
Analysis Report cosmic.exe

Overview

General Information

Sample Name:cosmic.exe
Analysis ID:384269
MD5:2369d06b31cff81c84e889cb4fbca7b4
SHA1:bd606a3ca19a5faf32a4e5ed7dd260411d6cae7a
SHA256:ab88a3ed9f8763297791571f9738decb06d122e5402dd5168708586f9390b48f

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cosmic.exe (PID: 5948 cmdline: 'C:\Users\user\Desktop\cosmic.exe' MD5: 2369D06B31CFF81C84E889CB4FBCA7B4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.717158398.00000000004F0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: cosmic.exe | Virustotal: Detection: 44%
    Source: cosmic.exe | ReversingLabs: Detection: 72%
    Machine Learning detection for sample
    Source: cosmic.exe | Joe Sandbox ML: detected
    Source: cosmic.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: cosmic.exe, 00000000.00000002.717349068.00000000006FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: C:\Users\user\Desktop\cosmic.exe | Process Stats: CPU usage > 98%
    Source: cosmic.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: cosmic.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: cosmic.exe, 00000000.00000002.717806368.0000000002240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs cosmic.exe
    Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\cosmic.exe | File created: C:\Users\user\AppData\Local\Temp\~DF14F05F567A5D0232.TMP
    Source: cosmic.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\cosmic.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\cosmic.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000000.00000002.717158398.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
    Source: cosmic.exe | Static PE information: real checksum: 0x1c69d should be: 0x1ecf4
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_0040412F push eax; iretd 0_2_0040413D
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_0040BDC2 push 7600FFCEh; iretd 0_2_0040BDC7
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_004065EE push ebx; ret 0_2_004065F5
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_004035F7 push cs; retf 0_2_00403636
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_00406649 push ebx; ret 0_2_004065F5
    Source: C:\Users\user\Desktop\cosmic.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\cosmic.exe | RDTSC instruction interceptor: First address: 00000000004F36BC second address: 00000000004F3615 instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 00000001h
        0x00000007 cpuid
        0x00000009 popad
        0x0000000a call 00007F3BD07FFE63h
        0x0000000f cmp cx, FCDBh
        0x00000014 cmp cx, ax
        0x00000017 xor edi, edi
        0x00000019 cmp dl, cl
        0x0000001b mov ecx, 00A95F60h
        0x00000020 test ch, dh
        0x00000022 cmp ebx, FD3F3D34h
        0x00000028 push ecx
        0x00000029 test ebx, eax
        0x0000002b test cl, al
        0x0000002d call 00007F3BD07FFFE6h
        0x00000032 call 00007F3BD07FFFC8h
        0x00000037 lfence
        0x0000003a mov edx, dword ptr [7FFE0014h]
        0x00000040 lfence
        0x00000043 ret
        0x00000044 mov esi, edx
        0x00000046 pushad
        0x00000047 rdtsc
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\cosmic.exe | RDTSC instruction interceptor: First address: 00000000004F36BC second address: 00000000004F3615 instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 00000001h
        0x00000007 cpuid
        0x00000009 popad
        0x0000000a call 00007F3BD07FFE63h
        0x0000000f cmp cx, FCDBh
        0x00000014 cmp cx, ax
        0x00000017 xor edi, edi
        0x00000019 cmp dl, cl
        0x0000001b mov ecx, 00A95F60h
        0x00000020 test ch, dh
        0x00000022 cmp ebx, FD3F3D34h
        0x00000028 push ecx
        0x00000029 test ebx, eax
        0x0000002b test cl, al
        0x0000002d call 00007F3BD07FFFE6h
        0x00000032 call 00007F3BD07FFFC8h
        0x00000037 lfence
        0x0000003a mov edx, dword ptr [7FFE0014h]
        0x00000040 lfence
        0x00000043 ret
        0x00000044 mov esi, edx
        0x00000046 pushad
        0x00000047 rdtsc
    Source: C:\Users\user\Desktop\cosmic.exe | RDTSC instruction interceptor: First address: 00000000004F3615 second address: 00000000004F3615 instructions:
        0x00000000 rdtsc
        0x00000002 xor eax, eax
        0x00000004 inc eax
        0x00000005 cpuid
        0x00000007 popad
        0x00000008 call 00007F3BD0ABFE48h
        0x0000000d lfence
        0x00000010 mov edx, dword ptr [7FFE0014h]
        0x00000016 lfence
        0x00000019 ret
        0x0000001a sub edx, esi
        0x0000001c ret
        0x0000001d pop ecx
        0x0000001e jmp 00007F3BD0ABFE3Ah
        0x00000020 cmp ah, ah
        0x00000022 add edi, edx
        0x00000024 dec ecx
        0x00000025 cmp ecx, 00000000h
        0x00000028 jne 00007F3BD0ABFDEBh
        0x0000002a test ch, dh
        0x0000002c cmp ebx, FD3F3D34h
        0x00000032 push ecx
        0x00000033 test ebx, eax
        0x00000035 test cl, al
        0x00000037 call 00007F3BD0ABFE76h
        0x0000003c call 00007F3BD0ABFE58h
        0x00000041 lfence
        0x00000044 mov edx, dword ptr [7FFE0014h]
        0x0000004a lfence
        0x0000004d ret
        0x0000004e mov esi, edx
        0x00000050 pushad
        0x00000051 rdtsc
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_00409255 rdtsc 0_2_00409255
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\cosmic.exe | Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\cosmic.exe | Code function: 0_2_00409255 rdtsc 0_2_00409255
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Techniques listed per tactic column (the trailing digits are the report's per-technique match counts):

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
    Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    Privilege Escalation: Process Injection 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    Defense Evasion: Virtualization/Sandbox Evasion 11, Process Injection 1, Obfuscated Files or Information 1, Binary Padding
    Credential Access: Input Capture 1, LSASS Memory, Security Account Manager, NTDS
    Discovery: Security Software Discovery 31, Virtualization/Sandbox Evasion 11, Process Discovery 1, System Information Discovery 21
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
    Collection: Input Capture 1, Data from Removable Media, Data from Network Shared Drive, Input Capture
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
    Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
    Impact: Modify System Partition, Device Lockout, Delete Device Data


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    cosmic.exe | 44% | Virustotal |
    cosmic.exe | 72% | ReversingLabs | Win32.Worm.GenericML
    cosmic.exe | 100% | Joe Sandbox ML |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:31.0.0 Emerald
    Analysis ID:384269
    Start date:08.04.2021
    Start time:20:23:40
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 31s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:cosmic.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:33
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal72.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 95.3% (good quality ratio 40.2%)
    • Quality average: 21.5%
    • Quality standard deviation: 28.9%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.649585019201811
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:cosmic.exe
    File size:110592
    MD5:2369d06b31cff81c84e889cb4fbca7b4
    SHA1:bd606a3ca19a5faf32a4e5ed7dd260411d6cae7a
    SHA256:ab88a3ed9f8763297791571f9738decb06d122e5402dd5168708586f9390b48f
    SHA512:eb4b5917ae3abc3b78a7ccb6b6ebed9c93b158e01a912946557a0f7fa7ddf1f227ba0cad4454826eef17a3281dd43e4ed7f82357f562590a807d2e342acd8d42
    SSDEEP:1536:qS6vcuDLST/fxj1Z02vL2M/FPVm9vx2cfCPVm9vDd2Mf2v:qFcueZw8VmDfeVmy
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................0...................@....@................

    File Icon

    Icon Hash:c0c6f2e0e4fefe3f

    Static PE Info

    General

    Entrypoint:0x4013e8
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4B06DDF9 [Fri Nov 20 18:20:41 2009 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:d1ed0dda3501483d16a7ad09b76f3b08

    Entrypoint Preview

    Instruction
    push 004113BCh
    call 00007F3BD0F053E3h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xchg dword ptr [edi+611D7AEDh], ecx
    push cs
    inc edi
    pushfd
    sbb bh, cl
    bound esi, dword ptr [ebp]
    mov eax, 0000FEDAh
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax+00000000h], al
    dec eax
    inc ecx
    push esp
    push esp
    dec ecx
    inc ebp
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    or esi, dword ptr [ebp-1504545Eh]
    push dword ptr [ecx]
    inc esi
    cmpsb
    jnbe 00007F3BD0F05463h
    mov esp, 7E2DD200h
    pop esp
    enter D782h, A8h
    mov fs, word ptr [eax-71E670B8h]
    idiv byte ptr [esi-59h]
    xor eax, dword ptr [ebx+3Ah]
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    sub bh, bh
    add byte ptr [eax], al
    push esp
    std
    add byte ptr [eax], al
    add byte ptr [eax], cl
    add byte ptr [eax+6Fh], dl
    insb
    jns 00007F3BD0F05457h
    outsb
    xor dword ptr [eax], eax
    or eax, 4D000501h
    jc 00007F3BD0F0545Dh
    jnc 00007F3BD0F053F3h
    sbb dword ptr [ecx], eax
    add byte ptr [edx+00h], al
    and dword ptr [esi], ebp
    movsd

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13864 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x5c32 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x108 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x12d0c | 0x13000 | False | 0.42769582648 | data | 6.07072824479 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x14000 | 0x117c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x16000 | 0x5c32 | 0x6000 | False | 0.359334309896 | data | 5.26889176316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x1ad8a | 0xea8 | data | |
    RT_ICON | 0x1a4e2 | 0x8a8 | data | |
    RT_ICON | 0x19f7a | 0x568 | GLS_BINARY_LSB_FIRST | |
    RT_ICON | 0x179d2 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | |
    RT_ICON | 0x1692a | 0x10a8 | data | |
    RT_ICON | 0x164c2 | 0x468 | GLS_BINARY_LSB_FIRST | |
    RT_GROUP_ICON | 0x16468 | 0x5a | data | |
    RT_VERSION | 0x161e0 | 0x288 | data | Guarani | Paraguay

    Imports

    DLL | Import
    MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLineInputStr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    Description | Data
    Translation | 0x0474 0x04b0
    InternalName | cosmic
    FileVersion | 1.00
    CompanyName | Pana-sonic
    Comments | Pana-sonic
    ProductName | Pana-sonic
    ProductVersion | 1.00
    FileDescription | Pana-sonic
    OriginalFilename | cosmic.exe

    Possible Origin

    Language of compilation system | Country where language is spoken
    Guarani | Paraguay

    Network Behavior

    No network behavior found

    Code Manipulations

    System Behavior

    General

    Start time:20:24:23
    Start date:08/04/2021
    Path:C:\Users\user\Desktop\cosmic.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\cosmic.exe'
    Imagebase:0x400000
    File size:110592 bytes
    MD5 hash:2369D06B31CFF81C84E889CB4FBCA7B4
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.717158398.00000000004F0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

      Execution Graph

      Execution Coverage:1.9%
      Dynamic/Decrypted Code Coverage:2.1%
      Signature Coverage:3.1%
      Total number of Nodes:97
      Total number of Limit Nodes:3


      Executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID: #$+$/$/$0$3$5$5$6$8$L$Q$S$S$Z$\$^$b$h$j$j$j$k$r$t$t$v
      • API String ID: 0-2042281906
      • Opcode ID: 7176f0e19fb40cdabf4525a286ba3fb2aaf4d0da7f6825559160abb21fba587c
      • Instruction ID: 33b91a82abc96719e01952a95111cd4e6c23e71d782e2ef0f67e8c3259b050c4
      • Opcode Fuzzy Hash: 7176f0e19fb40cdabf4525a286ba3fb2aaf4d0da7f6825559160abb21fba587c
      • Instruction Fuzzy Hash: 48621281A2A30289FFB32160C5D075D6680DF16785F318F7BCC61F55E2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E00412C5C(void* __ebx, void* __edi, void* __esi, long long __fp0, signed int _a4, intOrPtr _a20) {
      				void* _v3;
      				char _v8;
      				intOrPtr _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				void* _v52;
      				char _v68;
      				short _v72;
      				char _v80;
      				short _v84;
      				void* _v88;
      				long long _v96;
      				char _v100;
      				char _v104;
      				char _v120;
      				signed int _v124;
      				signed int _v128;
      				char _v136;
      				char _v140;
      				void* _v144;
      				char _v148;
      				char _v156;
      				signed int _v160;
      				signed int _v164;
      				signed int _v188;
      				signed int _v192;
      				signed int _v196;
      				signed int _v200;
      				signed int _t144;
      				signed int _t166;
      				signed int _t177;
      				signed int _t182;
      				signed int _t188;
      				char* _t191;
      				char* _t193;
      				intOrPtr* _t195;
      				char* _t212;
      				void* _t218;
      				void* _t221;
      				intOrPtr _t222;
      
      				_t222 = _t221 - 0x18;
      				 *[fs:0x0] = _t222;
      				L00401260();
      				_v28 = _t222;
      				_v24 = 0x401118;
      				_v20 = _a4 & 0x00000001;
      				_t144 = _a4 & 0xfffffffe;
      				_a4 = _t144;
      				_v16 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401266, _t218);
      				_v8 = 1;
      				_v8 = 2;
      				asm("fldz");
      				L004012D8();
      				L0040137A();
      				asm("fcomp qword [0x4011a8]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(_t144 != 0) {
      					_v8 = 3;
      					_v8 = 4;
      					_v128 = L"Rosenstokkesegedesm";
      					_v136 = 8;
      					L0040136E();
      					_push(2);
      					_push( &_v120);
      					L00401374();
      					_v96 = __fp0;
      					L004013C2();
      				}
      				_v8 = 6;
      				L00401362();
      				L00401368();
      				L004013B6();
      				L004013C2();
      				_v8 = 7;
      				 *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v156,  &_v120,  &_v120);
      				_v80 = _v156;
      				_v8 = 8;
      				_v140 = 0x3fc5;
      				L0040135C();
      				_v156 =  *0x4011a0;
      				_v80 =  *0x401198;
      				 *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v156,  &_v104,  &_v104,  &_v140,  &_v148);
      				_v100 = _v148;
      				L004013AA();
      				_v8 = 9;
      				_v148 = 0x76e32;
      				_t166 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v148, 0x67c7,  &_v140);
      				_v160 = _t166;
      				if(_v160 >= 0) {
      					_v188 = _v188 & 0x00000000;
      				} else {
      					_push(0x6fc);
      					_push(0x411ac8);
      					_push(_a4);
      					_push(_v160);
      					L00401356();
      					_v188 = _t166;
      				}
      				_v72 = _v140;
      				_v8 = 0xa;
      				 *((intOrPtr*)( *_a4 + 0x710))(_a4);
      				_v8 = 0xb;
      				_v156 =  *0x401190;
      				_v148 = 0x3ac53e;
      				_v140 = 0x3fc5;
      				_t177 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v140,  &_v148, 0x2802,  &_v156, 0x33164f, 0x5bf3,  &_v144);
      				_v160 = _t177;
      				if(_v160 >= 0) {
      					_v192 = _v192 & 0x00000000;
      				} else {
      					_push(0x700);
      					_push(0x411ac8);
      					_push(_a4);
      					_push(_v160);
      					L00401356();
      					_v192 = _t177;
      				}
      				_v84 = _v144;
      				_v8 = 0xc;
      				L00401350();
      				_v8 = 0xd;
      				_t182 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v140, 0xffffffff);
      				asm("fclex");
      				_v160 = _t182;
      				if(_v160 >= 0) {
      					_v196 = _v196 & 0x00000000;
      				} else {
      					_push(0x1b8);
      					_push(0x411a94);
      					_push(_a4);
      					_push(_v160);
      					L00401356();
      					_v196 = _t182;
      				}
      				_t188 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
      				asm("fclex");
      				_v164 = _t188;
      				if(_v164 >= 0) {
      					_v200 = _v200 & 0x00000000;
      				} else {
      					_push(0x1bc);
      					_push(0x411a94);
      					_push(_a4);
      					_push(_v164);
      					L00401356();
      					_v200 = _t188;
      				}
      				_v8 = 0xe;
      				_v128 = _v128 & 0x00000000;
      				_v124 = _v124 & 0x00000000;
      				_v136 = 6;
      				L0040134A();
      				while(1) {
      					_v8 = 0x10;
      					_v128 = 1;
      					_v136 = 2;
      					_push( &_v68);
      					_push( &_v136);
      					_t191 =  &_v120;
      					_push(_t191);
      					L00401344();
      					_t212 = _t191;
      					L0040134A();
      					_v8 = 0x11;
      					_v128 = 0x2ffff;
      					_v136 = 0x8003;
      					_push( &_v68);
      					_t193 =  &_v136;
      					_push(_t193);
      					L0040133E();
      					if(_t193 == 0) {
      						break;
      					}
      				}
      				_v8 = 0x14;
      				_v128 = 0xff8ac1e0;
      				do {
      					_t212 = _t212 + 1;
      				} while (_t212 != 0xffcbf228);
      				_a20 = _t212 + 0x74a08d;
      				_t195 = _a20();
      				asm("loop 0x0");
      				asm("lock add [eax], al");
      				 *_t195 =  *_t195 + _t195;
      				asm("wait");
      				_push(0x41309d);
      				L004013C2();
      				L004013C2();
      				L004013AA();
      				return _t195;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 00412C7A
      • _CIsin.MSVBVM60(?,?,?,?,00401266), ref: 00412CC0
      • __vbaFpR8.MSVBVM60(?,?,?,?,00401266), ref: 00412CC5
      • __vbaVarDup.MSVBVM60 ref: 00412CFD
      • #600.MSVBVM60(?,00000002), ref: 00412D08
      • __vbaFreeVar.MSVBVM60(?,00000002), ref: 00412D13
      • #612.MSVBVM60(?,?,?,?,?,00401266), ref: 00412D23
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401266), ref: 00412D2C
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401266), ref: 00412D36
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401266), ref: 00412D3E
      • __vbaStrCopy.MSVBVM60 ref: 00412D80
      • __vbaFreeStr.MSVBVM60(?,00003FC5,?), ref: 00412DCE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AC8,000006FC,?,?,?,00003FC5,?), ref: 00412E27
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AC8,00000700,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412EDC
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412F04
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411A94,000001B8,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412F49
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411A94,000001BC), ref: 00412F9C
      • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412FD2
      • __vbaVarAdd.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5), ref: 00412FFE
      • __vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5), ref: 00413008
      • __vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 00413030
      • __vbaFreeVar.MSVBVM60(0041309D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00413087
      • __vbaFreeVar.MSVBVM60(0041309D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 0041308F
      • __vbaFreeStr.MSVBVM60(0041309D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00413097
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultMove$#600#612ChkstkCopyErrorIsin
      • String ID: Kompetenceomraaders$Rosenstokkesegedesm
      • API String ID: 3051467023-1030129653
      • Opcode ID: febd1f5d0f5e0b65bdb5662035cff00054722255f03231ff97678b1934111390
      • Instruction ID: 0b69ef7ada4a0b5e9851bdd1f5864ee973ca73e6882423e32099b7b870af6888
      • Opcode Fuzzy Hash: febd1f5d0f5e0b65bdb5662035cff00054722255f03231ff97678b1934111390
      • Instruction Fuzzy Hash: 20C1E57490021CEFDB10DFA1C949BDDBBB4FF08304F1081AAE549AB2A1DB785A99DF54
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 31 4092eb-4093da 34 4093dd-409587 31->34 39 40958d-409e93 34->39 59 409e99-40a0d8 39->59 64 40a0de-40b054 VirtualAlloc 59->64 92 40b0b1-40b399 call 40b5e4 64->92 100 40b39f-40b548 92->100
      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: #$+$/$/$0$3$5$5$6$8$L$Q$S$S$Z$\$^$b$h$j$j$j$k$r$t$t$v
      • API String ID: 4275171209-2042281906
      • Opcode ID: 6f728520acc15e0e5555c1798d329108353c0a6959c4f9ace28f36c3d1323431
      • Instruction ID: a196bdf0fb13214c6cf331ea1796e728de9ba168faf0cb18ce8deca2bdea3c31
      • Opcode Fuzzy Hash: 6f728520acc15e0e5555c1798d329108353c0a6959c4f9ace28f36c3d1323431
      • Instruction Fuzzy Hash: 5752E181A2A70289FFB32060C5D075DA280DF16785F318F37DC61F55E2BA2F89CA1597
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 186 409376-4093da 187 4093dd-409587 186->187 192 40958d-409e93 187->192 212 409e99-40a0d8 192->212 217 40a0de-40b054 VirtualAlloc 212->217 245 40b0b1-40b399 call 40b5e4 217->245 253 40b39f-40b548 245->253
      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: +$/$/$0$3$5$5$6$8$L$S$Z$\$^$b$h$j$j$j$k$r$t$t$v
      • API String ID: 4275171209-3243391027
      • Opcode ID: 44835972a2f401212357116986840ef7d9c68e564d6537af5c8a05c9ae519331
      • Instruction ID: f7689c2e4ab331b5b4a18f8319c392a33433c8220f4d531f4b59e5553f36aefa
      • Opcode Fuzzy Hash: 44835972a2f401212357116986840ef7d9c68e564d6537af5c8a05c9ae519331
      • Instruction Fuzzy Hash: D952E181A2A70289FFB32060C5D075DA280DF16785F318F37DC61F55E2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 259 409400-409403 260 409405 259->260 261 40947e-40947f 259->261 262 409480-409481 260->262 263 409407 260->263 261->262 265 409482-409483 262->265 263->265 266 409409 263->266 267 409484-409485 265->267 266->267 268 40940b 266->268 269 409486-409487 267->269 268->269 270 40940d 268->270 271 409488 269->271 270->271 272 40940f 270->272 274 40948a 271->274 273 409411 272->273 272->274 276 409413 273->276 277 40948c 273->277 278 4094e3-409587 274->278 279 40948e 276->279 280 409415 276->280 277->279 284 4093dd-409487 278->284 285 40958d-409e93 278->285 282 409490 279->282 280->282 283 409417-40947c 280->283 282->278 283->261 284->274 325 409e99-40a0d8 285->325 335 40a0de-40b054 VirtualAlloc 325->335 370 40b0b1-40b399 call 40b5e4 335->370 378 40b39f-40b548 370->378
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID: +$/$/$0$3$5$6$8$L$S$Z$\$^$b$h$j$j$j$k$r$t$v
      • API String ID: 0-1728991491
      • Opcode ID: 926a67556d32435f080c17d7832669919b66b7a68cb30450a5101e5ea6e370fb
      • Instruction ID: c012bcd859a00e7fb3760a4e2044448024dcf3023fee634ee1009ea3e6858af9
      • Opcode Fuzzy Hash: 926a67556d32435f080c17d7832669919b66b7a68cb30450a5101e5ea6e370fb
      • Instruction Fuzzy Hash: 3F52F381A2A30289FFB32060C5D075D6280DF16785F318F3BDD65F55E2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 384 40951e-409523 385 409575-409587 384->385 386 4093dd-40951c 385->386 387 40958d-409e93 385->387 386->385 410 409e99-40a0d8 387->410 415 40a0de-40b054 VirtualAlloc 410->415 443 40b0b1-40b399 call 40b5e4 415->443 451 40b39f-40b548 443->451
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID: +$/$/$3$5$6$L$S$Z$\$^$h$j$j$j$k$r$t$v
      • API String ID: 0-2166363353
      • Opcode ID: 1dcb82125cf1ddc55250212197c02b0ad8ce6b74de782a77648e2eb4cde845de
      • Instruction ID: 375074263f7917e166a6991235a4aeb12ec4f60d9878c24d0ce5262dacf4a6ef
      • Opcode Fuzzy Hash: 1dcb82125cf1ddc55250212197c02b0ad8ce6b74de782a77648e2eb4cde845de
      • Instruction Fuzzy Hash: B642E181A2A70289FFB32060C5D075DA281DF16785F318F37DC61F55E2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 457 4095ae-409e93 476 409e99-40a0d8 457->476 481 40a0de-40b054 VirtualAlloc 476->481 509 40b0b1-40b399 call 40b5e4 481->509 517 40b39f-40b548 509->517
      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: +$/$/$3$6$L$S$Z$\$^$h$j$j$j$k$r$t$v
      • API String ID: 4275171209-1949328999
      • Opcode ID: 5307bb817283c8ef3eabcc4ea34fda3fe37ba12dd6c23aec9dd6bd7107545df3
      • Instruction ID: c31a5a3ed431312e8963574f3d9a917aa25999cb463f79141004b974cdeeca2f
      • Opcode Fuzzy Hash: 5307bb817283c8ef3eabcc4ea34fda3fe37ba12dd6c23aec9dd6bd7107545df3
      • Instruction Fuzzy Hash: 1042E181A2A70289FFB22060C5D075D6680DF16785F318F37DC62F55E2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 523 40976c-409e93 541 409e99-40a0d8 523->541 546 40a0de-40b054 VirtualAlloc 541->546 574 40b0b1-40b399 call 40b5e4 546->574 582 40b39f-40b548 574->582
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID: +$/$/$3$L$S$\$j$j$k$t$v
      • API String ID: 0-3667247253
      • Opcode ID: 355b39fb1627de1964dcde276607dcc02435bc7cd87c6338a6bebdb3e36bce88
      • Instruction ID: acdff012051a50c6e3b05e57ec59a22c44d1db73155103cc091437d89c401289
      • Opcode Fuzzy Hash: 355b39fb1627de1964dcde276607dcc02435bc7cd87c6338a6bebdb3e36bce88
      • Instruction Fuzzy Hash: A842D081E2A70289FFB22060C5D075D6280DF16785F318F37DD61F15E2BA2F8ACA1597
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 588 4097fc-409e93 604 409e99-40a0d8 588->604 609 40a0de-40b054 VirtualAlloc 604->609 637 40b0b1-40b399 call 40b5e4 609->637 645 40b39f-40b548 637->645
      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: +$/$/$3$L$S$j$j$k$v
      • API String ID: 4275171209-1838759407
      • Opcode ID: e792b252b322a9cdf36e4968b51102161fcfbf3c68ce0d421057440eece7a69f
      • Instruction ID: 5ab43da6bb21ceda8c452216ed700220a5c0381ef04d9a998e2c4a00a28882d2
      • Opcode Fuzzy Hash: e792b252b322a9cdf36e4968b51102161fcfbf3c68ce0d421057440eece7a69f
      • Instruction Fuzzy Hash: 8742D081E2A70289FFB22060C5D075D6681DF16781F318F37D862F15E2BA2FC9CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 651 409889-409e93 666 409e99-40a0d8 651->666 671 40a0de-40b054 VirtualAlloc 666->671 699 40b0b1-40b399 call 40b5e4 671->699 707 40b39f-40b548 699->707
      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: +$/$/$3$S$j$k$v
      • API String ID: 4275171209-2644486370
      • Opcode ID: cba54b456ca189bb949d6e2b5f5e2d4784a4b3f4112d5edbc283941c96019d39
      • Instruction ID: 31d3c01c3763c83863b342314b18f738fa2873a76deef8c10691fdf2a7db3ccc
      • Opcode Fuzzy Hash: cba54b456ca189bb949d6e2b5f5e2d4784a4b3f4112d5edbc283941c96019d39
      • Instruction Fuzzy Hash: B632D081E2A70289FFB22060C5D075D6681DF16781F318F37DD62F15E2BA2F89CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 713 409917-409e93 728 409e99-40a0d8 713->728 733 40a0de-40b054 VirtualAlloc 728->733 761 40b0b1-40b399 call 40b5e4 733->761 769 40b39f-40b548 761->769
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID: +$/$k
      • API String ID: 0-1207601610
      • Opcode ID: b0c0dde6681ffa959c3d0c9e72ac4d7e65ed59edb84ace02101cf6fc44e6499e
      • Instruction ID: f5235221ea33978e73e91a036c4a4f74061de5b84e92b64659a00070a969102f
      • Opcode Fuzzy Hash: b0c0dde6681ffa959c3d0c9e72ac4d7e65ed59edb84ace02101cf6fc44e6499e
      • Instruction Fuzzy Hash: 6732CF81E2A70289FFB22060C5D075D6681DF16781F318F37D962F15E2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 775 4013e8-40143e #100 776 401440-401497 775->776 777 4014b1-4014fc 775->777 778 401499-4014a2 776->778 779 4014fe-401504 776->779 777->779 781 4014a4-4014af 778->781 782 40150f-401542 778->782 784 401543-401856 779->784 785 401506-40150b 779->785 781->777 782->784 787 401857-4018aa 784->787 785->782 787->787 788 4018ac-4018b3 787->788
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 02d99e9cf5731f6a0aa36951293a800a515d04b8ae8b54e08722be6312001da3
      • Instruction ID: cf87dc595dc968d443094d09ffe2555bd67e18e7b4dec2e75654a573883ac9cd
      • Opcode Fuzzy Hash: 02d99e9cf5731f6a0aa36951293a800a515d04b8ae8b54e08722be6312001da3
      • Instruction Fuzzy Hash: E3A2322109E3E09FD7538BB888B5A557FB0EE5760470A5ADBC4C0CF0A7C228685DDB67
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 789 409fe9-409fee 790 40a040-40a0d8 789->790 792 409e99-409fe5 790->792 793 40a0de-40b054 VirtualAlloc 790->793 792->790 823 40b0b1-40b399 call 40b5e4 793->823 831 40b39f-40b548 823->831
      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: ;;;
      • API String ID: 4275171209-3950916373
      • Opcode ID: c3b714ff3860087ccafb6c940962cacfe5eb6987532f77a1c3a4db9cf482ecaa
      • Instruction ID: 98a9eca45b9cfa64b62d1252e48e1a25b1f87a9108b9dd82ea02cc296253852e
      • Opcode Fuzzy Hash: c3b714ff3860087ccafb6c940962cacfe5eb6987532f77a1c3a4db9cf482ecaa
      • Instruction Fuzzy Hash: E502C081E2A70299FF722060C5D075D6680DF16781F318F3BD862F55E2BA2F89CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 837 40a7d6-40a7d7 838 40a768-40a7d4 837->838 839 40a7d9-40a82a 837->839 840 40a82b-40b054 VirtualAlloc 838->840 839->840 855 40b0b1-40b399 call 40b5e4 840->855 863 40b39f-40b548 855->863
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID: !
      • API String ID: 0-2657877971
      • Opcode ID: 9e62e4f00982c0eec109aa7c6914c9be54a08591f8e00a2a6dadd09a9f56e2b3
      • Instruction ID: 3d296869b60e0cb783f16a294c10da001ecc7b05c049e11fb1f8ab55706ba0fe
      • Opcode Fuzzy Hash: 9e62e4f00982c0eec109aa7c6914c9be54a08591f8e00a2a6dadd09a9f56e2b3
      • Instruction Fuzzy Hash: EFC1E181E2A70289FF722160C5D075D6680DF26781F368F3BD865F14D2BA2FC6CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 869 409d08-409d0c 870 409d8d 869->870 871 409d0e 869->871 874 409d91-409d96 870->874 872 409d10 871->872 873 409d8f-409d90 871->873 872->874 875 409d12-409d16 872->875 873->874 876 409d99 874->876 882 409d97 875->882 883 409d18 875->883 878 409df5-409e93 876->878 881 409e99-40a0d8 878->881 895 40a0de-40b054 VirtualAlloc 881->895 882->876 883->876 885 409d1a 883->885 887 409d9b-409d9c 885->887 888 409d1c 885->888 889 409d9d 887->889 888->889 891 409d1e 888->891 892 409d9f 889->892 891->892 894 409d20-409d8c 891->894 892->878 894->870 951 40b0b1-40b399 call 40b5e4 895->951 964 40b39f-40b548 951->964
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a4189372d677f9b55ff3f42c2b3ad5def13ea49a2f909e686eaa604b00598751
      • Instruction ID: 3e21f441fc7490b67fd9ad37d00e989e78d9952395c229d8e10a0a7c4a7aa1fa
      • Opcode Fuzzy Hash: a4189372d677f9b55ff3f42c2b3ad5def13ea49a2f909e686eaa604b00598751
      • Instruction Fuzzy Hash: 69222482A6A74289FF722064C9D075D6240EF12781F358F37DC61F15E3BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 5e786afff201332ec5a88cf200dbf84d3dee62f9bd584374561d7403a25c2313
      • Instruction ID: 896472a15108382fe9297acbd36714a955ecf94890ef8e62fb7d24f94ea905bb
      • Opcode Fuzzy Hash: 5e786afff201332ec5a88cf200dbf84d3dee62f9bd584374561d7403a25c2313
      • Instruction Fuzzy Hash: 0822E181E2A70299FF722060C5D075D6680DF16781F318F37D962F15E2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: bebc2b67c3ad44072dbf9ee98a1c41cb46c0772b7f9e265603386e1da9b2d9f7
      • Instruction ID: 1a1a7e43b3f30522b57b3380d853b8ef22ae34480bbe1d20a4e8a10ffd963c00
      • Opcode Fuzzy Hash: bebc2b67c3ad44072dbf9ee98a1c41cb46c0772b7f9e265603386e1da9b2d9f7
      • Instruction Fuzzy Hash: 8932D081E2A70289FFB32060C5D075D6680DF16781F358F77D862F15E2BA2F8ACA1597
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 7955bd4b6257baaf0133a41b7277892904fee166f87c5a6c6439c04b408d7aa9
      • Instruction ID: 57563b1664059d86781760b86d049130050936d2c0f1cc563344aeea24a52e0c
      • Opcode Fuzzy Hash: 7955bd4b6257baaf0133a41b7277892904fee166f87c5a6c6439c04b408d7aa9
      • Instruction Fuzzy Hash: 1F22DF81E2A70289FFB22060C5D075D6680DF16781F358F37D962F15E2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 9f6eea941e4f175d9844aab25d84b6f8fc811b56f05c4611347c5b6174312055
      • Instruction ID: 95cf1966e0e148b49c5e1015437119fddb27e6d7e4fdf42a261764def217897a
      • Opcode Fuzzy Hash: 9f6eea941e4f175d9844aab25d84b6f8fc811b56f05c4611347c5b6174312055
      • Instruction Fuzzy Hash: 1332F181E2A70289FFB32060C5D075D6680DF16781F358F37D862F55E2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 23aaf0c403e289e79845c4680ad8917d23879e01cfe1253fe709ae9db65597fc
      • Instruction ID: 8e1d90dac9f3de6b8fe3ca5c55dda6528843e2101f952588bfd7cfdd5554373d
      • Opcode Fuzzy Hash: 23aaf0c403e289e79845c4680ad8917d23879e01cfe1253fe709ae9db65597fc
      • Instruction Fuzzy Hash: 1812D181E2A70299FF722060C5D075D6681DF16781F318F3BC862F55E2BA2FC9CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: affaa7063875d2ed01598a1b87a649e7319cc8412c0db53949c8e3c249022843
      • Instruction ID: 5ab8ba565867bf1de929f21281cfd8bb1c706becf0b79c88a63382a80b19a488
      • Opcode Fuzzy Hash: affaa7063875d2ed01598a1b87a649e7319cc8412c0db53949c8e3c249022843
      • Instruction Fuzzy Hash: C912E281E2A30299FF722060C5D075D6680DF16781F318F3BD862F55E2BA1FC9CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 09b8955e1dd415188d48cf1bb16b1b1137f6661fa330e8f1909740909a0db242
      • Instruction ID: f59e316e5378b894b92b1494b8a65a23e7e781bd8c8892887dd685837c1a961a
      • Opcode Fuzzy Hash: 09b8955e1dd415188d48cf1bb16b1b1137f6661fa330e8f1909740909a0db242
      • Instruction Fuzzy Hash: A602D181E2A70299FF722060C5D075D6680DF16781F318F3BD862F55E2BA2FC9CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: e2a3154ddc5f2c3d43e0cc541830d21e0faa0711cc8bfd504df717d5ef05c684
      • Instruction ID: 93b93ea7371f4cbb0cd1387295f671ab7fced7df0825050bc2acd5b4c17a45f7
      • Opcode Fuzzy Hash: e2a3154ddc5f2c3d43e0cc541830d21e0faa0711cc8bfd504df717d5ef05c684
      • Instruction Fuzzy Hash: 9B12C082E2A70299FF722060C5D075D6680DF16781F318F3BD862F55E2BA1FC9CA1997
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 9a7f1e5cc60197223b1e02972dcdd4a9ac4b7fcce610aa890eee07f787662940
      • Instruction ID: d1e9ffe9690103a5a8161d09f9bf4930aef028b342b6211962fa29b83a37ef29
      • Opcode Fuzzy Hash: 9a7f1e5cc60197223b1e02972dcdd4a9ac4b7fcce610aa890eee07f787662940
      • Instruction Fuzzy Hash: 3402E182E2A30299FF722060C5D075D6680DF16781F318F7BC866F55E2BA2FC9CA1597
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: dbe2b59ea88ad43b1a7729682c9a72cd222a2a30dd9428c6a253c3540ec6dba7
      • Instruction ID: 83ea81b770b7f1bb50be61492ffe1474bdc32dd2b6eb18ba14399c826c802616
      • Opcode Fuzzy Hash: dbe2b59ea88ad43b1a7729682c9a72cd222a2a30dd9428c6a253c3540ec6dba7
      • Instruction Fuzzy Hash: BBF1D081E2A70299FF722060C5D075D6680DF16781F318F3BD866F15E2BA2FC9CA1597
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: d7776959bc675dfe34d1d748ff78719096ec0676e627f93f2096f212a14f4b18
      • Instruction ID: 18aefde2612b4322436b2f850d7ee4553fb279a212be3020472629379e1a2dd6
      • Opcode Fuzzy Hash: d7776959bc675dfe34d1d748ff78719096ec0676e627f93f2096f212a14f4b18
      • Instruction Fuzzy Hash: C8E1E082E2A70299FF722060C5D075D6280DF16781F318F37C866F55E2BA2FC5CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: ba11c5ff2d57c1a2acc7845f9c4f7cedf74d075466901bc6126a729daa57bab0
      • Instruction ID: cc1d9ba71bec4ca976a8179b5d8386c9b0b545802c27571b55656a0ea735d6f8
      • Opcode Fuzzy Hash: ba11c5ff2d57c1a2acc7845f9c4f7cedf74d075466901bc6126a729daa57bab0
      • Instruction Fuzzy Hash: 25F1F081E2A70299FF722060C5D075D6680DF16781F318F3BC862F15E2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 00ba05dd1433903f0a079422e7cc15a5f9369b94ddb215efeed575d00d25a010
      • Instruction ID: 8b86b45119ed8e403ed8acda22671a036be19893a13d2859049a056e6fd9fc1e
      • Opcode Fuzzy Hash: 00ba05dd1433903f0a079422e7cc15a5f9369b94ddb215efeed575d00d25a010
      • Instruction Fuzzy Hash: 2AE1EF82E2A70299FFB22060C5D075D6280DF16781F318F37D866F55D2BA2FC5CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f662f7a8d5903d08a0554fc6dd53153d5aeebcb5bc40c9aa9ca3c6a4b13c7060
      • Instruction ID: 7558449447d815b2e3b86c905451ef22f7f203aa0173c631b663047469cff467
      • Opcode Fuzzy Hash: f662f7a8d5903d08a0554fc6dd53153d5aeebcb5bc40c9aa9ca3c6a4b13c7060
      • Instruction Fuzzy Hash: E6E1E081E2A70289FFB22060C5D075D6280DF16781F318F37D866F55D2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fdbd521a6a6e753b7d9badcbc76c528a8722893991988af3106a0aed6ddd541a
      • Instruction ID: 0cfaad7c4375b087b121193e6d27172ff3a22381d31c8d0d380c4ab6430746d8
      • Opcode Fuzzy Hash: fdbd521a6a6e753b7d9badcbc76c528a8722893991988af3106a0aed6ddd541a
      • Instruction Fuzzy Hash: F1D1DD81E2A70299FF722060C5D075D6280DF26781F318F3BD865F55E2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: c2c8242a88eece85c3806f51d8254addeb900e4e255bb93e82d659eb012d3c19
      • Instruction ID: 6eef0632d7bcb9d3cbd2e9daaff138101edb1d4dad3595220c532f662cf09f4e
      • Opcode Fuzzy Hash: c2c8242a88eece85c3806f51d8254addeb900e4e255bb93e82d659eb012d3c19
      • Instruction Fuzzy Hash: B1C1E081E2A70289FF722060C5D075D6680DF26781F328F3BD865F15D2BA2FC9CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: fba7a7bafe6a5b85d889737ac6a25e3ff1b26bde875231bb87b472d99e0e33df
      • Instruction ID: 218a08315468b31291debc9d4591207f1ac9e7049a8ce064fc269041da1fd5bf
      • Opcode Fuzzy Hash: fba7a7bafe6a5b85d889737ac6a25e3ff1b26bde875231bb87b472d99e0e33df
      • Instruction Fuzzy Hash: 73D1D081E2A70299FF722060C5D075D6280DF16781F318F37DC65F55D2BA2F89CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 077f81e1de5066d49174adc248b1acae7e4322fdc9c58524ef786fce98c32ef8
      • Instruction ID: a29965c81ee9b1388ff942c6bd721c4d2e2ea79d201b026b11246fea085694f3
      • Opcode Fuzzy Hash: 077f81e1de5066d49174adc248b1acae7e4322fdc9c58524ef786fce98c32ef8
      • Instruction Fuzzy Hash: EEC1D081E2A70289FF722060C5D075D6680DF16781F368F3BD865F15D2BA2FC6CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 687eaea3ca40306be557a0d2e68c37f9fce108b4272a376695e491b0c1e460af
      • Instruction ID: 4b21a2722a2fa7d87791d771122e28be472c8a091ac3176538b6432af78079f5
      • Opcode Fuzzy Hash: 687eaea3ca40306be557a0d2e68c37f9fce108b4272a376695e491b0c1e460af
      • Instruction Fuzzy Hash: 85C1D181E2A70289FF722060C5D075D6680DF26781F328F37D865F15D2BA2FC6CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: b3d68998eadf4c9536d14bba968d7f060273a9341c5ea43957674e184a3416e0
      • Instruction ID: 558ab077385f6128dfec0ad7095dc1a325e474627e823965574d39ff4ce7a14f
      • Opcode Fuzzy Hash: b3d68998eadf4c9536d14bba968d7f060273a9341c5ea43957674e184a3416e0
      • Instruction Fuzzy Hash: 5EC1E281E2A70289FF722060C5D075D6680DF16781F328F77D866F15D2BA2FC6CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: ce716d459b07c8dddab63f6554753d737a83945466cb0761ecb98968dc123ea5
      • Instruction ID: a6d0473afbbb6e5633de8c0f007e07e585b7b43cf6acb7bfbae3afe213874cf1
      • Opcode Fuzzy Hash: ce716d459b07c8dddab63f6554753d737a83945466cb0761ecb98968dc123ea5
      • Instruction Fuzzy Hash: ACA1D081E6A70289FF722060C5D075D6680DF16782F328F7BDC65F14D2BA2F86CA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a01f4e8d86459d39d00a4db6d0f592b4d779eff9a5d0f04651c6f95d756950dd
      • Instruction ID: c6add494babb59b44627b46caaba0df997abbcdbcdb7684fc3137428b9451f1e
      • Opcode Fuzzy Hash: a01f4e8d86459d39d00a4db6d0f592b4d779eff9a5d0f04651c6f95d756950dd
      • Instruction Fuzzy Hash: 24B1D181E6A70289FF722060C5D075D6680DF16781F368F37DC65F14D2BA2F8ACA159B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 04778587bbe4bca3d87de65eb64bd51a3b45e9f393673a54a6e6ea90831d882d
      • Instruction ID: c129017237b9915a92392a5ea4090262af2ba573a1bb9ac608bad73eaf082ca7
      • Opcode Fuzzy Hash: 04778587bbe4bca3d87de65eb64bd51a3b45e9f393673a54a6e6ea90831d882d
      • Instruction Fuzzy Hash: 09A1F081E2A70289FF722160C5D075D6680DF16781F368F3BD865F14D2BA2F8ACA159B
      Uniqueness

      Uniqueness Score: -1.00%
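
The one API reference that recurs through the blocks above, `VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC`, is the stub asking the kernel for a 0xC000-byte region at an address of the kernel's choosing, committed (MEM_COMMIT = 0x1000) and writable plus executable (PAGE_EXECUTE_READWRITE = 0x40). A committed RWX region at a kernel-chosen address is the classic staging area a loader decrypts its payload into before jumping to it, so this is the line an analyst should pull out of a report like this one. The Python below is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It parses API-call lines of the report's own shape, decodes the allocation type and protection constants (standard winnt.h values), flags the RWX-commit pattern, and also decodes the protection field of the `.sdmp` dump names. That last decoding is an assumption inferred from the names on this page (0x20 for the code section at 0x401000, 0x04 for the data section at 0x414000); the second API line in the sample input is a constructed benign contrast, not from the report.

```python
"""Decode sandbox API-call lines and .sdmp names into Win32 memory semantics (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Standard winnt.h constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))
ALLOC_TYPES = ((0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"), (0x80000, "MEM_RESET"),
               (0x100000, "MEM_TOP_DOWN"), (0x20000000, "MEM_LARGE_PAGES"))

# Shape of an API line in the report:
#   VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[0-9A-Fa-f?,]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Shape of a dump name: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp
# ASSUMPTION (inferred from this page, not documented here): the fourth field is the region
# base and the fifth is a PAGE_* protection value. The sixth field is not decoded.
SDMP_NAME = re.compile(
    r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")


class VirtualAllocCall(NamedTuple):
    ref: int              # address of the call site inside the sample
    address: int          # lpAddress; 0 means the kernel picks the base
    size: int             # dwSize in bytes
    alloc_type: List[str]
    protect: str
    modifiers: List[str]


def decode_protect(value: int) -> Tuple[str, List[str]]:
    """Split an flProtect value into its base PAGE_* name and any modifier bits."""
    low = value & 0xFF
    base = PAGE_PROTECT.get(low, "PAGE_UNKNOWN(0x%x)" % low)
    mods = [name for bit, name in PAGE_MODIFIERS if value & bit]
    return base, mods


def decode_alloc_type(value: int) -> List[str]:
    """Expand an flAllocationType bitmask into MEM_* names, in ascending bit order."""
    return [name for bit, name in ALLOC_TYPES if value & bit]


def parse_virtualalloc(line: str) -> Optional[VirtualAllocCall]:
    """Decode a VirtualAlloc line; return None for other APIs or unresolved ('?') arguments."""
    m = API_LINE.search(line)
    if not m or m.group("api") != "VirtualAlloc":
        return None
    args = m.group("args").split(",")
    if len(args) != 4 or any(a == "?" for a in args):
        return None
    address, size, alloc_type, protect = (int(a, 16) for a in args)
    base, mods = decode_protect(protect)
    return VirtualAllocCall(int(m.group("ref"), 16), address, size,
                            decode_alloc_type(alloc_type), base, mods)


def is_rwx_commit(call: VirtualAllocCall) -> bool:
    """Loader staging pattern: commit a fresh RWX region at a kernel-chosen address."""
    return (call.protect == "PAGE_EXECUTE_READWRITE"
            and "MEM_COMMIT" in call.alloc_type
            and call.address == 0)


def flag_rwx_allocations(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (call-site ref, size) for every line that matches is_rwx_commit."""
    hits = []
    for line in lines:
        call = parse_virtualalloc(line)
        if call is not None and is_rwx_commit(call):
            hits.append((call.ref, call.size))
    return hits


def dump_protection(name: str) -> Optional[Tuple[int, str]]:
    """(base address, PAGE_* name) from a .sdmp name under the assumption above; None if no match."""
    m = SDMP_NAME.search(name)
    if not m:
        return None
    return int(m.group("base"), 16), decode_protect(int(m.group("prot"), 16))[0]


# Sample input. First line copied from this report; second line CONSTRUCTED as a benign
# contrast (reserve-only, read/write) that must not be flagged.
SAMPLE_API_LINES = [
    "VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A9FC",
    "VirtualAlloc.KERNELBASE(00000000,00010000,00002000,00000004), ref: 00401234",
]
SAMPLE_DUMPS = [  # copied from the "Memory Dump Source" entries above
    "00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp",
    "00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp",
]

if __name__ == "__main__":
    for ref, size in flag_rwx_allocations(SAMPLE_API_LINES):
        print("RWX commit of 0x%x bytes requested from call site 0x%08x" % (size, ref))
    for name in SAMPLE_DUMPS:
        print(name, "->", dump_protection(name))
```

Run on the report's line, `flag_rwx_allocations` returns the single hit `(0x40A9FC, 0xC000)`; the constructed reserve-only line decodes to MEM_RESERVE / PAGE_READWRITE and is ignored. The `address == 0` condition in `is_rwx_commit` is deliberate: a loader that supplies its own base address (for example to re-protect a mapped image) is a different pattern and should be judged separately rather than lumped into this check.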

      Non-executed Functions

      C-Code - Quality: 48%
      			E00413224(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v24;
      				intOrPtr _v36;
      				char _v48;
      				void* _v56;
      				intOrPtr _v64;
      				intOrPtr _v72;
      				intOrPtr _v80;
      				intOrPtr _v88;
      				char _v92;
      				signed int _v96;
      				signed int _v100;
      				intOrPtr* _v104;
      				signed int _v108;
      				signed int _v116;
      				signed int _v120;
      				char _v124;
      				signed int _v128;
      				signed int _v132;
      				signed int _v136;
      				signed int _t79;
      				signed int _t80;
      				char* _t85;
      				signed int _t90;
      				signed int _t96;
      				signed int _t101;
      				intOrPtr _t105;
      				intOrPtr _t117;
      				void* _t119;
      				signed int _t122;
      				long long _t124;
      				char _t125;
      
      				_t124 = __fp0;
      				_push(0x401266);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t117;
      				_push(0x74);
      				L00401260();
      				_v12 = _t117;
      				_v8 = 0x4011e8;
      				_push(5);
      				_push(0x411cfc);
      				_t79 =  &_v48;
      				_push(_t79);
      				L0040132C();
      				_v96 = _v96 & 0x00000000;
      				if(_v96 >= 2) {
      					L00401326();
      					_v116 = _t79;
      				} else {
      					_v116 = _v116 & 0x00000000;
      				}
      				_t80 = _v96;
      				asm("fld1");
      				 *((long long*)(_v36 + _t80 * 8)) = _t124;
      				_v96 = 1;
      				_t119 = _v96 - 2;
      				if(_t119 >= 0) {
      					L00401326();
      					_v120 = _t80;
      				} else {
      					_v120 = _v120 & 0x00000000;
      				}
      				_t105 = _v36;
      				_t125 =  *0x4011e0;
      				 *((long long*)(_t105 + _v96 * 8)) = _t125;
      				_v92 =  &_v48;
      				_push( &_v92);
      				asm("fld1");
      				_push(_t105);
      				_push(_t105);
      				_v56 = _t125;
      				L00401320();
      				L0040137A();
      				asm("fcomp qword [0x4011d8]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(_t119 != 0) {
      					if( *0x41433c != 0) {
      						_v124 = 0x41433c;
      					} else {
      						_push(0x41433c);
      						_push(0x411cb4);
      						L00401338();
      						_v124 = 0x41433c;
      					}
      					_t28 =  &_v124; // 0x41433c
      					_v96 =  *((intOrPtr*)( *_t28));
      					_t96 =  *((intOrPtr*)( *_v96 + 0x1c))(_v96,  &_v56);
      					asm("fclex");
      					_v100 = _t96;
      					if(_v100 >= 0) {
      						_v128 = _v128 & 0x00000000;
      					} else {
      						_push(0x1c);
      						_push(0x411ca4);
      						_push(_v96);
      						_push(_v100);
      						L00401356();
      						_v128 = _t96;
      					}
      					_v104 = _v56;
      					_v64 = 0x80020004;
      					_v72 = 0xa;
      					L00401260();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t101 =  *((intOrPtr*)( *_v104 + 0x60))(_v104, L"Magterobringen", 0x10);
      					asm("fclex");
      					_v108 = _t101;
      					_t122 = _v108;
      					if(_t122 >= 0) {
      						_v132 = _v132 & 0x00000000;
      					} else {
      						_push(0x60);
      						_push(0x411cc4);
      						_push(_v104);
      						_push(_v108);
      						L00401356();
      						_v132 = _t101;
      					}
      					L00401332();
      				}
      				asm("fldz");
      				L004012C6();
      				L0040137A();
      				asm("fcomp qword [0x4011d8]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(_t122 != 0) {
      					_v80 = 0x80020004;
      					_v88 = 0xa;
      					_v64 = 0x80020004;
      					_v72 = 0xa;
      					L00401260();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					L00401260();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t90 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
      					asm("fclex");
      					_v96 = _t90;
      					if(_v96 >= 0) {
      						_v136 = _v136 & 0x00000000;
      					} else {
      						_push(0x2b0);
      						_push(0x411a94);
      						_push(_a4);
      						_push(_v96);
      						L00401356();
      						_v136 = _t90;
      					}
      				}
      				_v24 = 0x7131b;
      				asm("wait");
      				_push(0x41345c);
      				_v92 =  &_v48;
      				_t85 =  &_v92;
      				_push(_t85);
      				_push(0);
      				L0040131A();
      				return _t85;
      			}

      Instruction addresses (listing gutter): 0x00413224 - 0x0041345b

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 0041323F
      • __vbaAryConstruct2.MSVBVM60(?,00411CFC,00000005,?,?,?,?,00401266), ref: 0041325C
      • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411CFC,00000005), ref: 00413271
      • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411CFC,00000005), ref: 00413297
      • #684.MSVBVM60(?,?,?), ref: 004132BF
      • __vbaFpR8.MSVBVM60(?,?,?), ref: 004132C4
      • __vbaNew2.MSVBVM60(00411CB4,0041433C,?,?,?), ref: 004132EB
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000002,00411CA4,0000001C,?,?,?,?,?,?,?), ref: 0041332F
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?), ref: 00413354
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CC4,00000060,?,?,?,?,?,?,?), ref: 0041338A
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0041339B
      • _CIcos.MSVBVM60(?,?,?), ref: 004133A2
      • __vbaFpR8.MSVBVM60(?,?,?), ref: 004133A7
      • __vbaChkstk.MSVBVM60(?,?,?), ref: 004133D6
      • __vbaChkstk.MSVBVM60(?,?,?), ref: 004133E7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411A94,000002B0), ref: 0041341E
      • __vbaAryDestruct.MSVBVM60(00000000,?,0041345C,?,?,?), ref: 00413456
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$Chkstk$CheckHresult$BoundsErrorGenerate$#684Construct2DestructFreeIcosNew2
      • String ID: <CA$Magterobringen
      • API String ID: 2333708068-3107163244
      • Opcode ID: 1b0093ce6edb01c0c64ad3f016c28a21cf3ee79a85c27e0e14de1de5fd6163c3
      • Instruction ID: a0928ec9bcb9a7d7c01dcc16b9077fa04973512805689114d4e96bd9c55d6e0e
      • Opcode Fuzzy Hash: 1b0093ce6edb01c0c64ad3f016c28a21cf3ee79a85c27e0e14de1de5fd6163c3
      • Instruction Fuzzy Hash: 2F612670D0020CEBDB10EFE5C94ABDDBBB1BF08705F20406AE915BB2A1C7B919859F49
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 56%
      			E00412AC4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, char* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v28;
      				signed int _v32;
      				char _v48;
      				short _v52;
      				void* _v56;
      				intOrPtr _v64;
      				char _v72;
      				char* _v80;
      				char _v88;
      				short _v92;
      				short _t45;
      				intOrPtr* _t46;
      				signed int _t48;
      				char* _t52;
      				char* _t53;
      				void* _t68;
      				void* _t70;
      				intOrPtr _t71;
      
      				_t71 = _t70 - 0xc;
      				 *[fs:0x0] = _t71;
      				L00401260();
      				_v16 = _t71;
      				_v12 = 0x401108;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401266, _t68);
      				_v64 = 0x80020004;
      				_v72 = 0xa;
      				_t45 =  &_v72;
      				_push(_t45);
      				L004013C8();
      				_v52 = _t45;
      				L004013C2();
      				_t46 = _a8;
      				_push( *_t46);
      				_push(0x411c5c);
      				L004013BC();
      				if(_t46 != 0) {
      					_v80 = _a8;
      					_v88 = 0x4008;
      					_push(0);
      					_t48 =  &_v88;
      					_push(_t48);
      					L004013B0();
      					L004013B6();
      					_push(_t48);
      					_push(0x411c5c);
      					L004013BC();
      					asm("sbb eax, eax");
      					_v92 =  ~( ~_t48 + 1);
      					L004013AA();
      					_t52 = _v92;
      					if(_t52 == 0) {
      						_t53 = _a8;
      						_push( *_t53);
      						_push(_v52);
      						_push(0xffffffff);
      						_push(1);
      						L004013A4();
      						while(1) {
      							_push(_v52);
      							L0040139E();
      							_t52 = _t53;
      							if(_t52 != 0) {
      								break;
      							}
      							_push(_v52);
      							_push( &_v28);
      							L00401398();
      							_v80 =  &_v28;
      							_v88 = 0x4008;
      							_push(0x10);
      							L00401260();
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							_push(1);
      							_push("Add");
      							_t53 =  &_v48;
      							_push(_t53);
      							L0040138C();
      							_push(_t53);
      							L00401392();
      							_t71 = _t71 + 0x1c;
      						}
      						_push(_v52);
      						L00401386();
      						L00401380();
      						_v32 = _v32 | 0x0000ffff;
      					} else {
      						_v32 = _v32 & 0x00000000;
      					}
      				} else {
      					_v32 = _v32 & 0x00000000;
      				}
      				_push(0x412c33);
      				L004013AA();
      				L004013C2();
      				return _t52;
      			}

      Instruction addresses (listing gutter): 0x00412ac7 - 0x00412c32

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 00412AE0
      • #648.MSVBVM60(0000000A), ref: 00412B16
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 00412B22
      • __vbaStrCmp.MSVBVM60(00411C5C,?,0000000A), ref: 00412B31
      • #645.MSVBVM60(?,00000000,00411C5C,?,0000000A), ref: 00412B57
      • __vbaStrMove.MSVBVM60(?,00000000,00411C5C,?,0000000A), ref: 00412B61
      • __vbaStrCmp.MSVBVM60(00411C5C,00000000,?,00000000,00411C5C,?,0000000A), ref: 00412B6C
      • __vbaFreeStr.MSVBVM60(00411C5C,00000000,?,00000000,00411C5C,?,0000000A), ref: 00412B7F
      • __vbaFreeStr.MSVBVM60(00412C33,?,?,00000001,000000FF,?,?,00411C5C,00000000,?,00000000,00411C5C,?,0000000A), ref: 00412C25
      • __vbaFreeVar.MSVBVM60(00412C33,?,?,00000001,000000FF,?,?,00411C5C,00000000,?,00000000,00411C5C,?,0000000A), ref: 00412C2D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$Free$#645#648ChkstkMove
      • String ID: Add
      • API String ID: 4182468812-3310826759
      • Opcode ID: 8d1c35165536c5a30a7bddccebdea8125c3255f3c9420e85fe13735d1084a622
      • Instruction ID: ea73f89a1b4ee3f02bc1f7b6366c60c79a9ad2bc872a98d6a187b6d261dac76e
      • Opcode Fuzzy Hash: 8d1c35165536c5a30a7bddccebdea8125c3255f3c9420e85fe13735d1084a622
      • Instruction Fuzzy Hash: E7416F71D50208AADF00EFE5C942BDE7BB8AF04704F10412AFA01FB1E1EB7C95558B59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 60%
      			E004136A5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr* _v16;
      				short _v28;
      				short _v32;
      				char _v36;
      				void* _v40;
      				signed int _v44;
      				signed int _v48;
      				void* _v52;
      				signed int _v56;
      				signed int _v68;
      				char _v72;
      				signed int _v76;
      				signed int _v80;
      				void* _t53;
      				signed int _t59;
      				signed int _t64;
      				short _t65;
      				signed int _t68;
      				void* _t74;
      				void* _t76;
      				intOrPtr* _t77;
      
      				_t77 = _t76 - 0xc;
      				 *[fs:0x0] = _t77;
      				L00401260();
      				_v16 = _t77;
      				_v12 = 0x401248;
      				_v8 = 0;
      				_t53 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401266, _t74);
      				_push(0x411d48);
      				L004012FC();
      				asm("fcomp qword [0x4011e0]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(__eflags != 0) {
      					L004012F6();
      					_v52 =  *0x40123c;
      					_v56 =  *0x401238;
      					 *_t77 =  *0x401234;
      					 *_t77 =  *0x401230;
      					_t68 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, __ecx, __ecx, __ecx, __ecx, _t53);
      					asm("fclex");
      					_v44 = _t68;
      					if(_v44 >= 0) {
      						_t15 =  &_v68;
      						 *_t15 = _v68 & 0x00000000;
      						__eflags =  *_t15;
      					} else {
      						_push(0x2c8);
      						_push(0x411a94);
      						_push(_a4);
      						_push(_v44);
      						L00401356();
      						_v68 = _t68;
      					}
      				}
      				if( *0x41433c != 0) {
      					_v72 = 0x41433c;
      				} else {
      					_push(0x41433c);
      					_push(0x411cb4);
      					L00401338();
      					_v72 = 0x41433c;
      				}
      				_t19 =  &_v72; // 0x41433c
      				_v44 =  *((intOrPtr*)( *_t19));
      				_t59 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
      				asm("fclex");
      				_v48 = _t59;
      				if(_v48 >= 0) {
      					_t30 =  &_v76;
      					 *_t30 = _v76 & 0x00000000;
      					__eflags =  *_t30;
      				} else {
      					_push(0x14);
      					_push(0x411ca4);
      					_push(_v44);
      					_push(_v48);
      					L00401356();
      					_v76 = _t59;
      				}
      				_v52 = _v36;
      				_t64 =  *((intOrPtr*)( *_v52 + 0x120))(_v52,  &_v40);
      				asm("fclex");
      				_v56 = _t64;
      				if(_v56 >= 0) {
      					_t43 =  &_v80;
      					 *_t43 = _v80 & 0x00000000;
      					__eflags =  *_t43;
      				} else {
      					_push(0x120);
      					_push(0x411d4c);
      					_push(_v52);
      					_push(_v56);
      					L00401356();
      					_v80 = _t64;
      				}
      				_t65 = _v40;
      				_v32 = _t65;
      				L00401332();
      				_v28 = 0xf6;
      				asm("wait");
      				_push(0x413835);
      				return _t65;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 004136C1
      • __vbaR8Str.MSVBVM60(00411D48,?,?,?,?,00401266), ref: 004136EA
      • __vbaFpI4.MSVBVM60(00411D48,?,?,?,?,00401266), ref: 00413700
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401248,00411A94,000002C8), ref: 00413759
      • __vbaNew2.MSVBVM60(00411CB4,0041433C,00411D48,?,?,?,?,00401266), ref: 0041377A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CA4,00000014), ref: 004137BE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411D4C,00000120), ref: 004137FF
      • __vbaFreeObj.MSVBVM60 ref: 00413818
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$CheckHresult$ChkstkFreeNew2
      • String ID: <CA
      • API String ID: 1616694062-146778150
      • Opcode ID: f96ea6ad3510bf82250a3226fff21a8e05f78186b42e1aa49a43a2c90145eafe
      • Instruction ID: 300cebd31de005c86781198ab8f3b1bdce045228a1d9763ac542530ea5886079
      • Opcode Fuzzy Hash: f96ea6ad3510bf82250a3226fff21a8e05f78186b42e1aa49a43a2c90145eafe
      • Instruction Fuzzy Hash: 3D4132B1900208EFDB00AF95DA49BDDBFB0FF08705F1080AAF501B62A0D3784991DF69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 33%
      			E004130BC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				long long _v28;
      				void* _v32;
      				signed int _v36;
      				signed int _v40;
      				intOrPtr* _v44;
      				signed int _v48;
      				signed int _v56;
      				char _v60;
      				signed int _v64;
      				signed int _v68;
      				signed int _t44;
      				signed int _t50;
      				signed int _t56;
      				intOrPtr _t64;
      
      				_push(0x401266);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t64;
      				_push(0x30);
      				L00401260();
      				_v12 = _t64;
      				_v8 = 0x4011c8;
      				L004012DE();
      				L0040137A();
      				asm("fcomp qword [0x4011b8]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(__eflags != 0) {
      					_t56 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x30ef);
      					asm("fclex");
      					_v36 = _t56;
      					if(_v36 >= 0) {
      						_t11 =  &_v56;
      						 *_t11 = _v56 & 0x00000000;
      						__eflags =  *_t11;
      					} else {
      						_push(0x254);
      						_push(0x411a94);
      						_push(_a4);
      						_push(_v36);
      						L00401356();
      						_v56 = _t56;
      					}
      				}
      				_t44 = 0;
      				if(0 != 0) {
      					if( *0x41433c != 0) {
      						_v60 = 0x41433c;
      					} else {
      						_push(0x41433c);
      						_push(0x411cb4);
      						L00401338();
      						_v60 = 0x41433c;
      					}
      					_t15 =  &_v60; // 0x41433c
      					_v36 =  *((intOrPtr*)( *_t15));
      					_t50 =  *((intOrPtr*)( *_v36 + 0x1c))(_v36,  &_v32);
      					asm("fclex");
      					_v40 = _t50;
      					if(_v40 >= 0) {
      						_t26 =  &_v64;
      						 *_t26 = _v64 & 0x00000000;
      						__eflags =  *_t26;
      					} else {
      						_push(0x1c);
      						_push(0x411ca4);
      						_push(_v36);
      						_push(_v40);
      						L00401356();
      						_v64 = _t50;
      					}
      					_v44 = _v32;
      					_t44 =  *((intOrPtr*)( *_v44 + 0x50))(_v44);
      					asm("fclex");
      					_v48 = _t44;
      					if(_v48 >= 0) {
      						_t38 =  &_v68;
      						 *_t38 = _v68 & 0x00000000;
      						__eflags =  *_t38;
      					} else {
      						_push(0x50);
      						_push(0x411cc4);
      						_push(_v44);
      						_push(_v48);
      						L00401356();
      						_v68 = _t44;
      					}
      					L00401332();
      				}
      				_v28 =  *0x4011b0;
      				asm("wait");
      				_push(0x413209);
      				return _t44;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 004130D7
      • _CIsqrt.MSVBVM60(?,?,?,?,00401266), ref: 004130EF
      • __vbaFpR8.MSVBVM60(?,?,?,?,00401266), ref: 004130F4
      • __vbaHresultCheckObj.MSVBVM60(?,?,00411A94,00000254,?,?,?,?,00401266), ref: 00413132
      • __vbaNew2.MSVBVM60(00411CB4,0041433C,?,?,?,?,00401266), ref: 0041315D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CA4,0000001C,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 004131A1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411CC4,00000050,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 004131D8
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 004131E9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$CheckHresult$ChkstkFreeIsqrtNew2
      • String ID: <CA
      • API String ID: 987039556-146778150
      • Opcode ID: 4dbf5570daa6793587fed77467ed837a6675b91ccb8510ea789099720da00c52
      • Instruction ID: b10ade7f8230d867041c5977717b5a677dd8999904dca6c0403a0626d3744e73
      • Opcode Fuzzy Hash: 4dbf5570daa6793587fed77467ed837a6675b91ccb8510ea789099720da00c52
      • Instruction Fuzzy Hash: 73410471A40608EFDF00AFA6C949BDDBBB4FB08756F10406AF501B62A1D7794985DB28
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E00413477(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				short _v28;
      				char _v44;
      				intOrPtr _v52;
      				char _v60;
      				intOrPtr _v68;
      				char _v76;
      				intOrPtr _v84;
      				char _v92;
      				char* _v100;
      				intOrPtr _v108;
      				char* _t30;
      				void* _t43;
      				void* _t45;
      				intOrPtr _t46;
      
      				_t46 = _t45 - 0xc;
      				 *[fs:0x0] = _t46;
      				L00401260();
      				_v16 = _t46;
      				_v12 = 0x4011f8;
      				_v8 = 0;
      				_t30 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401266, _t43);
      				_push(0x411d18);
      				L00401314();
      				if(_t30 != 2) {
      					_v84 = 0x80020004;
      					_v92 = 0xa;
      					_v68 = 0x80020004;
      					_v76 = 0xa;
      					_v52 = 0x80020004;
      					_v60 = 0xa;
      					_v100 = L"HEPATATROPHY";
      					_v108 = 8;
      					L0040136E();
      					_push( &_v92);
      					_push( &_v76);
      					_push( &_v60);
      					_push(0);
      					_push( &_v44);
      					L0040130E();
      					_push( &_v92);
      					_push( &_v76);
      					_push( &_v60);
      					_t30 =  &_v44;
      					_push(_t30);
      					_push(4);
      					L00401308();
      				}
      				_push(0x411d40);
      				L00401302();
      				if(_t30 == 0x61) {
      					_v28 = 0x32bb;
      				}
      				_push(0x413577);
      				return _t30;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 00413495
      • __vbaLenBstrB.MSVBVM60(00411D18,?,?,?,?,00401266), ref: 004134BE
      • __vbaVarDup.MSVBVM60 ref: 00413506
      • #595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0041351D
      • __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 00413534
      • #516.MSVBVM60(00411D40,00411D18,?,?,?,?,00401266), ref: 00413541
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$#516#595BstrChkstkFreeList
      • String ID: HEPATATROPHY
      • API String ID: 3121728414-4183309565
      • Opcode ID: 2e9c1ba4c55e21c7e1a2a77e49d6f49597a05859cb00731727006098de2112ba
      • Instruction ID: 74befddf94c26c140d0e18f8d059a5cd873ba74861c5d6fc72bb90b18cf64105
      • Opcode Fuzzy Hash: 2e9c1ba4c55e21c7e1a2a77e49d6f49597a05859cb00731727006098de2112ba
      • Instruction Fuzzy Hash: 86211DB1900248EBDB01DFC4D885BDEBBB9FF04704F50402AF501BB191D7789685CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E004135A0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr* _v12;
      				void* _v24;
      				char _v32;
      				char _v40;
      				signed int _v60;
      				signed int _v68;
      				void* _t20;
      				char* _t21;
      				signed int _t24;
      				intOrPtr* _t35;
      
      				_push(__ecx);
      				_push(__ecx);
      				_push(0x401266);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t35;
      				_t20 = 0x30;
      				L00401260();
      				_v12 = _t35;
      				_v8 = 0x401220;
      				_push(0x411d48);
      				L004012FC();
      				asm("fcomp qword [0x4011e0]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(__eflags != 0) {
      					L004012F6();
      					 *_t35 =  *0x401214;
      					 *_t35 =  *0x401210;
      					 *_t35 =  *0x40120c;
      					 *_t35 =  *0x401208;
      					_t24 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, __ecx, __ecx, __ecx, __ecx, _t20);
      					asm("fclex");
      					_v60 = _t24;
      					if(_v60 >= 0) {
      						_t11 =  &_v68;
      						 *_t11 = _v68 & 0x00000000;
      						__eflags =  *_t11;
      					} else {
      						_push(0x2c8);
      						_push(0x411a94);
      						_push(_a4);
      						_push(_v60);
      						L00401356();
      						_v68 = _t24;
      					}
      				}
      				_v32 = 2;
      				_v40 = 2;
      				_t21 =  &_v40;
      				_push(_t21);
      				L004012F0();
      				L004013B6();
      				L004013C2();
      				asm("wait");
      				_push(0x413692);
      				L004013AA();
      				return _t21;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401266), ref: 004135BB
      • __vbaR8Str.MSVBVM60(00411D48,?,?,?,?,00401266), ref: 004135D2
      • __vbaFpI4.MSVBVM60(00411D48,?,?,?,?,00401266), ref: 004135E8
      • __vbaHresultCheckObj.MSVBVM60(?,?,00411A94,000002C8,?,?,?,?,00000000,00411D48,?,?,?,?,00401266), ref: 00413641
      • #536.MSVBVM60(?,00411D48,?,?,?,?,00401266), ref: 00413661
      • __vbaStrMove.MSVBVM60(?,00411D48,?,?,?,?,00401266), ref: 0041366B
      • __vbaFreeVar.MSVBVM60(?,00411D48,?,?,?,?,00401266), ref: 00413673
      • __vbaFreeStr.MSVBVM60(00413692,?,00411D48,?,?,?,?,00401266), ref: 0041368C
      Memory Dump Source
      • Source File: 00000000.00000002.716326860.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.716291619.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.716425543.0000000000414000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.716443368.0000000000416000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_cosmic.jbxd
      Similarity
      • API ID: __vba$Free$#536CheckChkstkHresultMove
      • String ID:
      • API String ID: 2640481455-0
      • Opcode ID: 932e790cc74d014b77b57394c2cb30835f9a46dd5d06f34ae459bfa666bbde8c
      • Instruction ID: 437083701aaf1806db2157206c0ba521b8b5d6cd06d66c7fbd4dff1ba073e182
      • Opcode Fuzzy Hash: 932e790cc74d014b77b57394c2cb30835f9a46dd5d06f34ae459bfa666bbde8c
      • Instruction Fuzzy Hash: 1F213AB0901208FFDB00EF91DA4ABAEBBB4FB04B45F1045AEF141B61B1C7785A509B5D
      Uniqueness

      Uniqueness Score: -1.00%