Play interactive tour

Edit tour

Windows Analysis Report 41609787.exe

Overview

General Information

Sample Name:	41609787.exe
Analysis ID:	452431
MD5:	242fb5498503fdae24861ca26f762745
SHA1:	e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256:	7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

41609787.exe (PID: 4548 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: 242FB5498503FDAE24861CA26F762745)

ieinstal.exe (PID: 2120 cmdline: 'C:\Users\user\Desktop\41609787.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cmd.exe (PID: 4608 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 5776 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://smokeadmsend.online/loade"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://smokeadmsend.online/loade"}

Multi AV Scanner detection for domain / URL

Show sources

Source: databasepropersonombrecomercialideasearchwords.services

Virustotal: Detection: 11%

Perma Link

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Source: 41609787.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://smokeadmsend.online/loade

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 186.169.69.166:2508

Source: Joe Sandbox View	ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: smokeadmsend.online

Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	String found in binary or memory: https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443

Source: unknown

HTTPS traffic detected: 198.54.115.48:443 -> 192.168.2.3:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

Jump to behavior

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\41609787.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021107A1 NtSetInformationThread,	0_2_021107A1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess,	0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02110176 NtProtectVirtualMemory,	0_2_02110176
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107E15 NtWriteVirtualMemory,	0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108607 NtWriteVirtualMemory,	0_2_02108607
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210720B NtWriteVirtualMemory,	0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210762B NtWriteVirtualMemory,	0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210825E NtWriteVirtualMemory,	0_2_0210825E
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108677 NtWriteVirtualMemory,	0_2_02108677
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107A95 NtWriteVirtualMemory,	0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA,	0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210829B NtWriteVirtualMemory,	0_2_0210829B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210728B NtWriteVirtualMemory,	0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107EA3 NtWriteVirtualMemory,	0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021076E5 NtWriteVirtualMemory,	0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108703 NtWriteVirtualMemory,	0_2_02108703
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107305 NtWriteVirtualMemory,	0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21 NtWriteVirtualMemory,	0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108324 NtWriteVirtualMemory,	0_2_02108324
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107F2C NtWriteVirtualMemory,	0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107B2D NtWriteVirtualMemory,	0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107381 NtWriteVirtualMemory,	0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107FB3 NtWriteVirtualMemory,	0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021083B7 NtWriteVirtualMemory,	0_2_021083B7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107BC0 NtWriteVirtualMemory,	0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021077EF NtWriteVirtualMemory,	0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210741B NtWriteVirtualMemory,	0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107801 NtWriteVirtualMemory,	0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210843F NtWriteVirtualMemory,	0_2_0210843F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210802F NtWriteVirtualMemory,	0_2_0210802F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107C4F NtWriteVirtualMemory,	0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107879 NtWriteVirtualMemory,	0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210749C NtWriteVirtualMemory,	0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021070AF NtWriteVirtualMemory,	0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021084D1 NtWriteVirtualMemory,	0_2_021084D1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021080C7 NtWriteVirtualMemory,	0_2_021080C7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107CE5 NtWriteVirtualMemory,	0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210711D NtWriteVirtualMemory,	0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107903 NtWriteVirtualMemory,	0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103D32 NtWriteVirtualMemory,	0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210813C NtWriteVirtualMemory,	0_2_0210813C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107529 NtWriteVirtualMemory,	0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210794C NtWriteVirtualMemory,	0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107D6B NtWriteVirtualMemory,	0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107191 NtWriteVirtualMemory,	0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210799F NtWriteVirtualMemory,	0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DB4 NtWriteVirtualMemory,	0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081A7 NtWriteVirtualMemory,	0_2_021081A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021075A9 NtWriteVirtualMemory,	0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DF5 NtWriteVirtualMemory,	0_2_02107DF5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081FF NtWriteVirtualMemory,	0_2_021081FF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_03011587 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	27_2_03011587
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030116CC NtProtectVirtualMemory,	27_2_030116CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0301156F LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	27_2_0301156F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_03011687 NtProtectVirtualMemory,NtProtectVirtualMemory,	27_2_03011687
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0301174E NtProtectVirtualMemory,	27_2_0301174E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030116D3 NtProtectVirtualMemory,	27_2_030116D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030117D3 NtProtectVirtualMemory,	27_2_030117D3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_030115E3 LdrInitializeThunk,NtProtectVirtualMemory,	27_2_030115E3

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_004014F0	0_2_004014F0
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210EB03	0_2_0210EB03
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021107A1	0_2_021107A1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021013C1	0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02109130	0_2_02109130
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107E15	0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106A1F	0_2_02106A1F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210720B	0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101E3A	0_2_02101E3A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101629	0_2_02101629
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210362A	0_2_0210362A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210222A	0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210762B	0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101A2F	0_2_02101A2F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104651	0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102259	0_2_02102259
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210825E	0_2_0210825E
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100E47	0_2_02100E47
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107A95	0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210169A	0_2_0210169A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210669A	0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210829B	0_2_0210829B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210728B	0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101AB7	0_2_02101AB7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107EA3	0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104AAD	0_2_02104AAD
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100EDB	0_2_02100EDB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021022DF	0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101EC4	0_2_02101EC4
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021046FB	0_2_021046FB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021076E5	0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101715	0_2_02101715
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108703	0_2_02108703
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107305	0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104730	0_2_02104730
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101B37	0_2_02101B37
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101F3F	0_2_02101F3F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21	0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02108324	0_2_02108324
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107F2C	0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107B2D	0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210032F	0_2_0210032F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102359	0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100F79	0_2_02100F79
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101F93	0_2_02101F93
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210179F	0_2_0210179F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107381	0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101387	0_2_02101387
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107FB3	0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021083B7	0_2_021083B7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101BBD	0_2_02101BBD
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02109BD1	0_2_02109BD1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107BC0	0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106BC7	0_2_02106BC7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101FF6	0_2_02101FF6
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021023EA	0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100FEF	0_2_02100FEF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021077EF	0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101819	0_2_02101819
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210741B	0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107801	0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104802	0_2_02104802
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210D404	0_2_0210D404
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106C0F	0_2_02106C0F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101C37	0_2_02101C37
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106C37	0_2_02106C37
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210843F	0_2_0210843F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210EC2A	0_2_0210EC2A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210802F	0_2_0210802F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103053	0_2_02103053
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102043	0_2_02102043
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107C4F	0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106472	0_2_02106472
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107879	0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210107F	0_2_0210107F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210146D	0_2_0210146D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101890	0_2_02101890
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210749C	0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104880	0_2_02104880
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021024A7	0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021064AF	0_2_021064AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021070AF	0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021084D1	0_2_021084D1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021080C7	0_2_021080C7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021060CB	0_2_021060CB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106CE1	0_2_02106CE1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107CE5	0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104914	0_2_02104914
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101918	0_2_02101918
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210451B	0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210711D	0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101503	0_2_02101503
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107903	0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103D32	0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101934	0_2_02101934
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210813C	0_2_0210813C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107529	0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210794C	0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210B962	0_2_0210B962
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107D6B	0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101591	0_2_02101591
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107191	0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210699F	0_2_0210699F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210799F	0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02106D85	0_2_02106D85
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DB4	0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02101DB7	0_2_02101DB7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210D5B8	0_2_0210D5B8
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210F9A3	0_2_0210F9A3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081A7	0_2_021081A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021075A9	0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021055AB	0_2_021055AB
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021019AF	0_2_021019AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021069D9	0_2_021069D9
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021021DF	0_2_021021DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210B1C3	0_2_0210B1C3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02100DF1	0_2_02100DF1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DF5	0_2_02107DF5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021081FF	0_2_021081FF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0301136D	27_2_0301136D

Source: 41609787.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 41609787.exe, 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe
Source: 41609787.exe	Binary or memory string: OriginalFilenameImpennate7.exe vs 41609787.exe

Source: 41609787.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@3/2

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\Runtime2021

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Mutant created: \Sessions\1\BaseNamedObjects\RemcosLEG-0OFGX3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_01

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Local\Temp\posekiggerne

Jump to behavior

Source: 41609787.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\41609787.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\41609787.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Users\user\Desktop\41609787.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Users\user\Desktop\41609787.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061774 push edx; ret	0_2_020617A1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064205 push edx; ret	0_2_02064231
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062A05 push edx; ret	0_2_02062A31
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061205 push edx; ret	0_2_02061231
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065A03 push edx; ret	0_2_02065A31
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066214 push edx; ret	0_2_02066241
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064A13 push edx; ret	0_2_02064A41
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063213 push edx; ret	0_2_02063241
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061A13 push edx; ret	0_2_02061A41
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060218 push edx; ret	0_2_02060241
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063A24 push edx; ret	0_2_02063A51
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062224 push edx; ret	0_2_02062251
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060A24 push edx; ret	0_2_02060A51
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066A24 push edx; ret	0_2_02066A51
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065225 push edx; ret	0_2_02065251
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064233 push edx; ret	0_2_02064261
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062A33 push edx; ret	0_2_02062A61
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061233 push edx; ret	0_2_02061261
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065A33 push edx; ret	0_2_02065A61
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064A44 push edx; ret	0_2_02064A71
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063244 push edx; ret	0_2_02063271
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02061A44 push edx; ret	0_2_02061A71
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066244 push edx; ret	0_2_02066271
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060248 push edx; ret	0_2_02060271
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02063A54 push edx; ret	0_2_02063A81
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02062254 push edx; ret	0_2_02062281
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02066A54 push edx; ret	0_2_02066A81
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065253 push edx; ret	0_2_02065281
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02060A58 push edx; ret	0_2_02060A81
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02065A64 push edx; ret	0_2_02065A91
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02064263 push edx; ret	0_2_02064291

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS			Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021013C1 NtWriteVirtualMemory,TerminateProcess,	0_2_021013C1
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107E15 NtWriteVirtualMemory,	0_2_02107E15
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210720B NtWriteVirtualMemory,	0_2_0210720B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210222A	0_2_0210222A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210762B NtWriteVirtualMemory,	0_2_0210762B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02104651	0_2_02104651
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102259 TerminateProcess,	0_2_02102259
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107A95 NtWriteVirtualMemory,	0_2_02107A95
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210669A NtWriteVirtualMemory,LoadLibraryA,	0_2_0210669A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210728B NtWriteVirtualMemory,	0_2_0210728B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107EA3 NtWriteVirtualMemory,	0_2_02107EA3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021022DF	0_2_021022DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021076E5 NtWriteVirtualMemory,	0_2_021076E5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107305 NtWriteVirtualMemory,	0_2_02107305
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21 NtWriteVirtualMemory,	0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107F2C NtWriteVirtualMemory,	0_2_02107F2C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107B2D NtWriteVirtualMemory,	0_2_02107B2D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210032F LdrInitializeThunk,	0_2_0210032F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02102359	0_2_02102359
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107381 NtWriteVirtualMemory,	0_2_02107381
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107FB3 NtWriteVirtualMemory,	0_2_02107FB3
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107BC0 NtWriteVirtualMemory,	0_2_02107BC0
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021023EA	0_2_021023EA
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021077EF NtWriteVirtualMemory,	0_2_021077EF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210741B NtWriteVirtualMemory,	0_2_0210741B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107801 NtWriteVirtualMemory,	0_2_02107801
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107C4F NtWriteVirtualMemory,	0_2_02107C4F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107879 NtWriteVirtualMemory,	0_2_02107879
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210749C NtWriteVirtualMemory,	0_2_0210749C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021024A7	0_2_021024A7
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021070AF NtWriteVirtualMemory,	0_2_021070AF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107CE5 NtWriteVirtualMemory,	0_2_02107CE5
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210451B	0_2_0210451B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210711D NtWriteVirtualMemory,	0_2_0210711D
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107903 NtWriteVirtualMemory,	0_2_02107903
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02103D32 NtWriteVirtualMemory,	0_2_02103D32
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107529 NtWriteVirtualMemory,	0_2_02107529
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210794C NtWriteVirtualMemory,	0_2_0210794C
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107D6B NtWriteVirtualMemory,	0_2_02107D6B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107191 NtWriteVirtualMemory,	0_2_02107191
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210799F NtWriteVirtualMemory,	0_2_0210799F
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DB4 NtWriteVirtualMemory,	0_2_02107DB4
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021075A9 NtWriteVirtualMemory,	0_2_021075A9
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021021DF TerminateProcess,	0_2_021021DF
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02107DF5 NtWriteVirtualMemory,	0_2_02107DF5

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\41609787.exe

RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\41609787.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\41609787.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32MSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\OPTRNER.EXE\POSEKIGGERNESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSPINTOSHTTPS://SMOKEADMSEND.ONLINE/LOADER/1ARMADANAC1COPIA_YCUSOPUSF143.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\41609787.exe	RDTSC instruction interceptor: First address: 000000000210047C second address: 000000000210047C instructions:
Source: C:\Users\user\Desktop\41609787.exe	RDTSC instruction interceptor: First address: 000000000210DA09 second address: 000000000210DA09 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add esi, 02h 0x00000006 mov word ptr [ebp+00000176h], ax 0x0000000d mov ax, word ptr [esi] 0x00000010 cmp ax, 0000h 0x00000014 mov ax, word ptr [ebp+00000176h] 0x0000001b jne 00007F5CC09CC9EFh 0x0000001d mov ebx, edx 0x0000001f shl edx, 05h 0x00000022 add edx, ebx 0x00000024 movzx ebx, byte ptr [esi] 0x00000027 add edx, ebx 0x00000029 xor edx, 19974490h 0x0000002f jmp 00007F5CC09CCA9Eh 0x00000031 pushad 0x00000032 mov edx, 0000000Dh 0x00000037 rdtsc

Source: C:\Users\user\Desktop\41609787.exe

Code function: 0_2_021107A1 rdtsc

0_2_021107A1

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Window / User API: threadDelayed 1353

Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe

API coverage: 9.9 %

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936

Thread sleep count: 1353 > 30

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 1353 delay: -5

Jump to behavior

Source: ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=\optrner.exe\posekiggerneSoftware\Microsoft\Windows\CurrentVersion\RunSPINTOShttps://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32Msi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 41609787.exe, 00000000.00000002.669638225.00000000020E0000.00000004.00000001.sdmp, ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 0000001F.00000002.669516417.00000000008C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\41609787.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe

Code function: 0_2_021107A1 rdtsc

0_2_021107A1

Source: C:\Users\user\Desktop\41609787.exe

Code function: 0_2_0210A907 LdrInitializeThunk,

0_2_0210A907

Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210EB03 mov eax, dword ptr fs:[00000030h]	0_2_0210EB03
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210CE1B mov eax, dword ptr fs:[00000030h]	0_2_0210CE1B
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_02105F21 mov eax, dword ptr fs:[00000030h]	0_2_02105F21
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210943A mov eax, dword ptr fs:[00000030h]	0_2_0210943A
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_0210D822 mov eax, dword ptr fs:[00000030h]	0_2_0210D822
Source: C:\Users\user\Desktop\41609787.exe	Code function: 0_2_021055AB mov eax, dword ptr fs:[00000030h]	0_2_021055AB

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\41609787.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000

Jump to behavior

Source: C:\Users\user\Desktop\41609787.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\41609787.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f			Jump to behavior

Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: xlogs201.dat.27.dr	Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 0000001B.00000002.726234403.0000000003800000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection112	Masquerading1	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Modify Registry1	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion23	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery311	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
databasepropersonombrecomercialideasearchwords.services	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin	0%	Avira URL Cloud	safe
https://smokeadmsend.online/loade	0%	Avira URL Cloud	safe
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smokeadmsend.online	198.54.115.48	true	true		unknown
databasepropersonombrecomercialideasearchwords.services	186.169.69.166	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://smokeadmsend.online/loade	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.bin	ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://smokeadmsend.online/loader/1ArmadaNac1copia_YCusoPusF143.binwininet.dllMozilla/5.0	ieinstal.exe, 0000001B.00000002.725990141.00000000031E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
186.169.69.166	databasepropersonombrecomercialideasearchwords.services	Colombia		3816	COLOMBIATELECOMUNICACIONESSAESPCO	true
198.54.115.48	smokeadmsend.online	United States		22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452431
Start date:	22.07.2021
Start time:	10:40:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	41609787.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 0.1%) Quality average: 4.8% Quality standard deviation: 11.9%
HCA Information:	Successful, ratio: 68% Number of executed functions: 137 Number of non-executed functions: 51
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.211.6.115, 104.43.193.48, 20.82.210.154, 23.211.4.86, 173.222.108.226, 173.222.108.210, 51.103.5.186, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.209.183, 20.54.110.249 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:45:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS C:\Users\user\AppData\Local\Temp\posekiggerne\optrner.exe
10:45:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SPINTOS C:\Users\user\AppData\Local\Temp\posekiggerne\optrner.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.115.48	75PO9981.exe	Get hash	malicious	Browse	www.ownfiles.info/fl/
198.54.115.48	21PO7513.exe	Get hash	malicious	Browse	www.ownfiles.info/fl/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
databasepropersonombrecomercialideasearchwords.services	75030908.exe	Get hash	malicious	Browse	186.169.42.8
	76947851729_.exe	Get hash	malicious	Browse	181.235.3.85
	166691_pdf.exe	Get hash	malicious	Browse	181.235.4.212
	Factura Serfinanza051053709735077235764653194.exe	Get hash	malicious	Browse	186.169.43.144
	056373_pdf.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza023854786775241209783648129.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza085399218111227761873550570.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza038612482397383420891150743.exe	Get hash	malicious	Browse	186.169.43.144
	Factura Serfinanza106109596363318359608727771.exe	Get hash	malicious	Browse	186.169.72.174
	Factura Serfinanza050288227788749652817960744.exe	Get hash	malicious	Browse	186.169.72.174
	Factura Serfinanza049997609832517851274630184.exe	Get hash	malicious	Browse	186.169.72.174
	EXTRACTOSERFINANZA718365418101786154346661555.exe	Get hash	malicious	Browse	190.255.84.57
	EXTRACTOSERFINANZA989543704031499704092798964.exe	Get hash	malicious	Browse	190.255.84.57
	32657046_pdf.exe	Get hash	malicious	Browse	190.255.84.57
	6565426875_p.exe	Get hash	malicious	Browse	186.169.38.241
	4831902122_p.exe	Get hash	malicious	Browse	186.169.38.241
	8992538102_p.exe	Get hash	malicious	Browse	186.169.38.241
	9604_pdf.exe	Get hash	malicious	Browse	186.169.38.241
	Factura Serfinanza089768553548090985869814228.exe	Get hash	malicious	Browse	186.169.38.241
	EXTRACTOSERFINANZA894978636268808051252452885.exe	Get hash	malicious	Browse	186.169.38.241

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
COLOMBIATELECOMUNICACIONESSAESPCO	U1R7Ed7940	Get hash	malicious	Browse	186.113.206.66
	oEF7GAiRIg	Get hash	malicious	Browse	186.113.131.237
	BTNNG17tlh	Get hash	malicious	Browse	190.255.99.57
	MD5OxTSc6i	Get hash	malicious	Browse	190.252.136.167
	SUpODCSauS	Get hash	malicious	Browse	191.109.106.145
	TFG18FA4eD	Get hash	malicious	Browse	152.205.93.205
	eAtDhymLzp	Get hash	malicious	Browse	181.235.115.105
	ehn0f1d63M	Get hash	malicious	Browse	186.116.212.222
	zWumjXhWWz	Get hash	malicious	Browse	190.254.50.129
	e4qhQIKEim	Get hash	malicious	Browse	179.48.76.227
	YazlX01sZD	Get hash	malicious	Browse	186.116.154.100
	7Pvt6Jni6p	Get hash	malicious	Browse	167.65.244.226
	a1sMR3Vj8o	Get hash	malicious	Browse	167.2.131.28
	471u0A1FPw	Get hash	malicious	Browse	190.255.75.41
	395d6gwkWK	Get hash	malicious	Browse	152.205.93.229
	YXYFqHRx2m	Get hash	malicious	Browse	167.13.146.158
	XfKsLIPLUu	Get hash	malicious	Browse	190.67.85.74
	Z7bNxhhS7y	Get hash	malicious	Browse	190.67.85.63
	lq2609LxT8	Get hash	malicious	Browse	190.254.187.199
	khGshuibcr	Get hash	malicious	Browse	186.116.212.225
NAMECHEAP-NETUS	ORDER . 4500028602 .doc	Get hash	malicious	Browse	198.54.122.60
	Payment_invoice.exe	Get hash	malicious	Browse	198.54.117.212
	SUpODCSauS	Get hash	malicious	Browse	198.54.114.130
	0ZZqw52a6S.exe	Get hash	malicious	Browse	199.193.7.228
	nZdwtTEYoW.exe	Get hash	malicious	Browse	198.54.122.60
	CORRECT BANK DETAILS FORM.doc	Get hash	malicious	Browse	198.54.122.60
	Shipping Documents .doc	Get hash	malicious	Browse	198.54.122.60
	QxnlprRUTx.exe	Get hash	malicious	Browse	199.188.200.230
	0Lh7eA2VUZ.exe	Get hash	malicious	Browse	198.54.122.60
	REQUEST FOR QUOTATIO 158930165.doc	Get hash	malicious	Browse	198.54.122.60
	Statement.xlsx	Get hash	malicious	Browse	162.0.237.9
	Inv PKF312021.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ- ROTO Fittings- 19072021.doc	Get hash	malicious	Browse	198.54.122.60
	INVOICE.exe	Get hash	malicious	Browse	198.54.117.211
	Order.exe	Get hash	malicious	Browse	198.54.117.215
	SOA.exe	Get hash	malicious	Browse	198.54.122.60
	Inv_7623980.exe	Get hash	malicious	Browse	63.250.34.223
	xBMx9OBP97.exe	Get hash	malicious	Browse	198.54.114.131
	CSyG3zNcwS.exe	Get hash	malicious	Browse	198.54.114.131
	BrCi5pJr8J.exe	Get hash	malicious	Browse	198.54.114.131

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	B5xK9XEvzO.exe	Get hash	malicious	Browse	198.54.115.48
	RsEvjI1iTt.exe	Get hash	malicious	Browse	198.54.115.48
	ORD.ppt	Get hash	malicious	Browse	198.54.115.48
	39pfFwU3Ns.exe	Get hash	malicious	Browse	198.54.115.48
	47a8af.exe.exe	Get hash	malicious	Browse	198.54.115.48
	Comprobante1.vbs	Get hash	malicious	Browse	198.54.115.48
	ZlvFNj.dll	Get hash	malicious	Browse	198.54.115.48
	QT2kxM315B.exe	Get hash	malicious	Browse	198.54.115.48
	4QKHQR82Xt.exe	Get hash	malicious	Browse	198.54.115.48
	Convert HEX uit phishing mail.htm	Get hash	malicious	Browse	198.54.115.48
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	198.54.115.48
	192-3216-Us.gt.com.html	Get hash	malicious	Browse	198.54.115.48
	N41101255652.vbs	Get hash	malicious	Browse	198.54.115.48
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	198.54.115.48
	RDlkHCLRxE.exe	Get hash	malicious	Browse	198.54.115.48
	#U2706_#U260e_Play _to _Listen.htm	Get hash	malicious	Browse	198.54.115.48
	Swift_Fattura_0093320128_.exe	Get hash	malicious	Browse	198.54.115.48
	SecuriteInfo.com.Variant.Graftor.981190.24096.exe	Get hash	malicious	Browse	198.54.115.48
	IPVrDRKfYj.exe	Get hash	malicious	Browse	198.54.115.48
	11.docx	Get hash	malicious	Browse	198.54.115.48

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\posekiggerne\optrner.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	192513
Entropy (8bit):	5.613557039365368
Encrypted:	false
SSDEEP:	3072:2+ogFpSWSqqbZ0ZEuwGE5pwFGHiG1InFGHiPZEuwGE5pi:2+7AtqqbZFfGE5pakipkiufGE5pi
MD5:	873CC0BFAAB852FD58C0EB4B8D29026D
SHA1:	07C871EC1385B80D314A9EA0B047CC85D24CEE24
SHA-256:	9E6B7578CAE3E4CC0354AD9912EA36F7E3D0968DE07D30C4F3C60C1183D919C6
SHA-512:	A7609B36561ACD7AACAD21ABF085489C86A72103FCE5F32501B2B660644C6DF1AC5A4A201E39DF67F21D6F3E5C519EC3C51A633E99D8FED07D425497E84997F3
Malicious:	false
Reputation:	low
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+O.E..E..E.X.K..E...L..E..H..E.Rich.E.................PE..L.....1M.................@...................P....@.................................c........................................E..(....p......................................................................0... .......D............................text....;.......@.................. ..`.data...$....P.......P..............@....rsrc........p.......`..............@..@..^............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Runtime2021\xlogs201.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	182
Entropy (8bit):	3.366956781623735
Encrypted:	false
SSDEEP:	3:rklKlVnGlNWKUel5JWRal2Jl+7R0DAlBG4J+Rf3GLilXIknNQblovDl9il:IlK/yN+65YcIeeDAlgRf2e56bW/G
MD5:	CBD9A222C0C0CB1C08C8DC24D7C02F86
SHA1:	40FCA05C695340804995E29FDD5D11A488D8CAEA
SHA-256:	A59E7F82238F3158F2F86EFEFA0A8FB20ACEA309AD84DD61683639197D01A01C
SHA-512:	485877FC044D8046B408C5157BCB29FB3DC06B7DB10695F5886474398217B54EE8A2607527B292D3B179E37904C31FB186FB140ECBA375D7AAE360E6DBDFF44C
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.7./.2.2. .1.0.:.4.5.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .R.u.n. .].....[.W.i.n.].r.....[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.613575589393616
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	41609787.exe
File size:	192512
MD5:	242fb5498503fdae24861ca26f762745
SHA1:	e45e4180137ea7c9d81f127fac0af48cf3b4e8d7
SHA256:	7984d85806d611e8d7e3ec5640186ebce9b1daccbd07a4bbda0fc6e0e5666299
SHA512:	5717a9d38ff151384fe522b5b55f7a4882bcb897d65d1c9fbd0b155f05138cc698db39805d34150daf5260906d8e09d6d752190e7d681eb181eb3569378a48fd
SSDEEP:	3072:F+ogFpSWSqqbZ0ZEuwGE5pwFGHiG1InFGHiPZEuwGE5p:F+7AtqqbZFfGE5pakipkiufGE5p
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+O..E...E...E.X.K...E...L...E...H...E.Rich..E.................PE..L.....1M.................@...................P....@........

File Icon


Icon Hash:	734c5974650d010d

Static PE Info

General
Entrypoint:	0x4014f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4D31AB09 [Sat Jan 15 14:11:21 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a70b1f0c9f8eea03c5b5d32861bccaa9

Entrypoint Preview

Instruction
push 00401F04h
call 00007F5CC0966285h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+43347C7Eh], bh
dec ebx
inc edi
dec ebp
mov cl, E1h
mov ss, word ptr [906A07DAh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jo 00007F5CC09662F3h
jo 00007F5CC09662FBh
jc 00007F5CC0966305h
je 00007F5CC0966304h
jc 00007F5CC09662F7h
insb
jnc 00007F5CC09662F7h
jc 00007F5CC0966305h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sbb byte ptr [edx], bl
xor eax, B1E56B83h
das
inc ebx
mov es, bp
test al, 9Eh
push ss
add al, B3h
call far 2631h : D68942F0h
inc edx
dec esp
mov eax, 79EDC0D1h
push eax
xor dl, byte ptr [ecx+33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+eax], al
add byte ptr [ebx+00h], cl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [ecx+62h], dh
insb
imul esi, dword ptr [ecx+00h], 000B010Dh
jnbe 00007F5CC09662FAh
jc 00007F5CC09662F8h
je 00007F5CC0966301h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x245a4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x8ac0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x144	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23b04	0x24000	False	0.399773491753	data	5.92220108342	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x25000	0x1a24	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0x8ac0	0x9000	False	0.329942491319	data	4.39398480347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2f218	0x8a8	data
RT_ICON	0x2aff0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x28a48	0x25a8	data
RT_ICON	0x279a0	0x10a8	data
RT_ICON	0x27538	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x274ec	0x4c	data
RT_VERSION	0x271b0	0x33c	data	Kazakh	Kazakhstan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x043f 0x04b0
LegalCopyright	@P.I.C Program
InternalName	Impennate7
FileVersion	7.00
CompanyName	@Broadcom@
LegalTrademarks	@P.I.C Program
Comments	@P.I.C Program
ProductName	@P.I.C Program
ProductVersion	7.00
FileDescription	@P.I.C Program
OriginalFilename	Impennate7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Kazakh	Kazakhstan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/22/21-10:45:13.302249	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.169.69.166	192.168.2.3
07/22/21-10:45:44.235836	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.169.69.166	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 10:45:09.966116905 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.156882048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.157150030 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.185319901 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.376385927 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376420021 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376436949 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376451969 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.376671076 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.378618956 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.378905058 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.509068012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.699985981 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.700149059 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.717775106 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.914993048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915028095 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915045023 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915060043 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915080070 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915102959 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915141106 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915144920 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915163040 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915163040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915183067 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915195942 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915205002 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:10.915226936 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:10.915251017 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.105845928 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.105910063 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.105947018 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.105963945 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.105966091 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.105999947 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106010914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106046915 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106066942 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106101990 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106205940 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106257915 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106267929 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106309891 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106308937 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106343985 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106368065 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106403112 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106408119 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106445074 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106450081 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106482983 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106484890 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106533051 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.106539011 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.106575012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297169924 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297302008 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297312021 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297343016 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297368050 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297369957 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297404051 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297425985 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297425985 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297449112 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297472954 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297481060 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297499895 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297518015 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297524929 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297548056 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297555923 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297573090 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297596931 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297597885 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297621012 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297621012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297646999 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297662973 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297671080 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297698975 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297703028 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297724962 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297734022 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297749996 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297759056 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297774076 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297795057 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297796965 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297821045 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297833920 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297846079 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297868967 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297869921 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297897100 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297902107 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297923088 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.297944069 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.297972918 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.488461018 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488518000 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488555908 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488595009 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488632917 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488662004 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.488686085 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488714933 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.488729954 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488764048 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.488775969 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488830090 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488847017 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.488883972 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488915920 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.488938093 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.488993883 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489008904 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489051104 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489053965 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489119053 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489125967 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489175081 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489216089 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489227057 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489254951 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489276886 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489303112 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489346981 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489361048 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489398956 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489439964 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489444971 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489497900 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489532948 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489542007 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489584923 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489589930 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489640951 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489660025 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489671946 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489722967 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489739895 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489764929 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489808083 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489808083 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489866018 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489893913 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.489907026 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.489955902 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490001917 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490015984 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490050077 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490067959 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490118027 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490134954 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490169048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490212917 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490214109 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490257978 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490293026 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490303040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490335941 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490387917 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490396976 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.490444899 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.490519047 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682394028 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682424068 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682585955 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682710886 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682729006 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682744026 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682756901 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682769060 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682785988 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682801008 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682823896 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682846069 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682854891 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682862043 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682867050 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682883024 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682898998 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682904005 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682915926 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682921886 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682941914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682949066 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.682969093 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.682987928 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683000088 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683008909 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683023930 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683032036 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683052063 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683064938 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683070898 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683092117 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683101892 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683110952 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683140993 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683145046 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683165073 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683170080 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683187008 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683202982 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683207989 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683231115 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683240891 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683252096 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683271885 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683288097 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683291912 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683310986 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683320999 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683332920 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683341980 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683351040 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683371067 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683386087 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683396101 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683413982 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683418989 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683430910 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683444977 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683456898 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683468103 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683489084 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683505058 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683511019 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683538914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683543921 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683562040 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683573961 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683588028 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683608055 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683609962 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683620930 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683635950 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683638096 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683659077 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683666945 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683680058 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683701992 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683706999 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683723927 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683729887 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683749914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683768034 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683774948 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683795929 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683806896 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683816910 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683842897 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683844090 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683865070 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683880091 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683888912 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683904886 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683917046 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683928013 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683953047 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683954954 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.683978081 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.683990955 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.684000969 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.684016943 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.684022903 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.684051037 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.684092999 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.873121023 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.873155117 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.873342037 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874443054 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874473095 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874495029 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874521971 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874543905 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874566078 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874583006 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874587059 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874609947 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874620914 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874631882 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874645948 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874655008 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874670029 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874677896 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874702930 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874726057 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874737978 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874749899 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874773026 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874779940 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874795914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.874806881 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874855995 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.874999046 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875021935 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875046968 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875068903 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875091076 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875102997 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875125885 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875147104 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875153065 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875153065 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875179052 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875200987 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875205040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875224113 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875241041 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875246048 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875257969 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875288010 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875341892 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875364065 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875389099 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875411987 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875416040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875433922 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875457048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875464916 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875478983 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875499010 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875507116 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875521898 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875544071 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875547886 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875566959 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875588894 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875591040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875611067 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875614882 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875633001 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875641108 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875655890 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875675917 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875680923 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875705004 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875708103 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875726938 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875746012 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875749111 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875780106 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875790119 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875801086 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875824928 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875839949 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875845909 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875857115 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875870943 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875894070 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875895977 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875916004 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875937939 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875941038 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.875961065 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875981092 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.875981092 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876004934 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876015902 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876034021 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876044035 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876059055 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876081944 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876084089 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876104116 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876127005 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876133919 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876148939 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876166105 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876171112 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876194000 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876205921 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876215935 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876235962 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876243114 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876266003 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876281977 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876287937 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876310110 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876327038 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876332045 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876353979 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876364946 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876375914 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876398087 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876399040 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876422882 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876441956 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876446009 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876470089 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876492023 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876496077 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876514912 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876518011 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876537085 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876550913 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876559019 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876580954 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876605988 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876610041 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876630068 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876641035 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876652002 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876669884 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876673937 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876697063 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876718044 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876719952 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876738071 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876746893 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876760006 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876777887 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876796007 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876796007 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876813889 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876831055 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876837969 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876863956 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876877069 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876885891 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876900911 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876915932 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876920938 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876943111 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876946926 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.876961946 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876986027 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.876991034 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.877010107 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.877018929 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.877048016 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:11.877048969 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.877082109 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:11.877099037 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.066399097 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.066469908 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.066632986 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067157030 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067224979 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067286015 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067336082 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067341089 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067363024 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067384005 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067403078 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067437887 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067441940 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067497015 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067553043 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067554951 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067609072 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067665100 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067673922 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067735910 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067780972 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067785978 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067819118 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067826033 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067856073 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067869902 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067894936 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067898989 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067933083 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.067943096 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.067971945 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068030119 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068036079 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068080902 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068116903 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068129063 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068156004 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068192005 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068222046 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068228006 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068255901 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068264961 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068276882 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068303108 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068319082 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068346024 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068351984 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068393946 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068397999 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068429947 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068434954 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068469048 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068479061 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068506956 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068542957 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068557024 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068583965 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068583965 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068620920 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068630934 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068662882 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068666935 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068708897 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068744898 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068759918 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068783045 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068797112 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068820000 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068830967 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068855047 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068892002 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.068908930 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.068938017 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069266081 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069327116 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069327116 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069372892 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069425106 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069428921 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069487095 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069541931 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069544077 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069602013 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069653988 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069658041 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069722891 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069778919 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069782019 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069838047 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069895029 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.069897890 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.069956064 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070015907 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070023060 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070055962 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070059061 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070092916 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070103884 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070130110 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070166111 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070180893 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070202112 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070209026 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070250034 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070291042 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070297003 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070327044 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070364952 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070378065 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070401907 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070419073 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070437908 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070444107 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070476055 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070482969 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070513010 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070532084 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070557117 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070560932 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070601940 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070640087 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070652008 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070677042 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070691109 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070714951 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070719004 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070749998 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070787907 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070800066 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070825100 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070835114 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070872068 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070914030 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070924997 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070950985 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.070960999 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.070991039 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071017981 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071031094 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071069002 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071110964 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071180105 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071198940 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071201086 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071239948 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071286917 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071290016 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071330070 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071367025 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071386099 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071422100 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071445942 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071460009 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071460962 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071495056 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071508884 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071538925 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.071541071 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071580887 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:12.071584940 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.072047949 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:12.839066029 CEST	49753	2508	192.168.2.3	186.169.69.166
Jul 22, 2021 10:45:15.843580961 CEST	49753	2508	192.168.2.3	186.169.69.166
Jul 22, 2021 10:45:21.852430105 CEST	49753	2508	192.168.2.3	186.169.69.166
Jul 22, 2021 10:45:27.069648027 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:27.069674969 CEST	443	49752	198.54.115.48	192.168.2.3
Jul 22, 2021 10:45:27.069755077 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:27.069788933 CEST	49752	443	192.168.2.3	198.54.115.48
Jul 22, 2021 10:45:34.995014906 CEST	49754	2508	192.168.2.3	186.169.69.166
Jul 22, 2021 10:45:37.999269009 CEST	49754	2508	192.168.2.3	186.169.69.166
Jul 22, 2021 10:45:44.005176067 CEST	49754	2508	192.168.2.3	186.169.69.166

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 10:41:28.855549097 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:28.913228035 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:29.627794027 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:29.681444883 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:30.439649105 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:30.491682053 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:30.696984053 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:30.756556034 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:32.226253033 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:32.286098003 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:33.432280064 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:33.485963106 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:34.687273979 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:34.738322973 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:35.702337027 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:35.753923893 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:36.631591082 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:36.680809975 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:39.727713108 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:39.777374029 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:40.709177017 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:40.762366056 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:41.704982042 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:41.757411003 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:42.597750902 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:42.658118963 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:46.766100883 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:46.819855928 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:48.145740032 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:48.198137999 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:49.517611980 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:49.569657087 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:56.434962988 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:56.487602949 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:57.219800949 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:57.270225048 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 22, 2021 10:41:59.087013960 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:41:59.136548042 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:05.132457018 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:05.190510988 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:05.638375044 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:05.697576046 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:22.473356009 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:22.533193111 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:24.855288982 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:24.914053917 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:36.374967098 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:36.452851057 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 22, 2021 10:42:37.046250105 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:42:37.104217052 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 22, 2021 10:43:08.455636978 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:43:08.523492098 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 22, 2021 10:43:09.006038904 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:43:09.074167013 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 22, 2021 10:43:25.719934940 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:43:25.792639017 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:23.550378084 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:23.641876936 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:25.413438082 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:25.543364048 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:26.391135931 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:26.450129032 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:26.938622952 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:26.998559952 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:27.642832994 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:27.702327967 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:28.215982914 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:28.274662018 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:28.861097097 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:28.913039923 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:29.772561073 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:29.832505941 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:30.739958048 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:30.797008991 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 22, 2021 10:44:31.252382040 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:44:31.315813065 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 22, 2021 10:45:09.855098009 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:45:09.919981956 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 22, 2021 10:45:12.766573906 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:45:12.826633930 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 22, 2021 10:45:34.928658009 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 22, 2021 10:45:34.986488104 CEST	53	56803	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 22, 2021 10:45:13.302248955 CEST	186.169.69.166	192.168.2.3	c020	(Host unreachable)	Destination Unreachable
Jul 22, 2021 10:45:44.235836029 CEST	186.169.69.166	192.168.2.3	c020	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 10:45:09.855098009 CEST	192.168.2.3	8.8.8.8	0x18f2	Standard query (0)	smokeadmsend.online	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:12.766573906 CEST	192.168.2.3	8.8.8.8	0xfec1	Standard query (0)	databasepropersonombrecomercialideasearchwords.services	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:34.928658009 CEST	192.168.2.3	8.8.8.8	0xf13	Standard query (0)	databasepropersonombrecomercialideasearchwords.services	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 22, 2021 10:45:09.919981956 CEST	8.8.8.8	192.168.2.3	0x18f2	No error (0)	smokeadmsend.online	198.54.115.48	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:12.826633930 CEST	8.8.8.8	192.168.2.3	0xfec1	No error (0)	databasepropersonombrecomercialideasearchwords.services	186.169.69.166	A (IP address)	IN (0x0001)
Jul 22, 2021 10:45:34.986488104 CEST	8.8.8.8	192.168.2.3	0xf13	No error (0)	databasepropersonombrecomercialideasearchwords.services	186.169.69.166	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 22, 2021 10:45:10.378618956 CEST	198.54.115.48	443	192.168.2.3	49752	CN=smokeadmsend.online CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jun 17 02:00:00 CEST 2021 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sat Jun 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 41609787.exe PID: 4548 Parent PID: 5784

General

Start time:	10:41:34
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\41609787.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\41609787.exe'
Imagebase:	0x400000
File size:	192512 bytes
MD5 hash:	242FB5498503FDAE24861CA26F762745
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 2120 Parent PID: 4548

General

Start time:	10:44:29
Start date:	22/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\41609787.exe'
Imagebase:	0xbb0000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.726106922.00000000032B5000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4608 Parent PID: 2120

General

Start time:	10:45:11
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5156 Parent PID: 4608

General

Start time:	10:45:12
Start date:	22/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 5776 Parent PID: 4608

General

Start time:	10:45:12
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x1380000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 41609787.exe PID: 4548 Parent PID: 5784 41609787.exeCOMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	60.8%
Signature Coverage:	49.6%
Total number of Nodes:	339
Total number of Limit Nodes:	63

Executed Functions

Function 021013C1, Relevance: 28.4, APIs: 2, Strings: 13, Instructions: 2118COMMON

Download Yara Rule

Strings

Vpul, xrefs: 02101D5D
k , xrefs: 021088E3
]2V$, xrefs: 021026EF
T5o, xrefs: 02102326
%q[K, xrefs: 021021BE
}(iy, xrefs: 0210161B
Q}, xrefs: 02108A46
(n, xrefs: 02101D9E
z:w, xrefs: 02108524
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$F\oR$T5o$Vpul$WfiM$]2V$$c$k $}(iy$Q}$z:w$z:w
API String ID: 0-3825205698
Opcode ID: 6fd0b034e8457cf72fb67ed6cab52e42c06dde530ebd72f98e442b89ef8dfd8a
Instruction ID: e7ce7867680b43eaced81eecb2731d989f5cd73ebacaf2227e67d2780d49f30f
Opcode Fuzzy Hash: 6fd0b034e8457cf72fb67ed6cab52e42c06dde530ebd72f98e442b89ef8dfd8a
Instruction Fuzzy Hash: 9CF25671A84349DFDB389E388DD47EA7BA2FF85350F56412EDD899B180D3B48981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210669A, Relevance: 15.1, APIs: 2, Strings: 6, Instructions: 1143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
TPh_, xrefs: 0210696D
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$TPh_$WfiM$k $z:w$z:w
API String ID: 0-2634905961
Opcode ID: dddaf3f00803681326384b3a4a214587ce7f871c39c5eb7c7dc754e6ada785f3
Instruction ID: ab8f45bbdc7d432b1497589718b8331698143c73951de46f37e3ea5c1e398076
Opcode Fuzzy Hash: dddaf3f00803681326384b3a4a214587ce7f871c39c5eb7c7dc754e6ada785f3
Instruction Fuzzy Hash: EF92537164434ADFDB389E38CD957EA7BA2FF45350F52812EDC9A9B290D3704A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02103D32, Relevance: 13.6, APIs: 1, Strings: 6, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03
`, xrefs: 02103F9C

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$`$k $z:w$z:w
API String ID: 0-4173191499
Opcode ID: 1d450da74ba206c0893d5d5ead7ee0bbb28e266f6d332224a48bd3e57dd9db39
Instruction ID: 162df1b6fb09c4ea03200402828d5dfc2b9e7f7a19461344bcc83ae25526a313
Opcode Fuzzy Hash: 1d450da74ba206c0893d5d5ead7ee0bbb28e266f6d332224a48bd3e57dd9db39
Instruction Fuzzy Hash: 61B27772A84345DFDB389E34CD953EA7BA2FF85350F56422EDD9A9B180D3B04981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210799F, Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

YLfX, xrefs: 02107A63
z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$YLfX$k $z:w$z:w
API String ID: 0-594147441
Opcode ID: 34fc540719d15b94782ff90d4458909eedbc2110ce532e8e4a0226a1f485dbac
Instruction ID: 8f40cca18d9e3033b20b819068a40237c81e9e920b4d83587dae76ed0ffe8fb5
Opcode Fuzzy Hash: 34fc540719d15b94782ff90d4458909eedbc2110ce532e8e4a0226a1f485dbac
Instruction Fuzzy Hash: FD424571A44349DFDB389E34CD857EA7BB2FF85310F56422ADC999B290C3B05A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02105F21, Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1063
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 20009716c46d676f1c39b6f388ff8f0be946a6a3b7a1805966c96f6fa4503a46
Instruction ID: 2fe62f1b8b50892b702bf212f452c651c39442ff674104b7c6e5c64ca5bb46b9
Opcode Fuzzy Hash: 20009716c46d676f1c39b6f388ff8f0be946a6a3b7a1805966c96f6fa4503a46
Instruction Fuzzy Hash: 3E925271A44349DFDB389F34C9957EAB7B2BF46350F56812EDC9A9B290C3704A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021070AF, Relevance: 11.5, APIs: 1, Strings: 5, Instructions: 961
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 6b3d5b5f4deaebf04cf897800637f7dd03edf4a28e30080da83caab1d428d066
Instruction ID: b4e74a437828db2bdd99cce7bde28c85058a79f22d4a2482721c450077358a68
Opcode Fuzzy Hash: 6b3d5b5f4deaebf04cf897800637f7dd03edf4a28e30080da83caab1d428d066
Instruction Fuzzy Hash: 3E725471A44345DFDB389E34CD957EABBB2FF46300F56822ADC999B280D3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210720B, Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 935COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 7a3e863e3ffcc3547bcc6a11085127434d991cf90c00ea55ad763eb152ba4868
Instruction ID: d2190c0303d2efc1b11098ece4d506e6c989f2617fdea1fb31ee00f07e75a5a1
Opcode Fuzzy Hash: 7a3e863e3ffcc3547bcc6a11085127434d991cf90c00ea55ad763eb152ba4868
Instruction Fuzzy Hash: 59723271A44345DFDB389E38C9953EABBB2FF46310F56812EDC999B280D3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210711D, Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 875
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 7a69a5eaa11b7e2f746e549b489c7e4ae01caf3627dc4ce3628b033c4b21e765
Instruction ID: fd9a625783fc910cc3aa17d33d9fbd99af7c1f4f25214f23011ef17dccd3e17d
Opcode Fuzzy Hash: 7a69a5eaa11b7e2f746e549b489c7e4ae01caf3627dc4ce3628b033c4b21e765
Instruction Fuzzy Hash: 45724271644349DFDB389E34CD957EABBB2FF46340F56822ADC999B280C3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107191, Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 871
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: a845b4d3310cc20399455bfd48746cfd9f2c17751066349376039a798bde6b2b
Instruction ID: d50cfca6b0e291796868e7505841170958c5480d674c44038a91c69937f6ec7b
Opcode Fuzzy Hash: a845b4d3310cc20399455bfd48746cfd9f2c17751066349376039a798bde6b2b
Instruction Fuzzy Hash: 9B724271A44349DFDB389E34CD953EABBB2FF85340F56422ADC999B280D3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107381, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 841
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 103ba71c57e15379499f9d10fbab3b6bb0eebf1dfeb3da974827578b9b6baa28
Instruction ID: b336ec11dd8978efa6f8c57a43506573eddaf632bd57d97c443866169ee7868d
Opcode Fuzzy Hash: 103ba71c57e15379499f9d10fbab3b6bb0eebf1dfeb3da974827578b9b6baa28
Instruction Fuzzy Hash: 5A623371A44349DFDB388E34CD957EABBB2BF46300F56812EDC999B290D3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210728B, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 840COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 76c7fd993b7ccd266f2fb46d5022b46fd8fabe0e4ab338072546f1a65924ac8a
Instruction ID: 9fda937d2db7cc0e0c0d655d28149e3b15e3c4740aec1e8914a331ecced4230c
Opcode Fuzzy Hash: 76c7fd993b7ccd266f2fb46d5022b46fd8fabe0e4ab338072546f1a65924ac8a
Instruction Fuzzy Hash: 00623371A44349DFDB389E34CD953EA7BB2BF46340F56812EDC999B280D3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107305, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 834COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: eb5bf9d82fff5aa6dec5ed1fc64c8a3d62f6691469ba65fdd9e8d0771846069d
Instruction ID: 0df11e2c7b18d30ae7f1ffba40dbe5ab3cdd441a1e12ba61f817dea1226cb192
Opcode Fuzzy Hash: eb5bf9d82fff5aa6dec5ed1fc64c8a3d62f6691469ba65fdd9e8d0771846069d
Instruction Fuzzy Hash: 3D622271A44349DFDB389E34CD953EABBB2FF46300F56812ADC999B290D3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210741B, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 8a379d93cd12b5e9735de0af25746bc8f11833d231c8c9be8c43c9a10377bece
Instruction ID: d46c1a7d9d6d9a4ae9c9f8e93f9dda18151d2b5af9f03dfe7639508bfb8c25bf
Opcode Fuzzy Hash: 8a379d93cd12b5e9735de0af25746bc8f11833d231c8c9be8c43c9a10377bece
Instruction Fuzzy Hash: 83623271A44349DFDB389E38CD957EA7BA2FF46300F56812EDC999B290D3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210749C, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 791
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 05cebbb44d7d5a5881746a7bc766f447aa4abfa62c822f0533ddebbb0e9933b8
Instruction ID: 3e0c7dc7eeb498bd36190c9720e1c88cddc38d031d5d17a0532c062a126e3e6d
Opcode Fuzzy Hash: 05cebbb44d7d5a5881746a7bc766f447aa4abfa62c822f0533ddebbb0e9933b8
Instruction Fuzzy Hash: F3623271A44349DFDB389E38CD957EA7BA2FF46310F56412EDC999B290C3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107529, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 765
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 491431ccaf5fb3c1c93eda3a28523ac2a9e3ed2e1f8e824b96de703640b9b7d0
Instruction ID: feeb2c52e5c835b5c7341afc871a295580ab73ba34a62832443893eb576921cb
Opcode Fuzzy Hash: 491431ccaf5fb3c1c93eda3a28523ac2a9e3ed2e1f8e824b96de703640b9b7d0
Instruction Fuzzy Hash: B2522171A44349DFDB389E34CD953EA7BB2BF46310F56822EDC999B290D3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021075A9, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 765
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 3849699429617068fb9ff99a1eb52ccd5ec142d90cfe08b6c0233e40835e3cad
Instruction ID: cc31f0a4903d9c9ede07a382b4527824145a443511fc9a3612fc8596d5edba5c
Opcode Fuzzy Hash: 3849699429617068fb9ff99a1eb52ccd5ec142d90cfe08b6c0233e40835e3cad
Instruction Fuzzy Hash: A4521071644349DFDB388E34CD957EA7BA2FF46310F56822EDC999B290D3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02101387, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 750COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
}(iy, xrefs: 0210161B
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c$}(iy
API String ID: 0-2965748852
Opcode ID: 355419527b6313388a34171c4a2eacd6fe300ff4070aa9998af7be0f01cf9b06
Instruction ID: 92358a2af75fe311d276eb3fed48de136b0c8034877f343b21d7a44892bf177b
Opcode Fuzzy Hash: 355419527b6313388a34171c4a2eacd6fe300ff4070aa9998af7be0f01cf9b06
Instruction Fuzzy Hash: 93425B72A84385EFDB349E398CD43DA3BB1BF95350F9A411ADC9D8B191C7B88585CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021076E5, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 744COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: dae18bd0ea2e136f9bebb788f6b011fbb99dcb9c5ea1db10311f32e323b4240c
Instruction ID: b6bed802c62e46c3bf4cd228fae456c5dc1ab250deead7563a6c372b24e7027d
Opcode Fuzzy Hash: dae18bd0ea2e136f9bebb788f6b011fbb99dcb9c5ea1db10311f32e323b4240c
Instruction Fuzzy Hash: 41522571A44345DFDB389E38CD853EABBB2FF85340F56822ADC999B290D3705985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210762B, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 726
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 25e713216228ddab9e6da5dcb6b2926bc5df786d58b99402b4e79da85719c48d
Instruction ID: f207ae5c5d52e30f3e1668a3181c283f48f05e4b4405b53a268c2ac84b69bda8
Opcode Fuzzy Hash: 25e713216228ddab9e6da5dcb6b2926bc5df786d58b99402b4e79da85719c48d
Instruction Fuzzy Hash: CB523371644349DFDB388E38CD953EA7BB2FF46310F56822ACC999B290D3705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107801, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 721
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 879e865bba87125553f920dd3d45c77c6b8f91be39651427e3dad00712805efe
Instruction ID: ee7dbf87c684d69c4fed237ef86b83561e9d347a65ec4c14b2c452ee7b3c4c6d
Opcode Fuzzy Hash: 879e865bba87125553f920dd3d45c77c6b8f91be39651427e3dad00712805efe
Instruction Fuzzy Hash: C7423472644345DFDB389E34CD853EA7BB2FF85310F56822ADC999B290D3B05A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107903, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 632
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 2beae54deb998bab49cae9587f6d24ac0d589ebae404d2bc60c73690a10b2f31
Instruction ID: ffdf43e1c318ff6b0b562c68228128aa36013adf234f7e98022bbc38c11980d1
Opcode Fuzzy Hash: 2beae54deb998bab49cae9587f6d24ac0d589ebae404d2bc60c73690a10b2f31
Instruction Fuzzy Hash: 83323471644349DFDB389E34CD853EA7BB2FF46350F56822ADC999B284C3B05A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107879, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 623COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 662ba7064c2d8fd0e20c4ddbb6a00be097b784beab0c99f33826bc74a1d0cabc
Instruction ID: 0d23b76f3f3afdbbc88f9c3fe60793cd4befbe6a1e23ee86d730fd8c63622e58
Opcode Fuzzy Hash: 662ba7064c2d8fd0e20c4ddbb6a00be097b784beab0c99f33826bc74a1d0cabc
Instruction Fuzzy Hash: AF322171644349DFDB389E38CD853EA7BB2FF45310F56822ADC999B294C3B05A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021077EF, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 608COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 306d862f93f6235a11ba0ff3ca5f604bc3e6828482f376d21e660d2ef4f0aa80
Instruction ID: c2ad65e699c25e54f821a9bc73d95682d481afcc4b65511345f4ab23d2fb0afb
Opcode Fuzzy Hash: 306d862f93f6235a11ba0ff3ca5f604bc3e6828482f376d21e660d2ef4f0aa80
Instruction Fuzzy Hash: 48323171644349DFDB389E34CD957EA7BB2BF46310F56822ADC999B240D3B09A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210794C, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 566COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE
WfiM, xrefs: 02107A03

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$WfiM$k $z:w$z:w
API String ID: 0-1615776370
Opcode ID: 087b9b90ba683373e5cbeb78e6b2db440a7611b75a87943e2b3d07aafb048a28
Instruction ID: f22f434f5de52145e16787730ad05014cee9c12c45abd7e53c4f47e0c8366d78
Opcode Fuzzy Hash: 087b9b90ba683373e5cbeb78e6b2db440a7611b75a87943e2b3d07aafb048a28
Instruction Fuzzy Hash: 81223171648349DFDB388E34CD857EA7BB2BF46310F56812EDC9A9B254C3B05A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210146D, Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 522COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
}(iy, xrefs: 0210161B
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c$}(iy
API String ID: 0-2965748852
Opcode ID: c45db323f73eeb6ed003667b40a7a817f02f3f41129aab2440c67f58fa89eb2c
Instruction ID: fa617aa9eb40c1d0182d53e1f23eeed5997c679f397dc4383dfd6d2fbe9b895e
Opcode Fuzzy Hash: c45db323f73eeb6ed003667b40a7a817f02f3f41129aab2440c67f58fa89eb2c
Instruction Fuzzy Hash: 99024775A84349DFDF389E2989D47EE37A2BF95340F96412ADC8DC7294C3B48985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101591, Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 511COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
}(iy, xrefs: 0210161B
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c$}(iy
API String ID: 0-2965748852
Opcode ID: cee4921fec771dc4006f7d9aa12e1a0901922a0fd08324371b71256a4bb54594
Instruction ID: 33f28e4c2b0c56f6402c5101b405338000f4a5fa23e4d65d2bdfd1338ebb691b
Opcode Fuzzy Hash: cee4921fec771dc4006f7d9aa12e1a0901922a0fd08324371b71256a4bb54594
Instruction Fuzzy Hash: 30024971A84349DFDF349E6988D47EE37A2BF55340F95412EDC8E8B284D3B58981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101503, Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 501COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
}(iy, xrefs: 0210161B
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c$}(iy
API String ID: 0-2965748852
Opcode ID: ec4a8098c09d2b1cffb95d26205f15e5c7f9a63bd552ea68f7e329d2112723a0
Instruction ID: 7241b9be41c4a82265a225242c398851f4786831b5c7ae54312a3c648fa0bb7b
Opcode Fuzzy Hash: ec4a8098c09d2b1cffb95d26205f15e5c7f9a63bd552ea68f7e329d2112723a0
Instruction Fuzzy Hash: A1025975A84349DFDF389E2989E47EE37A2BF95340F95412EDC8D87294C3B58981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101629, Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 495COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
}(iy, xrefs: 0210161B
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c$}(iy
API String ID: 0-2965748852
Opcode ID: a01373dfd41e829656b40e6b594e252949f72b53aaaa5cc1577796b83631a288
Instruction ID: d3e5010fa47d8f82b0472792164be524515a3af51e3099c3ba794de97217f08d
Opcode Fuzzy Hash: a01373dfd41e829656b40e6b594e252949f72b53aaaa5cc1577796b83631a288
Instruction Fuzzy Hash: 69F16775A84349DFDB389E698CD47EE37A2BF95340F96412ECC9E87284C3B48581CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107C4F, Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 617COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 1859f306ce3b7ad0db00f6ca9de515f4530d313450a188876dd51269274578bf
Instruction ID: a10a5172bf1d5fef67317eded34fea85722aa10275fd54e4d75ecd002968a6e9
Opcode Fuzzy Hash: 1859f306ce3b7ad0db00f6ca9de515f4530d313450a188876dd51269274578bf
Instruction Fuzzy Hash: 76326A71A44349DFEB359E34CD853EA7BB2FF86300F56412ADC899B191D3B05A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107A95, Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 593COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: c67f662ec7a0e7888496115138e1b1e022f2d559090ca7cfb537d53db97ab7cd
Instruction ID: 914c00f90822c502f3a55e51b63728857b88eded931f382e2f12bed8fe6f75dc
Opcode Fuzzy Hash: c67f662ec7a0e7888496115138e1b1e022f2d559090ca7cfb537d53db97ab7cd
Instruction Fuzzy Hash: 30224571644349DFDB389E38CD953EA7BB2FF85310F56412ADC999B294C3B05A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107B2D, Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 557COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 7602f59a66480140a666552f49a49e0b789799683fddab8fb85ec2d569e8838e
Instruction ID: 28e36a06e01ca0df37dc1fa0cad6b4066b991ec6c1fefccd739a7e5abb8d41e0
Opcode Fuzzy Hash: 7602f59a66480140a666552f49a49e0b789799683fddab8fb85ec2d569e8838e
Instruction Fuzzy Hash: 12224471A48348DFDB389E34CD957EA7BB2FF46310F56412ADC899B284C3B04A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107BC0, Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 531COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 72f7264e968c4e45c28607a34f940fd109491da8681ea61842da7ebb88a0fe31
Instruction ID: 840d298c081494528f9df391f413d5c51684430e944105854ecf352cd0bff640
Opcode Fuzzy Hash: 72f7264e968c4e45c28607a34f940fd109491da8681ea61842da7ebb88a0fe31
Instruction Fuzzy Hash: 0D124471A48349DFDB399E34CD953EA7BB2FF46300F56412ADC999B291D3B04A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107D6B, Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 505COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 5848124733bafbc167a63087e2251dde413cc507249864a2b09aa0ab563c0232
Instruction ID: 0fbec0d6e65199be67e30fcc6598946c5dd46b5d9f9ae4f83a675044293d9fae
Opcode Fuzzy Hash: 5848124733bafbc167a63087e2251dde413cc507249864a2b09aa0ab563c0232
Instruction Fuzzy Hash: 9C125471A48348DFDB399E34CD857EA7BB2FF56300F56412ADC899B281D3B05A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107E15, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 491COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 6ac8043605c8569ec57b0d3d32d899c7a157e3036ce8ed4f199e5f3a7740ff99
Instruction ID: 1d5c6984c01195c244735fe204239712d1e59edac7f8e0932e91be95d4e10ab2
Opcode Fuzzy Hash: 6ac8043605c8569ec57b0d3d32d899c7a157e3036ce8ed4f199e5f3a7740ff99
Instruction Fuzzy Hash: 19024471648348DFDB399E38CD957EA7BB2FF46300F56412ACC999B181D3B05A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0210169A, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 478COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c
API String ID: 0-2362888104
Opcode ID: 0e94e2abdae98fe99f52a61de2306573a31aa69b9e716f9bc1b353a24160c98f
Instruction ID: 81d976c6584b458c12362c1a4d527989de71a9e00540af174a862f353d2cad24
Opcode Fuzzy Hash: 0e94e2abdae98fe99f52a61de2306573a31aa69b9e716f9bc1b353a24160c98f
Instruction Fuzzy Hash: EAF15771A84349EFDB389E798CD47DA37A2BF95300F9A411EDC9D87284D7B48581CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02101715, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 473COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c
API String ID: 0-2362888104
Opcode ID: 247caba861ac19f992588a9472e1b2322980ac14395dd5c9547ed7e263283f7f
Instruction ID: a434bc4bb7b419140ebbf9b898f0591f95f3f019cf88760a6ebe0f5132c650e3
Opcode Fuzzy Hash: 247caba861ac19f992588a9472e1b2322980ac14395dd5c9547ed7e263283f7f
Instruction Fuzzy Hash: 29F16775A84349EFEB389E798CD47DA37A2BF95340F96411EDC8D87280D7B48681CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0210179F, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 467COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE
c, xrefs: 02101767

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul$c
API String ID: 0-2362888104
Opcode ID: a2f5a1cffe3942ac3628c37540bf7104cab0964aaf0da93a90643fe8b43bb8f3
Instruction ID: 3ec243bb56f6ca433389efcd22abbb91481b831151b11b4e30f706616f33fec3
Opcode Fuzzy Hash: a2f5a1cffe3942ac3628c37540bf7104cab0964aaf0da93a90643fe8b43bb8f3
Instruction Fuzzy Hash: C9F15975A84349DFDB349E798CD47DA37A2BF96340F96411EDC8D9B284C3B48A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107CE5, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 459COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: b72102190e4abb7dccd62cd52d9e63f50141911eaeb0500ae433ec9a3210beca
Instruction ID: 8d69cbe81239e339380b4b8753f88389a5fcb16b64dcf6cacbc5049be3f76b1d
Opcode Fuzzy Hash: b72102190e4abb7dccd62cd52d9e63f50141911eaeb0500ae433ec9a3210beca
Instruction Fuzzy Hash: FB023271A48349DFDB389E34CD957EA7BB2FF46300F56412ADC899B291D3B04A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107EA3, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 450COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 0d7fbdf2b75abb3d1fdb98fcacc39181230923df28d3d3653a931c766cebc2b1
Instruction ID: e0509d4b27ce0989173ceee7218d163e1003a978fb1e4ca79ef8056e8d84dcd6
Opcode Fuzzy Hash: 0d7fbdf2b75abb3d1fdb98fcacc39181230923df28d3d3653a931c766cebc2b1
Instruction Fuzzy Hash: BD023471648388DFDB399E38CD953EA7BB2FF46300F56412ADC899B291D3704A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107FB3, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: ecb22ecafee0a56027cc69e833646217ce1149c5692d459b84263a05246a3fdd
Instruction ID: 9cfb60c64e9ee24cffb4a850fce9de1944a36413aa44fdbc957b530d5ec3fa7e
Opcode Fuzzy Hash: ecb22ecafee0a56027cc69e833646217ce1149c5692d459b84263a05246a3fdd
Instruction Fuzzy Hash: 53F13372A48349DFDB398E34CD957EA3BB2FF96300F56412ADC999B185C7704A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107F2C, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 424COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 4c372bffbca2b96e03d33cb60df2fd7afea14aab2f2edebf0bb1b96eda66ec02
Instruction ID: 7ac19e451675f303b1eaf03a0273d1e95ea03579208666cd0f93f478c563dcd7
Opcode Fuzzy Hash: 4c372bffbca2b96e03d33cb60df2fd7afea14aab2f2edebf0bb1b96eda66ec02
Instruction Fuzzy Hash: A1F14371644388DFDB399E38CD953EA7BB2FF86300F56412ADC999B291C3704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02107DB4, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 68ca1a3cc4113ebe1854cd43ecdc6b9ff7394ba449619958a80766a41bd2338b
Instruction ID: 97a4e7c9e484b81df7cd0d01a7f740361538ee2da02c2c810633b7776f1b47bc
Opcode Fuzzy Hash: 68ca1a3cc4113ebe1854cd43ecdc6b9ff7394ba449619958a80766a41bd2338b
Instruction Fuzzy Hash: 8EF12071648348DFDB399E34CD957EA37B2BF46300F56812ADC8A9B255D7B04A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02107DF5, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 401COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 7c8d4fe09736ddb88059be057372ed55b0b688b063b23e9be5428a0aaecf9af2
Instruction ID: b9c2dc209fab917152e68b680e24b5e08ed0f845255a1d0de2271bfe35d51932
Opcode Fuzzy Hash: 7c8d4fe09736ddb88059be057372ed55b0b688b063b23e9be5428a0aaecf9af2
Instruction Fuzzy Hash: 29F11F71648348DFDF399E38CD957EA37B2FF46300F56812ADC8A9B255D7704A858B02

Uniqueness

Uniqueness Score: -1.00%

Function 0210802F, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 397COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: e0efe26034ee20061c228746cf437d85826cbd7904a0dcc474fb971931c28974
Instruction ID: edfa997684db7313f129b95a54cace990e17f642ed062607940d8589ceaf78ec
Opcode Fuzzy Hash: e0efe26034ee20061c228746cf437d85826cbd7904a0dcc474fb971931c28974
Instruction Fuzzy Hash: 9BE14371A48388DFDB399E34CD957EA37B2FF86300F56422ADC998B195C7704A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021080C7, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 377COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 4e4dbfa2a4e11d71c093bad12e97ba89122444e4f9bc25f3639bb6d9940e751f
Instruction ID: 2e8bab324e8295c360ea32d7ce976e8c0170d08d08f784bd641dd6f34bb39f65
Opcode Fuzzy Hash: 4e4dbfa2a4e11d71c093bad12e97ba89122444e4f9bc25f3639bb6d9940e751f
Instruction Fuzzy Hash: 03E13571A48389DFDB399E38CD957EA3BB2FF45300F56412ADC895B241C7704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210813C, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 8b0bc49c9f0775d7f3a15a9621a61b065c89351b13364b68e38445fe50e98fe0
Instruction ID: b2007e3edfd8f9a3a5afca38194288a1f0be28ee3667f5b94e5f93280195d64d
Opcode Fuzzy Hash: 8b0bc49c9f0775d7f3a15a9621a61b065c89351b13364b68e38445fe50e98fe0
Instruction Fuzzy Hash: 4DD10471A48388DFDB399F38CD997EA37B2FF95300F5A411ADC995B241C7704A858B42

Uniqueness

Uniqueness Score: -1.00%

Function 021081FF, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: d67b8721045dca7b98d354564b4ad6aa1475290939f1c614a89734dc1226a36c
Instruction ID: 3e805ce69f4257428e3fe9d8c422fa1a453c6cf2fae076a5d089ecde3780ea31
Opcode Fuzzy Hash: d67b8721045dca7b98d354564b4ad6aa1475290939f1c614a89734dc1226a36c
Instruction Fuzzy Hash: 2CD11571A48788DFDB399E34CD953DA37B2FF9A310F16412ACC895B185C7704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021081A7, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8
F\oR, xrefs: 021081DE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: F\oR$k $z:w$z:w
API String ID: 0-574126991
Opcode ID: 57f924646bd75ee5b98a0cf874e52c01a2875ae083719833d6eb3975a3a25ad1
Instruction ID: 91c22c12edd8316e8312fa84cde445edd24be5b4534073a9a62160b83f6e4714
Opcode Fuzzy Hash: 57f924646bd75ee5b98a0cf874e52c01a2875ae083719833d6eb3975a3a25ad1
Instruction Fuzzy Hash: D5B11471A44388DFDF389F24CD997EA37B2FF95300F56812ADC899B245C7704A858B02

Uniqueness

Uniqueness Score: -1.00%

Function 02101890, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 439COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: 6f0a87800e846bc3fc3802f8cd7dbf17f3635eb59d6f4311d68a639256e0de79
Instruction ID: 1196ab8f013207919e75abfbb1e62255e204557b8954599c285d49bb7297138a
Opcode Fuzzy Hash: 6f0a87800e846bc3fc3802f8cd7dbf17f3635eb59d6f4311d68a639256e0de79
Instruction Fuzzy Hash: C6E15A71A84349DFDB389E298CD47DA37A2FF95350F95012EDC9D87284D3B48A85CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02101819, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 431COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: 103f40f8173aa1181bf0e03b3e7693fc131cb99f65a4630405c59d79c9cb898a
Instruction ID: 660a4d81ec2fb9f19fd49b6d489f5bc158c7e1face66886e39a449457efd27bb
Opcode Fuzzy Hash: 103f40f8173aa1181bf0e03b3e7693fc131cb99f65a4630405c59d79c9cb898a
Instruction Fuzzy Hash: D1E16A75A84349DFDB389E398CD47DA37A2BF95350F96411EDC8D9B284C3B48A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101934, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 404COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: d6703637e8d8780487b1cf249098e03ab56bd60b8cfabde198f29b1272a8e5ce
Instruction ID: 2cb677548e52acf5b59672b0ec45eb8c26e46efa1876891bbce691f726f03e61
Opcode Fuzzy Hash: d6703637e8d8780487b1cf249098e03ab56bd60b8cfabde198f29b1272a8e5ce
Instruction Fuzzy Hash: 87D14A71A84389DFDB349E398CD47DA7BA2BF86310F95411EDC9D8B285D3B48685CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021019AF, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 367COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: 5079486c295fc85e860bd3c41ec0516fccd62c2a21a4d7d4345e8742bedbe7b5
Instruction ID: e7ce8b4d13e7323896f1a3be77175d9bee9be6be643024f4a9638f7877652471
Opcode Fuzzy Hash: 5079486c295fc85e860bd3c41ec0516fccd62c2a21a4d7d4345e8742bedbe7b5
Instruction Fuzzy Hash: 20C13671A84349DFDB349E398CD87DA7BA2BF89340F95411EDC9D87284D3B48685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101C37, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 364COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: 0a56d2dac25c02dbe764492b23e99f8e8cf2088b311ae77d059474ab554430dd
Instruction ID: a947b44bdc4b38735f9c562cbc08e0c47056afec30d8a31e09702ad66e189f6d
Opcode Fuzzy Hash: 0a56d2dac25c02dbe764492b23e99f8e8cf2088b311ae77d059474ab554430dd
Instruction Fuzzy Hash: E8C15B76A84389EBDB399E3889D83DA3BB1FF85310F99011EDC5D9B191D3B88585CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021021DF, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 359COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Strings

]2V$, xrefs: 021026EF
T5o, xrefs: 02102326
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: %q[K$T5o$]2V$
API String ID: 560597551-4193607111
Opcode ID: 420ae2f1e3cf5c59225c89a7c16299968c4666fac8398431d4057e51f250a6ef
Instruction ID: 91b6ed45553179a49ec49337e3c5c36bef33764c8f2f852979faf77357906590
Opcode Fuzzy Hash: 420ae2f1e3cf5c59225c89a7c16299968c4666fac8398431d4057e51f250a6ef
Instruction Fuzzy Hash: E9D179726883859FDB269F358CD83DA7BF2BF8A350F6A015ACC859B181D3B44945CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02101A2F, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 354COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: a89a70f47d88c36fb4e9ff90497209875d89db65c04caee8a1a9037c6768c326
Instruction ID: f5df09edac8e5fd749f73a31822b3b1842cda306ab8c4f95c7af8a309de4d682
Opcode Fuzzy Hash: a89a70f47d88c36fb4e9ff90497209875d89db65c04caee8a1a9037c6768c326
Instruction Fuzzy Hash: 94C14771A84389DFDB349E398CD87DA37A2BF85340F95411EDC9E8B285D3B48685CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02101B37, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 347COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: c1e84f3dc8fb130527360b49933ee3b11ae17e550108010be1d3d0305cfa0ca3
Instruction ID: 2ff4f24f59870f9e3e861eb1caf8588a0fbdf44fa5b385c6e404b8ec4a4c10b8
Opcode Fuzzy Hash: c1e84f3dc8fb130527360b49933ee3b11ae17e550108010be1d3d0305cfa0ca3
Instruction Fuzzy Hash: 24C13B71A84389DFDB349E3988E53DA3BB2BF85310F95411ECC9D87195D3B48685CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02101AB7, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 334COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: 37bd2e4904ddcc8b34038c1dbb996c6fb54a53c650601843d6bd251a5de1c9d5
Instruction ID: 1915089543d2f09c1c2401eac91f54871b2ee27b912eddcd961c3b650335003f
Opcode Fuzzy Hash: 37bd2e4904ddcc8b34038c1dbb996c6fb54a53c650601843d6bd251a5de1c9d5
Instruction Fuzzy Hash: 22C16B71A84389DFDB349E798DD43DA7BA2BF86300F95401ECC9E8B195D3B48685CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02101918, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: f159d745e2864c71890319122cbcb51745174c67677b35132fd159cd824c6f03
Instruction ID: d1b94ab20aed24590612d0ecaeb57f39d52f4c6514a4671f97ae840457c72b3d
Opcode Fuzzy Hash: f159d745e2864c71890319122cbcb51745174c67677b35132fd159cd824c6f03
Instruction Fuzzy Hash: 74C12775684349DFDF349E298DE47DA37A2AF89340F95401EDC8ED7284D3748685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0210829B, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: k $z:w$z:w
API String ID: 0-4106860417
Opcode ID: 6b7fdf64c16b58704fb0bf6f60814fc8ba9db136a09c882767bbbecf744c4e9a
Instruction ID: a6fa8122580259082c43bdad73cb2ce92fdfdc5b309db3b58ce1046090efd644
Opcode Fuzzy Hash: 6b7fdf64c16b58704fb0bf6f60814fc8ba9db136a09c882767bbbecf744c4e9a
Instruction Fuzzy Hash: C1C13671A48789DFDB399F34CD993EA37A2FF89300F56412ADC995B281C7704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021084D1, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 307nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,773A7AE0,?,00000000,?,?,?,0000001F,6DBEA05A,?,-000000018CA24DAA,0FB1135D), ref: 021086C4

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: k $z:w$z:w
API String ID: 3527976591-4106860417
Opcode ID: b1fcf9209d4ece79e05fc5ffda6a84943350a719d3647438e3e77c910a49d969
Instruction ID: 4bd12dc443d4307ef215007d2ff9a15bd3d84a9455a0e010a719925de0d62d45
Opcode Fuzzy Hash: b1fcf9209d4ece79e05fc5ffda6a84943350a719d3647438e3e77c910a49d969
Instruction Fuzzy Hash: 86B147B2A887859FDB359F34CCD53D93BB2FF96300F5A416AD8994B192C7B04585CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02108324, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: k $z:w$z:w
API String ID: 0-4106860417
Opcode ID: aaab0e68a7f16e1ff7f2704bec3c1abd1d2ff0886381e8e578e1c2b0703d39d3
Instruction ID: 5a534d09f3412269aaed8f7d0746a891c54a65b59970a316d2134077df0c9324
Opcode Fuzzy Hash: aaab0e68a7f16e1ff7f2704bec3c1abd1d2ff0886381e8e578e1c2b0703d39d3
Instruction Fuzzy Hash: 93C114B1A483859FDB399F34CC957DA3BB2FF99300F5A412ADC895B281D7704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02101BBD, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 283COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
Vpul, xrefs: 02101D5D
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n$Vpul
API String ID: 0-3606006924
Opcode ID: 5cc6f7e6a0e41cbe9561f811a0a61abf4892028001c6cf0defca6f1d71b650f6
Instruction ID: 2d7272a7b03fe14b9194d4bacd05572afe27bccf95f0d24eba6ba0c45a489033
Opcode Fuzzy Hash: 5cc6f7e6a0e41cbe9561f811a0a61abf4892028001c6cf0defca6f1d71b650f6
Instruction Fuzzy Hash: 02A12571A84349DBDB389E3989E93EA37A2BF89350F95001ECC9D97180D3B48685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021083B7, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: k $z:w$z:w
API String ID: 0-4106860417
Opcode ID: ca11208d2ccaaf29c9a47912744e9f942005b267548dab5bb22c4efa84a9012e
Instruction ID: 1ac21dbe60ad62163087e3d38d20d9992e99bc1a3e762658cdab56d8a89a40ff
Opcode Fuzzy Hash: ca11208d2ccaaf29c9a47912744e9f942005b267548dab5bb22c4efa84a9012e
Instruction Fuzzy Hash: 75A125B1644389DFEB39DF24CD957DA37B2FF95300F5A812ADC994B241C77086858B42

Uniqueness

Uniqueness Score: -1.00%

Function 0210825E, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 266COMMON

Download Yara Rule

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: k $z:w$z:w
API String ID: 0-4106860417
Opcode ID: 096a7252557945d90698f2fb02d6fe1bc573ab9104aea9a60e632f51862b09f9
Instruction ID: dc709190eb93d4f606e175231fe91e195724596fcd81e7ce2c65c3cbc6e95e59
Opcode Fuzzy Hash: 096a7252557945d90698f2fb02d6fe1bc573ab9104aea9a60e632f51862b09f9
Instruction Fuzzy Hash: 75B11571644348DFDF398E38CD957EA37B2FF99300F56812ADC899B255D7704A858B02

Uniqueness

Uniqueness Score: -1.00%

Function 0210843F, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 253nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,773A7AE0,?,00000000,?,?,?,0000001F,6DBEA05A,?,-000000018CA24DAA,0FB1135D), ref: 021086C4

Strings

z:w, xrefs: 02108524
k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: k $z:w$z:w
API String ID: 3527976591-4106860417
Opcode ID: 8f5c3cdf60ad0f6a1ec67d4ac9d8847a3c3a7cae5ad07dd5a51befd7d0e5a932
Instruction ID: a1d2bea30d91272bd375b0a6d59c4342b3f38e550c7210feb1dff64574ed4dd7
Opcode Fuzzy Hash: 8f5c3cdf60ad0f6a1ec67d4ac9d8847a3c3a7cae5ad07dd5a51befd7d0e5a932
Instruction Fuzzy Hash: 19A102B2A48388DFEB359F34CC857DA3BB2FF96300F5A4129D9998B251D7704685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02102259, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 405COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Strings

]2V$, xrefs: 021026EF
T5o, xrefs: 02102326

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: T5o$]2V$
API String ID: 560597551-2236104366
Opcode ID: 3a96d0ab610e7be249b6ddb380f54375b2552cb3de7d3a0389cc214a778b4d8c
Instruction ID: ced5c99db81cde998e5e05ce4134d4bdcde1dcd0fb5a56512bbbfe7d88fc225c
Opcode Fuzzy Hash: 3a96d0ab610e7be249b6ddb380f54375b2552cb3de7d3a0389cc214a778b4d8c
Instruction Fuzzy Hash: EED18672A843859FD7269F79CCC83CA7BA2FF8A310F6A421ECC955B195D3B44945CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02108703, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 330nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,773A7AE0,?,00000000,?,?,?,0000001F,6DBEA05A,?,-000000018CA24DAA,0FB1135D), ref: 021086C4

Strings

k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: k $z:w
API String ID: 3527976591-3769489843
Opcode ID: 92f85ee1952722fd87407db17774ff5357a6fe2f8334f9cd3e80ab0f298f2dbc
Instruction ID: ddd7b1db0e831681c7cc0e7d91ce829667a57dee66854de10161d3f7e04da388
Opcode Fuzzy Hash: 92f85ee1952722fd87407db17774ff5357a6fe2f8334f9cd3e80ab0f298f2dbc
Instruction Fuzzy Hash: A5B137B29886849FE72A9F38CC883D53BA1FF95700F5F016AD8950B1D6C7B05095CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 02101DB7, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

(n, xrefs: 02101D9E
%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K$(n
API String ID: 0-1733685635
Opcode ID: b6c2f4429e9241c91b51d119f6873c33261cf7b234902f479ac7e5b0f368a765
Instruction ID: 3cbe1f1bad751e9b77061c137c082017f5024e0ca610be80bc1b92f92b49c091
Opcode Fuzzy Hash: b6c2f4429e9241c91b51d119f6873c33261cf7b234902f479ac7e5b0f368a765
Instruction Fuzzy Hash: 55714675A84345EBDB385E39C8D93EA3BA2FF89300F96011ECD9D87585D3B58685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02108677, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 208nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,773A7AE0,?,00000000,?,?,?,0000001F,6DBEA05A,?,-000000018CA24DAA,0FB1135D), ref: 021086C4

Strings

k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: k $z:w
API String ID: 3527976591-3769489843
Opcode ID: 308dac74a0b8312fd1cb13e22702af8eb1b039fe1dfb5adba2a7681c7152d107
Instruction ID: 01fcb13b77d43b6509fa253f519fdb4ee80170c80a005d7ab5bbf1f76c308cef
Opcode Fuzzy Hash: 308dac74a0b8312fd1cb13e22702af8eb1b039fe1dfb5adba2a7681c7152d107
Instruction Fuzzy Hash: 977132B2A48388DFDB368F74CD993D93BA2FF96300F5B416AD8950B192C7704595CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02108607, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,773A7AE0,?,00000000,?,?,?,0000001F,6DBEA05A,?,-000000018CA24DAA,0FB1135D), ref: 021086C4

Strings

k , xrefs: 021088E3
z:w, xrefs: 021086B8

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: k $z:w
API String ID: 3527976591-3769489843
Opcode ID: 26e5bb7459de0b5fb9053a961631cce24146106f0ed646a521fe31b0050f4dee
Instruction ID: 1ebaef1a4e833303957a496cce0e24c6692578bba97310cfa553cd1ba7703183
Opcode Fuzzy Hash: 26e5bb7459de0b5fb9053a961631cce24146106f0ed646a521fe31b0050f4dee
Instruction Fuzzy Hash: A66101B2A48348DFEB399F24CD957DA3BB2FF96300F564129DC994B192D3704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210EB03, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 730COMMON

Download Yara Rule

Strings

8:{g, xrefs: 021100D0

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: 8:{g
API String ID: 0-574241746
Opcode ID: 4de92d6895a27ddad203c7bec833343f05a387b9de81b9ee225f8bbf0c7f0c1d
Instruction ID: 808efa81838fb10147939b55549ed605654147f685151b1f5e41ae8cbda0bdb9
Opcode Fuzzy Hash: 4de92d6895a27ddad203c7bec833343f05a387b9de81b9ee225f8bbf0c7f0c1d
Instruction Fuzzy Hash: F3429B316483858FDB34DF38C8D97DA7BE2AF16320F89856ACC9A8B1D5D7718542CB12

Uniqueness

Uniqueness Score: -1.00%

Function 004014F0, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 520COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004014F5

Strings

VB5!6&*, xrefs: 004014F0

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: fe6bcdf7a211bb4a5310fc5c7b6a4452d9107ba669a2206b2c9f4d061e84caa3
Instruction ID: f6c4100e24907f38f7db4d69059254fbc8352fd23a989a64d3ed8fe52a3f8660
Opcode Fuzzy Hash: fe6bcdf7a211bb4a5310fc5c7b6a4452d9107ba669a2206b2c9f4d061e84caa3
Instruction Fuzzy Hash: DF029D3244E3D18FC7139B749EA21927FB0AE1331472E05DBC4C19F1B3D2296A2AD766

Uniqueness

Uniqueness Score: -1.00%

Function 02103053, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

<, xrefs: 0210AFEB

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: <
API String ID: 0-930352506
Opcode ID: eb3a45cef3acfcc0a01705f7d03313a75c627c9dd4b8a5ea6b30390d32a309bb
Instruction ID: f85244ecb52ba8352d4f94067d15ea615efa41afc9e15b466236ce22f4c52845
Opcode Fuzzy Hash: eb3a45cef3acfcc0a01705f7d03313a75c627c9dd4b8a5ea6b30390d32a309bb
Instruction Fuzzy Hash: E1E17AB2A887859FD7386E38D8C5AEA3BB1FFC4704F99021AD86947194D7B04A84CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02101F3F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K
API String ID: 0-1541054192
Opcode ID: 33d69fb57be9cd23d80b4fe6851631f09c271d356bcb10a593be245b92391a4c
Instruction ID: ec138b436438515534a555de480c3fd378f5360118e87c14fff2af3f3fa86559
Opcode Fuzzy Hash: 33d69fb57be9cd23d80b4fe6851631f09c271d356bcb10a593be245b92391a4c
Instruction Fuzzy Hash: 94614572A84745ABE734AE38C8D93DA77E1FF89700F8A011EDD9D87181D7B84589CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101E3A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K
API String ID: 0-1541054192
Opcode ID: 1b461242edd33ac5d041a9954a14ae4e110aac1d4663e2243df10213332dadd2
Instruction ID: 140655a8e2caf90a6a91d99196f1191e0cdf64d4ed2261e268b67680319a07aa
Opcode Fuzzy Hash: 1b461242edd33ac5d041a9954a14ae4e110aac1d4663e2243df10213332dadd2
Instruction Fuzzy Hash: AE714A76A88385AFDB359E3989D83DE7BB2FF49300F99001ADD9987181D3B44685CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02101EC4, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K
API String ID: 0-1541054192
Opcode ID: ee9f66f9aecead423f3a817a9c5cf6ee5867a8d36fe77932a84d2c75a9cbf0ab
Instruction ID: caf715145ce9a017fcfc8dff17677c86b12585343261505363a777fdffd7edc8
Opcode Fuzzy Hash: ee9f66f9aecead423f3a817a9c5cf6ee5867a8d36fe77932a84d2c75a9cbf0ab
Instruction Fuzzy Hash: 4E516672A84345EFEB359E78C8D47DA77A2FF49300F95011ADC9E87281D3B44685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02101FF6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: %q[K
API String ID: 560597551-1541054192
Opcode ID: bd6dade4467bb327761c5aa89cbf1d5c61be58d0487b765503e5764bb211e7c2
Instruction ID: 1973f52e48a78e48df34deb4276ac3f571da232c18d5d09847cb0d93b0cde537
Opcode Fuzzy Hash: bd6dade4467bb327761c5aa89cbf1d5c61be58d0487b765503e5764bb211e7c2
Instruction Fuzzy Hash: 4B513576A883449AE7249E388CDD7DA7BE2FF48300FD9411EDD9A871D9D3B04589CA02

Uniqueness

Uniqueness Score: -1.00%

Function 02101F93, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K
API String ID: 0-1541054192
Opcode ID: 6a11c1f458adbb0b9c1717e3eaf0a6c6dd6565f4d245eec8319a66d406631016
Instruction ID: 115aeabde230371dc79399515b9c6ba15a55580e3404c928ebda525c47e41497
Opcode Fuzzy Hash: 6a11c1f458adbb0b9c1717e3eaf0a6c6dd6565f4d245eec8319a66d406631016
Instruction Fuzzy Hash: 6B412572A84345ABEB34AE3989D93DA76E6FF48300FC6011EDD5D87185D3B44689CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02102043, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: %q[K
API String ID: 0-1541054192
Opcode ID: 7f6f05ab166c34ac89899c49fbb581c3797dbe4be1d550824a58cbe14a37422f
Instruction ID: c436c43e8bd56f832f74b697a0a6e13a1508c2603e7053eaed815014f7755e28
Opcode Fuzzy Hash: 7f6f05ab166c34ac89899c49fbb581c3797dbe4be1d550824a58cbe14a37422f
Instruction Fuzzy Hash: DB413672A843449BEB349E3888D97DA77E2FF48300FC6411EDD9A87589D3B44689CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02110176, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(46341624,?,?,?,?,0210F0F2,-CEC2260B,?,?), ref: 021102CE

Strings

/uz, xrefs: 0211029E

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: /uz
API String ID: 2706961497-3618625899
Opcode ID: 1ba9d705612e61028bb38e8fcd9809353954660442f0af943e153af8c3246c70
Instruction ID: 7d952a5bb9129d79b6cc7f0e656a2bca66d04de7e2252e6477cf1a1072853d78
Opcode Fuzzy Hash: 1ba9d705612e61028bb38e8fcd9809353954660442f0af943e153af8c3246c70
Instruction Fuzzy Hash: CD11AFB1A552498FEB78CE28CC94BEE77A29FD9300F55812DE84A8B344C7319945CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0210B962, Relevance: 3.2, APIs: 2, Instructions: 217fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2cd025b00d549f99be50d652a87fb85525b2ab71ae20f7705b73028f84d98e26
Instruction ID: 42c4c4d2cea18d8f5b4fcfceb435f9cd2cb7155eb19f564007729f0950f6addb
Opcode Fuzzy Hash: 2cd025b00d549f99be50d652a87fb85525b2ab71ae20f7705b73028f84d98e26
Instruction Fuzzy Hash: D5617A71588349CFCF385E6889D47EA36A2EF29254F92002BDC1F9B284C7F14F41CA52

Uniqueness

Uniqueness Score: -1.00%

Function 0210032F, Relevance: 2.9, APIs: 1, Instructions: 1399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4923c0193cc7e284aab4d27ab90b3f6718424329159357b310ed19d7b789efc
Instruction ID: 03a0d20cf787ec040bb5e3ceba4363644f7ae141f447169e60820289b13b2b47
Opcode Fuzzy Hash: b4923c0193cc7e284aab4d27ab90b3f6718424329159357b310ed19d7b789efc
Instruction Fuzzy Hash: D4724AF3EC4A81AAB329AE39D8C93657BE4FECC70178E234AD2A5160D1D7E04594CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0210362A, Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac5239a5c4dcd1f4a6ae9dd4767dfdf7500e1ea25f986749f656c103533088f
Instruction ID: a2bcf402cdb06e78a13c19e3452831e9d12ce6492849db7f0383286f23b8718d
Opcode Fuzzy Hash: eac5239a5c4dcd1f4a6ae9dd4767dfdf7500e1ea25f986749f656c103533088f
Instruction Fuzzy Hash: 9A8157B568438ADFCF309E788CD4BEA3766AF59350F91412ADC5DCB284D7B08A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021107A1, Relevance: 1.7, APIs: 1, Instructions: 242nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL ref: 02111136

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: a8d90e394692c56b3b011436fb98c7e5f62cec114b0282265bc1ace99a5f73a2
Instruction ID: 4bd46616a42dbf64c66e0cba4fe732abbdae71c6b51532cd6d0b8b962d222875
Opcode Fuzzy Hash: a8d90e394692c56b3b011436fb98c7e5f62cec114b0282265bc1ace99a5f73a2
Instruction Fuzzy Hash: 7F913731984749CFDB78CE3489A43DA77A2AF49350F56812BCC6D9B254D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0210A907, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0210A951

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f324aa93c6a3875472d912dac325d630ca58cd2d1cc045f8e02e9fcd00aa72af
Instruction ID: df0aae539fc2874cc9740dcf17b05ad5c9250e1f68d50b2f18d04b7fa4bbbaf9
Opcode Fuzzy Hash: f324aa93c6a3875472d912dac325d630ca58cd2d1cc045f8e02e9fcd00aa72af
Instruction Fuzzy Hash: B31194F3FC0F8165B219AA79D8C91046BE8FDD4B0338E222B9361160D1D3D055969FCD

Uniqueness

Uniqueness Score: -1.00%

Function 02109BD1, Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96cdbfef67da2659e31049381a72a882254b4644ae223a6e31cef796ff53a19
Instruction ID: 200e802e021191dcbd62885f44368a90d6d9fd28cc025bd863bc259be12de307
Opcode Fuzzy Hash: d96cdbfef67da2659e31049381a72a882254b4644ae223a6e31cef796ff53a19
Instruction Fuzzy Hash: C0F169B2A807899FEB38AE35C9D53EA3BA6FF95350F49021ADE95570D1D3B04980CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02100DF1, Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a19df0dfaf88a27582e4167c4b8f27640fc30d8528dd1441de303a37c332d88
Instruction ID: 2aa216b59b672d09aee171ba052361bb83b0908f00dfe4c27a3132db0b97daf1
Opcode Fuzzy Hash: 5a19df0dfaf88a27582e4167c4b8f27640fc30d8528dd1441de303a37c332d88
Instruction Fuzzy Hash: D0E168B3AC0745ABE328AE3989C93E57FA5FFC9710B5E120ADA95170D1D3E05984CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02100F79, Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef9f2236321aeefaf069fab55b0285b086b242ce473806d6e8a4420f76bb7ec
Instruction ID: b1cf8d7a27483fc42f60831569669dccf3550a60a1bd217c06d2278cbbdaedd3
Opcode Fuzzy Hash: 6ef9f2236321aeefaf069fab55b0285b086b242ce473806d6e8a4420f76bb7ec
Instruction Fuzzy Hash: B7E168B3AC4B81ABE328AE3988C93957FE5FFD9710B5E120AD6A5170D1D3E44884CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02109130, Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f4d10012db6d4458e1cb2075fc99076d43121626e3a8d7bca0f9fef537f44
Instruction ID: 5c19d5d1a602ad93ca7a21b7a8f32a7a3b27be697c4982fbc29045fc9812d89f
Opcode Fuzzy Hash: 8b7f4d10012db6d4458e1cb2075fc99076d43121626e3a8d7bca0f9fef537f44
Instruction Fuzzy Hash: C5E158B3AC4745ABE738AE3989C53E53BA6FFD9350B4E021ADB95170D1D3A48980CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02100EDB, Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f780cb89556195b349f83e17a98cb02d67540e9e4af7ce27d0f6eff18032d0eb
Instruction ID: 62f9d0d7a797486c6bf86c3a67ae6ee2ade834b2403ca0e339224d59048f99af
Opcode Fuzzy Hash: f780cb89556195b349f83e17a98cb02d67540e9e4af7ce27d0f6eff18032d0eb
Instruction Fuzzy Hash: 25D167B3AC0B45ABE734AE3989C53D57BA5FFC9750B5E120ADA95170D1D3E04980CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02106BC7, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2407888e8cb54403a63aa142dfdbc0a0fc751a552dadbac2de3f416d9e2220af
Instruction ID: 5eb6fe484616df34e746cc5b05e87327ba3fdb918db34f94d93651c393fa8dc2
Opcode Fuzzy Hash: 2407888e8cb54403a63aa142dfdbc0a0fc751a552dadbac2de3f416d9e2220af
Instruction Fuzzy Hash: E0D178B3AC0745AFE738AE3589C53E53BA6FFD9350B4E021ADA96170D0D3A04984CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02100E47, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bb5af26ec121c6dd15a02c13d3f887e17dc080662e2bbdfd352aa729efd9fb
Instruction ID: 698e103b18b6c73058f639f7d770c2e2b7651edbfd1b3006102f52f8f9ce7332
Opcode Fuzzy Hash: e7bb5af26ec121c6dd15a02c13d3f887e17dc080662e2bbdfd352aa729efd9fb
Instruction Fuzzy Hash: 2CC178B3AC0745ABE338AE3989C53E53BA5FFD9750B5E120ADA95170D0D3E04984CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0210B1C3, Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b4c238a3acc4e7db850793a230b93e022044edfaa45d4729945ab999c58a7e
Instruction ID: 85c427847ca1b745eba9bd91a43706cdae216ea991cf874f30cc832e7059213d
Opcode Fuzzy Hash: 34b4c238a3acc4e7db850793a230b93e022044edfaa45d4729945ab999c58a7e
Instruction Fuzzy Hash: D7C159B3AC47459FE738AE3589C53E93BA6FF99350B5E020ADA95170D1D3E44980CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0210D404, Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadbba9ba54f98bf849e1ca04421b41641fda84ba33510925028a70ea25877fb
Instruction ID: 07dae332399e5e3c26c813c022bbfc33abc30554b8183c3958c966c9727a649b
Opcode Fuzzy Hash: eadbba9ba54f98bf849e1ca04421b41641fda84ba33510925028a70ea25877fb
Instruction Fuzzy Hash: 9CC148B3AC0745AFE734AE3589C53E93BA6FF99350B5E021ADA95170D1D3E44980CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0210107F, Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba10cbad276b70b6822a464a54ce7b5fcb668f1332c5435e918682c60f779ae
Instruction ID: 617d88752992d79e682e64713fc0ea7e1f6c547c12f23f703ff2ab6954eba378
Opcode Fuzzy Hash: 3ba10cbad276b70b6822a464a54ce7b5fcb668f1332c5435e918682c60f779ae
Instruction Fuzzy Hash: 32B147B3AC0B85AAA338AE3A89C96957BE5FFC871079E120AD795170D1D3E48494CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02100FEF, Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d027736f7a654d77c84cffacf52431873682e86d77da4ac133dd29e50e44aef
Instruction ID: e48c7efa9fb3356bb6d0c9f143f30c4f8662d4b329d1fa360a8585bbf388c81f
Opcode Fuzzy Hash: 9d027736f7a654d77c84cffacf52431873682e86d77da4ac133dd29e50e44aef
Instruction Fuzzy Hash: 6DA146B3EC0B85ABA338AE3A89C92957BA5FFD871075E120AD7A5170D1D3E48494CF41

Uniqueness

Uniqueness Score: -1.00%

Function 004218F0, Relevance: 321.9, APIs: 168, Strings: 15, Instructions: 1605COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402320,00425010), ref: 004219E1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004219FA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000138), ref: 00421A24
#561.MSVBVM60(?), ref: 00421A47
__vbaFreeObj.MSVBVM60 ref: 00421A5E
__vbaFreeVar.MSVBVM60 ref: 00421A6A
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421ABA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421AD3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,00000178), ref: 00421AFA
#595.MSVBVM60(00000003,00000000,?,?,?), ref: 00421B33
__vbaFreeObj.MSVBVM60 ref: 00421B3C
__vbaFreeVarList.MSVBVM60(00000004,00000009,?,?,?), ref: 00421B60
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421B7C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421B95
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403EE8,000001A8), ref: 00421BB8
__vbaFreeObj.MSVBVM60 ref: 00421BC1
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421BDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421BF3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000070), ref: 00421C17
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421C30
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421C49
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E70,00000150), ref: 00421C73
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421C8C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421CA5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E70,00000108), ref: 00421CCC
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,00000700), ref: 00421D1F
__vbaFreeStr.MSVBVM60 ref: 00421D28
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00421D3C
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421D58
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421D71
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E40,00000108), ref: 00421D9B
__vbaFreeObj.MSVBVM60 ref: 00421DC5
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421DDE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421DF7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,00000178), ref: 00421E1E
__vbaLateIdCallLd.MSVBVM60(00000003,?,00000000,00000000), ref: 00421E33
__vbaStrVarMove.MSVBVM60(00000003), ref: 00421E43
__vbaStrMove.MSVBVM60 ref: 00421E54
__vbaFreeStr.MSVBVM60 ref: 00421E8D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00421E9D
__vbaFreeVar.MSVBVM60 ref: 00421EAC
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421EC5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421EDE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E40,000001C8), ref: 00421F05
__vbaStrCopy.MSVBVM60 ref: 00421F3B
__vbaStrMove.MSVBVM60 ref: 00421F4E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00421F79
__vbaFreeObj.MSVBVM60 ref: 00421F85
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421F9E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421FB7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F3C,00000048), ref: 00421FDE
__vbaStrCopy.MSVBVM60 ref: 00422018
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,00000704), ref: 0042205E
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 0042206A
__vbaFreeObj.MSVBVM60 ref: 00422076
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,00000708), ref: 004220A5
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004220BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004220D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000048), ref: 004220F4
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422109
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422122
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000140), ref: 0042214C
__vbaFreeStr.MSVBVM60 ref: 00422187
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00422197
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,0000070C), ref: 004221CF
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004221E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004221FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000088), ref: 00422227
__vbaStrCopy.MSVBVM60 ref: 00422231
__vbaFreeStr.MSVBVM60 ref: 00422253
__vbaFreeObj.MSVBVM60 ref: 0042225C
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422275
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042228E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F3C,00000070), ref: 004222B2
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004222C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004222E0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E70,00000108), ref: 00422307
__vbaStrCopy.MSVBVM60 ref: 00422311
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 00422360
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00422370
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004223C1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004223DA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000138), ref: 00422404
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,00000710), ref: 00422461
__vbaFreeObj.MSVBVM60 ref: 00422466
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,00000714), ref: 004224BB
__vbaStrCopy.MSVBVM60 ref: 004224C5
__vbaFreeStr.MSVBVM60 ref: 00422511
__vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 00422577
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422598
__vbaObjSet.MSVBVM60(?,00000000), ref: 004225B1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,000000F8), ref: 004225D8
__vbaLateIdCallLd.MSVBVM60(00000003,?,00000000,00000000), ref: 004225E9
__vbaStrCopy.MSVBVM60 ref: 004225FA
__vbaI4Var.MSVBVM60(00000003,?,00000000), ref: 00422628
__vbaFreeStr.MSVBVM60 ref: 00422645
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00422655
__vbaFreeVar.MSVBVM60 ref: 00422664
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814,00000718), ref: 00422683
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004226A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004226BA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000060), ref: 004226DE
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004226F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042270C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000160), ref: 00422733
__vbaLateIdCallLd.MSVBVM60(00000003,?,00000000,00000000), ref: 00422744
__vbaI4Var.MSVBVM60(00000003,33500000), ref: 0042277B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004227AC
__vbaFreeVar.MSVBVM60 ref: 004227BB
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004227D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004227ED
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,00000048), ref: 0042280E
__vbaFreeStr.MSVBVM60 ref: 00422840
__vbaFreeObj.MSVBVM60 ref: 00422849
__vbaVarForNext.MSVBVM60(?,?,?), ref: 00422861
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,00403814), ref: 00422891
__vbaSetSystemError.MSVBVM60 ref: 0042289E
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004228B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004228D0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000188), ref: 004228FA
__vbaFreeObj.MSVBVM60 ref: 00422917
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 00422935
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000001C), ref: 0042295A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040410C,00000064), ref: 0042297F
__vbaFreeObj.MSVBVM60 ref: 00422984
__vbaNew2.MSVBVM60(00402320,00425010), ref: 0042299D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004229B6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403EE8,00000180), ref: 004229E0
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004229F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422A0E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E70,00000060), ref: 00422A32
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422A47
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422A60
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403EE8,00000168), ref: 00422A8A
__vbaLateIdCallLd.MSVBVM60(00000003,?,00000000,00000000), ref: 00422A9E
__vbaI4Var.MSVBVM60(00000003,0057934C), ref: 00422AB3
__vbaSetSystemError.MSVBVM60(001C01CD,006AB41C,00621C3E,00159F56,0044A76F,0013F3EE,?,0069125E,000B0E66,00000000), ref: 00422AF6
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422B0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422B2B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E40,00000058), ref: 00422B4F
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 00422B85
__vbaFreeVar.MSVBVM60 ref: 00422B94
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422BB6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422BCF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000118), ref: 00422BF9
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422C0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422C27
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403EE8,00000180), ref: 00422C51
__vbaFpI4.MSVBVM60 ref: 00422C5B
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,004037E4,000002C8), ref: 00422CAD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00422CB9
__vbaSetSystemError.MSVBVM60 ref: 00422CCD
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,004037E4,00000084), ref: 00422D1A
__vbaStrToAnsi.MSVBVM60(?,Timothee), ref: 00422D2B
__vbaStrToAnsi.MSVBVM60(00000000,Ackees,00000000), ref: 00422D37
__vbaSetSystemError.MSVBVM60(00000000), ref: 00422D45
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00422D6B
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422D90
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422DA9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,000000F8), ref: 00422DD0
__vbaLateIdCallLd.MSVBVM60(00000003,?,00000000,00000000), ref: 00422DE1
__vbaFpI4.MSVBVM60 ref: 00422DF2
__vbaI4Var.MSVBVM60(00000003,4AEDEF88,00000000), ref: 00422E05
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,004037E4,000002C8), ref: 00422E49
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00422E55
__vbaFreeVar.MSVBVM60 ref: 00422E64
__vbaFreeVarList.MSVBVM60(00000002,?,?,00422EFA), ref: 00422EE7
__vbaFreeVar.MSVBVM60 ref: 00422EF3

Strings

R7K, xrefs: 0042261E
NEGOTIANTS, xrefs: 00422340
Timothee, xrefs: 00422D25
Ackees, xrefs: 00422D31
Nutriture4, xrefs: 00421F0B
Amphidiarthrosis, xrefs: 00422636
EXTENSORYMOVERESPIRALNOBI, xrefs: 004224EE
RIFFELGANG, xrefs: 00421FE8
Nringsvirksomhed, xrefs: 004225F2
VP, xrefs: 004221A8
macaranga, xrefs: 00422309
Wineglassful, xrefs: 0042238D
mosquital, xrefs: 00422229
BRUDELYS, xrefs: 004224BD
Skatteer1, xrefs: 00421CFD

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Copy$CallLate$ErrorSystem$Move$Ansi$#561#595InitNext
String ID: Ackees$Amphidiarthrosis$BRUDELYS$EXTENSORYMOVERESPIRALNOBI$NEGOTIANTS$Nringsvirksomhed$Nutriture4$R7K$RIFFELGANG$Skatteer1$Timothee$VP$Wineglassful$macaranga$mosquital
API String ID: 2303545845-1592060415
Opcode ID: 06206079cf428afd6eb0d8b1ea397ff26ef161a4c4ce2bca31a680e67e7170e2
Instruction ID: 27879ab2088f3aca2b7cd1a025eb754b6da19bac29a35e7e0de8b11a1f475ed6
Opcode Fuzzy Hash: 06206079cf428afd6eb0d8b1ea397ff26ef161a4c4ce2bca31a680e67e7170e2
Instruction Fuzzy Hash: 51D28F70A00218AFDB20DF64CD88FEAB7B8FB58701F508569F549E71A0DB745A85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00423450, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042349C
#705.MSVBVM60(?,00000000), ref: 004234B5
__vbaStrMove.MSVBVM60 ref: 004234C0
__vbaFreeVar.MSVBVM60 ref: 004234C9
__vbaFreeStr.MSVBVM60(00423500), ref: 004234F8
__vbaFreeStr.MSVBVM60 ref: 004234FD

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$#705CopyMove
String ID:
API String ID: 4024075114-0
Opcode ID: 12e1ddc4d7f56f3374140685529ff06c8830ee54dd8df04a7e537cc0627329ba
Instruction ID: efe62c541f236023aacdd268b4ee6a70e2b88cda778bd68d8105b00b868c9c60
Opcode Fuzzy Hash: 12e1ddc4d7f56f3374140685529ff06c8830ee54dd8df04a7e537cc0627329ba
Instruction Fuzzy Hash: 4D11E9B1D01229EBCB00DF95DA45ADEBFB8FF08705F10815AE505B7260D7781A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00423DD0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00423DD0(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr* _t11;
				intOrPtr* _t13;
				void* _t16;
				void* _t21;
				void* _t23;
				intOrPtr _t25;

				 *[fs:0x0] = _t25;
				_v16 = _t25 - 8;
				_v12 = 0x401298;
				_v8 = 0;
				_t11 = _a4;
				 *((intOrPtr*)( *_t11 + 4))(_t11, _t21, _t23, _t16,  *[fs:0x0], 0x401316);
				__imp__#690(L"Underfeature2", L"boardwalks", L"trophoplasmatic", L"nonvital"); // executed
				_t13 = _a4;
				 *((intOrPtr*)( *_t13 + 8))(_t13);
				 *[fs:0x0] = _v24;
				return _v8;
			}

0x00423de2
0x00423def
0x00423df2
0x00423df9
0x00423e00
0x00423e06
0x00423e1d
0x00423e23
0x00423e29
0x00423e34
0x00423e3f

APIs

#690.MSVBVM60(Underfeature2,boardwalks,trophoplasmatic,nonvital,?,?,?,?,00401316), ref: 00423E1D

Strings

Underfeature2, xrefs: 00423E18
trophoplasmatic, xrefs: 00423E0E
nonvital, xrefs: 00423E09
boardwalks, xrefs: 00423E13

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: #690
String ID: Underfeature2$boardwalks$nonvital$trophoplasmatic
API String ID: 2608397304-685263129
Opcode ID: 3a5174c50cdb7e2d05a09dbb6d0363c42d1e578427f150ecea44b3233256b174
Instruction ID: ca91bac600f65f2ae0b89a027047624bc19171f814d5bdff6376a963ec8668ff
Opcode Fuzzy Hash: 3a5174c50cdb7e2d05a09dbb6d0363c42d1e578427f150ecea44b3233256b174
Instruction Fuzzy Hash: CDF068B5640208FFC300EF88D945F59BBF8FB49B41F10816AF505B7690C7785944CB95

Uniqueness

Uniqueness Score: -1.00%

Function 021020CF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: %q[K
API String ID: 560597551-1541054192
Opcode ID: 1b5a2fa1b0d6bc830ef4f96b174a2570e7a4e904bd8d1094eee9f847cdebc5fb
Instruction ID: aebca70f6ba3c56aa214ddf9069c4e5aaa33b0f921610b18767e2073781e9108
Opcode Fuzzy Hash: 1b5a2fa1b0d6bc830ef4f96b174a2570e7a4e904bd8d1094eee9f847cdebc5fb
Instruction Fuzzy Hash: 06410372A843449BE7349E3889D97DA7BE6FF88300F8A421E9D5597189D3B44689CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0210215B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: %q[K
API String ID: 560597551-1541054192
Opcode ID: 6f30a30ae56fc109830ced1c01f15f4497f53d7a37979e9d1b28ac4efe4c51fc
Instruction ID: 3dbedfd2144462aaf5ae15530071616f23c5d257d8e7ac37a153e686781ec3ff
Opcode Fuzzy Hash: 6f30a30ae56fc109830ced1c01f15f4497f53d7a37979e9d1b28ac4efe4c51fc
Instruction Fuzzy Hash: 3C41E7B29897809EE7259E348CDD3967BB1BF46304F8A015BDE94870D2D3B44999CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02102198, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Strings

%q[K, xrefs: 021021BE

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: %q[K
API String ID: 560597551-1541054192
Opcode ID: 11b6bd921e54c78354af8ee0f28343d333677c9d3eecc808e46f6e632f20d76c
Instruction ID: dae57274da48a1ad740cde5bfbe710e65e259c02c17d62ecdaa43cdd9f2067c2
Opcode Fuzzy Hash: 11b6bd921e54c78354af8ee0f28343d333677c9d3eecc808e46f6e632f20d76c
Instruction Fuzzy Hash: A911ED3568C3808FDB221E348DE13DA7BB1AF06200F8A009ECDC59B596C7B9098AC712

Uniqueness

Uniqueness Score: -1.00%

Function 02100B7F, Relevance: 1.8, APIs: 1, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15389b616b366a077d68c6a3d1bc218a0509b4334e81f9220801466bde01adb
Instruction ID: e3d171ec301e4aabe8369f82d434e34607082fb82ac7758355c57c6e4ae15c23
Opcode Fuzzy Hash: e15389b616b366a077d68c6a3d1bc218a0509b4334e81f9220801466bde01adb
Instruction Fuzzy Hash: 3A9158B3AC4B89AAE334AE39C9C93953BE6FFC8710B5D421AD6954B0D1D3E05584CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0210B965, Relevance: 1.7, APIs: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b1829642669a1e9cd4f9ab9d88a74d3ad15ff3ca666f1d19a2825e3961b5d380
Instruction ID: afeccbd3b5df7189802372c1f0eb67fb35120f23677587ca9361180424887485
Opcode Fuzzy Hash: b1829642669a1e9cd4f9ab9d88a74d3ad15ff3ca666f1d19a2825e3961b5d380
Instruction Fuzzy Hash: 1851E6F2DCC649DADB385E2989C43E566B5FF9470CF9A012BD82A57180D3F05B44CE46

Uniqueness

Uniqueness Score: -1.00%

Function 0210BA3E, Relevance: 1.7, APIs: 1, Instructions: 164fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 18de17e95f6664fc6c707dd6aad659157ed74202022a05d9f41f7936f9ce17a6
Instruction ID: 5f0b8beef263c2a0eab4d773f60089a87100917bb95b794673a304cfa16c41db
Opcode Fuzzy Hash: 18de17e95f6664fc6c707dd6aad659157ed74202022a05d9f41f7936f9ce17a6
Instruction Fuzzy Hash: 904125B39CC24ADADB385E2AC9C43E166B5FFA460CF8A02179C2A17181D3F05B45CA56

Uniqueness

Uniqueness Score: -1.00%

Function 021092EB, Relevance: 1.7, APIs: 1, Instructions: 164COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 00c73173b9bbcdf15f2f54e7c134df426618f66e46b6801e910dbad3d9a7c6c3
Instruction ID: 5c9824d69ab38d06d4075ea03a82162cab04c2a6f171ee31a40406366890714f
Opcode Fuzzy Hash: 00c73173b9bbcdf15f2f54e7c134df426618f66e46b6801e910dbad3d9a7c6c3
Instruction Fuzzy Hash: FC4115B2A847859FE325AE38D8E42D67BF4FFC9B00F8A015EC5958B192D3A44584CF05

Uniqueness

Uniqueness Score: -1.00%

Function 02100CFB, Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,?,?,00000040,00000000,?), ref: 02100CB2

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: e8cfdca136cbf8b0772b0ae2235b98765e7baccd3b5bcc977f603afc66ead9b7
Instruction ID: 56e26ee548eba0a90a9df524a2d829a79ff42e185953334c79c821c55e60381c
Opcode Fuzzy Hash: e8cfdca136cbf8b0772b0ae2235b98765e7baccd3b5bcc977f603afc66ead9b7
Instruction Fuzzy Hash: B0414CB3A84B499AE7599F38C9C43D43BE0FF9D300F5D525AD0995B095C3A3A588CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0210BBFD, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b7b6219e07688201206f215f5963684a313aec16b9d63b1bdb00594e82b0c0
Instruction ID: 4b100b9100225956c7ad11a935a6707defe2a5c7697dd02b6f65696e2303745b
Opcode Fuzzy Hash: b7b7b6219e07688201206f215f5963684a313aec16b9d63b1bdb00594e82b0c0
Instruction Fuzzy Hash: BC412AB39CCA4DD6A738AE29C9C429166A5FFE470CB9E1217842A071C5C7F04B85CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0210BA8D, Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72de2a72e3f4b7bfa464f1d987f6ea3a4d8712147ae30aa16424c01e551eaac
Instruction ID: 15f03631da2aa9cb63463e5f4bedb1ecdbf21602b252f6ee93e89111b7a7e923
Opcode Fuzzy Hash: e72de2a72e3f4b7bfa464f1d987f6ea3a4d8712147ae30aa16424c01e551eaac
Instruction Fuzzy Hash: 314136B29CC249DADB385D2A8DC43E666B5FFA864CF8B01179C2B571C0D3F05B44CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02100C57, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,?,?,00000040,00000000,?), ref: 02100CB2

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: eae38337472ab9733b6c19ebc5f3b427cbcafd30088f43777ebb41eadf39f79d
Instruction ID: a0d012456e0cc21ffcf19ca840db5ab87c5f2ba9953e94c4f7091d8869486ca7
Opcode Fuzzy Hash: eae38337472ab9733b6c19ebc5f3b427cbcafd30088f43777ebb41eadf39f79d
Instruction Fuzzy Hash: 83413A71A8878CAFD7759F3889D83D53BE1BF9A310F58459BD4888B192C3B0858DCB12

Uniqueness

Uniqueness Score: -1.00%

Function 0210BDAD, Relevance: 1.6, APIs: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 238e8e7142e647017a4b025b271b3b5c4f4a3e61d6227408c42bed30e7337338
Instruction ID: 772daa5ae546a5bd83df60b7cf671421f94e5cd1e61afb9a3002e608580e73ae
Opcode Fuzzy Hash: 238e8e7142e647017a4b025b271b3b5c4f4a3e61d6227408c42bed30e7337338
Instruction Fuzzy Hash: 5831D7F39DCA85DAA7286E29C8C4291E6B4FFE470DB9E12179569071C193E24784CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0210BAD3, Relevance: 1.6, APIs: 1, Instructions: 124fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a536a1fbe4e9e78091475d0cd227ebd5d2bd6b7c9ad433c06e5a96bbc8fc820
Instruction ID: 4879b036cf7002eb6829705d819c1a3c701af131fd6d2b0ff11c5be7da6454a4
Opcode Fuzzy Hash: 4a536a1fbe4e9e78091475d0cd227ebd5d2bd6b7c9ad433c06e5a96bbc8fc820
Instruction Fuzzy Hash: 944123B29CC249DBDB385E298DC43E666B5FFA461CF9A02179C2A57284D3F01B01CE52

Uniqueness

Uniqueness Score: -1.00%

Function 0210BB1A, Relevance: 1.6, APIs: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a7915cfb725d0aab32d2c3880adeb44075fe5389c1977aec2a95a2d42e247f2a
Instruction ID: 1254edb7354f599216e443626e332d84818f0258ab43cec7df587e06bc1d997a
Opcode Fuzzy Hash: a7915cfb725d0aab32d2c3880adeb44075fe5389c1977aec2a95a2d42e247f2a
Instruction Fuzzy Hash: CE312AB29CC249DBDB385D2A89C43E666B5FFA861CF9A01178C2E571C0D3F05B44CE56

Uniqueness

Uniqueness Score: -1.00%

Function 0210937B, Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(74763EEF), ref: 0210942A

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 24b0836c4ff1b8e7a6057102a516ce3796abe12fd7d9aede89d2ac662578c65f
Instruction ID: 6d613178a932bc61529d004cd5feae8bc48686257f6aee8c9b1af7bacbb9f24f
Opcode Fuzzy Hash: 24b0836c4ff1b8e7a6057102a516ce3796abe12fd7d9aede89d2ac662578c65f
Instruction Fuzzy Hash: 3331E4B2A84B819AE725AE39DCF82877AE4FFC4F01B8D115A85958F1D3C7E04555CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0210BBA3, Relevance: 1.6, APIs: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1c8b0683902fde1b1b4890c4beabcb5560a35bcb75844b413a615204063fd665
Instruction ID: 861d97f71e9a3aeaf5746c1696ff9203c3ccb8e7216772b3c2e96df89f8abce2
Opcode Fuzzy Hash: 1c8b0683902fde1b1b4890c4beabcb5560a35bcb75844b413a615204063fd665
Instruction Fuzzy Hash: 2B3159B29CC249DBDB385D29CDC43E666B5FFA460CF9A02179C2A07288C3F04B44CE52

Uniqueness

Uniqueness Score: -1.00%

Function 0210BE7B, Relevance: 1.6, APIs: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6dda469d37a2cb184b737e0f85846576d88c30941acf35ce0431249b232d874b
Instruction ID: 8d7df6476903ac2e108fe9b95ed46cdaf7e16d291f0b40d370dc35a757ce3902
Opcode Fuzzy Hash: 6dda469d37a2cb184b737e0f85846576d88c30941acf35ce0431249b232d874b
Instruction Fuzzy Hash: 0021F9B29C8645DAD7389E28D8C86D5F7F5FBA4708BAA02178769472C1D3F01B41CE51

Uniqueness

Uniqueness Score: -1.00%

Function 0210BDF3, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8dbe2e5c87750879287073a3bb30e8ccf910f176343c63d3430aa1a5a5120cc8
Instruction ID: 34f50ac22b2fa4d8cdd7e1e6194b646364da6b475a4c0bce4fdd3c9ccd267065
Opcode Fuzzy Hash: 8dbe2e5c87750879287073a3bb30e8ccf910f176343c63d3430aa1a5a5120cc8
Instruction Fuzzy Hash: E021F8B25C8649DAD7389E19CCC46D1A6B5FFA470CA9A02178A6907181C3F11740CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02100C2A, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,?,?,00000040,00000000,?), ref: 02100CB2

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 1847e3a938856e041fa025e1f076960ffc7874f8b376593c788c5d45ac9a546b
Instruction ID: e789f1c2054b0a3008ea0cc2f246a5ac20e59a860c233c27b43abfc61dde7270
Opcode Fuzzy Hash: 1847e3a938856e041fa025e1f076960ffc7874f8b376593c788c5d45ac9a546b
Instruction Fuzzy Hash: CD210371A4434D9FDB648E38C9D83EA77A2BF59310FA4852AD889CB256D3718A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0210BFAB, Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 44fefe9f7c4c48b6c1dbeb4545fdcb4470f2786af2fb6acd4dbeb17f54225cb0
Instruction ID: a4fd3582543190e40f4d6aa0cb30066b0cf9f8e254bad579832ae412a747cc0b
Opcode Fuzzy Hash: 44fefe9f7c4c48b6c1dbeb4545fdcb4470f2786af2fb6acd4dbeb17f54225cb0
Instruction Fuzzy Hash: 8A11E9F3AC8A49DAE7349E39CCC869D67A4FBA8708B9E0307D569475C5C3B05B50CE81

Uniqueness

Uniqueness Score: -1.00%

Function 0210C062, Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: adca688e2e72bf3d46336ba4b51798fd8ff0571aa4f16ebc0a92e39d19d2e910
Instruction ID: d6f01d3bb4026fdaa5bf83ac0166055ec59353ecbee6bd7682562ca7d82ee6b1
Opcode Fuzzy Hash: adca688e2e72bf3d46336ba4b51798fd8ff0571aa4f16ebc0a92e39d19d2e910
Instruction Fuzzy Hash: D601A7FBAC0985A6B734AE3CC8C8F8566E8FBD4704B8D53079655060DD83B04544CED1

Uniqueness

Uniqueness Score: -1.00%

Function 0210C0AD, Relevance: 1.6, APIs: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ff3522cc80d39a73da74e09f3439f091d3f51705edd02bba9f6ba8389defbd92
Instruction ID: de744213015a8de1fd05e93f04b9a209a832a8d3598fc5491c4e0188eeef6f09
Opcode Fuzzy Hash: ff3522cc80d39a73da74e09f3439f091d3f51705edd02bba9f6ba8389defbd92
Instruction Fuzzy Hash: F2F086FBAC098695A738AE39C8C8A806AA4FBE8B05B9C53079565161DD43B00994CEC5

Uniqueness

Uniqueness Score: -1.00%

Function 0210C18F, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 89529ad1e05ce6ba45b4470ab1a55f6f1c0de29bd5f061e00adc5290102bfe97
Instruction ID: 00d4d280d33a1650bbe2e25dec27a194e95a47f9789a8c02c35e21931b82db41
Opcode Fuzzy Hash: 89529ad1e05ce6ba45b4470ab1a55f6f1c0de29bd5f061e00adc5290102bfe97
Instruction Fuzzy Hash: E1F030F3AC0D86E6B328AA2DD8C91406AF4FBF9B0668D23079175561D197F00D90CEC5

Uniqueness

Uniqueness Score: -1.00%

Function 0210C144, Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000A3E5,89B249F4,-00000001F1D129A7,214D1B82,-20FB2893,-61BEF55F,-AD6097E2,0210B588,A62E25CF), ref: 0210C185

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79cbb4ab3261adb549ce80f3b472c4f4ddae104f997ae4ad801b0903e09ab4bf
Instruction ID: 854646e969d93d1a41cb11b0754c647679d322ca2e947a12a15f91c736f32a25
Opcode Fuzzy Hash: 79cbb4ab3261adb549ce80f3b472c4f4ddae104f997ae4ad801b0903e09ab4bf
Instruction Fuzzy Hash: F4F01CF7E80986F6B325AA39C8C96806AF4FBF8B0569D23479129160D153B04D94CED5

Uniqueness

Uniqueness Score: -1.00%

Function 02061774, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669580214.0000000002060000.00000020.00000001.sdmp, Offset: 02060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2060000_41609787.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419940e7749f6dbeea4cb8745417377563d30f4aa1c692a2e17406000fc9d882
Instruction ID: eb71e0ccb10e0241a4b1be8d8a0d7d7a8adb8f99506b8fb7b515f990ed0a6afc
Opcode Fuzzy Hash: 419940e7749f6dbeea4cb8745417377563d30f4aa1c692a2e17406000fc9d882
Instruction Fuzzy Hash: 9BD05E7130F280BFD3099B248D269E63FF4EF82225F0909EAF544DB253E6159D058366

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021022DF, Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

]2V$, xrefs: 021026EF
T5o, xrefs: 02102326

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: T5o$]2V$
API String ID: 0-2236104366
Opcode ID: d6904dc67f5f977c3d7373e1aa0af81512dce80c862aeceaadf9c3f1d010756d
Instruction ID: ccee979d409420fa0dee04b5aa4e0009a388712664195516c6acbf91fe504a46
Opcode Fuzzy Hash: d6904dc67f5f977c3d7373e1aa0af81512dce80c862aeceaadf9c3f1d010756d
Instruction Fuzzy Hash: 40A199726843499FDB359F79CCC83DA7BE2BF8A350F6A411ACC895B280D3B04945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02102359, Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

]2V$, xrefs: 021026EF
T5o, xrefs: 02102326

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: T5o$]2V$
API String ID: 0-2236104366
Opcode ID: 22d7bcbbc319f531bb624394c915c22a745c3cdca436d7615d4eabac9e104faa
Instruction ID: 597e4b6c74958ff608be1b2bd143258fee02d8395f424fd2274ed26ab9723a67
Opcode Fuzzy Hash: 22d7bcbbc319f531bb624394c915c22a745c3cdca436d7615d4eabac9e104faa
Instruction Fuzzy Hash: 42A158726843499FDB259F39CCC83CB7BE2BF89350F6A411ACD895B194D3B05A45CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0210222A, Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

]2V$, xrefs: 021026EF
T5o, xrefs: 02102326

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: T5o$]2V$
API String ID: 0-2236104366
Opcode ID: 480fa2343097af30aa0496ef9244304ea3539899b6ebd7aae93f55fa00634b47
Instruction ID: 05a82261ff1b1f3631a582daa14e689301f21fb475d58885595dbb6f9e64ea90
Opcode Fuzzy Hash: 480fa2343097af30aa0496ef9244304ea3539899b6ebd7aae93f55fa00634b47
Instruction Fuzzy Hash: 25A16972644349CFDB319F39CC983DB77A3AF89350F66412ACC899B285D3B48A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 021055AB, Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

Fs+9, xrefs: 02105685

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: Fs+9
API String ID: 0-3774446485
Opcode ID: fb04e346100a597eb4c16b028abe95848968c35128e4077b75e31ae0a942c04c
Instruction ID: f254c46c0318e37da00396f1f0165be4718ccca230b27ab9d12b5d4330219307
Opcode Fuzzy Hash: fb04e346100a597eb4c16b028abe95848968c35128e4077b75e31ae0a942c04c
Instruction Fuzzy Hash: D5E1E271644689EFDB28CF28CCD47EA77A2FF49300F99812ADC9987281D770A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0210451B, Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

U4X^, xrefs: 021045BD

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: U4X^
API String ID: 0-4507247
Opcode ID: 1fb461925fdd2414b45e849d7818e35033bfedaf9902dfd487bd25fd2ce7d8ec
Instruction ID: 58b0e231cf733314c0c8825b346c7954d2331c34b9b5c846360c7cb913aad6bb
Opcode Fuzzy Hash: 1fb461925fdd2414b45e849d7818e35033bfedaf9902dfd487bd25fd2ce7d8ec
Instruction Fuzzy Hash: 92A15471A443499FDB389E29C9907EE77F3EF84350F66842DDD8A97244D3719A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021023EA, Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

]2V$, xrefs: 021026EF

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: ]2V$
API String ID: 0-4012779422
Opcode ID: 4e5bb0fb178e8621710776ae2ee4ed0f7b84e3051654a380396ad554eb36a93d
Instruction ID: 9ab2cad1ba7bf13514ded5c0e26946d7dfbe8ba111f25235ceced0798997e8c4
Opcode Fuzzy Hash: 4e5bb0fb178e8621710776ae2ee4ed0f7b84e3051654a380396ad554eb36a93d
Instruction Fuzzy Hash: 7C918A726843898FDB259F39CCC83DA7BE2FF89350F6A411ACD855B191D3B04946CB12

Uniqueness

Uniqueness Score: -1.00%

Function 021024A7, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

]2V$, xrefs: 021026EF

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID: ]2V$
API String ID: 0-4012779422
Opcode ID: 506a616e6d7ba74d13ddffc356fdaa193a285a9eacab6ea0bc856e263d76eb4f
Instruction ID: 97fc1231838690dd570d17c3b8fe7fe9253137e3bc58e50466db44b37c494cbd
Opcode Fuzzy Hash: 506a616e6d7ba74d13ddffc356fdaa193a285a9eacab6ea0bc856e263d76eb4f
Instruction Fuzzy Hash: 85617972644389CFDB319F38CCD83DA7BA2AF85350F6A411ACD895B285D3F49941CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02104651, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae57231f575607df2a77974f49ac3b562f9ee9bf1bacd713cfea8d13f389f1f
Instruction ID: 879175d0e00bf887e78f3b679e30f73192a4593937fe662b8f171c081b2f110e
Opcode Fuzzy Hash: fae57231f575607df2a77974f49ac3b562f9ee9bf1bacd713cfea8d13f389f1f
Instruction Fuzzy Hash: 2DA14472A443859FDB349E69C8D53EA7BF2FF84350F5A402EDD8997244E3718982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02104802, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a52dc9c5b737c96b14b99348be57c2714c62ec6dcbddeb5c0dc95698694f8d
Instruction ID: 37eeec86d3c6f91d602c0a72e1ca2af8b83d939de838a58544fd9c9932c39ad3
Opcode Fuzzy Hash: f6a52dc9c5b737c96b14b99348be57c2714c62ec6dcbddeb5c0dc95698694f8d
Instruction Fuzzy Hash: C5715572A807898FDB249E29C8D13EA77F2FFC5750F5A852EDE8997240D3715981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021046FB, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee9b74c65cd762a92dec980fab64425378888db87cd6606663a63fee290b6c9
Instruction ID: 903df4a6f74fa3bcfce1fc1729b144d400ab2cb56549b3bd14f57445f3596f5f
Opcode Fuzzy Hash: 6ee9b74c65cd762a92dec980fab64425378888db87cd6606663a63fee290b6c9
Instruction Fuzzy Hash: 36712371A44389DFCB349E2589D17EE77F3AF84390F56842DDD8997244D3719A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0210F9A3, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217afecc622d10158e356d4cba81616c42b2d1d8fe928b135c9c3c4b68d7d2fd
Instruction ID: 42ebda08a9616fc2fe14d6b107835c2c57f4386a0659b3f6e6206bd0a3221316
Opcode Fuzzy Hash: 217afecc622d10158e356d4cba81616c42b2d1d8fe928b135c9c3c4b68d7d2fd
Instruction Fuzzy Hash: 31717635D883858BDB35CE3888D63CA7BA39F52360F59C26A8C994B2CAD7744542C752

Uniqueness

Uniqueness Score: -1.00%

Function 02106C37, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851a39a1237339df4b278b4966462b04561db078f1992352b2288ea41a651f44
Instruction ID: 0acc1d0da3a1781f01070cd7d9aba0d2360274c392ea688831dc96850ce1c9ce
Opcode Fuzzy Hash: 851a39a1237339df4b278b4966462b04561db078f1992352b2288ea41a651f44
Instruction Fuzzy Hash: 346134B26807899FE730CE24CAD47C77BF6FF56700F95052ACD4A8B281D375AA568B01

Uniqueness

Uniqueness Score: -1.00%

Function 02104880, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274a4b2512253ea92a97f5ab8817235441a18e819332087cf07065fb5af3e758
Instruction ID: f152656f06005f5532066bf9d15975c5a868f1a6320279759efdcca7d9c61a79
Opcode Fuzzy Hash: 274a4b2512253ea92a97f5ab8817235441a18e819332087cf07065fb5af3e758
Instruction Fuzzy Hash: B4617672A843C58FDB24AE6988D13EA77F2FFC4750F5A442EDE899B150D3B04981CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02106CE1, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e8918cdd769f10ed2bd03a808e1070d8531124f0eb5f5c39a5eec5715ed3c2
Instruction ID: 6e56cde124be0e72d65675af529381a009b39e0b20054e335216399c6b922021
Opcode Fuzzy Hash: 95e8918cdd769f10ed2bd03a808e1070d8531124f0eb5f5c39a5eec5715ed3c2
Instruction Fuzzy Hash: 366143B26807C99FD7308E25CAD47C63BE5FF46704F89022ACD898F185D3B5AA56CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02104730, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9cca172bea34bb0bc1443d8ebb4aaac01952966a70420d0380724469322e1d
Instruction ID: c0485fd99964bf583fc31f15c2624f87a05b475e294eaebe92c9a5fba3269014
Opcode Fuzzy Hash: 6c9cca172bea34bb0bc1443d8ebb4aaac01952966a70420d0380724469322e1d
Instruction Fuzzy Hash: 0E615771A44389DFCB349E2989917EFB7F3AF84790F56842DDC8997204D3719981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02104914, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a9a9a88545142ee85eec2c7a6f06f93e78735458c04d6d748887d414f05605
Instruction ID: 4e3587dabeb463f7a3606f88677ef9293d1b79f28fe642f635cf1879d5b516ff
Opcode Fuzzy Hash: b5a9a9a88545142ee85eec2c7a6f06f93e78735458c04d6d748887d414f05605
Instruction Fuzzy Hash: EF513772A443C68FD721AF2588D12EABBF2FF85714F5A046ECEC55B252C3705986CB06

Uniqueness

Uniqueness Score: -1.00%

Function 021060CB, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a599c010185f0cfa9137492ca64d38ff1044c25801fc17031560751accb42d7e
Instruction ID: d92fa5214b418c39eb86f1b88e0d2c17825b53f4d5c1466012d81bad332ecb2f
Opcode Fuzzy Hash: a599c010185f0cfa9137492ca64d38ff1044c25801fc17031560751accb42d7e
Instruction Fuzzy Hash: 9B519972984389CFEB389F7489857DA77BAFF05350F8A412ECD995B191C3B04984CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021069D9, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b842daa406e806f06c471f7ff5737449a467f9d9aec33c8b0da4f4372961d4
Instruction ID: 7e71aa09d865305db26304493db6f967d91c8c53a9029fc592b7dbb1cc847681
Opcode Fuzzy Hash: 78b842daa406e806f06c471f7ff5737449a467f9d9aec33c8b0da4f4372961d4
Instruction Fuzzy Hash: 74513772E887C18FEB3A9F7888D43417FE8BF86714B4E82DAC4A54A1D3D36144A5C702

Uniqueness

Uniqueness Score: -1.00%

Function 02106D85, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efab7fc34e357e3530f7e288eca177710e844a772663acb55665ddeddfadc636
Instruction ID: ceba4c2e45696381e0e4a21f8dff4bff2511fd4ea27d41a124facc0d23116d0f
Opcode Fuzzy Hash: efab7fc34e357e3530f7e288eca177710e844a772663acb55665ddeddfadc636
Instruction Fuzzy Hash: F55131B2A847C59FD7308E26C9C47C67BF5FF85300F58066ACD898B185D376A996CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02106C0F, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891eb0ebb7f54905e1d0ad3ab1fbc294464e5a98a9bf78624ec208d876d6b9ae
Instruction ID: 956b550b62005f51cd16d454396ff36852651cfe7883d13cdf928301a4c6d8aa
Opcode Fuzzy Hash: 891eb0ebb7f54905e1d0ad3ab1fbc294464e5a98a9bf78624ec208d876d6b9ae
Instruction Fuzzy Hash: 935138726803499FDB30CE64CED4BDB77F2AF19704F95062ACD4A8B684D375AA46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02104AAD, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5abf485f79d29760e6714b200abbc3a27af9610537739a73ec6d6512d9fdb1
Instruction ID: 7073174e282df13a30cfb9c1dac4811817e3c816f1b51c2fb76946525206a0ed
Opcode Fuzzy Hash: 7c5abf485f79d29760e6714b200abbc3a27af9610537739a73ec6d6512d9fdb1
Instruction Fuzzy Hash: 364168BB9847818BE328AE3AC8C139A7BF0FFC4760F4A011DDAD757190D3A05581CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02106A1F, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e0604ee703df79173ce9c6852736cb04969a95332ac01825b89336abcc2ef1
Instruction ID: 1a7daf3e6409b9f5ef06ba11c97ad0daea6cd4a5c07c713352608a434d212e32
Opcode Fuzzy Hash: 53e0604ee703df79173ce9c6852736cb04969a95332ac01825b89336abcc2ef1
Instruction Fuzzy Hash: 97313972E487C18AEB399E7888C47527AD5BB96324F8DC39EC8A94B0D7D3718552C702

Uniqueness

Uniqueness Score: -1.00%

Function 0210699F, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c326be4121b017a8ac1a8e7570c7c8ddca9ee7fdc8cdca36a227af3f66ec7c
Instruction ID: 0d5f1d77deaeda77030ccbca8d972ea3c1e4798cb70a04b749f5297fdad86ec2
Opcode Fuzzy Hash: 17c326be4121b017a8ac1a8e7570c7c8ddca9ee7fdc8cdca36a227af3f66ec7c
Instruction Fuzzy Hash: D831F331A483858BDF35CE78C5D07967BD29B46324F49C2AEC8998B2DBE7718942C742

Uniqueness

Uniqueness Score: -1.00%

Function 0210D5B8, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893d25fab411a4b331fee3814ceb1dae62daf0acac9c9f0c62d391dae4536a02
Instruction ID: 9aae8af049b106ad59ba20af6cc1c7117f4a832a0848516184a589d1996ad5f7
Opcode Fuzzy Hash: 893d25fab411a4b331fee3814ceb1dae62daf0acac9c9f0c62d391dae4536a02
Instruction Fuzzy Hash: F3214D3524834BCFCB349EB8D4D03DA7352EF46714F8A421ADD9B8B691E3715981C742

Uniqueness

Uniqueness Score: -1.00%

Function 0210EC2A, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bff9af6f64b8a261feeff58184b9bef44ec40584bc27c947084f8ab4a24160
Instruction ID: 85dbc076dfd759f2fa3dd3f4a2756d7e8ddd79f3d28d62d9c397541fca2e87d8
Opcode Fuzzy Hash: f0bff9af6f64b8a261feeff58184b9bef44ec40584bc27c947084f8ab4a24160
Instruction Fuzzy Hash: 512165317453068FEF38AE748AB53EA36A1EF443A0FD1882EDDD786699C7715580CA03

Uniqueness

Uniqueness Score: -1.00%

Function 02106472, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebee893e327ba1b4ad2266ec75b82d1d7cc2dc47efa5051b1acfc66aeb651f54
Instruction ID: 2426c25026d0f29cf29af2d11c250140eb5a2389be7a37c5c70d8579e394f742
Opcode Fuzzy Hash: ebee893e327ba1b4ad2266ec75b82d1d7cc2dc47efa5051b1acfc66aeb651f54
Instruction Fuzzy Hash: B111E735A48345DFEB686E748E863FB7AE6EF42254F86842DCCD6CA108D3358595CB03

Uniqueness

Uniqueness Score: -1.00%

Function 021064AF, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411dffa952c3aab7b98ae45f13e0f2cbe87010baa5f59ce3f55374670cb7639f
Instruction ID: 3186682195174d30ada071934b2fb2088a05b4b44a1f381305968c04c7e58329
Opcode Fuzzy Hash: 411dffa952c3aab7b98ae45f13e0f2cbe87010baa5f59ce3f55374670cb7639f
Instruction Fuzzy Hash: AC11D535A48345DFEB68AF748E863FA7BE6EF42254F86842DCCC5DA108D3354595CA03

Uniqueness

Uniqueness Score: -1.00%

Function 0210D822, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1a2a7f628ae489c048853511f0eb489a827ee6b0ee2e161a8d9e8810acd524
Instruction ID: 54e9640fcd951fab765965e792f43dd6de64c3d534667f75f34442fc6129c4ac
Opcode Fuzzy Hash: 0a1a2a7f628ae489c048853511f0eb489a827ee6b0ee2e161a8d9e8810acd524
Instruction Fuzzy Hash: 50012571A883498FDB24DF68D9C4BD973B2FF59714F81803AD9088B619C770AA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0210943A, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0210CE1B, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669650402.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_41609787.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec12b8e93eae30d63e59dd76028af381413cbf4e66a037168c46ec61f0662275
Instruction ID: b09643351c387927486e8bd246cc4a6b2b826b9fb4c98d96abe5f4fa44092c45
Opcode Fuzzy Hash: ec12b8e93eae30d63e59dd76028af381413cbf4e66a037168c46ec61f0662275
Instruction Fuzzy Hash: BAB00275656A418FDA55DB09C290E4073A4B745754B855491E8118BB21D264E900CA11

Uniqueness

Uniqueness Score: -1.00%

Function 0041F810, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 293COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402320,00425010), ref: 0041F88D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F8AC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E40,000001E8), ref: 0041F8CB
__vbaFreeObj.MSVBVM60 ref: 0041F8D4
__vbaVarDup.MSVBVM60 ref: 0041F8F4
#518.MSVBVM60(?,?), ref: 0041F902
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F927
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041F93A
__vbaNew2.MSVBVM60(00402320,00425010), ref: 0041F95F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F978
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000108), ref: 0041F99B
__vbaNew2.MSVBVM60(00402320,00425010), ref: 0041F9B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F9CD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E70,00000130), ref: 0041F9F0
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 0041FA08
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000004C), ref: 0041FA2D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EB0,00000024), ref: 0041FA59
__vbaStrMove.MSVBVM60 ref: 0041FA68
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FA78
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041FA8C
#610.MSVBVM60(?), ref: 0041FA9F
__vbaStrVarVal.MSVBVM60(?,?), ref: 0041FAA9
#540.MSVBVM60(?,00000000), ref: 0041FAB4
#610.MSVBVM60(?), ref: 0041FABE
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041FAC8
__vbaFreeStr.MSVBVM60 ref: 0041FAD4
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041FAE8
#580.MSVBVM60(markeringsfelter,00000001), ref: 0041FAFD
__vbaNew2.MSVBVM60(00402320,00425010), ref: 0041FB16
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FB2F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403EE8,00000158), ref: 0041FB52
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041FB62
__vbaI4Var.MSVBVM60(00000000), ref: 0041FB6C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FB7F
__vbaFreeVar.MSVBVM60 ref: 0041FB8B
__vbaFreeStr.MSVBVM60(0041FBE6), ref: 0041FBDF

Strings

markeringsfelter, xrefs: 0041FAF8

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ListNew2$#610$#518#540#580CallLateMove
String ID: markeringsfelter
API String ID: 528581227-1727724952
Opcode ID: 8b3763c0771f7e9da60432f301aaffca48600059144ff4fb6f9059b2153e0460
Instruction ID: 6ed78282c0e0dfc65efc494154929b8d47325c041ffe63739f112c7089930418
Opcode Fuzzy Hash: 8b3763c0771f7e9da60432f301aaffca48600059144ff4fb6f9059b2153e0460
Instruction Fuzzy Hash: 7DB14D70900209AFDB10DFA4DE89EEEBBB8FF58701F10452AF545F71A0D6746A45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004212E0, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042131A
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421333
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421352
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000001EC), ref: 0042139C
__vbaFreeObj.MSVBVM60 ref: 004213A5
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004213BE
__vbaObjSet.MSVBVM60(?,00000000), ref: 004213D7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000001EC), ref: 0042141E
__vbaFreeObj.MSVBVM60 ref: 00421431
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 00421446
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,00000014), ref: 0042146B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FC4,000000C8), ref: 00421491
__vbaFreeObj.MSVBVM60 ref: 00421496
__vbaFreeStr.MSVBVM60(004214C2), ref: 004214BB

Strings

Forureningsforebyggende, xrefs: 004213EA
meriting, xrefs: 0042136D

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2$Copy
String ID: Forureningsforebyggende$meriting
API String ID: 642038886-873963558
Opcode ID: 87eaa6f25b9ae7aa4b6356673f76f3f564a2eac4d7c4c602d0c829d56279af76
Instruction ID: c1c17f59fe3f5836e9a273c6e7d346be82fc77614e50c3794a216425d0f859ca
Opcode Fuzzy Hash: 87eaa6f25b9ae7aa4b6356673f76f3f564a2eac4d7c4c602d0c829d56279af76
Instruction Fuzzy Hash: EA516170B00215ABCB10EF69DD45E9EBBF8FF58700F608529E545F72A0D778A901CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00423E50, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00423E96
#711.MSVBVM60(?,00404240,?,000000FF,00000000), ref: 00423EBA
__vbaAryVar.MSVBVM60(00002008,?), ref: 00423EC9
__vbaAryCopy.MSVBVM60(?,?), ref: 00423EDA
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?), ref: 00423EEA
__vbaGenerateBoundsError.MSVBVM60 ref: 00423F0C
__vbaGenerateBoundsError.MSVBVM60 ref: 00423F1E
__vbaStrCmp.MSVBVM60(00403E5C), ref: 00423F33
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 00423F4F
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000001C), ref: 00423F74
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040410C,00000064), ref: 00423F9A
__vbaFreeObj.MSVBVM60 ref: 00423FA3
__vbaAryDestruct.MSVBVM60(00000000,?,00423FEA), ref: 00423FDA
__vbaFreeStr.MSVBVM60 ref: 00423FE3

Strings

+k, xrefs: 00423FA9

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$BoundsCheckCopyErrorGenerateHresult$#711DestructListNew2
String ID: +k
API String ID: 1597829538-3989395270
Opcode ID: b451d9d85d1f8c41eaf2be55f88c6b94184aa05a493f443232ab0f6abfc3b658
Instruction ID: 5dcaf1cad6a84874b2b78185fac9bb9ec712439a22ed8a164488a7fb13f06a2a
Opcode Fuzzy Hash: b451d9d85d1f8c41eaf2be55f88c6b94184aa05a493f443232ab0f6abfc3b658
Instruction Fuzzy Hash: 60416170E00209EFDB00DF94EA49EEEBBB8FF54701F20411AE505B72A0D7786946CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004216B0, Relevance: 24.2, APIs: 16, Instructions: 158COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00421708
__vbaStrCopy.MSVBVM60 ref: 00421710
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421725
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421744
__vbaNew2.MSVBVM60(00402320,00425010), ref: 0042175B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421774
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000000F8), ref: 00421799
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000001EC), ref: 004217DE
__vbaFreeStr.MSVBVM60 ref: 004217E7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004217F7
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00421813
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042182C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,000001B0), ref: 00421868
__vbaFreeObj.MSVBVM60 ref: 00421871
__vbaFreeStr.MSVBVM60(004218BB), ref: 004218B3
__vbaFreeStr.MSVBVM60 ref: 004218B8

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$Copy$List
String ID:
API String ID: 4106465447-0
Opcode ID: eece2ca8e8f0fee8757feb967212b8f54d183c594b487ce20a3d3cc519707415
Instruction ID: 70602980e93db9a70661584d4f6ca2f04027008388ff6b6d419a9bf48aace21c
Opcode Fuzzy Hash: eece2ca8e8f0fee8757feb967212b8f54d183c594b487ce20a3d3cc519707415
Instruction Fuzzy Hash: 70513D70A00215ABCB10DFA9DD88EAEBBB8FF58700F50816AF545F72A1D7749905CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00424320, Relevance: 24.2, APIs: 16, Instructions: 156COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00424366
#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 00424384
__vbaFpR8.MSVBVM60 ref: 0042438A
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004243B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004243D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000068), ref: 004243F6
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00424413
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042442C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000048), ref: 00424449
__vbaNew2.MSVBVM60(00402320,00425010), ref: 0042445E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424477
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000001C0), ref: 0042449A
__vbaInStr.MSVBVM60(00000000,?,?,?), ref: 004244AC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004244BC
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004244D0
__vbaFreeStr.MSVBVM60(00424513), ref: 0042450C

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2$List$#672Copy
String ID:
API String ID: 472107970-0
Opcode ID: 2ef55511052479aeaea1381addfdf513325f7f6781ba42bef26aa8fb11154359
Instruction ID: 8b5d8c13027ed38e4a3f9325e63f3914e584f6c96f5fbdddf1a23aa6d321181f
Opcode Fuzzy Hash: 2ef55511052479aeaea1381addfdf513325f7f6781ba42bef26aa8fb11154359
Instruction Fuzzy Hash: F6515170A00214AFDB10EFA5DD89FEE77BCFB48700F508529F545F72A0D674A9458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00422F20, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00422F72
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00422F7A
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00422F8F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00422FAE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000001EC), ref: 00422FF2
__vbaFreeObj.MSVBVM60 ref: 00423001
__vbaNew2.MSVBVM60(00402320,00425010), ref: 00423016
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042302F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,00000078), ref: 0042304C
__vbaFreeObj.MSVBVM60 ref: 0042305B
__vbaFreeStr.MSVBVM60(00423080), ref: 00423078
__vbaFreeStr.MSVBVM60 ref: 0042307D

Strings

Upstaters9, xrefs: 00422FC1

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID: Upstaters9
API String ID: 4138333463-3112961830
Opcode ID: fb1628d25ddf96275fc27dd22df7253d8fa449a695449a2bb0c9b51483c1d12d
Instruction ID: 5c2ff5969d47ad57664b2ea121a758146eb9d6181eb7b8eed283971510ab3695
Opcode Fuzzy Hash: fb1628d25ddf96275fc27dd22df7253d8fa449a695449a2bb0c9b51483c1d12d
Instruction Fuzzy Hash: 3B413070A00215ABCB10DFA5DD84A9EBBF8FF58700F508166E505F72A0D6789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00423A50, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00423A99
__vbaStrCopy.MSVBVM60 ref: 00423AA1
__vbaI4Str.MSVBVM60(0040419C), ref: 00423AA8
#698.MSVBVM60(?,00000000), ref: 00423AB3
__vbaVarTstNe.MSVBVM60(?,?), ref: 00423ACF
__vbaFreeVar.MSVBVM60 ref: 00423ADB
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 00423AFC
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000001C), ref: 00423B21
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040410C,00000060), ref: 00423B6C
__vbaFreeObj.MSVBVM60 ref: 00423B75
__vbaFreeStr.MSVBVM60(00423BBE), ref: 00423BB6
__vbaFreeStr.MSVBVM60 ref: 00423BBB

Strings

Vatterede, xrefs: 00423B49

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresult$#698New2
String ID: Vatterede
API String ID: 2470338467-2435159309
Opcode ID: 51374ef2f8064294ef219f93a7ae8a92c67f9edcb47a86598a63e679d2b44f7e
Instruction ID: 1cd07d43e46d3fe7e11c5e36085065abff903fb04ba04c63ae0463a92ec42713
Opcode Fuzzy Hash: 51374ef2f8064294ef219f93a7ae8a92c67f9edcb47a86598a63e679d2b44f7e
Instruction Fuzzy Hash: AA416D74A012189FCB04DF95DA49ADEBFB8FF58701F20812AE405B72A4D7786E05CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00423290, Relevance: 19.6, APIs: 13, Instructions: 124COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402320,00425010), ref: 004232DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004232F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E70,00000190), ref: 0042331D
__vbaVarErrI4.MSVBVM60(?,?), ref: 0042332C
#559.MSVBVM60(00000000), ref: 00423333
__vbaFreeObj.MSVBVM60 ref: 0042334A
__vbaFreeVar.MSVBVM60 ref: 00423353
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 00423374
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000004C), ref: 00423399
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EB0,0000001C), ref: 004233E3
__vbaObjSet.MSVBVM60(?,?), ref: 004233F8
__vbaFreeObj.MSVBVM60 ref: 00423401
__vbaFreeObj.MSVBVM60(0042342C), ref: 00423425

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$#559
String ID:
API String ID: 3234916204-0
Opcode ID: 8e768211928ac7f1f439fd1b849b2eb858b4c049f7bf6ef87a6e6191d6b3c7ca
Instruction ID: e29c211e6bfc27328b97f23a138db38bdbd73d39bb5c9a2402b624bbe51dc319
Opcode Fuzzy Hash: 8e768211928ac7f1f439fd1b849b2eb858b4c049f7bf6ef87a6e6191d6b3c7ca
Instruction Fuzzy Hash: 6D415E70A00215ABCB10DFA5DD49AEEBBB8FF48701F50412AF545F72A0D7785945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004214F0, Relevance: 15.1, APIs: 10, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042153F
__vbaVarDup.MSVBVM60 ref: 00421567
#632.MSVBVM60(?,?,00000002,00000002), ref: 0042157B
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042159D
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?), ref: 004215B4
__vbaNew2.MSVBVM60(00403EA0,00425B90), ref: 004215D8
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000004C), ref: 004215FD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EB0,0000002C), ref: 0042164D
__vbaFreeObj.MSVBVM60 ref: 00421656
__vbaFreeStr.MSVBVM60(00421692), ref: 0042168B

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckHresult$#632CopyListNew2
String ID:
API String ID: 4107304827-0
Opcode ID: 3ab83ab2ea4a62bcf6c54e07782cc8aa70bacab5b7dede7664c2db3e2b791b17
Instruction ID: 2d91b493808bfb357edf09964de312456ebb686000fb7cd8523c619567063e15
Opcode Fuzzy Hash: 3ab83ab2ea4a62bcf6c54e07782cc8aa70bacab5b7dede7664c2db3e2b791b17
Instruction Fuzzy Hash: 93414BB0D00209AFDB10CF94D989AEEBFB8FF54701F50812AE509BB2A0D7746989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004230B0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

#628.MSVBVM60(FGFG,00000001,?), ref: 004230F6
__vbaStrMove.MSVBVM60 ref: 00423101
__vbaStrCmp.MSVBVM60(0040417C,00000000), ref: 0042310D
__vbaFreeStr.MSVBVM60 ref: 00423120
__vbaFreeVar.MSVBVM60 ref: 00423129
__vbaFpI4.MSVBVM60 ref: 0042313F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037E4,00000064), ref: 00423159

Strings

FGFG, xrefs: 004230F1

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$#628CheckHresultMove
String ID: FGFG
API String ID: 1677052577-2759163656
Opcode ID: 1593b2bf782ed43b15d3350475c4922dd1ff60502eedf35fcc540fdfa51c32a5
Instruction ID: 61e885fbcabe18465313e6b8560cf15d0f5a76fc84459a8d5102b1f5b05ab5fa
Opcode Fuzzy Hash: 1593b2bf782ed43b15d3350475c4922dd1ff60502eedf35fcc540fdfa51c32a5
Instruction Fuzzy Hash: 36119671D00214EBD7109FA4ED09BAEBB78FB08741F108125F941B72A0D7785944CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 00423530, Relevance: 12.1, APIs: 8, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402320,00425010), ref: 00423577
__vbaObjSet.MSVBVM60(?,00000000), ref: 00423596
__vbaNew2.MSVBVM60(00402320,00425010), ref: 004235B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004235CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F3C,00000048), ref: 004235E8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,000001EC), ref: 00423628
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423631
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00423641

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: e3b24db23db38ead2d0ecc7448a1449291ba6cd5f900bf91e9b0843fd1a703b6
Instruction ID: aabde9bd3da2e8b816ea6023c3d78ea6243404b7b5868c84fa423846070f03ff
Opcode Fuzzy Hash: e3b24db23db38ead2d0ecc7448a1449291ba6cd5f900bf91e9b0843fd1a703b6
Instruction Fuzzy Hash: B2318170A00205AFC710DFA8DD49FAE7BBCFB48B01F508429F505F7291D7789A468BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00423BF0, Relevance: 12.1, APIs: 8, Instructions: 63COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423C2A
__vbaLenBstrB.MSVBVM60(004041C0,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423C35
#568.MSVBVM60(000000CF,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423C45
__vbaNew2.MSVBVM60(00402320,00425010,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423C5E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423C77
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,000000D8,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423C9E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423CAD
__vbaFreeStr.MSVBVM60(00423CCE,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423CC7

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$#568BstrCheckCopyHresultNew2
String ID:
API String ID: 953296257-0
Opcode ID: d089c70892a454886be6306855cf49d4ed54bdc214dbfe9138d263edce3f9f96
Instruction ID: 296d23004f974bf400aba464725b3edd6b30393cad0263f209d9af11cf8ad095
Opcode Fuzzy Hash: d089c70892a454886be6306855cf49d4ed54bdc214dbfe9138d263edce3f9f96
Instruction Fuzzy Hash: 0721AC74A00204ABCB10DFA5DE89EEEBBB8EF48701F504526F542F36A0C7785945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00424010, Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 0042404A
__vbaNew2.MSVBVM60(00403EA0,00425B90,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00424062
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,0000004C), ref: 00424087
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403EB0,00000020), ref: 004240AB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004240C2
#569.MSVBVM60(00000032,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004240CF
__vbaFreeStr.MSVBVM60(004240F0,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004240E9

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#569CopyNew2
String ID:
API String ID: 291378957-0
Opcode ID: 603399e09e53dbc9f16acda24412b0a925df055bb00ecd2c9b14513361c557bc
Instruction ID: 57909598efba5fa1407c770153b94edd85a50b4e1e3aee7c9a3529e385419e9c
Opcode Fuzzy Hash: 603399e09e53dbc9f16acda24412b0a925df055bb00ecd2c9b14513361c557bc
Instruction Fuzzy Hash: DD21C170E00214ABCB10CF94DD89EAEBBB8FF48701F904216F605B72A0D7786941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00423690, Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403EA0,00425B90,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004236E6
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,00000014), ref: 0042370B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FC4,00000058), ref: 0042372F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 0042373E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423747
__vbaFreeStr.MSVBVM60(00423778), ref: 00423771

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresult$MoveNew2
String ID:
API String ID: 2347022188-0
Opcode ID: fd075fa189c37e8fa9c3856c88eb141c446a47d19b38db919b28f707619a3cd9
Instruction ID: 4cb06e2211cd6317e1f20c87e54b8c93e2009ec9a99abb75217ae554da3fbfc9
Opcode Fuzzy Hash: fd075fa189c37e8fa9c3856c88eb141c446a47d19b38db919b28f707619a3cd9
Instruction Fuzzy Hash: 282180B0A00208ABCB00DF55DD899EEBBF8FB48701F604016E501F32A0C7785901CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004237B0, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401316), ref: 004237E7
__vbaNew2.MSVBVM60(00402320,00425010,?,?,?,?,?,?,?,?,00401316), ref: 00423800
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401316), ref: 00423819
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403F2C,0000020C,?,?,?,?,?,?,?,?,00401316), ref: 0042383C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401316), ref: 00423845
__vbaFreeStr.MSVBVM60(0042386E), ref: 00423867

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 27144af2c453efa3ce2eab04af54305ff2a7044efa7b26113643de9aebf81712
Instruction ID: ee09201bb749f5c44a78d203f95f0999bea34d2e40576e2d260101bed4fd0ceb
Opcode Fuzzy Hash: 27144af2c453efa3ce2eab04af54305ff2a7044efa7b26113643de9aebf81712
Instruction Fuzzy Hash: A511BF70A00205EBCB10EF65DE49EAE7BF8EB44701FA04525F941F72A1C7785905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00423890, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00423890(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t17;
				intOrPtr* _t19;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t41;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				_t41 = _t40 - 0x24;
				_v16 = _t41;
				_v12 = 0x401248;
				_v8 = 0;
				_t17 = _a4;
				 *((intOrPtr*)( *_t17 + 4))(_t17, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t37);
				_t19 =  *0x425010; // 0x58fea8
				_v28 = 0;
				if(_t19 == 0) {
					__imp____vbaNew2(0x402320, 0x425010);
					_t19 =  *0x425010; // 0x58fea8
				}
				_t21 =  &_v28;
				__imp____vbaObjSet(_t21,  *((intOrPtr*)( *_t19 + 0x338))(_t19));
				_t26 = _t41 - 0x10;
				_t36 = _t21;
				 *_t26 = 0xa;
				 *((intOrPtr*)(_t26 + 4)) = _v40;
				 *((intOrPtr*)(_t26 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t26 + 0xc)) = _v32;
				_t24 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"Purveys6");
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t36, 0x403e40, 0x1ec);
				}
				__imp____vbaFreeObj();
				_push(0x42395f);
				return _t24;
			}

0x00423893
0x004238a2
0x004238a9
0x004238af
0x004238b2
0x004238bb
0x004238be
0x004238c4
0x004238c7
0x004238cc
0x004238d1
0x004238dd
0x004238e3
0x004238e3
0x004238f2
0x004238f6
0x00423904
0x00423906
0x00423914
0x0042391a
0x0042391d
0x00423923
0x00423926
0x0042392e
0x00423930
0x0042393e
0x0042393e
0x00423947
0x0042394d
0x00000000

APIs

__vbaNew2.MSVBVM60(00402320,00425010,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004238DD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004238F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E40,000001EC), ref: 0042393E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423947

Strings

Purveys6, xrefs: 0042390D

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Purveys6
API String ID: 1645334062-576487876
Opcode ID: 8614a62aca1115a33a71a623eae636c81669c007083d220cefdefc7c02144f82
Instruction ID: 4f1520f568ff909983864acccec5b874a2d790d21997caf876206f959b83aad9
Opcode Fuzzy Hash: 8614a62aca1115a33a71a623eae636c81669c007083d220cefdefc7c02144f82
Instruction Fuzzy Hash: 712160B0A00204AFC710EFA9DD89B9ABFF8FB49701F50816AF505E7291C6789981CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00423CF0, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403EA0,00425B90,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423D40
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,00000014,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423D65
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FC4,00000120,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423D8F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423D98

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 749f87a06ab6a0f6b90ffb9fc3ecdf4a0e958de9832413984fd802f61767c5fe
Instruction ID: 07d047bcd91c5c33a1b499e270232e175450a40d2ba6f6bbe1f1a2344208683c
Opcode Fuzzy Hash: 749f87a06ab6a0f6b90ffb9fc3ecdf4a0e958de9832413984fd802f61767c5fe
Instruction Fuzzy Hash: F8117F74A00214ABCB00DF55DD49EAEBBBDFB48705F904166F505F72A0C378A9028F98

Uniqueness

Uniqueness Score: -1.00%

Function 00424230, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403EA0,00425B90,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00424274
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,00000014), ref: 00424299
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FC4,00000108), ref: 004242C3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004242CC

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: a37370478aee43caba30f50c44939640ea8ed9f562fa1a8e639801304bfc08a5
Instruction ID: b66e80788f2610edad76c8110dacee07b805b54df17f0d89964609a112477d7a
Opcode Fuzzy Hash: a37370478aee43caba30f50c44939640ea8ed9f562fa1a8e639801304bfc08a5
Instruction Fuzzy Hash: 50119370A40218EBCB00CF95DD49EDEBBB8FB58741F900165F145B35A0C7B869018BB8

Uniqueness

Uniqueness Score: -1.00%

Function 00423980, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403EA0,00425B90,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004239C4
__vbaHresultCheckObj.MSVBVM60(00000000,0052E9A4,00403E90,00000014,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004239E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FC4,00000120,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423A13
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401316), ref: 00423A1C

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 150dc48f10eb7e1e1b31e7a000735d965862b11b7f6a8b3e4444f546837701ed
Instruction ID: 97400ed208f30b3d6825ab8480b8d5b38b088bb6922a0dc26df15b8083d9f1de
Opcode Fuzzy Hash: 150dc48f10eb7e1e1b31e7a000735d965862b11b7f6a8b3e4444f546837701ed
Instruction Fuzzy Hash: 86119170A40205ABC700DF95DD4AEAEBFB8FB58702F900126F145F31E0D2B869418B98

Uniqueness

Uniqueness Score: -1.00%

Function 004231B0, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402320,00425010), ref: 004231F3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042320C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,000001AC), ref: 0042322F
__vbaFreeObj.MSVBVM60 ref: 00423238

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 70439abc5d945d7951a6b6b5f3db60e8fdc08d05f352f6652a3f7b635021e61a
Instruction ID: 7c2dd1253dbcdafcbcf7b8cc7cdd2cbd873103e53d7f64f71cf583cb273f332f
Opcode Fuzzy Hash: 70439abc5d945d7951a6b6b5f3db60e8fdc08d05f352f6652a3f7b635021e61a
Instruction Fuzzy Hash: 3101E174A00305EFD710AFA5DE49FAA7BB8EB05B01F504075F841F32A0D77C5A058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424170, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402320,00425010), ref: 004241B3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004241CC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403E60,000001AC), ref: 004241EF
__vbaFreeObj.MSVBVM60 ref: 004241F8

Memory Dump Source

Source File: 00000000.00000002.669321060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.669315754.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.669341790.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.669348751.0000000000427000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_41609787.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 5c16103a50f5b6db2818cd5bc6ee81280f9b3cedcb20bab0fbf6c84b5ac17c20
Instruction ID: 080ae976fd8b1a3a9a2555df3ae57fd3ef4fc92c588c944d03fb37bf23ab377e
Opcode Fuzzy Hash: 5c16103a50f5b6db2818cd5bc6ee81280f9b3cedcb20bab0fbf6c84b5ac17c20
Instruction Fuzzy Hash: B601CC74640214ABD710AFA8DE0DFAA7BB8FB05B00F904465F841F32A0D2B858048BAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 2120 Parent PID: 4548 ieinstal.exeCOMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	72
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03011687, Relevance: 3.2, APIs: 2, Instructions: 161
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 03011664
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0301181E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d176e24c00479f0ae410771109bb7d176228d8f3bfe4516d044b3cf1f90c811b
Instruction ID: a22f1f700d74663537210ed38808da8716785a8b67925b3866bb0355e06aeead
Opcode Fuzzy Hash: d176e24c00479f0ae410771109bb7d176228d8f3bfe4516d044b3cf1f90c811b
Instruction Fuzzy Hash: C15155B3A16B419FE75CDF78C849799BBF5FF9562074D038AD6918F0A1C36584A0CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03011587, Relevance: 3.1, APIs: 2, Instructions: 148
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(?), ref: 030115DB
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 03011664

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: dc8259ee87906b1d5abf9db04b250f60578e79a50b81d946c8412d22acb8fa1f
Instruction ID: 95b5d7116164604e7fbee4fdecc3c1c6f28676d817ddf49f572d8181a4cd9d54
Opcode Fuzzy Hash: dc8259ee87906b1d5abf9db04b250f60578e79a50b81d946c8412d22acb8fa1f
Instruction Fuzzy Hash: AC41D2F3A06A42DFE36DEE39D808398B7F6FFD064179D0249D3570F219D22185A48A41

Uniqueness

Uniqueness Score: -1.00%

Function 0301156F, Relevance: 3.0, APIs: 2, Instructions: 43
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(?), ref: 030115DB
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 03011664

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 8efef7bbe1ecbf25b61b7faabfeeb50db1d2d708cfb10daf0c9126206c12d2dd
Instruction ID: cdcdc3bd249f0d83ab72331caeceae5cb2698da733653789449d5c663ec65ec4
Opcode Fuzzy Hash: 8efef7bbe1ecbf25b61b7faabfeeb50db1d2d708cfb10daf0c9126206c12d2dd
Instruction Fuzzy Hash: A701DEB1542301DFE70CDF31C81CB99B3B8AF143A1F898184EA424B1AAC3748980CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0301136D, Relevance: 1.7, APIs: 1, Instructions: 171
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNELBASE ref: 0301143E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: e895506eee786188b9256c185d11bca2bd0bb4bdccb389c573337d1ded20e1b6
Instruction ID: 7dff3084280b3525374df51f40f418992bdca6332022e93391ad15d4f08458e4
Opcode Fuzzy Hash: e895506eee786188b9256c185d11bca2bd0bb4bdccb389c573337d1ded20e1b6
Instruction Fuzzy Hash: 48514476A067819BE36EEF34C884399B7F2FF85650F8C064ACB911B869D32100A4870B

Uniqueness

Uniqueness Score: -1.00%

Function 0301174E, Relevance: 1.6, APIs: 1, Instructions: 120
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0301181E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f1eaf74cc69ba75cd11ec51cfa4dd9efe8a0aa6fc9d905ab8b66d6b38c2e7cec
Instruction ID: 8f0dcb90246aac35ef7605af3019d3331d9a269b2449dc3cfd091b61679d7ffe
Opcode Fuzzy Hash: f1eaf74cc69ba75cd11ec51cfa4dd9efe8a0aa6fc9d905ab8b66d6b38c2e7cec
Instruction Fuzzy Hash: 5A318BB750A7416FE35DDF38D844B867BF1FF86250B5D438ADA818F2A2D32484A58702

Uniqueness

Uniqueness Score: -1.00%

Function 030116D3, Relevance: 1.6, APIs: 1, Instructions: 93
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0301181E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9c9c0441f46aad4d250f45e37ea3a056cf422b61ddd55330e441d46fc7dd284a
Instruction ID: a47b46fb30ccb833fb24cf70ea2c4f67186c2eda184926754984726304cebd98
Opcode Fuzzy Hash: 9c9c0441f46aad4d250f45e37ea3a056cf422b61ddd55330e441d46fc7dd284a
Instruction Fuzzy Hash: 33218BB3602700AFE75CDE78C844B9A3BF5FF95610B5D439ADB418F2A1D335C0A08611

Uniqueness

Uniqueness Score: -1.00%

Function 030117D3, Relevance: 1.6, APIs: 1, Instructions: 89
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0301181E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c1ca16e5f839e82735d3526c65abbd58dec15ebc02de65eaeb207facd183797a
Instruction ID: ca50928a51341cacae9060326532b3d260aadb8037a2e9141445418083ff741f
Opcode Fuzzy Hash: c1ca16e5f839e82735d3526c65abbd58dec15ebc02de65eaeb207facd183797a
Instruction Fuzzy Hash: 102176F390AA40AFE35CDE38C8097963BF2FFD55A131C839AE6424F261D37880658605

Uniqueness

Uniqueness Score: -1.00%

Function 030116CC, Relevance: 1.6, APIs: 1, Instructions: 74
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0301181E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e5b0aa4ce46de44dbcb0b47789bff05cd5cad098c35907ac62ff17a21eb8969f
Instruction ID: 681303d66b95d53c47273e17c8c5886d24447530cfda8b22a1d5acb953cb0363
Opcode Fuzzy Hash: e5b0aa4ce46de44dbcb0b47789bff05cd5cad098c35907ac62ff17a21eb8969f
Instruction Fuzzy Hash: C6212B72105301AFEB1CCEA8C641BDB3B95AF162A4F5543A9DE82CB1A1D3B4D4818611

Uniqueness

Uniqueness Score: -1.00%

Function 030115E3, Relevance: 1.6, APIs: 1, Instructions: 60
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(?), ref: 030115DB
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 03011664

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 4b7b87de816732bcc69d89c708d754173b2049621880ffd5199f75682e5fc659
Instruction ID: d1c38f90d05ba2f2ac2af7c5e28d08cf1bda51c56dca8297be6a8fb63075bc49
Opcode Fuzzy Hash: 4b7b87de816732bcc69d89c708d754173b2049621880ffd5199f75682e5fc659
Instruction Fuzzy Hash: 7C11CAF3912A41DEE36CDA39C80C398B7F6FFA4661B8D0249D2521F168C22545A08A46

Uniqueness

Uniqueness Score: -1.00%

Function 030113FF, Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNELBASE ref: 0301143E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a53f130c2b195e7a7e76aea24650f495224a338833fd8b79d252386b9a248288
Instruction ID: 98c937895a19b1b2b9266c91c1b9fa87e7c48b80541620f3b2e0f10b4732be48
Opcode Fuzzy Hash: a53f130c2b195e7a7e76aea24650f495224a338833fd8b79d252386b9a248288
Instruction Fuzzy Hash: 9A11CAB7606B429BE35DEE38C845358B7F6FF91A51F8D074AC7E11B854D21114A8860A

Uniqueness

Uniqueness Score: -1.00%

Function 03011338, Relevance: 1.5, APIs: 1, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNELBASE ref: 0301143E

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 6779e2c1c8c0cbfb1cc6c94743f0aced8d270f6c61db8f949a54ebabbe53a0a9
Instruction ID: 5774afbf04374d288a348c6206b844c3a30dfd0d64785bcffbc2bc40ab9d37c7
Opcode Fuzzy Hash: 6779e2c1c8c0cbfb1cc6c94743f0aced8d270f6c61db8f949a54ebabbe53a0a9
Instruction Fuzzy Hash: 6A018F792453529BDB28AE308A917EA73F5BF227A0F42461DCDD59B498E33A40858606

Uniqueness

Uniqueness Score: -1.00%

Function 0301153F, Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(?), ref: 030115DB

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 97a713e2a69f0278429f1e9583296ed98f3fca9896a1153da43e2fe5884bda19
Instruction ID: 48802caa2c3d9985d4d19760bc129f121028aaccad03b15860f79732536c4a4c
Opcode Fuzzy Hash: 97a713e2a69f0278429f1e9583296ed98f3fca9896a1153da43e2fe5884bda19
Instruction Fuzzy Hash: DC11A73060F7828FD31EDB344854754BBB1FF422A0B8D42C6C1A54F1E7D7148459C792

Uniqueness

Uniqueness Score: -1.00%

Function 03011568, Relevance: 1.3, APIs: 1, Instructions: 20
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(?), ref: 030115DB
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 03011664

Memory Dump Source

Source File: 0000001B.00000002.725610981.0000000003011000.00000040.00000001.sdmp, Offset: 03011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3011000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: b3eaa81e3ead142a646c7cd0b6d9a3d472c2e7aa81124fc6de45d937371612ef
Instruction ID: 872b299c0182dc81af0ec2342f6cb9b34cd5fc1479377acc9246e66ecae5a026
Opcode Fuzzy Hash: b3eaa81e3ead142a646c7cd0b6d9a3d472c2e7aa81124fc6de45d937371612ef
Instruction Fuzzy Hash: 19E04674646300DFE70CEF7184A8B8473BAAF003A0F4A80C8DA470F2A69320C890CA50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 41609787.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Function 0210669A, Relevance: 15.1, APIs: 2, Strings: 6, Instructions: 1143
COMMON

Function 02103D32, Relevance: 13.6, APIs: 1, Strings: 6, Instructions: 1388
COMMON

Function 0210799F, Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 677
COMMON

Function 02105F21, Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1063
COMMON

Function 021070AF, Relevance: 11.5, APIs: 1, Strings: 5, Instructions: 961
COMMON

Function 0210711D, Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 875
COMMON

Function 02107191, Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 871
COMMON

Function 02107381, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 841
COMMON

Function 0210741B, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 800
COMMON

Function 0210749C, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 791
COMMON

Function 02107529, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 765
COMMON

Function 021075A9, Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 765
COMMON

Function 0210762B, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 726
COMMON

Function 02107801, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 721
COMMON

Function 02107903, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 632
COMMON