBB9BF08304F14452AF501BB2A1C7B959959B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413234, Relevance: 18.1, APIs: 12, Instructions: 73COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00413250
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 0041327A
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00413285
__vbaAryConstruct2.MSVBVM60(?,00402FEC,00000008,?,?,?,?,004014C6), ref: 00413295
#708.MSVBVM60(?,00006008,00402FE4,000000FF,00000000), ref: 004132BE
__vbaAryVar.MSVBVM60(00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132CC
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132DC
__vbaFreeVar.MSVBVM60(?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132E4
__vbaFreeVar.MSVBVM60(00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 004132FC
__vbaFreeVar.MSVBVM60(00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 00413304
__vbaAryDestruct.MSVBVM60(00000000,?,00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 0041330F
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,00413326,?,?,00002008,?,?,00006008,00402FE4,000000FF,00000000), ref: 00413320

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Destruct$#708ChkstkConstruct2Copy
String ID:
API String ID: 2065015019-0
Opcode ID: a7e98dca05792bbfb9294d5c7de89a4f31ce9d1e896feb65d7e1ff97153676e1
Instruction ID: 5fd3a0376af6b4831edb9c1784ca8953cfd3ba7f9d9b9afee1427de3561f7e29
Opcode Fuzzy Hash: a7e98dca05792bbfb9294d5c7de89a4f31ce9d1e896feb65d7e1ff97153676e1
Instruction Fuzzy Hash: C021CA71D40208AADB10EFE5CC86FDDBBB8AF04704F50852BF515BB1E1DB78A6498B54

Uniqueness

Uniqueness Score: -1.00%

Function 00411D26, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411D42
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411D6C
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411D77
__vbaNew2.MSVBVM60(00402DB0,00415348,?,?,?,?,004014C6), ref: 00411D8F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,00000014), ref: 00411DD3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DC0,00000070), ref: 00411E0E
__vbaFreeObj.MSVBVM60 ref: 00411E27
__vbaFreeStr.MSVBVM60(00411E4D), ref: 00411E3F
__vbaFreeStr.MSVBVM60(00411E4D), ref: 00411E47

Strings

HSA, xrefs: 00411DA4

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresult$ChkstkNew2
String ID: HSA
API String ID: 1408746023-293960443
Opcode ID: d35a7267d7bab395125bd5154981e6b88e69a57707672391361fe45ad145b51b
Instruction ID: 694568201b26c24086f10fa9518c170dc1d2100792ed9ab73e5cf16a42cd3a42
Opcode Fuzzy Hash: d35a7267d7bab395125bd5154981e6b88e69a57707672391361fe45ad145b51b
Instruction Fuzzy Hash: DA31E074900208EFCB00EFA5D985BDDBBB4AF08705F20852AF501B72A0D779A986CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412902, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041291D
#575.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,004014C6), ref: 00412945
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 00412960
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?), ref: 00412973
__vbaVarDup.MSVBVM60 ref: 00412997
#666.MSVBVM60(?,?), ref: 004129A4
__vbaVarMove.MSVBVM60(?,?), ref: 004129AF
__vbaFreeVar.MSVBVM60(?,?), ref: 004129B7
__vbaFreeVar.MSVBVM60(004129E3), ref: 004129DD

Strings

anita, xrefs: 00412983

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#575#666ChkstkListMove
String ID: anita
API String ID: 4276905740-2406036547
Opcode ID: af7119eaba4bc636348d1176c3786ffe1308f5c1b253a375e4f381587595821a
Instruction ID: 5abc7c8de29c695bcb5b1c9eee020a3b71707b42540106494db17bed3b415df4
Opcode Fuzzy Hash: af7119eaba4bc636348d1176c3786ffe1308f5c1b253a375e4f381587595821a
Instruction Fuzzy Hash: 8121B7B191025CAADB00EBE1CD8AEEEB7BCBB14704F54452EF101B71A1EB795909CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041334F, Relevance: 16.6, APIs: 11, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041336D
__vbaVarDup.MSVBVM60 ref: 004133AB
#717.MSVBVM60(?,?,00000003,00000000), ref: 004133BC
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 004133E0
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 004133F6
__vbaNew2.MSVBVM60(00401E74,00415010), ref: 0041344A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413483
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000158), ref: 004134CD
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 00413510
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 00413518
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A), ref: 0041352F

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$List$#595#717CheckChkstkHresultNew2
String ID:
API String ID: 4190091149-0
Opcode ID: d6f87d3d237522cbeb74a8414c4d70100449a3fd00935880fea83f72616c7313
Instruction ID: f328f09ebe807ae89d3453d8b797ffa87591f0cba10625b7ef86292635b940a3
Opcode Fuzzy Hash: d6f87d3d237522cbeb74a8414c4d70100449a3fd00935880fea83f72616c7313
Instruction Fuzzy Hash: E651E8B1D00218EFDB11DF90C845BDEBBB8BF08704F5085AAE105BB2A1DB799A45CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00412B25, Relevance: 15.1, APIs: 10, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412B40
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412B65
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412B92
__vbaNew2.MSVBVM60(00401E74,00415010,?,00000000), ref: 00412BBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412BE8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,00000048), ref: 00412C17
__vbaChkstk.MSVBVM60 ref: 00412C28
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001EC), ref: 00412C62
__vbaFreeStr.MSVBVM60 ref: 00412C73
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412C82

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: abbc911938682a9fde818ee73a22d18d20318346af242846ad90b0b427b7b0a8
Instruction ID: 3f7934e47d377584765f31b918ed1486fa1ad541a3f189e52025c8c828815165
Opcode Fuzzy Hash: abbc911938682a9fde818ee73a22d18d20318346af242846ad90b0b427b7b0a8
Instruction Fuzzy Hash: 90413C70900608EFCB10EFD0C995FDEBBB9AF08304F10452AF501B72A1D7B95981DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041424E, Relevance: 15.1, APIs: 10, Instructions: 88COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041426A
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00414294
__vbaStrComp.MSVBVM60(00000000,00402D7C,004030DC,?,?,?,?,004014C6), ref: 004142A5
__vbaNew2.MSVBVM60(00401E74,00415010,00000000,00402D7C,004030DC,?,?,?,?,004014C6), ref: 004142C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,00000108), ref: 00414329
#600.MSVBVM60(00000008,00000002), ref: 00414354
__vbaFreeObj.MSVBVM60(00000008,00000002), ref: 0041435F
__vbaFreeVar.MSVBVM60(00000008,00000002), ref: 00414367
__vbaFreeVar.MSVBVM60(00414396,00000000,00402D7C,004030DC,?,?,?,?,004014C6), ref: 00414390

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#600CheckChkstkCompHresultNew2
String ID:
API String ID: 1824550057-0
Opcode ID: 563363eb8870310f5406d2de26f922f5d67c499fa5e611d6632c604bd8c79d5b
Instruction ID: ab0271479d9fd62e0c322ded4ee0be442299890642da9117d55afccfb72c866e
Opcode Fuzzy Hash: 563363eb8870310f5406d2de26f922f5d67c499fa5e611d6632c604bd8c79d5b
Instruction Fuzzy Hash: 90310770A40208EFCB00EFE5C959BDDBBB4AF48704F10842AF405BB2A1D7795986CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00412DB8, Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412DD3
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00412DEB
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00412DF6
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412E0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E3B
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412E54
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000200), ref: 00412E8B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00412E9C
__vbaFreeStr.MSVBVM60(00412EC2), ref: 00412EB4
__vbaFreeVar.MSVBVM60(00412EC2), ref: 00412EBC

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID:
API String ID: 763330518-0
Opcode ID: 1c59f506fcd07a2097f901d8d18e6edc1694e66ef7e10e8c8bd7b23c6af108bb
Instruction ID: 3a682e4e2336f8fa0d0f715fecdc0c2a98c759ebaf6614acf20fc9f93ea4de51
Opcode Fuzzy Hash: 1c59f506fcd07a2097f901d8d18e6edc1694e66ef7e10e8c8bd7b23c6af108bb
Instruction Fuzzy Hash: E4314D70900308EFCB14EF91C996FDDBBB4AF08714F14492AF401B72A1CBB95945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041135B, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411377
__vbaI4Str.MSVBVM60(00402D70,?,?,?,?,004014C6), ref: 004113A0
#697.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113A6
__vbaStrMove.MSVBVM60(00000000,00402D70,?,?,?,?,004014C6), ref: 004113B0
__vbaStrCmp.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113BB
__vbaFreeStr.MSVBVM60(00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113CF
#580.MSVBVM60(HJDE,00000001,00402D7C,00000000,00000000,00402D70,?,?,?,?,004014C6), ref: 004113E3

Strings

HJDE, xrefs: 004113DE

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$#580#697ChkstkFreeMove
String ID: HJDE
API String ID: 1745895909-2420807878
Opcode ID: 191659900c395f655622b457f642a9924e153bc13b2ea6346444ab01fff29487
Instruction ID: a9d854f457f509e41ee73a495307342d01ac95b26604af36960ecbbd0c6a6c14
Opcode Fuzzy Hash: 191659900c395f655622b457f642a9924e153bc13b2ea6346444ab01fff29487
Instruction Fuzzy Hash: 48017530A40209ABCB00BBA5CC46FAE7AB8AF00B04F14453BB501F71E1DABD98418799

Uniqueness

Uniqueness Score: -1.00%

Function 004144FF, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041451A
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 0041453F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 0041456C
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414585
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,000001EC,?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004145C1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004014C6), ref: 004145D2

Strings

Fierding, xrefs: 00414593

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Fierding
API String ID: 3189907775-2487161434
Opcode ID: 2c39dbfbed31bb04488af8aafec03f7044c56c601af5e4e73a0b5d7d7e9580cd
Instruction ID: 94dbcea938caceef3de172e441513509b2a2e7ed72a0855dfbea25bf12fdc542
Opcode Fuzzy Hash: 2c39dbfbed31bb04488af8aafec03f7044c56c601af5e4e73a0b5d7d7e9580cd
Instruction Fuzzy Hash: DC216D70A40608EFCB00DF95C895BDDBBB9EF49714F60452AF501BB2A0C7B95A80DF69

Uniqueness

Uniqueness Score: -1.00%

Function 004129F6, Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00412A12
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00412A3C
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00412A54
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412A81
__vbaChkstk.MSVBVM60(?,00000000), ref: 00412A97
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ABC,000001C0), ref: 00412ACE
__vbaFreeObj.MSVBVM60 ref: 00412ADF
__vbaFreeStr.MSVBVM60(00412AFE), ref: 00412AF8

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckCopyHresultNew2
String ID:
API String ID: 2888502551-0
Opcode ID: 9d8ec28c09ac5323956b174d0e9d89a93be222c3eecbb7e10a44741bd5c35610
Instruction ID: 639bbd743891c022fc813efb4fa65b065905c59b934d3e8f52eb3d7f5adb053f
Opcode Fuzzy Hash: 9d8ec28c09ac5323956b174d0e9d89a93be222c3eecbb7e10a44741bd5c35610
Instruction Fuzzy Hash: F4314A30900208EFCB10EF91C999BDDBBB5BF08704F50846AF401BB2A0CBB95985CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00411920, Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 0041193C
__vbaVarDup.MSVBVM60(?,?,?,?,004014C6), ref: 00411966
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 0041197E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004119AB
__vbaChkstk.MSVBVM60(?,00000000), ref: 004119C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A9C,000001B0), ref: 004119FB
__vbaFreeObj.MSVBVM60 ref: 00411A0C
__vbaFreeVar.MSVBVM60(00411A2A), ref: 00411A24

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2
String ID:
API String ID: 2807847221-0
Opcode ID: 5319177e48b671fd447492f310eadbfb12fddb78db49abf348fb66627586bd11
Instruction ID: ee6bdefe8b03201f9af1867f2851c72aa8322a30027d9cdc305ea573b6534c12
Opcode Fuzzy Hash: 5319177e48b671fd447492f310eadbfb12fddb78db49abf348fb66627586bd11
Instruction Fuzzy Hash: 46313670A10248EFCB00EFA1C899BDDBBB4BF08304F10456AF501BB2A0DBB96941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411C1C, Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411C38
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 00411C62
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00411C7A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411CA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AAC,000001BC), ref: 00411CD8
__vbaFreeObj.MSVBVM60 ref: 00411CE9
__vbaFreeStr.MSVBVM60(00411D07), ref: 00411D01

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: c689be13148d7d97952d23c8ca15574de37f5d739943ad336758d680d82648ea
Instruction ID: 8b559e2c974dc90a981f84e6da7762af1da8cef9ba2aad0a763a9a9b08aca624
Opcode Fuzzy Hash: c689be13148d7d97952d23c8ca15574de37f5d739943ad336758d680d82648ea
Instruction Fuzzy Hash: 57213670A50208EFCB00EF94C899FDDBBB4BF08704F10856AF501BB2A1DB795941DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004145FB, Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00414616
__vbaStrCopy.MSVBVM60(?,?,?,?,004014C6), ref: 0041462E
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 00414646
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004014C6), ref: 00414673
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,000001F8,?,?,?,?,?,?,?,?,?,004014C6), ref: 004146A4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004014C6), ref: 004146B5
__vbaFreeStr.MSVBVM60(004146D4,?,?,?,?,?,?,?,?,?,004014C6), ref: 004146CE

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: f1e8f8421268710681b4d7b909abff5a9342223c74ae886be63e77a42720da72
Instruction ID: 4f42bb803efc79e3231652cbf8864f74bfc6b433eba0a0af2af481c6e3572edc
Opcode Fuzzy Hash: f1e8f8421268710681b4d7b909abff5a9342223c74ae886be63e77a42720da72
Instruction Fuzzy Hash: AF212A70950208EFCB00DF90C995FDDBBB4BB59708F20056AF001772A1CB7D5941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414444, Relevance: 9.0, APIs: 6, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00414460
#610.MSVBVM60(?,?,?,?,?,004014C6), ref: 00414488
#552.MSVBVM60(?,?,00000001,?,?,?,?,?,004014C6), ref: 00414497
__vbaVarMove.MSVBVM60(?,?,00000001,?,?,?,?,?,004014C6), ref: 004144A2
__vbaFreeVar.MSVBVM60(?,?,00000001,?,?,?,?,?,004014C6), ref: 004144AA
__vbaFreeVar.MSVBVM60(004144D2,?,?,00000001,?,?,?,?,?,004014C6), ref: 004144CC

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$Free$#552#610ChkstkMove
String ID:
API String ID: 3185064854-0
Opcode ID: c83aee9bd768ded6b6e2b428e1268cbb818669aab70bf8aefb8a521eeed86d30
Instruction ID: cec1c0d65296340e5066192e2bdeccca19a0566d1bbeeee6a083544c1faff110
Opcode Fuzzy Hash: c83aee9bd768ded6b6e2b428e1268cbb818669aab70bf8aefb8a521eeed86d30
Instruction Fuzzy Hash: E901FB71D00248BBCB00EFA5C946FCEBBB8EF44748F50856AF105B71A1DB79AA048B58

Uniqueness

Uniqueness Score: -1.00%

Function 00411E6C, Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411E87
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411ED9
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411EDE
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00411F0E
#568.MSVBVM60(0000005B), ref: 00411F20

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$#568#675ChkstkFreeList
String ID:
API String ID: 1539022685-0
Opcode ID: 9a9be583502cb285b3682d77fbbda0261ee2c1253ed11eb1aabbc1434aaccf6d
Instruction ID: 3135df5fad623a4d64432aa5dc4d96b7d496623d0eee38701d86474cd722be43
Opcode Fuzzy Hash: 9a9be583502cb285b3682d77fbbda0261ee2c1253ed11eb1aabbc1434aaccf6d
Instruction Fuzzy Hash: EC1160B1850708AADB01DFD1CD56FEEBBBCEB00B04F14462FF140A6290D7B955808B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041175E, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004014C6), ref: 00411779
__vbaNew2.MSVBVM60(00401E74,00415010,?,?,?,?,004014C6), ref: 0041179E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,004014C6), ref: 004117CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402AF8,000001E8,?,?,?,?,?,?,004014C6), ref: 004117FC
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004014C6), ref: 0041180D

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 015c44f7705ab732d5046b414572d1a6288d58afd63225a76acf5ab488483512
Instruction ID: 3fd82a4276b81878de2ad4df0b6b3077b79da55f67544d0e1ab08b2a6a74b8fd
Opcode Fuzzy Hash: 015c44f7705ab732d5046b414572d1a6288d58afd63225a76acf5ab488483512
Instruction Fuzzy Hash: 61112E74940609EFCB10EF91C956BEEBBB8EB08704F60456AE101B72A0C7795981DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041353E, Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

__vbaFreeVar.MSVBVM60 ref: 0041354B
__vbaFreeStr.MSVBVM60 ref: 00413553
__vbaFreeObj.MSVBVM60 ref: 0041355B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00413572

Memory Dump Source

Source File: 00000011.00000002.450146530.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.450139268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.450161349.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.450169460.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_march OG.jbxd

Similarity

API ID: Free__vba$List
String ID:
API String ID: 2192533141-0
Opcode ID: 224582a13ea8c32cc541a3df5c212782702287b61164d9f0fa4b3d08184edd22
Instruction ID: e06834df7ba98d5cb87bfe0573b2770e41a1c11be254f6c502cb2ca90ff59a8c
Opcode Fuzzy Hash: 224582a13ea8c32cc541a3df5c212782702287b61164d9f0fa4b3d08184edd22
Instruction Fuzzy Hash: AFE07D73C001089BDB05EBD5CCA2DDE73BCAB14304F54457AE512B60A1EA35AA49C664

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://covid19vaccine.hopto.org/march%20OG.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 3476 Parent PID: 792

General

Chronological Activities

Analysis Process: iexplore.exe PID: 5588 Parent PID: 3476

Function 0223057F, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161
nativethreadCOMMON

Function 02232721, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 357
nativeCOMMON

Function 0223063C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
nativethreadCOMMON

Function 0223068C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
nativethreadCOMMON

Function 004106A6, Relevance: 119.7, APIs: 62, Strings: 6, Instructions: 723
COMMON

Function 004107EA, Relevance: 95.1, APIs: 49, Strings: 5, Instructions: 629
COMMON

Function 004135A5, Relevance: 94.9, APIs: 45, Strings: 9, Instructions: 355
COMMON

Function 0040C314, Relevance: 57.9, APIs: 32, Strings: 1, Instructions: 190
COMMON

Function 00411F61, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 106
COMMON

Function 00411836, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Function 004143B5, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35
COMMON

Function 0040241D, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Function 02230EEA, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192
libraryCOMMON

Function 0223529C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
libraryCOMMON

Function 00401714, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON