Play interactive tour

Edit tour

Analysis Report Transferencia.exe

Overview

General Information

Sample Name:	Transferencia.exe
Analysis ID:	384290
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contain functionality to detect virtual machines

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Transferencia.exe (PID: 1956 cmdline: 'C:\Users\user\Desktop\Transferencia.exe' MD5: 7C22C3E3B8726DD1B03E69C203590026)

RegAsm.exe (PID: 1324 cmdline: 'C:\Users\user\Desktop\Transferencia.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 1332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 1324	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Transferencia.exe	Virustotal: Detection: 28%			Perma Link
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Show sources

Source: Transferencia.exe

Joe Sandbox ML: detected

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE LoadLibraryA,InternetReadFile,

10_2_00DC88DE

Source: RegAsm.exe, 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp

String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFgTfWB-AllHwx8q

Source: C:\Users\user\Desktop\Transferencia.exe

Code function: 0_2_004145B8 OpenClipboard,

0_2_004145B8

Source: C:\Users\user\Desktop\Transferencia.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC849A NtProtectVirtualMemory,	10_2_00DC849A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2C3F NtSetInformationThread,	10_2_00DC2C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0BF8 NtSetInformationThread,LoadLibraryA,	10_2_00DC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0724 EnumWindows,NtSetInformationThread,	10_2_00DC0724
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC64F1 NtSetInformationThread,	10_2_00DC64F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC08E7 NtSetInformationThread,	10_2_00DC08E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC08BA NtSetInformationThread,	10_2_00DC08BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0848 NtSetInformationThread,	10_2_00DC0848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC084A NtSetInformationThread,	10_2_00DC084A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC844B NtProtectVirtualMemory,	10_2_00DC844B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0878 NtSetInformationThread,	10_2_00DC0878
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC846D NtProtectVirtualMemory,	10_2_00DC846D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC6409 NtSetInformationThread,LoadLibraryA,	10_2_00DC6409
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC09C6 NtSetInformationThread,	10_2_00DC09C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC09FC NtSetInformationThread,	10_2_00DC09FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC69E2 NtSetInformationThread,	10_2_00DC69E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC099A NtSetInformationThread,	10_2_00DC099A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0942 NtSetInformationThread,	10_2_00DC0942
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC096A NtSetInformationThread,	10_2_00DC096A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0AC7 NtSetInformationThread,	10_2_00DC0AC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0A6E NtSetInformationThread,	10_2_00DC0A6E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0A24 NtSetInformationThread,	10_2_00DC0A24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7BEA NtSetInformationThread,	10_2_00DC7BEA

Source: Transferencia.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Transferencia.exe, 00000000.00000000.192474638.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XPr vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X7s vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XSq vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X:vR vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.518045434.0000000002890000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Transferencia.exe
Source: Transferencia.exe	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1332:120:WilError_01

Source: C:\Users\user\Desktop\Transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE80FAB2DF37D26B6.TMP

Jump to behavior

Source: Transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Transferencia.exe	Virustotal: Detection: 28%
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1324, type: MEMORY

Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404E48 pushfd ; iretd	0_2_00404E49
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404049 pushfd ; iretd	0_2_0040404D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040904D push eax; ret	0_2_00409056
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020CE pushfd ; iretd	0_2_004020FD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402EEA push dword ptr [edi-4B012F33h]; retf	0_2_00402EFD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020FE pushfd ; iretd	0_2_00402101
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00407E96 push esi; iretd	0_2_00407E9D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040336C push fs; ret	0_2_00403405
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408F70 push eax; ret	0_2_00408F7E
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408976 push eax; ret	0_2_0040897A
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402302 pushfd ; iretd	0_2_00402305
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040911A push eax; iretd	0_2_00409182
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402BD9 pushfd ; iretd	0_2_00402BE1
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402F92 pushfd ; iretd	0_2_00402F95

Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		10_2_00DC421B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		10_2_00DC4236

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0CFF LoadLibraryA,	10_2_00DC0CFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0BF8 NtSetInformationThread,LoadLibraryA,	10_2_00DC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0CBA	10_2_00DC0CBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0C23	10_2_00DC0C23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC1DBB LoadLibraryA,	10_2_00DC1DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0D04	10_2_00DC0D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E0C LoadLibraryA,	10_2_00DC7E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC0B8E	10_2_00DC0B8E

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000503DB0 second address: 0000000000503DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F16884CF258h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F16884CF272h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F16884CF1ACh 0x00000031 push ecx 0x00000032 jmp 00007F16884CF272h 0x00000034 push esi 0x00000035 jmp 00007F16884CF297h 0x00000037 call 00007F16884CF22Ch 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F16884CF2C8h 0x00000045 call 00007F16884CF268h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000507E3E second address: 0000000000507E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500CE2 second address: 0000000000500CE2 instructions:

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Transferencia.exe, 00000000.00000002.517554355.00000000006A9000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE:
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000503DB0 second address: 0000000000503DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F16884CF258h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F16884CF272h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F16884CF1ACh 0x00000031 push ecx 0x00000032 jmp 00007F16884CF272h 0x00000034 push esi 0x00000035 jmp 00007F16884CF297h 0x00000037 call 00007F16884CF22Ch 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F16884CF2C8h 0x00000045 call 00007F16884CF268h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000504092 second address: 0000000000504092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F168903D370h 0x0000001d popad 0x0000001e call 00007F1689039E45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000507E3E second address: 0000000000507E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500CE2 second address: 0000000000500CE2 instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000500FA9 second address: 0000000000501036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F16884CF276h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F16884CEAFFh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F16884CF27Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000DC4092 second address: 0000000000DC4092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F168903D370h 0x0000001d popad 0x0000001e call 00007F1689039E45h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000DC0FA9 second address: 0000000000DC1036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F16884CF276h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F16884CEAFFh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F16884CF27Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE rdtsc

10_2_00DC88DE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

API coverage: 7.8 %

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1260

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Transferencia.exe, 00000000.00000002.517554355.00000000006A9000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe:

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC2C3F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000

10_2_00DC2C3F

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC88DE rdtsc

10_2_00DC88DE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_00DC5079 LdrInitializeThunk,

10_2_00DC5079

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC60E3 mov eax, dword ptr fs:[00000030h]	10_2_00DC60E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC29E7 mov eax, dword ptr fs:[00000030h]	10_2_00DC29E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC299C mov eax, dword ptr fs:[00000030h]	10_2_00DC299C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC29A6 mov eax, dword ptr fs:[00000030h]	10_2_00DC29A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC26DC mov eax, dword ptr fs:[00000030h]	10_2_00DC26DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2696 mov eax, dword ptr fs:[00000030h]	10_2_00DC2696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2684 mov eax, dword ptr fs:[00000030h]	10_2_00DC2684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC6E17 mov eax, dword ptr fs:[00000030h]	10_2_00DC6E17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E0C mov eax, dword ptr fs:[00000030h]	10_2_00DC7E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC2A37 mov eax, dword ptr fs:[00000030h]	10_2_00DC2A37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC7E22 mov eax, dword ptr fs:[00000030h]	10_2_00DC7E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC1FD0 mov eax, dword ptr fs:[00000030h]	10_2_00DC1FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_00DC3B32 mov eax, dword ptr fs:[00000030h]	10_2_00DC3B32

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000A.00000002.587019635.0000000001600000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection2	Virtualization/Sandbox Evasion421	OS Credential Dumping	Security Software Discovery921	Remote Services	Clipboard Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection2	LSASS Memory	Virtualization/Sandbox Evasion421	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Transferencia.exe	29%	Virustotal		Browse
Transferencia.exe	69%	ReversingLabs	Win32.Backdoor.Convagent
Transferencia.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384290
Start date:	08.04.2021
Start time:	21:17:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Transferencia.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.6% (good quality ratio 66.2%) Quality average: 39.4% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 73% Number of executed functions: 115 Number of non-executed functions: 17
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 52.147.198.201, 168.61.161.212, 95.100.54.203, 172.217.168.14 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, drive.google.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7314228952467845
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Transferencia.exe
File size:	122880
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
SHA512:	bea857c957f771e3b7c24a3e9770da90766f3c8bf2af74fa79a7b2e9a372b55a1fe628dd72f0744ac1e99d63527e72092dfc47bc2e9b09e2c84030e25f519625
SSDEEP:	1536:yGouBnMJDe1Rd/tnt+5vAQlhI2k1c8VtK9ihGo:yGZBn5j+3I2gtVtK9ihG
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L....{.O.................p...`......(.............@................

File Icon


Icon Hash:	0ccea09899191898

Static PE Info

General
Entrypoint:	0x401328
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4F8F7B90 [Thu Apr 19 02:42:24 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	efa774b90ad6b9ab8c4fabb031ebe78d

Entrypoint Preview

Instruction
push 00413E10h
call 00007F1688DD5365h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jl 00007F1688DD5364h
fisub dword ptr [edi]
mov bh, 3Fh
sti
inc eax
or dword ptr [edi-6Fh], 17349181h
push esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [esi+53018250h], al
push 7372656Fh
aaa
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub bl, dl
aam 67h
dec esi
add dword ptr [ebp-6Ah], DE15A246h
inc dword ptr [edx]
sal byte ptr [ebx-5D2637B1h], 00000045h
push ecx
jc 00007F1688DD534Ah
dec ebp
sahf
pop ds
in al, dx
dec ebx
inc esi
push esp
mov word ptr [edi+33AD4F3Ah], seg?
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ebp, D8000129h
inc esp
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx+eax*2+53h], cl
push esp
inc ebp
push eax
inc ecx
dec esp
dec esp
add byte ptr [62000701h], cl
insb
jo 00007F1688DD53DBh
popad
jc 00007F1688DD5372h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17614	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x4856	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xd4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16a04	0x17000	False	0.347465183424	data	6.19151280258	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x18000	0xa88	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x4856	0x5000	False	0.4142578125	data	4.36602718987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1b2ae	0x25a8	data
RT_ICON	0x1a206	0x10a8	data
RT_ICON	0x1987e	0x988	data
RT_ICON	0x19416	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x193d8	0x3e	data
RT_VERSION	0x19180	0x258	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	YCIETRA
FileVersion	3.00
CompanyName	Salty
Comments	Salty
ProductName	Salty
ProductVersion	3.00
FileDescription	Salty
OriginalFilename	YCIETRA.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 21:17:48.342315912 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:48.355184078 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:50.509349108 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:50.524214029 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:51.181819916 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:51.197040081 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:51.860984087 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:51.873694897 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:52.752033949 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:52.765578032 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:53.476093054 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:53.489474058 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:54.170295000 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:54.183653116 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:55.128566980 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:55.142463923 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:55.759937048 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:55.772763968 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:56.524694920 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:56.539074898 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:57.306094885 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:57.319078922 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:58.121081114 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:58.133268118 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:58.802112103 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:58.815773010 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 8, 2021 21:17:59.425882101 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:17:59.439336061 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 8, 2021 21:18:00.184001923 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:18:00.197241068 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 8, 2021 21:18:00.819571972 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:18:00.831968069 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 8, 2021 21:18:01.851623058 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:18:01.864420891 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 8, 2021 21:18:27.940393925 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:18:27.981368065 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 8, 2021 21:19:29.645251989 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 8, 2021 21:19:29.670944929 CEST	53	50540	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Transferencia.exe PID: 1956 Parent PID: 5560

General

Start time:	21:17:54
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Transferencia.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Transferencia.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	7C22C3E3B8726DD1B03E69C203590026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 1324 Parent PID: 1956

General

Start time:	21:19:20
Start date:	08/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Transferencia.exe'
Imagebase:	0x9f0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1332 Parent PID: 1324

General

Start time:	21:19:20
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Transferencia.exe PID: 1956 Parent PID: 5560 Transferencia.exeCOMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	8.6%
Signature Coverage:	0%
Total number of Nodes:	139
Total number of Limit Nodes:	16

Executed Functions

Function 00416164, Relevance: 151.4, APIs: 82, Strings: 4, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00416164(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				void* _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				char _v96;
				char _v100;
				signed int _v104;
				char _v108;
				intOrPtr _v116;
				char _v124;
				signed int _v132;
				char _v140;
				signed int _v148;
				char _v156;
				signed int _v164;
				char _v172;
				short _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				char _v192;
				signed int _v196;
				signed int _v200;
				void* _v204;
				signed int _v208;
				signed int _v212;
				char _v228;
				char _v244;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				intOrPtr* _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				intOrPtr* _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				intOrPtr* _v344;
				signed int _v348;
				signed int _v352;
				intOrPtr* _v356;
				signed int _v360;
				signed int _v364;
				intOrPtr* _v368;
				intOrPtr* _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				char _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				intOrPtr* _v404;
				short _v408;
				char _v412;
				signed int _v416;
				signed int _t483;
				signed int _t489;
				signed int _t494;
				signed int* _t495;
				signed int _t500;
				signed int _t506;
				signed int _t512;
				char* _t514;
				signed int _t517;
				signed int _t523;
				signed int _t526;
				intOrPtr _t531;
				signed int _t535;
				char* _t539;
				signed int _t540;
				char* _t546;
				signed int _t550;
				signed int _t554;
				signed int* _t558;
				signed int _t562;
				signed int _t572;
				signed int _t581;
				signed int _t586;
				signed int _t595;
				signed int _t599;
				signed int _t603;
				signed int _t610;
				signed int _t614;
				signed int* _t618;
				signed int _t625;
				char* _t630;
				void* _t631;
				char* _t637;
				signed int _t643;
				signed int _t647;
				signed int* _t648;
				signed int _t651;
				signed int _t656;
				char* _t669;
				char* _t676;
				signed int* _t679;
				void* _t714;
				void* _t716;
				intOrPtr _t717;
				void* _t718;
				void* _t719;
				void* _t742;

				_t717 = _t716 - 0x18;
				 *[fs:0x0] = _t717;
				L004011F0();
				_v28 = _t717;
				_v24 = E004010D8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t714);
				_v8 = 1;
				_v8 = 2;
				L0040130A();
				_v8 = 3;
				_t483 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 0xffffffff);
				asm("fclex");
				_v196 = _t483;
				if(_v196 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x4141b0);
					_push(_a4);
					_push(_v196);
					L00401304();
					_v284 = _t483;
				}
				_v8 = 4;
				if( *0x41831c != 0) {
					_v288 = 0x41831c;
				} else {
					_push(0x41831c);
					_push(0x414720);
					L004012FE();
					_v288 = 0x41831c;
				}
				_v196 =  *_v288;
				_t489 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v100);
				asm("fclex");
				_v200 = _t489;
				if(_v200 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x414710);
					_push(_v196);
					_push(_v200);
					L00401304();
					_v292 = _t489;
				}
				_v204 = _v100;
				_t494 =  *((intOrPtr*)( *_v204 + 0x100))(_v204,  &_v180);
				asm("fclex");
				_v208 = _t494;
				if(_v208 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x414730);
					_push(_v204);
					_push(_v208);
					L00401304();
					_v296 = _t494;
				}
				_t495 =  &_v88;
				L004012F8();
				E00414528(); // executed
				_v184 = _t495;
				L004012F2();
				_v80 = _v184;
				L004012EC();
				L004012E6();
				_v8 = 5;
				_v8 = 7;
				_t500 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v180, _v180, _t495, _t495, L"c:\\windows\\logow.sys", 0, 0x140, 0xc8, 0x10);
				asm("fclex");
				_v196 = _t500;
				if(_v196 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4141b0);
					_push(_a4);
					_push(_v196);
					L00401304();
					_v300 = _t500;
				}
				_push(_v180);
				E004145B8();
				L004012F2();
				_v8 = 8;
				E00414610();
				L004012F2();
				_v8 = 9;
				_push(_v80);
				_push(2);
				E0041465C();
				L004012F2();
				_v8 = 0xa;
				_push(2);
				E004146B0();
				_v180 = _t500;
				L004012F2();
				_v8 = 0xc;
				E00414570();
				L004012F2();
				_v8 = 0xd;
				if( *0x41831c != 0) {
					_v304 = 0x41831c;
				} else {
					_push(0x41831c);
					_push(0x414720);
					L004012FE();
					_v304 = 0x41831c;
				}
				_v196 =  *_v304;
				_t506 =  *((intOrPtr*)( *_v196 + 0x1c))(_v196,  &_v100);
				asm("fclex");
				_v200 = _t506;
				if(_v200 >= 0) {
					_v308 = _v308 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x414710);
					_push(_v196);
					_push(_v200);
					L00401304();
					_v308 = _t506;
				}
				_v204 = _v100;
				_v132 = 2;
				_v140 = 3;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t512 =  *((intOrPtr*)( *_v204 + 0x54))(_v204, 0x10,  &_v104);
				asm("fclex");
				_v208 = _t512;
				if(_v208 >= 0) {
					_v312 = _v312 & 0x00000000;
				} else {
					_push(0x54);
					_push(0x414770);
					_push(_v204);
					_push(_v208);
					L00401304();
					_v312 = _t512;
				}
				_v268 = _v104;
				_v104 = _v104 & 0x00000000;
				_t514 =  &_v108;
				L004012E0();
				_t517 =  *((intOrPtr*)( *_a4 + 0x154))(_a4, _t514, _t514, _v268);
				asm("fclex");
				_v212 = _t517;
				if(_v212 >= 0) {
					_v316 = _v316 & 0x00000000;
				} else {
					_push(0x154);
					_push(0x4141b0);
					_push(_a4);
					_push(_v212);
					L00401304();
					_v316 = _t517;
				}
				_push( &_v108);
				_push( &_v100);
				_push(2);
				L004012DA();
				_t718 = _t717 + 0xc;
				_v8 = 0xe;
				if( *0x418010 != 0) {
					_v320 = 0x418010;
				} else {
					_push(0x418010);
					_push(0x414948);
					L004012FE();
					_v320 = 0x418010;
				}
				_t523 =  &_v100;
				L004012E0();
				_v196 = _t523;
				_t526 =  *((intOrPtr*)( *_v196 + 0x1f8))(_v196, _t523,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x380))( *_v320));
				asm("fclex");
				_v200 = _t526;
				if(_v200 >= 0) {
					_v324 = _v324 & 0x00000000;
				} else {
					_push(0x1f8);
					_push(0x414780);
					_push(_v196);
					_push(_v200);
					L00401304();
					_v324 = _t526;
				}
				L004012E6();
				_v8 = 0xf;
				_v132 = L"greenfield";
				_v140 = 8;
				_v192 = 0x3b1d5c60;
				_v188 = 0x5af4;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t531 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v192, 0x10);
				_v8 = 0x10;
				L004012D4();
				_v60 = _t531;
				_v8 = 0x11;
				_t535 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v192);
				_v196 = _t535;
				if(_v196 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x4141e0);
					_push(_a4);
					_push(_v196);
					L00401304();
					_v328 = _t535;
				}
				_v76 = _v192;
				_v72 = _v188;
				_v8 = 0x12;
				_push(0xb);
				_push(0xb);
				_push(0x7db);
				_push( &_v124);
				L004012C8();
				_t539 =  &_v124;
				_push(_t539);
				L004012CE();
				_v196 =  ~(0 | _t539 != 0x0000ffff);
				_t669 =  &_v124;
				L004012C2();
				_t540 = _v196;
				if(_t540 != 0) {
					_v8 = 0x13;
					L004012BC();
					_t656 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t540);
					asm("fclex");
					_v196 = _t656;
					if(_v196 >= 0) {
						_v332 = _v332 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x4141b0);
						_push(_a4);
						_push(_v196);
						L00401304();
						_v332 = _t656;
					}
				}
				_v8 = 0x15;
				_v132 = 1;
				_v140 = 2;
				_v148 = 0x1c977;
				_v156 = 3;
				_v164 = _v164 & 0x00000000;
				_v172 = 2;
				_push( &_v140);
				_push( &_v156);
				_push( &_v172);
				_push( &_v244);
				_push( &_v228);
				_t546 =  &_v52;
				_push(_t546);
				L004012B6();
				_v272 = _t546;
				while(_v272 != 0) {
					_v8 = 0x16;
					if( *0x418010 != 0) {
						_v336 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v336 = 0x418010;
					}
					_t550 =  &_v100;
					L004012E0();
					_v196 = _t550;
					_t554 =  *((intOrPtr*)( *_v196 + 0x48))(_v196,  &_v88, _t550,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x330))( *_v336));
					asm("fclex");
					_v200 = _t554;
					if(_v200 >= 0) {
						_v340 = _v340 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4145e8);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v340 = _t554;
					}
					if( *0x418010 != 0) {
						_v344 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v344 = 0x418010;
					}
					_t558 =  &_v104;
					L004012E0();
					_v204 = _t558;
					_t562 =  *((intOrPtr*)( *_v204 + 0xc8))(_v204,  &_v92, _t558,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x344))( *_v344));
					asm("fclex");
					_v208 = _t562;
					if(_v208 >= 0) {
						_v348 = _v348 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x4147ac);
						_push(_v204);
						_push(_v208);
						L00401304();
						_v348 = _t562;
					}
					_v276 = _v92;
					_v92 = _v92 & 0x00000000;
					_t676 =  &_v96;
					L004012B0();
					_v280 = _v88;
					_v88 = _v88 & 0x00000000;
					_v116 = _v280;
					_v124 = 8;
					_v132 = 0x3b7931;
					_v140 = 3;
					_v296 =  *0x401180;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t572 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, 0x10,  &_v124, _t676, _t676,  &_v96,  &_v176);
					_v212 = _t572;
					if(_v212 >= 0) {
						_v352 = _v352 & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x4141e0);
						_push(_a4);
						_push(_v212);
						L00401304();
						_v352 = _t572;
					}
					_v84 = _v176;
					L004012EC();
					_push( &_v104);
					_push( &_v100);
					_push(2);
					L004012DA();
					_t719 = _t718 + 0xc;
					L004012C2();
					_v8 = 0x17;
					if( *0x41831c != 0) {
						_v356 = 0x41831c;
					} else {
						_push(0x41831c);
						_push(0x414720);
						L004012FE();
						_v356 = 0x41831c;
					}
					_v196 =  *_v356;
					_t581 =  *((intOrPtr*)( *_v196 + 0x14))(_v196,  &_v100);
					asm("fclex");
					_v200 = _t581;
					if(_v200 >= 0) {
						_v360 = _v360 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x414710);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v360 = _t581;
					}
					_v204 = _v100;
					_t586 =  *((intOrPtr*)( *_v204 + 0x128))(_v204,  &_v180);
					asm("fclex");
					_v208 = _t586;
					if(_v208 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x128);
						_push(0x414730);
						_push(_v204);
						_push(_v208);
						L00401304();
						_v364 = _t586;
					}
					_v212 =  ~(0 | _v180 == 0x00000000);
					_t679 =  &_v100;
					L004012E6();
					if(_v212 != 0) {
						_v8 = 0x18;
						_v8 = 0x19;
						if( *0x41831c != 0) {
							_v368 = 0x41831c;
						} else {
							_push(0x41831c);
							_push(0x414720);
							L004012FE();
							_v368 = 0x41831c;
						}
						_v204 =  *_v368;
						if( *0x418010 != 0) {
							_v372 = 0x418010;
						} else {
							_push(0x418010);
							_push(0x414948);
							L004012FE();
							_v372 = 0x418010;
						}
						_t643 =  &_v100;
						L004012E0();
						_v196 = _t643;
						_t647 =  *((intOrPtr*)( *_v196 + 0x198))(_v196,  &_v88, _t643,  *((intOrPtr*)( *((intOrPtr*)( *_v372)) + 0x38c))( *_v372));
						asm("fclex");
						_v200 = _t647;
						if(_v200 >= 0) {
							_v376 = _v376 & 0x00000000;
						} else {
							_push(0x198);
							_push(0x4147bc);
							_push(_v196);
							_push(_v200);
							L00401304();
							_v376 = _t647;
						}
						L004012AA();
						_t648 =  &_v104;
						L004012E0();
						_t651 =  *((intOrPtr*)( *_v204 + 0x40))(_v204, _t648, _t648, _t647, _v68, 0x4147cc, _v88);
						asm("fclex");
						_v208 = _t651;
						if(_v208 >= 0) {
							_v380 = _v380 & 0x00000000;
						} else {
							_push(0x40);
							_push(0x414710);
							_push(_v204);
							_push(_v208);
							L00401304();
							_v380 = _t651;
						}
						_t679 =  &_v88;
						L004012EC();
						_push( &_v104);
						_push( &_v100);
						_push(2);
						L004012DA();
						_t719 = _t719 + 0xc;
					}
					_v8 = 0x1b;
					_v192 = 0x781b26e0;
					_v188 = 0x5af6;
					_v132 = 0x452f97;
					_v140 = 3;
					_t742 =  *0x40117c;
					_v324 = _t742;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t595 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10,  &_v192, _t679);
					_v196 = _t595;
					if(_v196 >= 0) {
						_v384 = _v384 & 0x00000000;
					} else {
						_push(0x700);
						_push(0x4141e0);
						_push(_a4);
						_push(_v196);
						L00401304();
						_v384 = _t595;
					}
					_v8 = 0x1c;
					if( *0x418010 != 0) {
						_v388 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v388 = 0x418010;
					}
					_t599 =  &_v100;
					L004012E0();
					_v196 = _t599;
					_v132 = _v132 & 0x00000000;
					_v140 = 2;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t603 =  *((intOrPtr*)( *_v196 + 0x200))(_v196, 0x10, _t599,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x384))( *_v388));
					asm("fclex");
					_v200 = _t603;
					if(_v200 >= 0) {
						_v392 = _v392 & 0x00000000;
					} else {
						_push(0x200);
						_push(0x414780);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v392 = _t603;
					}
					L004012E6();
					_v8 = 0x1d;
					 *((intOrPtr*)( *_a4 + 0x70c))(_a4);
					_v8 = 0x1e;
					if( *0x418010 != 0) {
						_v396 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v396 = 0x418010;
					}
					_t610 =  &_v100;
					L004012E0();
					_v196 = _t610;
					_t614 =  *((intOrPtr*)( *_v196 + 0xd0))(_v196,  &_v176, _t610,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x310))( *_v396));
					asm("fclex");
					_v200 = _t614;
					if(_v200 >= 0) {
						_v400 = _v400 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x4147dc);
						_push(_v196);
						_push(_v200);
						L00401304();
						_v400 = _t614;
					}
					if( *0x418010 != 0) {
						_v404 = 0x418010;
					} else {
						_push(0x418010);
						_push(0x414948);
						L004012FE();
						_v404 = 0x418010;
					}
					_t669 =  *((intOrPtr*)( *_v404));
					_t618 =  &_v104;
					L004012E0();
					_v204 = _t618;
					_v164 = 0x80020004;
					_v172 = 0xa;
					_v148 = 0x80020004;
					_v156 = 0xa;
					_v132 = 0x80020004;
					_v140 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v408 = _v176;
					asm("fild dword [ebp-0x194]");
					_v412 = _t742;
					_v388 = _v412;
					_t625 =  *((intOrPtr*)( *_v204 + 0x130))(_v204, _t669, 0x10, 0x10, 0x10, _t618,  *((intOrPtr*)(_t669 + 0x334))( *_v404));
					asm("fclex");
					_v208 = _t625;
					if(_v208 >= 0) {
						_v416 = _v416 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x4147ec);
						_push(_v204);
						_push(_v208);
						L00401304();
						_v416 = _t625;
					}
					_push( &_v104);
					_push( &_v100);
					_push(2);
					L004012DA();
					_t718 = _t719 + 0xc;
					_v8 = 0x1f;
					_push( &_v244);
					_push( &_v228);
					_t630 =  &_v52;
					_push(_t630);
					L004012A4();
					_v272 = _t630;
				}
				_v8 = 0x20;
				_v12 = 0xffd4eb26;
				_t461 =  &_v12;
				 *_t461 = _v12 + 0x6c1c73;
				_t631 = _v12();
				if( *_t461 >= 0) {
					asm("invalid");
					_push(_t631);
					_push(2);
					L00401298();
					L004012C2();
					L004012E6();
					return _t631;
				} else {
					_push( &_v92);
					_push( &_v88);
					_push(3);
					L0040129E();
					_push( &_v108);
					_push( &_v104);
					_t637 =  &_v100;
					_push(_t637);
					_push(3);
					L004012DA();
					L004012C2();
					return _t637;
				}
			}

0x00416167
0x00416176
0x00416182
0x0041618a
0x0041618d
0x0041619a
0x004161a3
0x004161a6
0x004161b5
0x004161b8
0x004161bf
0x004161c8
0x004161cd
0x004161dc
0x004161e2
0x004161e4
0x004161f1
0x00416213
0x004161f3
0x004161f3
0x004161f8
0x004161fd
0x00416200
0x00416206
0x0041620b
0x0041620b
0x0041621a
0x00416228
0x00416245
0x0041622a
0x0041622a
0x0041622f
0x00416234
0x00416239
0x00416239
0x00416257
0x0041626f
0x00416272
0x00416274
0x00416281
0x004162a3
0x00416283
0x00416283
0x00416285
0x0041628a
0x00416290
0x00416296
0x0041629b
0x0041629b
0x004162ad
0x004162c8
0x004162ce
0x004162d0
0x004162dd
0x00416302
0x004162df
0x004162df
0x004162e4
0x004162e9
0x004162ef
0x004162f5
0x004162fa
0x004162fa
0x0041631c
0x00416320
0x0041632c
0x00416331
0x00416337
0x00416342
0x00416348
0x00416350
0x00416355
0x0041635c
0x00416372
0x00416375
0x00416377
0x00416384
0x004163a3
0x00416386
0x00416386
0x00416388
0x0041638d
0x00416390
0x00416396
0x0041639b
0x0041639b
0x004163aa
0x004163b0
0x004163b5
0x004163ba
0x004163c1
0x004163c6
0x004163cb
0x004163d2
0x004163d5
0x004163d7
0x004163dc
0x004163e1
0x004163e8
0x004163ea
0x004163ef
0x004163f5
0x004163fa
0x00416401
0x00416406
0x0041640b
0x00416419
0x00416436
0x0041641b
0x0041641b
0x00416420
0x00416425
0x0041642a
0x0041642a
0x00416448
0x00416460
0x00416463
0x00416465
0x00416472
0x00416494
0x00416474
0x00416474
0x00416476
0x0041647b
0x00416481
0x00416487
0x0041648c
0x0041648c
0x0041649e
0x004164a4
0x004164ab
0x004164bc
0x004164c9
0x004164ca
0x004164cb
0x004164cc
0x004164db
0x004164de
0x004164e0
0x004164ed
0x0041650f
0x004164ef
0x004164ef
0x004164f1
0x004164f6
0x004164fc
0x00416502
0x00416507
0x00416507
0x00416519
0x0041651f
0x00416529
0x0041652d
0x0041653b
0x00416541
0x00416543
0x00416550
0x00416572
0x00416552
0x00416552
0x00416557
0x0041655c
0x0041655f
0x00416565
0x0041656a
0x0041656a
0x0041657c
0x00416580
0x00416581
0x00416583
0x00416588
0x0041658b
0x00416599
0x004165b6
0x0041659b
0x0041659b
0x004165a0
0x004165a5
0x004165aa
0x004165aa
0x004165da
0x004165de
0x004165e3
0x004165f7
0x004165fd
0x004165ff
0x0041660c
0x00416631
0x0041660e
0x0041660e
0x00416613
0x00416618
0x0041661e
0x00416624
0x00416629
0x00416629
0x0041663b
0x00416640
0x00416647
0x0041664e
0x00416658
0x00416662
0x0041666f
0x0041667c
0x0041667d
0x0041667e
0x0041667f
0x0041668f
0x00416695
0x0041669c
0x004166a1
0x004166a4
0x004166ba
0x004166c0
0x004166cd
0x004166ef
0x004166cf
0x004166cf
0x004166d4
0x004166d9
0x004166dc
0x004166e2
0x004166e7
0x004166e7
0x004166fc
0x00416705
0x00416708
0x0041670f
0x00416711
0x00416713
0x0041671b
0x0041671c
0x00416721
0x00416724
0x00416725
0x00416735
0x0041673c
0x0041673f
0x00416744
0x0041674d
0x0041674f
0x0041675c
0x0041676a
0x0041676d
0x0041676f
0x0041677c
0x0041679b
0x0041677e
0x0041677e
0x00416780
0x00416785
0x00416788
0x0041678e
0x00416793
0x00416793
0x0041677c
0x004167a2
0x004167a9
0x004167b0
0x004167ba
0x004167c4
0x004167ce
0x004167d5
0x004167e5
0x004167ec
0x004167f3
0x004167fa
0x00416801
0x00416802
0x00416805
0x00416806
0x0041680b
0x00417089
0x00416816
0x00416824
0x00416841
0x00416826
0x00416826
0x0041682b
0x00416830
0x00416835
0x00416835
0x00416865
0x00416869
0x0041686e
0x00416886
0x00416889
0x0041688b
0x00416898
0x004168ba
0x0041689a
0x0041689a
0x0041689c
0x004168a1
0x004168a7
0x004168ad
0x004168b2
0x004168b2
0x004168c8
0x004168e5
0x004168ca
0x004168ca
0x004168cf
0x004168d4
0x004168d9
0x004168d9
0x00416909
0x0041690d
0x00416912
0x0041692a
0x00416930
0x00416932
0x0041693f
0x00416964
0x00416941
0x00416941
0x00416946
0x0041694b
0x00416951
0x00416957
0x0041695c
0x0041695c
0x0041696e
0x00416974
0x0041697e
0x00416981
0x00416989
0x0041698f
0x00416999
0x0041699c
0x004169a3
0x004169aa
0x004169c7
0x004169d1
0x004169de
0x004169df
0x004169e0
0x004169e1
0x004169ea
0x004169f0
0x004169fd
0x00416a1f
0x004169ff
0x004169ff
0x00416a04
0x00416a09
0x00416a0c
0x00416a12
0x00416a17
0x00416a17
0x00416a2d
0x00416a34
0x00416a3c
0x00416a40
0x00416a41
0x00416a43
0x00416a48
0x00416a4e
0x00416a53
0x00416a61
0x00416a7e
0x00416a63
0x00416a63
0x00416a68
0x00416a6d
0x00416a72
0x00416a72
0x00416a90
0x00416aa8
0x00416aab
0x00416aad
0x00416aba
0x00416adc
0x00416abc
0x00416abc
0x00416abe
0x00416ac3
0x00416ac9
0x00416acf
0x00416ad4
0x00416ad4
0x00416ae6
0x00416b01
0x00416b07
0x00416b09
0x00416b16
0x00416b3b
0x00416b18
0x00416b18
0x00416b1d
0x00416b22
0x00416b28
0x00416b2e
0x00416b33
0x00416b33
0x00416b50
0x00416b57
0x00416b5a
0x00416b68
0x00416b6e
0x00416b75
0x00416b83
0x00416ba0
0x00416b85
0x00416b85
0x00416b8a
0x00416b8f
0x00416b94
0x00416b94
0x00416bb2
0x00416bbf
0x00416bdc
0x00416bc1
0x00416bc1
0x00416bc6
0x00416bcb
0x00416bd0
0x00416bd0
0x00416c00
0x00416c04
0x00416c09
0x00416c21
0x00416c27
0x00416c29
0x00416c36
0x00416c5b
0x00416c38
0x00416c38
0x00416c3d
0x00416c42
0x00416c48
0x00416c4e
0x00416c53
0x00416c53
0x00416c6d
0x00416c73
0x00416c77
0x00416c8b
0x00416c8e
0x00416c90
0x00416c9d
0x00416cbf
0x00416c9f
0x00416c9f
0x00416ca1
0x00416ca6
0x00416cac
0x00416cb2
0x00416cb7
0x00416cb7
0x00416cc6
0x00416cc9
0x00416cd1
0x00416cd5
0x00416cd6
0x00416cd8
0x00416cdd
0x00416cdd
0x00416ce0
0x00416ce7
0x00416cf1
0x00416cfb
0x00416d02
0x00416d0c
0x00416d13
0x00416d20
0x00416d2d
0x00416d2e
0x00416d2f
0x00416d30
0x00416d39
0x00416d3f
0x00416d4c
0x00416d6e
0x00416d4e
0x00416d4e
0x00416d53
0x00416d58
0x00416d5b
0x00416d61
0x00416d66
0x00416d66
0x00416d75
0x00416d83
0x00416da0
0x00416d85
0x00416d85
0x00416d8a
0x00416d8f
0x00416d94
0x00416d94
0x00416dc4
0x00416dc8
0x00416dcd
0x00416dd3
0x00416dd7
0x00416de4
0x00416df1
0x00416df2
0x00416df3
0x00416df4
0x00416e03
0x00416e09
0x00416e0b
0x00416e18
0x00416e3d
0x00416e1a
0x00416e1a
0x00416e1f
0x00416e24
0x00416e2a
0x00416e30
0x00416e35
0x00416e35
0x00416e47
0x00416e4c
0x00416e5b
0x00416e61
0x00416e6f
0x00416e8c
0x00416e71
0x00416e71
0x00416e76
0x00416e7b
0x00416e80
0x00416e80
0x00416eb0
0x00416eb4
0x00416eb9
0x00416ed4
0x00416eda
0x00416edc
0x00416ee9
0x00416f0e
0x00416eeb
0x00416eeb
0x00416ef0
0x00416ef5
0x00416efb
0x00416f01
0x00416f06
0x00416f06
0x00416f1c
0x00416f39
0x00416f1e
0x00416f1e
0x00416f23
0x00416f28
0x00416f2d
0x00416f2d
0x00416f53
0x00416f5d
0x00416f61
0x00416f66
0x00416f6c
0x00416f76
0x00416f80
0x00416f8a
0x00416f94
0x00416f9b
0x00416fa8
0x00416fb5
0x00416fb6
0x00416fb7
0x00416fb8
0x00416fbc
0x00416fc9
0x00416fca
0x00416fcb
0x00416fcc
0x00416fd0
0x00416fdd
0x00416fde
0x00416fdf
0x00416fe0
0x00416fe8
0x00416fee
0x00416ff4
0x00417001
0x00417012
0x00417018
0x0041701a
0x00417027
0x0041704c
0x00417029
0x00417029
0x0041702e
0x00417033
0x00417039
0x0041703f
0x00417044
0x00417044
0x00417056
0x0041705a
0x0041705b
0x0041705d
0x00417062
0x00417065
0x00417072
0x00417079
0x0041707a
0x0041707d
0x0041707e
0x00417083
0x00417083
0x00417096
0x0041709d
0x004170a4
0x004170a4
0x004170ab
0x004170ae
0x004170f3
0x004170f5
0x004170f6
0x004170f8
0x00417103
0x0041710b
0x00417110
0x004170b0
0x004170ba
0x004170be
0x004170bf
0x004170c1
0x004170cc
0x004170d0
0x004170d1
0x004170d4
0x004170d5
0x004170d7
0x004170e2
0x004170e7
0x004170e7

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00416182
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004011F6), ref: 004161C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,000002B4), ref: 00416206
__vbaNew2.MSVBVM60(00414720,0041831C), ref: 00416234
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00414710,00000014), ref: 00416296
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414730,00000100), ref: 004162F5
__vbaStrToAnsi.MSVBVM60(?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416320
__vbaSetSystemError.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416337
__vbaFreeStr.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416348
__vbaFreeObj.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 00416350
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,00000058), ref: 00416396
__vbaSetSystemError.MSVBVM60(?), ref: 004163B5
__vbaSetSystemError.MSVBVM60(?), ref: 004163C6
__vbaSetSystemError.MSVBVM60(00000002,?,?), ref: 004163DC
__vbaSetSystemError.MSVBVM60(00000002,00000002,?,?), ref: 004163F5
__vbaSetSystemError.MSVBVM60(00000002,00000002,?,?), ref: 00416406
__vbaNew2.MSVBVM60(00414720,0041831C,00000002,00000002,?,?), ref: 00416425
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00414710,0000001C), ref: 00416487
__vbaChkstk.MSVBVM60(?), ref: 004164BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414770,00000054), ref: 00416502
__vbaObjSet.MSVBVM60(?,?), ref: 0041652D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,00000154), ref: 00416565
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00416583
__vbaNew2.MSVBVM60(00414948,00418010,?,?,004011F6), ref: 004165A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004165DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414780,000001F8), ref: 00416624
__vbaFreeObj.MSVBVM60(00000000,?,00414780,000001F8), ref: 0041663B
__vbaChkstk.MSVBVM60(00000000,?,00414780,000001F8), ref: 0041666F
#615.MSVBVM60 ref: 0041669C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141E0,000006F8), ref: 004166E2
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041671C
#557.MSVBVM60(?,?,000007DB,0000000B,0000000B), ref: 00416725
__vbaFreeVar.MSVBVM60(?,?,000007DB,0000000B,0000000B), ref: 0041673F
__vbaFpI4.MSVBVM60(?,?,000007DB,0000000B,0000000B), ref: 0041675C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004141B0,00000064), ref: 0041678E
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002,?,?,000007DB,0000000B,0000000B), ref: 00416806
__vbaNew2.MSVBVM60(00414948,00418010,?,?,?,00000002,00000003,00000002,?,?,000007DB,0000000B,0000000B), ref: 00416830
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416869
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004145E8,00000048), ref: 004168AD
__vbaNew2.MSVBVM60(00414948,00418010), ref: 004168D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041690D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004147AC,000000C8), ref: 00416957
__vbaStrMove.MSVBVM60(00000000,?,004147AC,000000C8), ref: 00416981
__vbaChkstk.MSVBVM60(00000008,?,?,?,?), ref: 004169D1
__vbaFreeStrList.MSVBVM60(00000003,?,?), ref: 004170C1
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 004170D7
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 004170E2

Strings

1y;, xrefs: 004169A3
c:\windows\logow.sys, xrefs: 00416317
greenfield, xrefs: 00416647
, xrefs: 00417096

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$CheckHresult$Free$Error$System$New2$Chkstk$List$#538#557#615AnsiInitMove
String ID: $1y;$c:\windows\logow.sys$greenfield
API String ID: 3170813935-685939622
Opcode ID: 4a2cda3e415bdb016dd9f16a8029b0c47a9ddd40040d526cfe8643457f84ed3a
Instruction ID: 40fa5e21e30815420802455b1e08bd9787e7b2c425080e49f72cd1173220fb09
Opcode Fuzzy Hash: 4a2cda3e415bdb016dd9f16a8029b0c47a9ddd40040d526cfe8643457f84ed3a
Instruction Fuzzy Hash: 8C92D570901228EFEB21DF94CC45BDDBBB5BB08304F1041EAE509BB2A1DB795A84DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00417505, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00417505(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v32;
				char _v40;
				char* _t11;
				intOrPtr _t22;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t22;
				_push(0x28);
				L004011F0();
				_v12 = _t22;
				_v8 = 0x4011d0;
				_v32 = 1;
				_v40 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t11 =  &_v40;
				_push(_t11); // executed
				L00401286(); // executed
				L004012B0();
				L004012C2();
				_push(0x41757c);
				L004012EC();
				return _t11;
			}

0x0041750a
0x00417515
0x00417516
0x0041751d
0x00417520
0x00417528
0x0041752b
0x00417532
0x00417539
0x00417540
0x00417542
0x00417544
0x00417546
0x00417548
0x0041754b
0x0041754c
0x00417556
0x0041755e
0x00417563
0x00417576
0x0041757b

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00417520
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 0041754C
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 00417556
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 0041755E
__vbaFreeStr.MSVBVM60(0041757C,00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011F6), ref: 00417576

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$Free$#703ChkstkMove
String ID:
API String ID: 469383263-0
Opcode ID: 0bcffce797d9cb15b79d6f0db3f4e14ef7328ac327dcc04380491e599b44ce6f
Instruction ID: 120789474c7b99996ad5a8fadc1ffc24220b9e974042e878f46b6a063fee0454
Opcode Fuzzy Hash: 0bcffce797d9cb15b79d6f0db3f4e14ef7328ac327dcc04380491e599b44ce6f
Instruction Fuzzy Hash: FEF04470804108BACB04DB95CD46FDEB6B9AB09764F70436EB121761E1DA781D048669

Uniqueness

Uniqueness Score: -1.00%

Function 00401328, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			_entry_() {
				signed char _t39;
				signed char _t40;
				intOrPtr* _t43;
				signed char _t45;
				signed char _t46;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed char _t53;
				signed char _t54;
				void* _t55;
				void* _t56;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr* _t60;
				signed int _t61;
				signed int _t63;
				signed char _t64;
				signed int _t66;
				void* _t69;
				intOrPtr* _t70;
				void* _t73;
				void* _t74;
				signed int _t75;
				intOrPtr* _t76;
				void* _t80;
				void* _t89;
				void* _t90;
				void* _t92;
				intOrPtr _t99;

				_push("VB5!6&*"); // executed
				L00401322(); // executed
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				do {
					 *_t39 =  *_t39 ^ _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
				} while ( *_t39 < 0);
				asm("fisub dword [edi]");
				_t55 = 0x3f;
				asm("sti");
				_t40 = _t39 + 1;
				 *(_t69 - 0x6f) =  *(_t69 - 0x6f) | 0x17349181;
				_push(_t73);
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				_t60 = _t59 + 1;
				 *((intOrPtr*)(_t73 + 0x53018250)) =  *((intOrPtr*)(_t73 + 0x53018250)) + _t40;
				do {
					_push(_t55);
					_push(0x7372656f);
					asm("aaa");
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					_t56 = _t55 + _t55;
					_t89 = _t89 - 1;
					 *_t40 =  *_t40 ^ _t40;
					_t55 = _t56 - _t64;
					asm("aam 0x67");
					_t73 = _t73 - 1;
					 *((intOrPtr*)(_t80 - 0x6a)) =  *((intOrPtr*)(_t80 - 0x6a)) + 0xde15a246;
					 *_t64 =  *_t64 + 1;
					_t7 = _t55 - 0x5d2637b1;
					 *_t7 =  *(_t55 - 0x5d2637b1) << 0x45;
					_push(_t60);
				} while ( *_t7 < 0);
				asm("sahf");
				_pop(ds);
				asm("in al, dx");
				_t57 = _t55 - 1;
				_t74 = _t73 + 1;
				_push(_t89);
				asm("invalid");
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 + _t40;
				_t90 = _t89 + 1;
				 *_t40 =  *_t40 + _t40;
				 *_t60 =  *_t60 + _t60;
				 *((intOrPtr*)(_t60 + 0x53 + _t40 * 2)) =  *((intOrPtr*)(_t60 + 0x53 + _t40 * 2)) + _t60;
				_push(_t90);
				_push(_t40);
				_t61 = _t60 + 1;
				_t92 = _t90;
				 *0x62000701 =  *0x62000701 + _t61;
				_t99 =  *0x62000701;
				asm("insb");
				if(_t99 < 0) {
					L9:
					 *_t61 =  *_t61 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *((intOrPtr*)(_t40 + 0x25)) =  *((intOrPtr*)(_t40 + 0x25)) + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t64 =  *_t64 + _t64;
					_t75 = _t40;
					_t66 = _t64 - 0x00000001 ^  *[gs:edx+0x60];
					_t43 = _t40 & 0x30;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *_t43 =  *_t43 + _t43;
					 *((intOrPtr*)(_t66 + 0x4d)) =  *((intOrPtr*)(_t66 + 0x4d)) - _t43;
					 *0x217e6456 =  *0x217e6456 | _t75;
					asm("scasb");
					_t45 = _t69;
					asm("a16 jb 0x2d");
					_t46 = _t45 |  *_t45;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *0x1fe9564f =  *0x1fe9564f + _t66;
					_t70 = _t69 - 1;
					goto 0xfe683e1b;
					 *0x25 =  *0x25 + 1;
					asm("invalid");
					asm("das");
					asm("aaa");
					asm("xlatb");
					asm("sbb ch, [edx]");
					_t49 = _t46 + 0x00000006 +  *_t57 ^  *_t66;
					 *_t49 =  *_t49 + _t49;
					 *0x6000000 =  *0x6000000 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t70 =  *_t70 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t49 =  *_t49 + 0x25;
					 *_t49 =  *_t49 + _t49;
					 *_t70 =  *_t70 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *_t75 =  *_t75 + _t49;
					 *_t49 =  *_t49 + _t49;
					 *0x4000000 =  *0x4000000 + _t49;
					 *_t75 =  *_t75 | 0x00000025;
					asm("adc [ebx], eax");
					_t76 = _t57;
					asm("stosb");
					_t50 = _t49 & 0x0705ff26;
					es = ds;
					 *_t50 =  *_t50 + 1;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + 1;
					 *_t50 =  *_t50 + _t50;
					asm("invalid");
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *0x25 =  *0x25 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *_t57 =  *_t57 + _t50;
					 *_t50 =  *_t50 + _t50;
					 *0x8050503 =  *0x8050503 + _t50;
					_t63 = 0x00000025 ^  *(_t57 + 0x51);
					[far dword [edi](_t63, es, es, _t75, _t45);
					asm("daa");
					 *_t63 =  *_t63 - 1;
					_t51 = _t50 | 0x0000ff0d;
					_t58 = _t57 + _t57;
					_push(ss);
					 *_t51 =  *_t51 + _t51;
					 *0x16000000 =  *0x16000000 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *_t51 =  *_t51 + _t58;
					 *_t51 =  *_t51 + _t51;
					 *0x16000000 =  *0x16000000 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *_t76 =  *_t76 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *0x14000000 =  *0x14000000 + 0x3c;
					 *_t51 =  *_t51 + _t51;
					 *_t63 =  *_t63 + 0x3c;
					 *(_t51 + 0x4e) =  *(_t51 + 0x4e) ^ _t63;
					 *(_t92 + _t51 * 2) =  *(_t92 + _t51 * 2) << 1;
					goto ( *__ecx);
				}
				asm("popad");
				if (_t99 < 0) goto L7;
				asm("sbb [ecx], eax");
				 *_t64 =  *_t64 + _t40;
				_t52 = _t40 &  *_t40;
				_t61 = _t61 &  *(_t74 + 0x6c000044);
				if (_t61 == 0) goto L8;
				 *((intOrPtr*)(_t74 + 0x44)) =  *((intOrPtr*)(_t74 + 0x44)) + _t52;
				 *_t61 =  *_t61 + _t52;
				 *((intOrPtr*)(_t52 + _t52)) =  *((intOrPtr*)(_t52 + _t52)) + _t52;
				 *_t52 =  *_t52 ^ _t64;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 & _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 & _t52;
				 *_t61 =  *_t61 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *((intOrPtr*)(_t52 - 0x11fffff0)) =  *((intOrPtr*)(_t52 - 0x11fffff0)) + _t61;
				_t53 = _t52 & 0x18180000;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 & _t53;
				 *_t61 = _t61;
				 *_t53 =  *_t53 + _t53;
				_t54 = _t74 + 1;
				 *[ss:eax] =  *[ss:eax] + _t54;
				asm("adc [eax], dl");
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 & _t54;
				_push(0x1e000004);
				_t40 = _t54 + 1;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 - _t40;
				 *_t40 =  *_t40 + _t40;
				 *_t40 =  *_t40 ^ _t40;
				 *_t40 =  *_t40 + _t40;
				asm("pushad");
				 *_t40 =  *_t40 + _t40;
				goto L9;
			}

0x00401328
0x0040132d
0x00401332
0x00401334
0x00401336
0x00401338
0x00401338
0x0040133a
0x0040133e
0x00401340
0x00401342
0x00401342
0x00401346
0x00401348
0x0040134a
0x0040134b
0x0040134c
0x00401353
0x00401354
0x00401356
0x00401358
0x0040135a
0x0040135c
0x0040135e
0x0040135f
0x00401364
0x00401364
0x00401365
0x0040136a
0x0040136b
0x0040136d
0x0040136f
0x00401370
0x00401372
0x00401374
0x00401376
0x00401378
0x00401379
0x00401380
0x00401382
0x00401382
0x00401389
0x00401389
0x0040138d
0x0040138e
0x0040138f
0x00401390
0x00401391
0x00401392
0x00401393
0x00401399
0x0040139a
0x0040139c
0x004013a2
0x004013a3
0x004013a9
0x004013ab
0x004013ad
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013b9
0x004013bb
0x004013bd
0x004013bf
0x004013c1
0x004013c3
0x004013c5
0x004013c7
0x004013ce
0x004013cf
0x004013d1
0x004013d3
0x004013d7
0x004013d9
0x004013da
0x004013dc
0x004013dd
0x004013dd
0x004013e3
0x004013e4
0x0040144f
0x0040144f
0x00401451
0x00401453
0x00401455
0x00401457
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x00401467
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00401493
0x00401495
0x00401497
0x00401499
0x0040149b
0x0040149d
0x0040149f
0x004014a1
0x004014a3
0x004014a5
0x004014a7
0x004014a9
0x004014ab
0x004014ad
0x004014af
0x004014b1
0x004014b3
0x004014b5
0x004014b7
0x004014b9
0x004014bb
0x004014bd
0x004014bf
0x004014c1
0x004014c3
0x004014c5
0x004014c7
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x004014e3
0x004014e5
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150b
0x0040150d
0x0040150f
0x00401511
0x00401513
0x00401515
0x00401517
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152d
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401567
0x00401569
0x0040156b
0x0040156d
0x0040156f
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b5
0x004015b7
0x004015b9
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015d9
0x004015db
0x004015dd
0x004015df
0x004015e1
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f3
0x004015f5
0x004015f7
0x004015f9
0x004015fb
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160f
0x00401611
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401636
0x0040163f
0x00401647
0x0040164c
0x0040164e
0x00401650
0x00401652
0x00401654
0x00401656
0x00401658
0x0040165a
0x0040165c
0x0040165e
0x00401660
0x00401662
0x00401664
0x00401666
0x00401668
0x0040166a
0x0040166c
0x0040166e
0x00401670
0x00401672
0x00401674
0x00401676
0x00401678
0x0040167a
0x0040167c
0x0040167e
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168b
0x00401697
0x00401698
0x0040169a
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016bb
0x004016bd
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016ff
0x00401703
0x00401705
0x00401706
0x00401707
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401714
0x00401716
0x00401718
0x0040171a
0x0040171c
0x0040171e
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x0040173a
0x0040173c
0x0040173e
0x00401744
0x00401746
0x0040174a
0x0040174b
0x0040174d
0x00401752
0x00401753
0x00401755
0x00401757
0x00401759
0x0040175b
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401796
0x00401798
0x0040179a
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a8
0x004017aa
0x004017ac
0x004017ae
0x004017b4
0x004017bb
0x004017be
0x004017bf
0x004017c1
0x004017c6
0x004017c8
0x004017d0
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017da
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ec
0x004017ee
0x004017f0
0x004017f2
0x004017f4
0x004017f6
0x004017f8
0x004017fa
0x004017fc
0x004017fe
0x00401804
0x00401806
0x00401808
0x0040180b
0x0040180f
0x0040180f
0x004013e7
0x004013e8
0x004013ea
0x004013ec
0x004013ef
0x004013f1
0x004013f7
0x004013f9
0x004013ff
0x00401401
0x00401404
0x00401406
0x00401408
0x0040140a
0x0040140e
0x00401411
0x00401413
0x00401415
0x00401417
0x00401419
0x0040141b
0x00401421
0x00401426
0x00401428
0x0040142a
0x0040142c
0x0040142e
0x00401430
0x00401431
0x00401434
0x00401436
0x00401438
0x0040143a
0x0040143c
0x00401441
0x00401442
0x00401444
0x00401446
0x00401448
0x0040144a
0x0040144c
0x0040144d
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040132D

Strings

VB5!6&*, xrefs: 00401328

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: a379705f11cc3262f5b1dd9dc71cd1c78ad3aa2fc2a0a310faf9fd3ef98b0380
Instruction ID: 863b19195d7ca7125e0c8eb0abf83b6066f3c2dc813de14bd21e215bc050e3e2
Opcode Fuzzy Hash: a379705f11cc3262f5b1dd9dc71cd1c78ad3aa2fc2a0a310faf9fd3ef98b0380
Instruction Fuzzy Hash: 2101CC61A5E7C1AFD7079B354CA5982BFB4AE0325530A06DBD482DF4B3D22D0C1AC76A

Uniqueness

Uniqueness Score: -1.00%

Function 00414528, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c86724e1b4d65043b60bea7e113f50d5b496f554b42f1d4fde11737a366b2f2
Instruction ID: 62285ec04df69faa409a0099abe131dc54f1baede82f8d7fc38cdb1ddeef0124
Opcode Fuzzy Hash: 2c86724e1b4d65043b60bea7e113f50d5b496f554b42f1d4fde11737a366b2f2
Instruction Fuzzy Hash: E6B01230386001BF970042D46C014A21181D380BC03208C77F501D33D1DB28CC40412D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004145B8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d8f1f195151a3571b7b7305865becfa1317242ab0f18a7e7545d9aed6398b2
Instruction ID: 15df0377eb914a4a6d654d1db9e9196803201494f8317a0833ad6970402ee143
Opcode Fuzzy Hash: 08d8f1f195151a3571b7b7305865becfa1317242ab0f18a7e7545d9aed6398b2
Instruction Fuzzy Hash: FAB012303A5103BF974046985C41CA111C1D3C07803304C77F600D11D1DA68CD40C12D

Uniqueness

Uniqueness Score: -1.00%

Function 004172B8, Relevance: 10.6, APIs: 7, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E004172B8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				short _v48;
				void* _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				signed int _t51;
				signed int _t56;
				short _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L004011F0();
				_v16 = _t68;
				_v12 = 0x4011b0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4011f6, _t65);
				L00401292();
				if( *0x41831c != 0) {
					_v84 = 0x41831c;
				} else {
					_push(0x41831c);
					_push(0x414720);
					L004012FE();
					_v84 = 0x41831c;
				}
				_v60 =  *_v84;
				_t51 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v52);
				asm("fclex");
				_v64 = _t51;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x414710);
					_push(_v60);
					_push(_v64);
					L00401304();
					_v88 = _t51;
				}
				_v68 = _v52;
				_t56 =  *((intOrPtr*)( *_v68 + 0xc8))(_v68,  &_v56);
				asm("fclex");
				_v72 = _t56;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0xc8);
					_push(0x414730);
					_push(_v68);
					_push(_v72);
					L00401304();
					_v92 = _t56;
				}
				_t57 = _v56;
				_v48 = _t57;
				L004012E6();
				_push(0x4173d2);
				L004012C2();
				return _t57;
			}

0x004172bb
0x004172ca
0x004172d4
0x004172dc
0x004172df
0x004172e6
0x004172f5
0x004172fe
0x0041730a
0x00417324
0x0041730c
0x0041730c
0x00417311
0x00417316
0x0041731b
0x0041731b
0x00417330
0x0041733f
0x00417342
0x00417344
0x0041734b
0x00417364
0x0041734d
0x0041734d
0x0041734f
0x00417354
0x00417357
0x0041735a
0x0041735f
0x0041735f
0x0041736b
0x0041737a
0x00417380
0x00417382
0x00417389
0x004173a5
0x0041738b
0x0041738b
0x00417390
0x00417395
0x00417398
0x0041739b
0x004173a0
0x004173a0
0x004173a9
0x004173ad
0x004173b4
0x004173b9
0x004173cc
0x004173d1

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 004172D4
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 004172FE
__vbaNew2.MSVBVM60(00414720,0041831C,?,?,?,?,004011F6), ref: 00417316
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414710,00000014), ref: 0041735A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414730,000000C8), ref: 0041739B
__vbaFreeObj.MSVBVM60 ref: 004173B4
__vbaFreeVar.MSVBVM60(004173D2), ref: 004173CC

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID:
API String ID: 304406766-0
Opcode ID: daad8b53f26b49ffc38ab44b4c40b6e53013abc1f1e0f38c5c632609c963093b
Instruction ID: b18cf59156409c941507b0e749e94b197ffebd9bd433b5d8235eecde308a7e2e
Opcode Fuzzy Hash: daad8b53f26b49ffc38ab44b4c40b6e53013abc1f1e0f38c5c632609c963093b
Instruction Fuzzy Hash: 8E31E27490024CEFCB01EF95D985BDDBBB0BF08704F10806AF911BB2A5DB795985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004173FB, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004173FB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v64;
				signed int _v68;
				char* _t36;
				signed int _t39;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L004011F0();
				_v16 = _t53;
				_v12 = 0x4011c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4011f6, _t50);
				L00401292();
				if( *0x418010 != 0) {
					_v64 = 0x418010;
				} else {
					_push(0x418010);
					_push(0x414948);
					L004012FE();
					_v64 = 0x418010;
				}
				_t36 =  &_v44;
				L004012E0();
				_v48 = _t36;
				_t39 =  *((intOrPtr*)( *_v48 + 0x1ac))(_v48, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x340))( *_v64));
				asm("fclex");
				_v52 = _t39;
				if(_v52 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x4147fc);
					_push(_v48);
					_push(_v52);
					L00401304();
					_v68 = _t39;
				}
				L004012E6();
				_push(0x4174e6);
				L004012C2();
				return _t39;
			}

0x004173fe
0x0041740d
0x00417417
0x0041741f
0x00417422
0x00417429
0x00417438
0x00417441
0x0041744d
0x00417467
0x0041744f
0x0041744f
0x00417454
0x00417459
0x0041745e
0x0041745e
0x00417482
0x00417486
0x0041748b
0x00417496
0x0041749c
0x0041749e
0x004174a5
0x004174c1
0x004174a7
0x004174a7
0x004174ac
0x004174b1
0x004174b4
0x004174b7
0x004174bc
0x004174bc
0x004174c8
0x004174cd
0x004174e0
0x004174e5

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00417417
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 00417441
__vbaNew2.MSVBVM60(00414948,00418010,?,?,?,?,004011F6), ref: 00417459
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417486
__vbaHresultCheckObj.MSVBVM60(00000000,?,004147FC,000001AC), ref: 004174B7
__vbaFreeObj.MSVBVM60 ref: 004174C8
__vbaFreeVar.MSVBVM60(004174E6), ref: 004174E0

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: c569b068fee98ceb34f959458d6007dcae46d13cf2d4e8480e2abd149ec326fa
Instruction ID: 29557a3e9451cb818039caf3b1bcd09051441f46f913ae73d28ed6e68a6f27e4
Opcode Fuzzy Hash: c569b068fee98ceb34f959458d6007dcae46d13cf2d4e8480e2abd149ec326fa
Instruction Fuzzy Hash: B621F470A00208EFCB14EFA5D889BDDBBB4BB08718F10846EF501BB2A1CB785944DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00417130, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00417130(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L004011F0();
				_v12 = _t46;
				_v8 = 0x401190;
				L00401292();
				if( *0x418010 != 0) {
					_v56 = 0x418010;
				} else {
					_push(0x418010);
					_push(0x414948);
					L004012FE();
					_v56 = 0x418010;
				}
				_t29 =  &_v40;
				L004012E0();
				_v44 = _t29;
				_t32 =  *((intOrPtr*)( *_v44 + 0x1c8))(_v44, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x38c))( *_v56));
				asm("fclex");
				_v48 = _t32;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x4147bc);
					_push(_v44);
					_push(_v48);
					L00401304();
					_v60 = _t32;
				}
				L004012E6();
				_push(0x417208);
				L004012C2();
				return _t32;
			}

0x00417135
0x00417140
0x00417141
0x00417148
0x0041714b
0x00417153
0x00417156
0x00417163
0x0041716f
0x00417189
0x00417171
0x00417171
0x00417176
0x0041717b
0x00417180
0x00417180
0x004171a4
0x004171a8
0x004171ad
0x004171b8
0x004171be
0x004171c0
0x004171c7
0x004171e3
0x004171c9
0x004171c9
0x004171ce
0x004171d3
0x004171d6
0x004171d9
0x004171de
0x004171de
0x004171ea
0x004171ef
0x00417202
0x00417207

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0041714B
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 00417163
__vbaNew2.MSVBVM60(00414948,00418010,?,?,?,?,004011F6), ref: 0041717B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 004171A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004147BC,000001C8,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 004171D9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011F6), ref: 004171EA
__vbaFreeVar.MSVBVM60(00417208,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 00417202

Memory Dump Source

Source File: 00000000.00000002.517364158.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.517360021.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.517378063.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.517382174.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 3ef67aeff9f70704ab7f2bbb462a54a9155d40d379e95e2475bff1004a4d5f24
Instruction ID: 891ae4dc86439a73de278833737c0754afe011df5d2f876b714830d28958ff03
Opcode Fuzzy Hash: 3ef67aeff9f70704ab7f2bbb462a54a9155d40d379e95e2475bff1004a4d5f24
Instruction Fuzzy Hash: 9E21E875A41208AFCB00DF95C885BDDBBB9EB08714F20446EF101B72A1DBB95985DB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 1324 Parent PID: 1956 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.7%
Total number of Nodes:	345
Total number of Limit Nodes:	22

Executed Functions

Function 00DC0BF8, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 662
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

down, xrefs: 00DC6165
1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1.!T$down
API String ID: 0-3297775217
Opcode ID: f222726e2f8578b796f1aafd7b4fa4113d504ba9276bbd91ecc260d07761390f
Instruction ID: c8ba8d4b334c4cb18d6b34bfbb9f291092fe3db6d474c16c8b81bd6b646cae3d
Opcode Fuzzy Hash: f222726e2f8578b796f1aafd7b4fa4113d504ba9276bbd91ecc260d07761390f
Instruction Fuzzy Hash: 55128C74648317EAEF216A648A61FFA3B56DF43790F6C412DFC8297187C764C8829631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6409, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 304
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1.!T
API String ID: 1029625771-3147410236
Opcode ID: fe11204883e9bae0d610cf7d1ecbf9d3aec7b75f233a3c562ad950af6d514bb4
Instruction ID: 551a3180a97386e49ab588b9d62cf40a6ed22c78d1399bcb7f9f6dfea6e42ad3
Opcode Fuzzy Hash: fe11204883e9bae0d610cf7d1ecbf9d3aec7b75f233a3c562ad950af6d514bb4
Instruction Fuzzy Hash: 3DA1BF2020E386EBFB11FFA89980FE63BD69B57B94F58485CE882D7546C721EC059731

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0724, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(00DC0837,?,00000000,0000510A,00000020,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC07EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: b16edb44f1ace06b5b929fb48eb75ca03e49d98af105013f5f1adf01d448aca2
Instruction ID: cc486a688d7ae1055058b5d49eade21c6c0b9c42556435919e93f653f9878204
Opcode Fuzzy Hash: b16edb44f1ace06b5b929fb48eb75ca03e49d98af105013f5f1adf01d448aca2
Instruction Fuzzy Hash: 4E41277464430BEEEF10AE244991FFA2F569F85794F74812DFD96971C5CA30CC829631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2C3F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: e457348f8e0da4836d090cb1b103b1ddf0c79d99686d6065e1731863493433cc
Instruction ID: e9e307846eaa9959c418ea0bfec662d473c2b474ad9448d0cf38b4202963eb5f
Opcode Fuzzy Hash: e457348f8e0da4836d090cb1b103b1ddf0c79d99686d6065e1731863493433cc
Instruction Fuzzy Hash: 1E615570644307EFEB109E2489A2FEA3B62EF453A4F64812DFD8697196C774CC81CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC64F1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 211
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 94f05f8677b6e05e19221c11c7e7579fe555d8192c5bf952f0731d49ab2a5af4
Instruction ID: eb62a4d987418128b4d8c66322cf5f76a277b03ff57442f1bc605986ae0e0b8c
Opcode Fuzzy Hash: 94f05f8677b6e05e19221c11c7e7579fe555d8192c5bf952f0731d49ab2a5af4
Instruction Fuzzy Hash: 18510175644307EBDF109E108691FFA2B62AF44794FA4802EECCA97285D730DC82EA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC08E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 26fe9637b3545ce68eb2cdd84d60ea25726269e88d28937fe658face79b94627
Instruction ID: 61290154c362aa46bc8405df9958edef941be0ffbcb8fb51eb3abe0616be7f3c
Opcode Fuzzy Hash: 26fe9637b3545ce68eb2cdd84d60ea25726269e88d28937fe658face79b94627
Instruction Fuzzy Hash: 4D61332020A34BEBFF10FE688941FE63F929F53784F58485CEC82A3546C720EC469761

Uniqueness

Uniqueness Score: -1.00%

Function 00DC084A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 8d93201fcba6fa1ba768ea2c11293290c04d94c5d1c7e2abad1eb463f2f99a7c
Instruction ID: c3523b6467659dda744984f27a7c58bd9221d375b51270ccfea52722c608b20a
Opcode Fuzzy Hash: 8d93201fcba6fa1ba768ea2c11293290c04d94c5d1c7e2abad1eb463f2f99a7c
Instruction Fuzzy Hash: 16413474649307EBEB10AE248951FEA3F92AF56394F64815DFC8697185C730DC829731

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0878, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 8650373492a2a373b6c56e89dc7adf335904569c385ee8ca9f8ab55325737331
Instruction ID: 335f55044b0075ac0ed28958a72186b3b3791500df5cf77f454e595a50cd4f09
Opcode Fuzzy Hash: 8650373492a2a373b6c56e89dc7adf335904569c385ee8ca9f8ab55325737331
Instruction Fuzzy Hash: 2141332474930BEAEB10AE244951FEA2F929F86794F68805DFCC697186CB30DC86D731

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0942, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: e44f11f7dfc54b5a00d762bb68082c64cfe4d8c515a40c5ba1583e6dc44e500c
Instruction ID: de4bdd4fe8c7fdc491a2efd4e31c17bee80af81ca83c45faa500b4414125203b
Opcode Fuzzy Hash: e44f11f7dfc54b5a00d762bb68082c64cfe4d8c515a40c5ba1583e6dc44e500c
Instruction Fuzzy Hash: CE41232474930BEBFB10AE688991FE63F969F46794F58445CFC86E3086CB30DC469631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC09C6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 022c27e86a3a4276b77062a69e597ac2138a5b7b669840cbee7cc8fbbec37ecd
Instruction ID: 56f38ce185d9b4fc98a07889f56c351fb7357d3b663548899ee0a64f3621b6d0
Opcode Fuzzy Hash: 022c27e86a3a4276b77062a69e597ac2138a5b7b669840cbee7cc8fbbec37ecd
Instruction Fuzzy Hash: D2413824249347EBFB20AE284991FE63F929F47794F58051CFC82A3046C730EC469631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC099A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: fcd2906d16cf527765c8dbf5beb793fd408ea5417e8923cc53d32fff8f3cf512
Instruction ID: 17c96e53c3b151530faf37b4a799a0a823ef34fd4cb33cdc106edc066bee113a
Opcode Fuzzy Hash: fcd2906d16cf527765c8dbf5beb793fd408ea5417e8923cc53d32fff8f3cf512
Instruction Fuzzy Hash: 3C41352474A347EBFB11AE284991FE63F969F57794F68045CFC82A7086CB20EC469631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7BEA, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 1ef0c473c20d0b22e707a05fe070826de8f6c1976c8736a1635da26ff6314c21
Instruction ID: 651e33ec9b234439d08606c3773bdd52eaa3d8c4f03e9bd370cb2f75d93dda51
Opcode Fuzzy Hash: 1ef0c473c20d0b22e707a05fe070826de8f6c1976c8736a1635da26ff6314c21
Instruction Fuzzy Hash: DF416C3874830BEAEF10AE204A91FFA2B52EF55794F64412DFDC697185DB34CC829A31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC69E2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 682fb43418010098d0b452550f1a77d7d20c6a54a1213ba2e015a98dddb3cad6
Instruction ID: c04056f8f095d0b6f9b2783f324fef771633b52fa4d7964f4bb32a35aab6613e
Opcode Fuzzy Hash: 682fb43418010098d0b452550f1a77d7d20c6a54a1213ba2e015a98dddb3cad6
Instruction Fuzzy Hash: 8441686474430BEAEF209E204A91FE62F529F95794F64812DBDC6E3185DB30CC82D631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC096A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 144nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 8972e517577b9e03a2b37d15fa013a9459da72dc60ac83b2f700c0e7eb7b8b52
Instruction ID: d510ffd830528ceb20e025ad6e8a70c805d01585d8625f133f7e41f29fb895a7
Opcode Fuzzy Hash: 8972e517577b9e03a2b37d15fa013a9459da72dc60ac83b2f700c0e7eb7b8b52
Instruction Fuzzy Hash: 8441242474930BEBFB10AE284991FE63F969F56794F68441CFD86E3186CB30DC469631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC08BA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 1520d4f64f75caf99d3972ad9784dfa45aa49a0c1659f13e9768dcb986534bc2
Instruction ID: 8b8faa1686c43d6433289439bd093a6bb54c9dffa02e4646f874013dca16883b
Opcode Fuzzy Hash: 1520d4f64f75caf99d3972ad9784dfa45aa49a0c1659f13e9768dcb986534bc2
Instruction Fuzzy Hash: AD41693474930BEAFF10AE244951FEA2F929F46784F68401CFDC697186CB30DC469631

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0848, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: e61963e84dd0587911bebb04f9b97ddb4d8198101404ed3e8e94e9e5fb902871
Instruction ID: 77bf59cf40938b82f803ae03f7a2cd50ff95f17d46be22fc581c985191be7a41
Opcode Fuzzy Hash: e61963e84dd0587911bebb04f9b97ddb4d8198101404ed3e8e94e9e5fb902871
Instruction Fuzzy Hash: E6317D7478430BEAFF10AD204A51FFA2F529F85794F64411DBDC697185CB30CC829571

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0A24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: f17486f01bcf1001a7bf02c8cda4413557857b200da7ce1ff9d5316d4280b8e7
Instruction ID: 7979f3ac308937f253a141414444a7b60719eeaa249c43298969870086831dbe
Opcode Fuzzy Hash: f17486f01bcf1001a7bf02c8cda4413557857b200da7ce1ff9d5316d4280b8e7
Instruction Fuzzy Hash: 3431342864930BEBFF10AE684991FEA2F629F42798F64441CFDD6E3185C724DC869231

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0A6E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 4b25ca37d01e3bc8a09bacbf3fb159cc00a4e7ad49f02be89c57188b6cf048d4
Instruction ID: e06fddb12e50b40615b34da3907f28c72ea8c2612d6e74537d1ed27f9dec2668
Opcode Fuzzy Hash: 4b25ca37d01e3bc8a09bacbf3fb159cc00a4e7ad49f02be89c57188b6cf048d4
Instruction Fuzzy Hash: 8E21367434530BEBFF10EE6849A1FEA3F96AF46794F64401CED96D3185C724DC868221

Uniqueness

Uniqueness Score: -1.00%

Function 00DC09FC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Strings

1.!T, xrefs: 00DC0A55

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 4379ee50a138c9c13fa91673bfe7ac2184ebdcef16be9f6e44ab17c6045e9383
Instruction ID: 8034ec272bb43d23f30665045792c6e56543a78e762cb42391138ff3cdc93497
Opcode Fuzzy Hash: 4379ee50a138c9c13fa91673bfe7ac2184ebdcef16be9f6e44ab17c6045e9383
Instruction Fuzzy Hash: 8121877824430BABEB10AE2449A1FEA2F62EF42398F64401CFD82D3184C730DC879231

Uniqueness

Uniqueness Score: -1.00%

Function 00DC5079, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Strings

ntdll, xrefs: 00DC50B2

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ntdll
API String ID: 2994545307-3337577438
Opcode ID: cf59adcde6631365b0b8f51156ef9062fbd838062a0b4d59fda88821b7e0fcf3
Instruction ID: f2905b97d8cb6a17dc643955052f22e34c1f0e70913e451bb2e4dabff0fc6fdf
Opcode Fuzzy Hash: cf59adcde6631365b0b8f51156ef9062fbd838062a0b4d59fda88821b7e0fcf3
Instruction Fuzzy Hash: 3211C83110D7869FEB22EB689582FD53FE1EB13300B1D4889D490DB517CB21BC5AE7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC88DE, Relevance: 3.2, APIs: 2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fcff2bc506c8073170baeb1ab55760110036fe1cdbb7a425f6695c6fd88103
Instruction ID: 3d9f9a42fa1e312370dbd7422beccf21642dbccfe59f808759177c892d31c3f1
Opcode Fuzzy Hash: 33fcff2bc506c8073170baeb1ab55760110036fe1cdbb7a425f6695c6fd88103
Instruction Fuzzy Hash: 5151E16060C207DEEF296A64C554FB96266EB61360FB8462FE9C387081CF75C8C4B673

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1FD0, Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8e02aa95ab557f841e5375759377ef2b199ecbbce06f3ecff90ae0eb69b6fe
Instruction ID: 838e4050e39b96fc38e5f93fe0a63fd17a1d7e27a5055777f1b217d2278da08f
Opcode Fuzzy Hash: bc8e02aa95ab557f841e5375759377ef2b199ecbbce06f3ecff90ae0eb69b6fe
Instruction Fuzzy Hash: E0E1E271704603EBDB199E28C990FFAB3A4FF15350F25422DEC9A93241DB34E8559BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0CFF, Relevance: 1.9, APIs: 1, Instructions: 368nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4677a3bfbe5abb6e4819fc1e684829d649f68b6dff6e4fa3295515660c6657fe
Instruction ID: 8f4548708883598cf4eabe9a5050c7476087cbc659a983fac92dea994a85ccdf
Opcode Fuzzy Hash: 4677a3bfbe5abb6e4819fc1e684829d649f68b6dff6e4fa3295515660c6657fe
Instruction Fuzzy Hash: C5A19B64648317A6FF3125648AA1FFE265ACF433A0F7C422DFDC397086D768C8829176

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7E0C, Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7ace82f40a10615e097b171d8a0f587214cce37e723cd361930cac34ead7515d
Instruction ID: 7f385528d97f00d4e91bc9df08387cd6bc8d910bea32eeaf0d828487c67ecb34
Opcode Fuzzy Hash: 7ace82f40a10615e097b171d8a0f587214cce37e723cd361930cac34ead7515d
Instruction Fuzzy Hash: CEB1F864A08343CEDB259E288494F69B6D1EF56320F5C82ADD9D68B2D6C770C442E736

Uniqueness

Uniqueness Score: -1.00%

Function 00DC846D, Relevance: 1.7, APIs: 1, Instructions: 246nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00DC7E9D,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00DC8466

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4ac2eb73a7871b49f0f4772356ac3aae8e732bfc6dd87eb6726598ee8fcfff89
Instruction ID: 16729d6d909acc9432459aa2cf4b01317467b4494fc1cea2b28bcb732ddd18ef
Opcode Fuzzy Hash: 4ac2eb73a7871b49f0f4772356ac3aae8e732bfc6dd87eb6726598ee8fcfff89
Instruction Fuzzy Hash: 745149A156D2C19FE70A9B28CC89F763BA9DB57315F19019FE082C70A3C964A806D332

Uniqueness

Uniqueness Score: -1.00%

Function 00DC849A, Relevance: 1.7, APIs: 1, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e45526aa55762065be4e99e8a23603ac2348b1387a7ca856a4cd37989888c2
Instruction ID: b6b1bfdc81fa15b01a434248064a5affb4e3a174ad12640d11f876323b0d3d94
Opcode Fuzzy Hash: a8e45526aa55762065be4e99e8a23603ac2348b1387a7ca856a4cd37989888c2
Instruction Fuzzy Hash: EC41177121E2C59FE70ADB68DC85F723BA9DB57315B1905CEE082C71A3C964AC05D731

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1DBB, Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb68e52accbac1283f36afcb6ee4fedf9e1f64065e0fe6fca98513f9b160e0a
Instruction ID: 0a9829aaa0dd2db96ecb2053f7059f861a64e56be9df46ed7dda2647d19d0139
Opcode Fuzzy Hash: bbb68e52accbac1283f36afcb6ee4fedf9e1f64065e0fe6fca98513f9b160e0a
Instruction Fuzzy Hash: 9031487964C223B6EA3119608D11FFA2255DF427A0F78412EBDC3A70C6D7A1D840A172

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0AC7, Relevance: 1.6, APIs: 1, Instructions: 86nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 4eedfb92dcd44b2b7222527fc355fd6c27c48e673bc9c3b68c8b8f87dc0b42c1
Instruction ID: f02c9dfc2814716b0e6ce31eb0b0871e14c6c15c3fe7576232cda76a9295aaf5
Opcode Fuzzy Hash: 4eedfb92dcd44b2b7222527fc355fd6c27c48e673bc9c3b68c8b8f87dc0b42c1
Instruction Fuzzy Hash: 61214875249307EBEF10EE684951FE63F529F03398F68455CEC92D3146C724EC86D261

Uniqueness

Uniqueness Score: -1.00%

Function 00DC844B, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00DC7E9D,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00DC8466

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a082ce208c2f132c7b6e50e98319d7b26e10bbd825a5419c11cba5b320e60bdc
Instruction ID: c546c4077c87792ccf82bb952680dd026a467b548c7537b61ca5d6b35e6428e5
Opcode Fuzzy Hash: a082ce208c2f132c7b6e50e98319d7b26e10bbd825a5419c11cba5b320e60bdc
Instruction Fuzzy Hash: 0AC012E52250002E69048A28CD88D6BB7AA8AD5A28B14C32CB872222CCCA30EC088032

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0B8E, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84e003fced31ade32b54db09c8bbafee067895e0fb973e35a36d10d7a8d94f1
Instruction ID: 5e0c8f674f7d7f24d7d6ab53a09bf5ea342a1643729b619b79a43f5df81221c0
Opcode Fuzzy Hash: c84e003fced31ade32b54db09c8bbafee067895e0fb973e35a36d10d7a8d94f1
Instruction Fuzzy Hash: CFB1CE34644307DAEF31696889A1FFA2B56DF433A0F7C462DECD297586CB74D8829231

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0C23, Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3678227003838e4058cd39c1de09b9d9d9234d6a3ad1d690c9663c2ea98fd2
Instruction ID: e3948adeca31f831b936e2bcfdb1158d3321b9874fc4029055b288d2ab02c0a5
Opcode Fuzzy Hash: fb3678227003838e4058cd39c1de09b9d9d9234d6a3ad1d690c9663c2ea98fd2
Instruction Fuzzy Hash: C6A1D034648307DAFB31696889A1FFA3656DF43360F78462DECC297586D774C8828231

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0D04, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3eb042ade8c4dad5db8c0cfee1dccda6faa4f1a4bcdec9d3649cdb1c120775c
Instruction ID: ea26ec4c5686c82b096e94c42e795b58fda28d818e9857249fcfdee27444d4af
Opcode Fuzzy Hash: b3eb042ade8c4dad5db8c0cfee1dccda6faa4f1a4bcdec9d3649cdb1c120775c
Instruction Fuzzy Hash: 9F91A024648317D6FB3125648AA1FFA2A56DF433A0F7C462DEDC397487D764C8C29232

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0CBA, Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ac0af3ba0a07e18c371e32571aa388fa85bff8c644dd56b5282a73d95f8d83
Instruction ID: 376e44fd7712bc1ede41f9dc97198b8a582438ca2a37e441c1d0255454353087
Opcode Fuzzy Hash: 68ac0af3ba0a07e18c371e32571aa388fa85bff8c644dd56b5282a73d95f8d83
Instruction Fuzzy Hash: 5C81A024648317D6FB31256489A1FFA2A56DF433A0F7C462DEDC397487D764C8C29632

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4B36, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 7f89db3a40f079a7f1fd8cef03318b12b710e1a78137ce5f877ef9d258f0b00f
Instruction ID: f8778027ab95aa96f0fad6ec85cb25806197748eba7381f539f48aa3dc393349
Opcode Fuzzy Hash: 7f89db3a40f079a7f1fd8cef03318b12b710e1a78137ce5f877ef9d258f0b00f
Instruction Fuzzy Hash: B9F134B024030BABEB219F64CC91FEA7BA2EF15340F64812DED858B281D775D881DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8A56, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 205
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Strings

aH$, xrefs: 00DC8A28

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID: aH$
API String ID: 778332206-933212851
Opcode ID: 8971a50eb7a68629c532164865fea72f985878b2204cff5997481e247012fbab
Instruction ID: 32f64fda74d83e11e1669c61abb7be17c6ed88c30e106c3839ed4812a7ef32f2
Opcode Fuzzy Hash: 8971a50eb7a68629c532164865fea72f985878b2204cff5997481e247012fbab
Instruction Fuzzy Hash: D161282050E247DEEB22EB28C540FB57796AB63310F59099EE482C7551CB31E885BB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4BA6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 83cdf01bdecb20f72be9e61af60fd047e8ce4bbb14cecddaa0a01b8503a320ec
Instruction ID: caea62d39bc9b901ea5b6fe7cb3bd1dfc124036fbcc7414c12915bb54a58ff6c
Opcode Fuzzy Hash: 83cdf01bdecb20f72be9e61af60fd047e8ce4bbb14cecddaa0a01b8503a320ec
Instruction Fuzzy Hash: C461D17060534B8BDB11EFA4C4A1FDA7BA6AF56750F20802DEC428B345DB31D812CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4B44, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 0={,
API String ID: 2994545307-63937952
Opcode ID: 76d04dd5f81a393503de015344273cb6e438ccba3a5ad02209321ecb74a2d441
Instruction ID: 4df7aaaef0a5c857fafd720dd565c898411b131c578e2f7c28f3e247e4dfcc5d
Opcode Fuzzy Hash: 76d04dd5f81a393503de015344273cb6e438ccba3a5ad02209321ecb74a2d441
Instruction Fuzzy Hash: EE51A37074030B8BCB10EFA584A1BDA7BA6AF55750F60812EEC468B345EB31C852DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4C03, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 89fc2b34b164caf49304aa17d325e8d901f8942c5f716d432284e6b067c40fb5
Instruction ID: 0440bac61ae34c33cfea3cc3da237390169bd2d9980bcaf21ba77fc7c1a1d6b2
Opcode Fuzzy Hash: 89fc2b34b164caf49304aa17d325e8d901f8942c5f716d432284e6b067c40fb5
Instruction Fuzzy Hash: 6B51907060534B8FDB11EFA484A2FDA7BA6AF56790F20801EEC468B345DB30D852DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4C9A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: ec70bd3e769fabb4e3a5ffe976457a548c224a309ae20bda4b6c9f5280ac7c56
Instruction ID: ebb8426dd7e5b846f2a6ea3711d3118495b10febd59bec6aae87e60af0d8e219
Opcode Fuzzy Hash: ec70bd3e769fabb4e3a5ffe976457a548c224a309ae20bda4b6c9f5280ac7c56
Instruction Fuzzy Hash: DB51D17060534B8BDB10EFA485A1FDA7BA6AF66790F20851DEC468B305DB30D812DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4BCD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 0={,
API String ID: 2994545307-63937952
Opcode ID: a25a1d0df6ea4326346fd978f2465b02eceee67ba26af3c3c22dfc881f6ad95b
Instruction ID: cff9d85b78db934d0d44debfb2b1e7135d86f70c8093e8817714f219c1356236
Opcode Fuzzy Hash: a25a1d0df6ea4326346fd978f2465b02eceee67ba26af3c3c22dfc881f6ad95b
Instruction Fuzzy Hash: C751A57074130B8BCB10EFA484A1BDA7BA6EF55790F60812DEC468B345EB30D852DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4C62, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0={,, xrefs: 00DC4C4F

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0={,
API String ID: 0-63937952
Opcode ID: 6d1dc367b6c9cad944f4dff31b0d7d183c0ffd87c66a76512a59d528b08a8560
Instruction ID: 1eed15ea10f203e13a1c862a17c51137e655e92f248080299510ff2220526ad4
Opcode Fuzzy Hash: 6d1dc367b6c9cad944f4dff31b0d7d183c0ffd87c66a76512a59d528b08a8560
Instruction Fuzzy Hash: 3741907064534B8FCB10EFA485A2FDA7BA6AF59790F20801DEC468B305DB31D852DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4F9E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC47CE: InternetOpenA.WININET(00DC4FD3,00000000,00000000,00000000,00000000,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 00DC47DF
Part of subcall function 00DC47CE: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Strings

rX4, xrefs: 00DC4F57

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID: rX4
API String ID: 518753361-805084833
Opcode ID: d71153ee07e6ed63048a0f7c361e61e6e7460427149686b8d4cb5a79fc75948e
Instruction ID: 8a19eda9bc0a7f6112eb30fa24cd83108df5795648ac83ef3fd70861d5b9d13d
Opcode Fuzzy Hash: d71153ee07e6ed63048a0f7c361e61e6e7460427149686b8d4cb5a79fc75948e
Instruction Fuzzy Hash: B941223060E3C69FEB12EF788561E967FE1EF17350B19488DE0829B416C761F801D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00DC47CE, Relevance: 3.1, APIs: 2, Instructions: 109networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00DC4FD3,00000000,00000000,00000000,00000000,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 00DC47DF
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: b1db422d9a1ead5d530f91c9f4f65998ea64090ad4fcc0c1cc22dca69e03e00e
Instruction ID: 6704e5e9e23d85811997637f4d468158d5e5c940e47915e0f97a342d4869a749
Opcode Fuzzy Hash: b1db422d9a1ead5d530f91c9f4f65998ea64090ad4fcc0c1cc22dca69e03e00e
Instruction Fuzzy Hash: 83418070244387AAEF349E54CD61FFE36A5AF40740F54812DED8A9B490EB71DA40EB31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC480D, Relevance: 3.1, APIs: 2, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00DC4FD3,00000000,00000000,00000000,00000000,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 00DC47DF
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c915ddefeb1e49201ed4b395594e6eb57ff8e77e574a0d66d0c3e8eb64936ae0
Instruction ID: 988cf72f9e21e902dabd53e32b25e81cd9fe69fe6b343bcaf47e2ced10628932
Opcode Fuzzy Hash: c915ddefeb1e49201ed4b395594e6eb57ff8e77e574a0d66d0c3e8eb64936ae0
Instruction Fuzzy Hash: 3831A0702483C7AFEB319E64DC61FEA3BA49F02740F18445EED8A9B592DB309945DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8496, Relevance: 1.8, APIs: 1, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbca46df2f038ebf779d8ba2685adc2851c825c57c2a6b2884d966e6dc3d0a8
Instruction ID: 0e89a4becac795a4d2465b8611c9ac71b50342df9a97795349d5d8281d308035
Opcode Fuzzy Hash: 0bbca46df2f038ebf779d8ba2685adc2851c825c57c2a6b2884d966e6dc3d0a8
Instruction Fuzzy Hash: B05123A112D6C29FE70A97249C95FB63BA9DB17314F2C009FE5C3C7193DAA9D8059332

Uniqueness

Uniqueness Score: -1.00%

Function 00DC62AE, Relevance: 1.7, APIs: 1, Instructions: 194libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6aaf5a2b215f9b09fafc2f80e80d5a65fead1ebfe4b560749397b579408c4113
Instruction ID: 2a12b9c5f66e7a6b623992a627f19387464dc4caf3424de043a89c3c38f18da6
Opcode Fuzzy Hash: 6aaf5a2b215f9b09fafc2f80e80d5a65fead1ebfe4b560749397b579408c4113
Instruction Fuzzy Hash: 1151B32020E292EBFB22FB6D8540FB9BBD59B17754B5C0C9DE892D7403C351E815973A

Uniqueness

Uniqueness Score: -1.00%

Function 00DC898F, Relevance: 1.7, APIs: 1, Instructions: 185filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: d412adad46908b27f42f4a3b9e049ce0e53bf45e03803845f7e2059a9b610433
Instruction ID: c3d953ef7aff02c3665516689a7c647fb1d1405b6d350ffb806f770fce1465e6
Opcode Fuzzy Hash: d412adad46908b27f42f4a3b9e049ce0e53bf45e03803845f7e2059a9b610433
Instruction Fuzzy Hash: 7651C02020D347DEEF22AA68C440FB57792AB23315F69095EE88397551CF31EC85BB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8C02, Relevance: 1.7, APIs: 1, Instructions: 169filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 834a3b5314129e4b949d74358bc11fda9a15006dded4cb878c99ea8da9eb41d7
Instruction ID: 4554477b99a8f322375d92fec0826656b28f9a716175bd84336571b08511bf7b
Opcode Fuzzy Hash: 834a3b5314129e4b949d74358bc11fda9a15006dded4cb878c99ea8da9eb41d7
Instruction Fuzzy Hash: 5951B46060E342DFFB61EA58C540FA277D69B23715F5D088DE48297152CB22EC85B772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC630A, Relevance: 1.7, APIs: 1, Instructions: 166libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 11bc4938270ceb18945bf9e08a8f6fa053d2afe3bbcab0ef84fb2cfeb81d4f4f
Instruction ID: 32897ff8d65d8f97d51872bf1f0c6e63c3725a057290f9e7b50d2badc1a7b4bd
Opcode Fuzzy Hash: 11bc4938270ceb18945bf9e08a8f6fa053d2afe3bbcab0ef84fb2cfeb81d4f4f
Instruction Fuzzy Hash: 3C51DD2020E3C6ABFB22FFB98580FE57BD59A53754B1D0C9CE892D7417C261E805972A

Uniqueness

Uniqueness Score: -1.00%

Function 00DC892F, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4417f6ae5a3934d3eb9442280facd84d0500892c1d9b7616933321fb8af43b68
Instruction ID: c4ed7d736610aede1f6ae6157626f2a24bfb0893dba957b0a61f3e0cdabc82a1
Opcode Fuzzy Hash: 4417f6ae5a3934d3eb9442280facd84d0500892c1d9b7616933321fb8af43b68
Instruction Fuzzy Hash: 3B51E12060C347CEEF26AA24C450FB577A2AB22314F69095FD88397451CF35DC85BB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DC895E, Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f437ac1bd6c6be6b273fe43e033a3eb71034578cad9d31fab26e8f3c8b8fdd57
Instruction ID: 34c1ee08357a25d58db0a9d76c8087810b26ebe1e59db10dee8bc7f64117b82d
Opcode Fuzzy Hash: f437ac1bd6c6be6b273fe43e033a3eb71034578cad9d31fab26e8f3c8b8fdd57
Instruction Fuzzy Hash: 1451DF2060D347DEEF25AA28C450FB57692AB22315F69095EE88397051CF32DC85BB73

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B22, Relevance: 1.7, APIs: 1, Instructions: 155filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 867b023a9ad259e93af2c611f152e8fbe9c3825f8a864e70f463f978825b944b
Instruction ID: 4c0b3b8f89bf85b3c9f9c7369037c2109921feb53a6c714bf23ec787649a6c72
Opcode Fuzzy Hash: 867b023a9ad259e93af2c611f152e8fbe9c3825f8a864e70f463f978825b944b
Instruction Fuzzy Hash: 1951C06060D347DEEF25EA68C444FB577A2AB23311F69089EE48297051CB32EC85F732

Uniqueness

Uniqueness Score: -1.00%

Function 00DC88F9, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a848a032e4fdf66bcf5d794ff1e365c5bba9b4c6b84f0b5891ac26fc78d5d1e5
Instruction ID: b9d1d7c3c98dd2902f97d45fbbdece1eef54decd8f0ce1b5ece98f01c4b0746a
Opcode Fuzzy Hash: a848a032e4fdf66bcf5d794ff1e365c5bba9b4c6b84f0b5891ac26fc78d5d1e5
Instruction Fuzzy Hash: E941A06060D347CEEF259A248454FB97662AB22311F69095FD88397451CF36C885B772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B72, Relevance: 1.7, APIs: 1, Instructions: 151filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 8670c0fd5522d90d776976314181250afb3b7815613e5a94898e327938f0e8eb
Instruction ID: bd4561aa7ee73a35d08264cbef101ce057b89edc70575414fb752d5bb8e263f7
Opcode Fuzzy Hash: 8670c0fd5522d90d776976314181250afb3b7815613e5a94898e327938f0e8eb
Instruction Fuzzy Hash: 7A51D42060D387DEEF15EB688444FA57B969B23314F6D0C9EE48287452CB61EC85F736

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8AAE, Relevance: 1.6, APIs: 1, Instructions: 140filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: c8e9806a67c63cbabd00efc0944ff7e0275210c4fbb7acdd21044dfe854f69b1
Instruction ID: 2078a7f9cb07151b3c4f899df15c048f19319421d971926faff927ab3866fa81
Opcode Fuzzy Hash: c8e9806a67c63cbabd00efc0944ff7e0275210c4fbb7acdd21044dfe854f69b1
Instruction Fuzzy Hash: 8D41D320609343DEEF21AA68C444FB57792AB23311F69195FE48397151CB32DC81F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8ADE, Relevance: 1.6, APIs: 1, Instructions: 139filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 6a24290dc696c96bb1f760320150260715c14d2f4e639b689c5e969a91e97ba7
Instruction ID: 46e2a7b5bb549ee7e7c724c146af1eadb78eb4dd6ad2b674d118bb876cddbbed
Opcode Fuzzy Hash: 6a24290dc696c96bb1f760320150260715c14d2f4e639b689c5e969a91e97ba7
Instruction Fuzzy Hash: B741D420609247DEEF25EB688404FB57792AB23310F6D199EE883874A1CB61DC84F732

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D6A, Relevance: 1.6, APIs: 1, Instructions: 128filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 1c62894302ee11bd1a9982052c0677289e79858c7ad4c88f7a34d90839f9066c
Instruction ID: 1dd78e8f499f7db1d7dcab44ae69c0604443241a8c54eec5d01e128aa2bcafb2
Opcode Fuzzy Hash: 1c62894302ee11bd1a9982052c0677289e79858c7ad4c88f7a34d90839f9066c
Instruction Fuzzy Hash: C841E02020E3C6AFFB12FF6D9540EA57BD69A2375075D0C8CE48397456CA22AC44E726

Uniqueness

Uniqueness Score: -1.00%

Function 00DC468F, Relevance: 1.6, APIs: 1, Instructions: 128libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC47CE: InternetOpenA.WININET(00DC4FD3,00000000,00000000,00000000,00000000,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?), ref: 00DC47DF
Part of subcall function 00DC47CE: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: 584692fea70e0eb4363184e262bb417f2b14fb9477ec3759b4f78899028e9066
Instruction ID: d08a9912bd1e746e4c375adf601fcd832f9d7c09ac8644ddd8cd7d51a422057c
Opcode Fuzzy Hash: 584692fea70e0eb4363184e262bb417f2b14fb9477ec3759b4f78899028e9066
Instruction Fuzzy Hash: 1541353060A38A9FDB20EF6485A2BD67FA2FF47340F64844DD8C15F156C731A942D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8A7F, Relevance: 1.6, APIs: 1, Instructions: 128filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: b42d170a2eb4a3527f45a44c774b44d885e585967e925f89d34137096e93497f
Instruction ID: c522c5f43eed881711039c2233ad6673a29943fc769d69442654409681c58298
Opcode Fuzzy Hash: b42d170a2eb4a3527f45a44c774b44d885e585967e925f89d34137096e93497f
Instruction Fuzzy Hash: 5741F32060D347DEEF25AA24C444FB577A2AB22311F69195FE88397191CB32DC80F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC46AE, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9868028ea170cbec7d30983065ff9ddf74762ac331c1c48b1f9c29aa6f67f3e
Instruction ID: fc7ec4dd3cc5c3b13e6e989c12a644ae4ae17404c2b44607c56fc4eb85caeeab
Opcode Fuzzy Hash: c9868028ea170cbec7d30983065ff9ddf74762ac331c1c48b1f9c29aa6f67f3e
Instruction Fuzzy Hash: 9B41253060A3C69FDB21EF748561BD63FA2AF13340F65448CD8C29B156C731A842D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00DC474E, Relevance: 1.6, APIs: 1, Instructions: 120libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0b054d425bbad70d12dbe6f71059ee9ab9117edd58cba34d4d1d6b102642b4e
Instruction ID: 2574010cd97ca098380bce071321cfa758763d0a741765f94c5842e58f6e20eb
Opcode Fuzzy Hash: f0b054d425bbad70d12dbe6f71059ee9ab9117edd58cba34d4d1d6b102642b4e
Instruction Fuzzy Hash: CB41113020A3C69FDB22EF648965FD67FA1AF13340F58888DD4819B157C771A841D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8E82, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91247ff59a2bdc30d8ba5f27ecff8085189358d1a2a2d738b63507b4b0266efd
Instruction ID: 4484d84226c5481c6bebc07e26565ef23ea739caed69dc564c95541e8a3554be
Opcode Fuzzy Hash: 91247ff59a2bdc30d8ba5f27ecff8085189358d1a2a2d738b63507b4b0266efd
Instruction Fuzzy Hash: 6D41B82120E386AFFB12FF6CC540EA57BDA9A27750B5D0C8DE48297556CB22BC01E725

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4702, Relevance: 1.6, APIs: 1, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ccfc975306a8060c4f11bc25f0f7257b4ceb86ef56c2cf3ed3e023283f85547
Instruction ID: e74b6012c84cd7e5886e9af878983cdc8b54e6eec4f4eb6e9232a100a6e6df10
Opcode Fuzzy Hash: 9ccfc975306a8060c4f11bc25f0f7257b4ceb86ef56c2cf3ed3e023283f85547
Instruction Fuzzy Hash: 6A41233020A3C69FDB22EFB48965BC67FA1AF13340F59488DD4C29B157C731A801D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8CB1, Relevance: 1.6, APIs: 1, Instructions: 117filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 719e63f941de513f512367438cebde27e953f0e150da666dd3e22f299c0d8569
Instruction ID: f5afd944ee6d2343d2432721d539c91a0202cb84639f08a0903ebe40128a0f79
Opcode Fuzzy Hash: 719e63f941de513f512367438cebde27e953f0e150da666dd3e22f299c0d8569
Instruction Fuzzy Hash: D741D62060E383DFEB16EA688644FE13BA59B23354B6D088DD48297512CB32A845F771

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4876, Relevance: 1.6, APIs: 1, Instructions: 116networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: e8cd5bb889e6e796f179b28f703731a81c63d8daae3803f805a67a947f17ce67
Instruction ID: 5f3104add63314855dec50b5bcb8d8f2868edeec93708627b143543863f5a39d
Opcode Fuzzy Hash: e8cd5bb889e6e796f179b28f703731a81c63d8daae3803f805a67a947f17ce67
Instruction Fuzzy Hash: 80418F30209287ABEB31EEA8D960FEA37A5AF46750F19481DEC86D7542D730ED419B31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC62CA, Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a857edf3ef15ca16de027dc6aac024342981ebb791fc8a4d76c7964ca6a00bcc
Instruction ID: af1d0f0e8d6392b617cc6d01e2ac26613849a8addf4ad8bd498202b0adc7751c
Opcode Fuzzy Hash: a857edf3ef15ca16de027dc6aac024342981ebb791fc8a4d76c7964ca6a00bcc
Instruction Fuzzy Hash: D731936020E296ABEF22FBB98540FA9BB95DB53754F58095DF8C2C3407C355E801973A

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4CEA, Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c47b4ca384c02d320e6f23969e72ebd4fcffab5813b32ef95db91cfb44eb06a0
Instruction ID: 55204d51f6d42e78a1d7346a118bb7015a2bc1af9265c64a949ed2a157dd1218
Opcode Fuzzy Hash: c47b4ca384c02d320e6f23969e72ebd4fcffab5813b32ef95db91cfb44eb06a0
Instruction Fuzzy Hash: 1B41F37060534B8FDB11EFA88462FDA7BA6BF56790F20805DEC428B246DB30D811DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B44, Relevance: 1.6, APIs: 1, Instructions: 114filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 077875274481c2484e776ed376abbba648c665a820830c1447a227194a01f13e
Instruction ID: 18fd90f51a9474d6dbdc72f24e02de7e7e8e775b720630994abd592e1b700ae3
Opcode Fuzzy Hash: 077875274481c2484e776ed376abbba648c665a820830c1447a227194a01f13e
Instruction Fuzzy Hash: E841BF60609347DEEB25AB24C454FB577A6AB23315F6D089EE88247061CB72DC84F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4D3A, Relevance: 1.6, APIs: 1, Instructions: 111libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac8c763c8ff2a751189c0fbc175a689909dea3b874022505cae2fd061b661911
Instruction ID: c39704f3d32eed2cb4c73c6adba9f25d591cb612af4d236f8ab733d5ac1ec944
Opcode Fuzzy Hash: ac8c763c8ff2a751189c0fbc175a689909dea3b874022505cae2fd061b661911
Instruction Fuzzy Hash: C941287064A34B8FDB11EF648462FCA7BA6BF56750F20805DEC428B246DB30D811DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC48C6, Relevance: 1.6, APIs: 1, Instructions: 109networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: fb1e77d0fb1e6654818f242ef4c5c08ea7c232b063c54fd10ab57f4c8ef4f571
Instruction ID: 84a2c13995827c4c64c0d82a8656838ca3ca74fc98b878a8b8890929ba7af371
Opcode Fuzzy Hash: fb1e77d0fb1e6654818f242ef4c5c08ea7c232b063c54fd10ab57f4c8ef4f571
Instruction Fuzzy Hash: 2441A36110A3C7AFEB22DF64DC60FEA3BA59F17340F09089ED885DB452D6309904DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC484A, Relevance: 1.6, APIs: 1, Instructions: 105networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,?,?,?), ref: 00DC48B0

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 94d56d9bad0b62cffde2371ef218da7edf93de481de10a0d210dda79c4ac04e5
Instruction ID: 7df4c05b2eadebb59d9380146b6a9492b8c42bb9d2c368d94fdd6b6a3d2e93ba
Opcode Fuzzy Hash: 94d56d9bad0b62cffde2371ef218da7edf93de481de10a0d210dda79c4ac04e5
Instruction Fuzzy Hash: C931C070208387AFEB319E64CC61FEA3BA49F06740F19445DEC869B582DB31A941EB31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4E1E, Relevance: 1.6, APIs: 1, Instructions: 103libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 748694bb12ed62619360f4b4d8fbbd0540751420eac5810f7c6bb35df11d38e6
Instruction ID: c83c02e1360b33f42bb055ae2bc2ae8c3dc127dbc0531146a94ecc1c06c6eb74
Opcode Fuzzy Hash: 748694bb12ed62619360f4b4d8fbbd0540751420eac5810f7c6bb35df11d38e6
Instruction Fuzzy Hash: 6431227020A3879BDB02EFA88451FDA3BE6BF12750B24445CE8428B206CB30E811D7B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC89FF, Relevance: 1.6, APIs: 1, Instructions: 101filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: b1f8d4c89c1d209859319673815c2beaca17e1b70c4f6a158c6d30753369e51d
Instruction ID: 119949053622464d505b1047256d9b9fce18c7996b0c7791d0d548fc8eeb6c04
Opcode Fuzzy Hash: b1f8d4c89c1d209859319673815c2beaca17e1b70c4f6a158c6d30753369e51d
Instruction Fuzzy Hash: F131BF60608207CEEF259A14C464FB96262AB61325FB9156FE88347190CF76CCC5F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8A26, Relevance: 1.6, APIs: 1, Instructions: 99filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 947f33cff946bba6ad55f4c8b331ef73dddaeec728fd33c421209cd0a56ca44f
Instruction ID: 7061494e6d11447aae7ae97dccc2151bd7328c9f9688df9581491f0d3f6a7585
Opcode Fuzzy Hash: 947f33cff946bba6ad55f4c8b331ef73dddaeec728fd33c421209cd0a56ca44f
Instruction Fuzzy Hash: 8C31BF60608207CEEF249A10C564FB96262AB21311FB9155FE883471A0CF76CCC4F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC479E, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb3093aea8c7b864614715ccb95e05df5ef3e11ea346527941c8d0740f38d033
Instruction ID: 1ce4353a2f4daa4c2b9eba4290064325888fe026007bcf610ce9bcf05a6d2247
Opcode Fuzzy Hash: eb3093aea8c7b864614715ccb95e05df5ef3e11ea346527941c8d0740f38d033
Instruction Fuzzy Hash: EF31323020E7D69BDB22EFB88565F927FA1BF13300B29488CD4C29B453C361A811D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8BCC, Relevance: 1.6, APIs: 1, Instructions: 94filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: f973a7ec10696219a000e97fed3d97eb7517c775465869f94b32d4396bc6a617
Instruction ID: 00aeccac1aaf1d456fefaaf4a6c85e2463fc6475ab18f9b001afb45de4747c45
Opcode Fuzzy Hash: f973a7ec10696219a000e97fed3d97eb7517c775465869f94b32d4396bc6a617
Instruction Fuzzy Hash: 7831D420509347DEEF15AB24C514FB5B7A6AB22315F6D198EE88247091CB22DCC5F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7665, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3536beb867e8d07c386686d16264558c6b6f460ecd518b64ef70871c3e854bb0
Instruction ID: 7db770507d7edc4a1e3e5c391617997693f4d6e514b4314092185c646bf6fcba
Opcode Fuzzy Hash: 3536beb867e8d07c386686d16264558c6b6f460ecd518b64ef70871c3e854bb0
Instruction Fuzzy Hash: 7E21576414C257E6EE282AB48A61FFE2155DF527A0F78022EFED383086DB64C440B973

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8C71, Relevance: 1.6, APIs: 1, Instructions: 92filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: e044a099de0dca171987ed3a1cf3ff872bb9e1fda5f100d21b1c4f38390e14b0
Instruction ID: 2a4b08a36740d5dd40b41c1d48ac780cd17ec7ce56c2069072d152d2b9f42346
Opcode Fuzzy Hash: e044a099de0dca171987ed3a1cf3ff872bb9e1fda5f100d21b1c4f38390e14b0
Instruction Fuzzy Hash: 7E31C92060E383DEEB15EB28C554FA177A59F23315F5D088EE88247162CB22D8C4F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D1E, Relevance: 1.6, APIs: 1, Instructions: 88filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 11c3083dc88ca23ddfacc51e6738399b142ffd57f0ca098cfd921cc0436bd413
Instruction ID: e928faafa1f4f99598dfa5a6efffb39103a50d3a0a339b8e9d2a578ce6f394af
Opcode Fuzzy Hash: 11c3083dc88ca23ddfacc51e6738399b142ffd57f0ca098cfd921cc0436bd413
Instruction Fuzzy Hash: 7621D62020E283DEFB26FA68C540FF537959A233547AC088ED48387555CB22A845F731

Uniqueness

Uniqueness Score: -1.00%

Function 00DC00EC, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6fc16e36f3d783b7f61d4c66cbbfdda3473258ba0a23c60ee831e1a7e63b3c
Instruction ID: ba82e7692f12bf6c9bff1869ad2879c5d3da4576d2dd73dbefbfbbb48e20cb11
Opcode Fuzzy Hash: 2c6fc16e36f3d783b7f61d4c66cbbfdda3473258ba0a23c60ee831e1a7e63b3c
Instruction Fuzzy Hash: 11119B8454C367E1AF253AA48665FFEAA9E8F527A0FBC412EBDD3830078755C048717B

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B09, Relevance: 1.6, APIs: 1, Instructions: 84filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 68e7dcc3ce3d1113b6e969b583a2bec2118b05f2f1e7f93d0369e8117068a90e
Instruction ID: e7f5b51ac3b9bcb3bd1dd0e0bc4de690f3f64c24414b6b886dc92d1ff1e1bd03
Opcode Fuzzy Hash: 68e7dcc3ce3d1113b6e969b583a2bec2118b05f2f1e7f93d0369e8117068a90e
Instruction Fuzzy Hash: 06218C60608307CDEF299A20C554FB56266AB62326F7D159FE8830B0A0CF72C8C4F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4D8A, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f51971ba27a04e5ae32452d18a19740d3dac10625ce683874d05e862aff332e1
Instruction ID: ecea794f4ae29d41ff6e03364d9f732ff0d43013753f56f88a0e032c87eceb65
Opcode Fuzzy Hash: f51971ba27a04e5ae32452d18a19740d3dac10625ce683874d05e862aff332e1
Instruction Fuzzy Hash: B321267060534B9BCB11EFA88452FDA3BEABF56390F20845DEC418B206DB30E812DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4EE0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9dde39fce7064a31ad78e5e496ed3272186cc6aa0421e4f08a5a614a5c224fee
Instruction ID: 61ea620d4ef04c89b56b25c52edcd8776583c33397c9f828b2c753817686d039
Opcode Fuzzy Hash: 9dde39fce7064a31ad78e5e496ed3272186cc6aa0421e4f08a5a614a5c224fee
Instruction Fuzzy Hash: AB21662000D7C35FDB02AB745865F967FE4AF43310B1985CED4818B867C720B946E735

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8BA6, Relevance: 1.6, APIs: 1, Instructions: 74filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: b1bcb37ad154e1506116d50eb232e3a39fee61fca8828056921dcadf6223ce87
Instruction ID: 04199a829ecbd4bf862a92899390abd8ce9bc81e75b6ee10f92ba6a5afe50e86
Opcode Fuzzy Hash: b1bcb37ad154e1506116d50eb232e3a39fee61fca8828056921dcadf6223ce87
Instruction Fuzzy Hash: 8F219320608307DDEF259624C518FB5B266AB71325FAD555FE88347091CB36C8C4F772

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4DEB, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ddd5b9bcf6e022ff6538ba7a26227be97612421899e376d25002b5a6a2362e7
Instruction ID: ca0f33db8cd07a136b92179d3cfe364dd725fbaf629b204cedbad3d305f18fbf
Opcode Fuzzy Hash: 7ddd5b9bcf6e022ff6538ba7a26227be97612421899e376d25002b5a6a2362e7
Instruction Fuzzy Hash: 1521B37060934B8FDB11EFA48551F8A7BA6BF56790F24805DE8418B246DB30E811DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4D61, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 751f89919ca7cf1e5fa114a48484fc480f5aa78596e731a2cf8a87492de7b176
Instruction ID: a58a6fd09760bb6cedd093ad72056782a1b45bd2e37eccbae34cf4db5a58f607
Opcode Fuzzy Hash: 751f89919ca7cf1e5fa114a48484fc480f5aa78596e731a2cf8a87492de7b176
Instruction Fuzzy Hash: 4721C87064534B8BCB11DFA48492BCA7BA6BF55790F20802DEC458B205DB30D811DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8E45, Relevance: 1.6, APIs: 1, Instructions: 71filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 92885758edf3b654390d7317bd5a72e13392f346bba9182a9d7d6b4b56e31a14
Instruction ID: d0bd03a86c1d1fa0ab5d553f90b6fa1535a91f6d5624621e2e453d3fd860e73c
Opcode Fuzzy Hash: 92885758edf3b654390d7317bd5a72e13392f346bba9182a9d7d6b4b56e31a14
Instruction Fuzzy Hash: FD11E96160D3979EFB13EF78C640FA97B9ADA17314F6C088CE48397156CA62A845E321

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D3A, Relevance: 1.6, APIs: 1, Instructions: 56filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: ec671602b39a7b8c28fcd63917d706ea8bc06ae1ad4576ad2925c37364070776
Instruction ID: f117531bd47ee23ce7d3dcbc13cb6ed71af1ddcd0a8f9cb219f800527409841f
Opcode Fuzzy Hash: ec671602b39a7b8c28fcd63917d706ea8bc06ae1ad4576ad2925c37364070776
Instruction Fuzzy Hash: 7C01D2207092479EBB26FA78C050FB53796D9233507AC1C8DE8C387565CB22A881F331

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4E8C, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 527ff68bc3a3b95d79d6d3d69c3bacacb3315c52aa670c1d3eaf26f83fd33aac
Instruction ID: 81bd0bd4e86f0af249ea84c9aa2135c244c8f75a3d3a9d6b81fa6e78a089440e
Opcode Fuzzy Hash: 527ff68bc3a3b95d79d6d3d69c3bacacb3315c52aa670c1d3eaf26f83fd33aac
Instruction Fuzzy Hash: A111293050A38B9FDB02AFA48052EC73FA5AF13750B254889E8814B517DB34A822E7B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6286, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b8469a3ea64247e50e550eae2007dd2ee54b9b90b188bc38eb89caba0d007aef
Instruction ID: e1ea48cda16b400cbadac06f25ce48909745339df06b903232b06d67fee9b838
Opcode Fuzzy Hash: b8469a3ea64247e50e550eae2007dd2ee54b9b90b188bc38eb89caba0d007aef
Instruction Fuzzy Hash: 7A01F49010C1A7E6DE253AB48611FFD3256DB023A0FB8412EFED3830068765C4406673

Uniqueness

Uniqueness Score: -1.00%

Function 00DC63AE, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 34f9e0c7cf3eee6ab5ab3691b8a93e2d829c4beab2271bd3c02375da53eedcaa
Instruction ID: 02b1d5b30ae55dfe454dff67ca9d3c995be63fe8f9044a6f18067df984e33fe3
Opcode Fuzzy Hash: 34f9e0c7cf3eee6ab5ab3691b8a93e2d829c4beab2271bd3c02375da53eedcaa
Instruction Fuzzy Hash: D5014F2020E386ABAF16FFBC8540EE637D29A47794B591C9CE892D7516C761F8049722

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8D96, Relevance: 1.5, APIs: 1, Instructions: 43filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 36e88aef834b8d78a1773baa3139f1a80abf46ff88c7feefa7dc97a1df3c982c
Instruction ID: 21e6acc17a3e7fc7027f2200d2908024f8faabad11fe79da8b20d185cc195240
Opcode Fuzzy Hash: 36e88aef834b8d78a1773baa3139f1a80abf46ff88c7feefa7dc97a1df3c982c
Instruction Fuzzy Hash: B9F0C820709247DEBF26FE78C400FE5379A991371479D098CE88387565CB23AC81F325

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0742, Relevance: 1.5, APIs: 1, Instructions: 38nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00DC0837,?,00000000,0000510A,00000020,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC07EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 77db77bb1c8192bffd1410eb684ff8039d49e04af468e6933b15429faca9aee2
Instruction ID: 7f677ee8c6337a321618babce620de5b9adeddc876539f50f29c32144c0d4460
Opcode Fuzzy Hash: 77db77bb1c8192bffd1410eb684ff8039d49e04af468e6933b15429faca9aee2
Instruction Fuzzy Hash: 9AF0243410D203EEDA95E6248C90F792BE59F95720F30C42EF496D71C1C020A840DA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8DF8, Relevance: 1.5, APIs: 1, Instructions: 37filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?,00DC50F2,?,00DC30F2,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00DC8E3B

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 20b35d7f5bf7eb7da883a2af535258ec4c00fc97d969a2d8e538c812fa30b929
Instruction ID: 9dc35d71a6c8ffff631b9e0123bfb3894cf4c5b8ed431f9be9a1763dafe633c8
Opcode Fuzzy Hash: 20b35d7f5bf7eb7da883a2af535258ec4c00fc97d969a2d8e538c812fa30b929
Instruction Fuzzy Hash: 7BF0B42020D347DFBF16FE68C540FA67B9A9D13740B9C0C8CE44397525CA22AC84E376

Uniqueness

Uniqueness Score: -1.00%

Function 00DC079A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00DC0837,?,00000000,0000510A,00000020,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC07EB

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: c8fff4ec5a57611b01cc0f45674071b3e4338707782591ccb32214984ddbb9e4
Instruction ID: c59a2880639ec81dedca8e3455334bc34cd445c48ca3c9b5de4cb7148ce4817d
Opcode Fuzzy Hash: c8fff4ec5a57611b01cc0f45674071b3e4338707782591ccb32214984ddbb9e4
Instruction Fuzzy Hash: 63F08274209106FEEA55AA24DD90F793AE59B96B20F30C82CF4A6D75D1C520E8419A31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC637E, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7e8b7735a7ec05fee2f3569820638273edac6b034c1f5454a9e60a46a5e1b352
Instruction ID: 1a48ba440aac819127a4be91bc79b1f020e04b2832ff3bde0e374c6ea98449dd
Opcode Fuzzy Hash: 7e8b7735a7ec05fee2f3569820638273edac6b034c1f5454a9e60a46a5e1b352
Instruction Fuzzy Hash: 64F0902010D2E7D79B0ABFA88100FEA37919907398BAC085CFCD383002C765E4049722

Uniqueness

Uniqueness Score: -1.00%

Function 00DC076E, Relevance: 1.5, APIs: 1, Instructions: 33nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00DC0837,?,00000000,0000510A,00000020,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC07EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 01bcbdb96aa450e7bab76fb76ca8601ddb7e64bbecd355102a7ede061f53cdd0
Instruction ID: 1fe24135f5e1bd1254203925a566d8aff38997bcedae75cf8964aae3674d1d2c
Opcode Fuzzy Hash: 01bcbdb96aa450e7bab76fb76ca8601ddb7e64bbecd355102a7ede061f53cdd0
Instruction Fuzzy Hash: F6F0A074209106FEDA94EA288D90F3D2AE6DFC6B20F30C86CF4AAD75D1C520E8419B31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC07B8, Relevance: 1.5, APIs: 1, Instructions: 28nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(00DC0837,?,00000000,0000510A,00000020,00000040,00DC0A1D,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC07EB
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC0AA5

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 5cf12ade839df3952328cf2ed22f62b2630b66e5cf4be01bcc58fd9b3ff59083
Instruction ID: c2756044ae1a655a3674d71d95e67a6c8a92dee81eda9426222b4cb002d4495c
Opcode Fuzzy Hash: 5cf12ade839df3952328cf2ed22f62b2630b66e5cf4be01bcc58fd9b3ff59083
Instruction Fuzzy Hash: 0FE09279205106EEDAA4AA24CD40F7E36E5DFC9720F30C92CF4AADB691C53084858B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC468A, Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb34fe92f3031e14ed9f1094632ff198218a165f2ff7fbb0c2af3a970598c4bf
Instruction ID: 10594f6c4360d892b0c0ee4686cfea2320dac86044ffa389cdbbba568ef74e64
Opcode Fuzzy Hash: fb34fe92f3031e14ed9f1094632ff198218a165f2ff7fbb0c2af3a970598c4bf
Instruction Fuzzy Hash: BFE0C23B08238B1ED9006A74024ABC77F249A8235035EC08E9151C357A8F147E57F3F5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC430A, Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00DC4297,00DC4355,00DC0A22,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC42FD

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b9283189814f6a031c1261a28c5dc8f104b8d3fcaa22487a9846dcb3aeed55da
Instruction ID: 9c4a497b3349c21ba5d1c57d6255a21350bc3693a4cc714afe994ee925cf682e
Opcode Fuzzy Hash: b9283189814f6a031c1261a28c5dc8f104b8d3fcaa22487a9846dcb3aeed55da
Instruction Fuzzy Hash: 6DE0263010E2C2ABEB21FF388841F86BB819B03240F154C88F456D3002C321B411C329

Uniqueness

Uniqueness Score: -1.00%

Function 00DC623C, Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00DC6439), ref: 00DC6404

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d20705a509bc88788a139ed4b6265eac5ab1b8dccc975818000088cdad72f077
Instruction ID: 2d1c2f4f52762cfad56bd5c923a22e4e3d2e5568027f85833a96c09028ba9196
Opcode Fuzzy Hash: d20705a509bc88788a139ed4b6265eac5ab1b8dccc975818000088cdad72f077
Instruction Fuzzy Hash: CDC0129441D277E85B1C3A508A29FBF2434CF407D5F64442CFCC3431005F31C4005135

Uniqueness

Uniqueness Score: -1.00%

Function 00DC42E9, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00DC4297,00DC4355,00DC0A22,00000000,00000000,00000000,?,00000000,00000000), ref: 00DC42FD

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
Instruction ID: 90778f157ef074656d7de284b4bab831f576b04e2021a8a1eff49e75729f027a
Opcode Fuzzy Hash: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
Instruction Fuzzy Hash: A4C092717E0300B6FA348A208D57F8A62159B90F00F30840877093C0C085F1B610C62C

Uniqueness

Uniqueness Score: -1.00%

Function 00DC162D, Relevance: 1.3, APIs: 1, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 11d2c22560b4e0e64189e5a85e06d662b3a0d6bce01278f80a4f5b2060dfe284
Instruction ID: 0f7eb9c3cc8b22070925fe7b7278f646dac6599a7428c4dfe18df8e4254dce69
Opcode Fuzzy Hash: 11d2c22560b4e0e64189e5a85e06d662b3a0d6bce01278f80a4f5b2060dfe284
Instruction Fuzzy Hash: CF11513424A396DBEF26AF759804FEA3BA29F43740F18084CE88597413C771D964A732

Uniqueness

Uniqueness Score: -1.00%

Function 00DC15EE, Relevance: 1.3, APIs: 1, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9352d7e7c8a4fe8b36baf7ff838d1a53e0cc58ac2a278d7e0bc0f74f5856ae0d
Instruction ID: 781f467d55551cd18206a973eddb677c2c45f26395f20fd02ff99acd7f2121ac
Opcode Fuzzy Hash: 9352d7e7c8a4fe8b36baf7ff838d1a53e0cc58ac2a278d7e0bc0f74f5856ae0d
Instruction Fuzzy Hash: AB119E3428935AEBEF256F258D55FEA3BA2AF47740F18440CFC4697002D731DA60AB32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC16BF, Relevance: 1.3, APIs: 1, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ff3bbf9aab3365a966ce5b26833a7b5d83a9bea1d7ecd42c3b5a86178471a5e2
Instruction ID: 7b2350dd868bf1d556f1b5fa6beade657907538e2a1bb365c65f0aea67106d0a
Opcode Fuzzy Hash: ff3bbf9aab3365a966ce5b26833a7b5d83a9bea1d7ecd42c3b5a86178471a5e2
Instruction Fuzzy Hash: CA11E22564A3D6AFEF22AF248844FE93B66AF03344F19088DE8818B453D371C9659732

Uniqueness

Uniqueness Score: -1.00%

Function 00DC158D, Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC468A: LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: ba9461119e50546d6d99856ea3c5b824bda2fc96c338713eb3c5d1e96fc9b8bd
Instruction ID: d8bea3959f046bfe50a94cd6655d8e810c9da1f8f77c72191e922e1d7b34e67f
Opcode Fuzzy Hash: ba9461119e50546d6d99856ea3c5b824bda2fc96c338713eb3c5d1e96fc9b8bd
Instruction Fuzzy Hash: 49117C3478531ADEEF256F219D55FE93762EF82740F18400DEC4A8B042D731C660AA32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1560, Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC468A: LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: c0f581927610b23d896641d3ab9c700f40462e0e70c7ae2456dce85e1744afec
Instruction ID: 279052ef018c620b7634b1fc776a7cfabd208680551a26b851ee5582325f280d
Opcode Fuzzy Hash: c0f581927610b23d896641d3ab9c700f40462e0e70c7ae2456dce85e1744afec
Instruction Fuzzy Hash: 50113C3878531AEAEF352F219E55FEA3766AF86740F28400DFD4A47042D731C664AA32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1676, Relevance: 1.3, APIs: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8e7cb2735ce6664672d2bc1b4babd8cbff5f2945d4a6063816f6f33612384a1b
Instruction ID: c95a32e56c61615ef700a1d81d738547911858f3b4b2242ac9d0bd6c9e9e6eb2
Opcode Fuzzy Hash: 8e7cb2735ce6664672d2bc1b4babd8cbff5f2945d4a6063816f6f33612384a1b
Instruction Fuzzy Hash: D111C23424D3A5AFDF22AF648844FD93BA6AF43740F18448CE88597153D375D861A732

Uniqueness

Uniqueness Score: -1.00%

Function 00DC15C2, Relevance: 1.3, APIs: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC468A: LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: d987186f8958f664fa1318071561337cbd073873a2eafd0fde97d901f8c6610c
Instruction ID: a4e8fb29afee264d4c01979441dabc17b37a379b6fbeaabc9c15fd3312dfca79
Opcode Fuzzy Hash: d987186f8958f664fa1318071561337cbd073873a2eafd0fde97d901f8c6610c
Instruction Fuzzy Hash: 63014C3438531AEAEF351F219E55FEA3767AF42740F18400DFD4956042D771CA64AA32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC156F, Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC468A: LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: 6b298533e090c1e4c4ce7779ec2f0d02ad5ee123d4aace40d52f4d6b61bae110
Instruction ID: 2cf09b183c35afdb11b5e54570c50f95ef355c5b72287a3240c27856f5d08aec
Opcode Fuzzy Hash: 6b298533e090c1e4c4ce7779ec2f0d02ad5ee123d4aace40d52f4d6b61bae110
Instruction Fuzzy Hash: BD014C3438531AEAEF351F218D55FE93762AF82740F18400DFD4A57142D731CA60AA32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1587, Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC468A: LdrInitializeThunk.NTDLL(B800001B,?,00DC1D72,?,00000000,?,00000050,00000315,?,?,?,?,?,?,00DC50F2,?), ref: 00DC5073

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000315,?,00DC6143,00000000,000000FF,00000007,?,00000004,00000000), ref: 00DC16EE

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: cf32073a2e3426b41f1281cca78d6661184685c54bb131003e9fe8b32d2e0694
Instruction ID: a1c37c80614f71327c94520ee4232ba700d0adaa7f934b65add040eadc6d6462
Opcode Fuzzy Hash: cf32073a2e3426b41f1281cca78d6661184685c54bb131003e9fe8b32d2e0694
Instruction Fuzzy Hash: EE012C3428939ADBDF265E218D15FE93B62AF43340F18411DEC8A87142D735C664AB32

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DC4236, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

C:\Program Files\Qemu-ga\qemu-ga.exe, xrefs: 00DC4355

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files\Qemu-ga\qemu-ga.exe
API String ID: 0-2445177104
Opcode ID: bc4994659978f11c35b7e148deb97586e055191f74f73e52f4c0ea3f13a6c67b
Instruction ID: cccac3a3c7b16d624e6ff1047ad90ce03145fdd3ea229166e9a25a4ebbc3744e
Opcode Fuzzy Hash: bc4994659978f11c35b7e148deb97586e055191f74f73e52f4c0ea3f13a6c67b
Instruction Fuzzy Hash: CA315770209383AFEB10ABB89561FA63BA6DF57330F65455CE89287153D770D840C735

Uniqueness

Uniqueness Score: -1.00%

Function 00DC421B, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

C:\Program Files\Qemu-ga\qemu-ga.exe, xrefs: 00DC4355

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files\Qemu-ga\qemu-ga.exe
API String ID: 0-2445177104
Opcode ID: da5504eb67321b895845a3d1c9f742c3d209fd4c0eeac871bae7483b2bc0a46a
Instruction ID: 53f73aacc50cc10a7132517cffa8e996ccc1b59c972ba0e1249f783d2c789f69
Opcode Fuzzy Hash: da5504eb67321b895845a3d1c9f742c3d209fd4c0eeac871bae7483b2bc0a46a
Instruction Fuzzy Hash: 903154702093839FEB14AB789562FAA3BA6DF57370F64059CE88287153C370D840C735

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2684, Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2360591a535876496bdb49534d88de6f279d7d1cd0e2afb52ee38844ad7ed0e
Instruction ID: fce59ebced60e8f668bd663215b55f2be38b8029f4f78885883ceb4ba0e7a687
Opcode Fuzzy Hash: c2360591a535876496bdb49534d88de6f279d7d1cd0e2afb52ee38844ad7ed0e
Instruction Fuzzy Hash: 16D132B1740207AFEB215E24CC85FE936A1FF04350F68822DFD86972C1D7B9D9859B61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2696, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7a1f8cda9104e860299ca49e5c49bfa2756983627ffe1d659adf57116b9f3d
Instruction ID: dc46cdb56dfb83c68557f650bd09a0317071d3dad9374db5a18d3c48c9e0b086
Opcode Fuzzy Hash: aa7a1f8cda9104e860299ca49e5c49bfa2756983627ffe1d659adf57116b9f3d
Instruction Fuzzy Hash: 3251CD71744603AFDB199B28CD91FF6B3A4BF16350F29422CEC9693242DB20E845DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC7E22, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 31feb4ccb62e27f31eadce2eb6567e5ae49edbfb2630c081512b05602409a997
Instruction ID: 319004b7a14af802b928485bd513d6a62878857ee9fdaf764a9cea70d3edad3a
Opcode Fuzzy Hash: 31feb4ccb62e27f31eadce2eb6567e5ae49edbfb2630c081512b05602409a997
Instruction Fuzzy Hash: 685192709083838EDB21CF68C484F65BBD1AB26320F58869DD8D68B2D6C774C846DB32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC29A6, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c0349306c3226ca616e7dd229bca9343b85cf351eca4f1ec340a36a2a162ae
Instruction ID: aab3a4c4c03c3cfc3e61ab4b229620e88d1ab4180ebff88080fbe790df68391d
Opcode Fuzzy Hash: 29c0349306c3226ca616e7dd229bca9343b85cf351eca4f1ec340a36a2a162ae
Instruction Fuzzy Hash: F5412830249382DFEB21AB688850FF97BE1AF16710F59455DE886CB192C770D845DB32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC26DC, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc23c91be88b3269c2e818951eada163a9ec7249aa0a595a99f48799a9c363c
Instruction ID: be1431e305236d072cfd49eac6ea28e0daa1deb5a9db529ca576ce076eab293c
Opcode Fuzzy Hash: 9bc23c91be88b3269c2e818951eada163a9ec7249aa0a595a99f48799a9c363c
Instruction Fuzzy Hash: 6E4125317446039FDB16AA28CD81FBA73E4BF06360F25423DEC9697252DB20E8459B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC299C, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1193e724c7828e69a614fd50246bd745df1e919e4b8f9df1b9c9ce0630de4f59
Instruction ID: c8bd6c3c0f2e54f666983409ec3f2af4bb52736037bfd1b0711c69a74f6c5f2d
Opcode Fuzzy Hash: 1193e724c7828e69a614fd50246bd745df1e919e4b8f9df1b9c9ce0630de4f59
Instruction Fuzzy Hash: 7831EF30284343EEEB246F24C869FB973A1AF14751F65411EF9C69B1D6CB74C880DA32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC29E7, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16411d60ff4623f723788b64748f8484babadecabce0cb6201a4659dec21839c
Instruction ID: e1080bcd37aeb7ad3351d3e49f759c82c933fdd4f648d912e15a0c73a974f3f2
Opcode Fuzzy Hash: 16411d60ff4623f723788b64748f8484babadecabce0cb6201a4659dec21839c
Instruction Fuzzy Hash: 0A31E530249342AFEB22AF289861FF537D1AF16750F69445DE8829B1D2C7709881DB32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2A37, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd61b55252adff2a8cb49d0554b0ebc4a9c564d00ff83a2503f4c26bb5c6c46e
Instruction ID: 30588fd539c3c42f94c440b598b5b95cf18698d76043c35a4ea9d4b6aba053bf
Opcode Fuzzy Hash: bd61b55252adff2a8cb49d0554b0ebc4a9c564d00ff83a2503f4c26bb5c6c46e
Instruction Fuzzy Hash: A421043024A342EFEB21AF288855FF537A2AF12750F69445DE9829B092C770D841DB32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6E17, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd362b220dd4f08bb6352d15e2ddc2baef80ba54a58d612b056e73ae9bccc2be
Instruction ID: 3952c37b4567ffcd426bf79ca36810140f15533d22f393eed5b3d78c05459397
Opcode Fuzzy Hash: cd362b220dd4f08bb6352d15e2ddc2baef80ba54a58d612b056e73ae9bccc2be
Instruction Fuzzy Hash: B0F01C79329103DFC615DA04D2C4F6573A6EF64700F6588AFFA828B669C730EC52EA31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC3B32, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00DC60E3, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.586179396.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dc0000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Transferencia.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Transferencia.exe PID: 1956 Parent PID: 5560

General

Chronological Activities

Analysis Process: RegAsm.exe PID: 1324 Parent PID: 1956

Function 00416164, Relevance: 151.4, APIs: 82, Strings: 4, Instructions: 924
COMMON

Function 00417505, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Function 00401328, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Function 00414528, Relevance: .0, Instructions: 8
COMMON

Function 004172B8, Relevance: 10.6, APIs: 7, Instructions: 81
COMMON

Function 004173FB, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Function 00417130, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Function 00DC0BF8, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 662
COMMON

Function 00DC6409, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 304
libraryCOMMON

Function 00DC0724, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155
nativethreadCOMMON

Function 00DC2C3F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228
nativethreadCOMMON

Function 00DC64F1, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 211
nativethreadCOMMON

Function 00DC08E7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208
nativethreadCOMMON

Function 00DC084A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Function 00DC0878, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Function 00DC0942, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
nativethreadCOMMON

Function 00DC09C6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON

Function 00DC099A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativethreadCOMMON