
Windows Analysis Report
171121_PDF.exe

Overview

General Information

Sample Name: 171121_PDF.exe
Analysis ID: 558240
MD5: 60d8b8589ba8045361ae148ee76c7582
SHA1: 328a778d026ad6611bb295bf3a799b6499fc7c7c
SHA256: 8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Found stalling execution ending in API Sleep call
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

  • System is w10x64
  • 171121_PDF.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 60D8B8589BA8045361AE148EE76C7582)
    • ieinstal.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
    • ieinstal.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup
{"Payload URL": "https://onedrive.live.com/downloa"}
Source | Rule | Description | Author | Strings
0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000F.00000000.352935282.0000000003200000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
No Sigma rule has matched


AV Detection

Source: 171121_PDF.exe | Avira: detected
Source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"}
Source: 171121_PDF.exe | Virustotal: Detection: 60%
Source: 171121_PDF.exe | Metadefender: Detection: 17%
Source: 171121_PDF.exe | ReversingLabs: Detection: 67%
Source: 171121_PDF.exe | Joe Sandbox ML: detected
Source: 0.0.171121_PDF.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.jinay
Source: 171121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking

Source: Malware configuration extractor | URLs: https://onedrive.live.com/downloa
Source: unknown | DNS traffic detected: queries for: onedrive.live.com

System Summary

Source: initial sample | Static PE information: Filename: 171121_PDF.exe
Source: 171121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 171121_PDF.exe, 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Brugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe | Binary or memory string: OriginalFilename Brugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232F695 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232FB8E NtResumeThread
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232CFC2 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D210 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D295 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D2E0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D311 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D046 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D0E6 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D0D1 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232D13C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_02328A05 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232CFED NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320F695 NtProtectVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320CFC2 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D311 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D210 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D295 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D2E0 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D13C NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D046 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D0E6 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320D0D1 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320CFED NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process Stats: CPU usage > 98%
Source: 171121_PDF.exe | Virustotal: Detection: 60%
Source: 171121_PDF.exe | Metadefender: Detection: 17%
Source: 171121_PDF.exe | ReversingLabs: Detection: 67%
Source: 171121_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\171121_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\171121_PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD14B856B0CE15507.TMP
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/2@2/0

Data Obfuscation

Source: Yara match | File source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.352935282.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00405241 pushfd ; retf 0_2_00405242
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00405A57 push 0000004Bh; retf 0_2_00405A7B
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00408858 push 00000018h; ret 0_2_0040885A
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0040A864 push esi; iretd 0_2_0040A865
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00405A7F push ebx; ret 0_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00406A27 push es; iretd 0_2_00406A35
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00405AD4 push ebx; ret 0_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_00405CFE push 18FEA023h; retf 0_2_00405D16
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_004086A1 push edx; iretd 0_2_004086AE
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232816B push ss; iretd 0_2_023281C4
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_023281D4 push ss; iretd 0_2_023281C4
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232564B push ebp; iretd 0_2_0232564C
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232A7C6 push ecx; ret 0_2_0232A7DA
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_02321834 push es; retf 0_2_0232183A
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_02322EF5 push ebp; iretd 0_2_02322F47
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_02320F16 push edx; ret 0_2_02320F31
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_02322F48 pushad ; iretd 0_2_02322F57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320816B push ss; iretd 15_2_032081C4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320A7C6 push ecx; ret 15_2_0320A7DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320564B push ebp; iretd 15_2_0320564C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_03201834 push es; retf 15_2_0320183A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_03200F16 push edx; ret 15_2_03200F31
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_03202F48 pushad ; iretd 15_2_03202F57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_03202EF5 push ebp; iretd 15_2_03202F47
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2
Source: C:\Users\user\Desktop\171121_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\171121_PDF.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\171121_PDF.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\qga\qga.exe
Source: ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_023240AA rdtsc
Source: C:\Users\user\Desktop\171121_PDF.exe | System information queried: ModuleInformation
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 0000000F.00000002.544039436.0000000003690000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: 171121_PDF.exe, 00000000.00000002.498429562.0000000003A0A000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: 171121_PDF.exe, 00000000.00000002.498410892.0000000003940000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 0000000F.00000002.544366173.0000000004F3A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\171121_PDF.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_023296BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232E59E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232C982 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232BEA2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_032096BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320E59E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320C982 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 15_2_0320BEA2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_023240AA rdtsc
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 0_2_0232AB06 LdrInitializeThunk

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3200000
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: ieinstal.exe, 0000000F.00000002.544154942.0000000003AE0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

Stealing of Sensitive Information

Source: Initial file | Signature Results: GuLoader behavior
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1
        Registry Run Keys / Startup Folder
        112
        Process Injection
        2
        Virtualization/Sandbox Evasion
        OS Credential Dumping311
        Security Software Discovery
        Remote Services1
        Archive Collected Data
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
        Registry Run Keys / Startup Folder
        1
        Software Packing
        LSASS Memory2
        Virtualization/Sandbox Evasion
        Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
        Non-Application Layer Protocol
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)112
        Process Injection
        Security Account Manager1
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration11
        Application Layer Protocol
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        Obfuscated Files or Information
        NTDS2
        System Information Discovery
        Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Source | Detection | Scanner | Label
171121_PDF.exe | 60% | Virustotal |
171121_PDF.exe | 17% | Metadefender |
171121_PDF.exe | 68% | ReversingLabs | Win32.Trojan.Shelsy
171121_PDF.exe | 100% | Avira | TR/AD.Nekark.jinay
171121_PDF.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.171121_PDF.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1107800
0.0.171121_PDF.exe.400000.0.unpack | 100% | Avira | TR/AD.Nekark.jinay
Name | IP | Active | Malicious | Antivirus Detection | Reputation
onedrive.live.com | unknown | unknown | false | | high
d34m1w.bn.files.1drv.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://onedrive.live.com/downloa | false | | high
No contacted IP infos
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:558240
              Start date:23.01.2022
              Start time:06:42:50
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 17s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:171121_PDF.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@5/2@2/0
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 8.4% (good quality ratio 4.3%)
              • Quality average: 24.5%
              • Quality standard deviation: 29.5%
              HCA Information:
              • Successful, ratio: 79%
              • Number of executed functions: 87
              • Number of non-executed functions: 44
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 23.211.4.86, 13.107.42.13, 13.107.42.12
              • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, fs.microsoft.com, bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-bn-files-brs.onedrive.akadns.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, odc-bn-files-geo.onedrive.akadns.net, ris.api.iris.microsoft.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analysed; the report is missing behavior information
Time | Type | Description
06:45:46 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe
06:45:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe
              Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
              File Type:data
              Category:dropped
              Size (bytes):112464
              Entropy (8bit):6.100427719868403
              Encrypted:false
              SSDEEP:1536:9PtG0c3vhsblLAvTIpS1HP9CGZG48TdiwOeQqn4kFgGYglLg:61JsblLAvI+FW48QwOen4Hi8
              MD5:68F03A1A9EC55A9B943A015C091817D6
              SHA1:C952F771410E036D5C897EC956FFBB09291B167E
              SHA-256:75E5DC79753DA6494A68CF2F5E9101FB6433103DD3AA7D8BADCD23DDD2F5F651
              SHA-512:A9C5946EEF3B54BCAF23EB53CBBABA0B1BB6438A0A6DEC675F7F2E4AF7CA1CED7AF2737DB1079A68F9EBE1126D9338EE91436E847D57C9A5726759B4F8EA5C0C
              Malicious:false
              Reputation:low
              Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$..................._.................Rich...........................PE..L....~.N.................`...P...............p....@..........................................................................m..(........+..............P...................................................8... ....................................text...._.......`.................. ..`.data........p.......p..............@....rsrc....+.......0..................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\171121_PDF.exe
              File Type:Composite Document File V2 Document, Cannot read section info
              Category:dropped
              Size (bytes):16384
              Entropy (8bit):0.623084520004525
              Encrypted:false
              SSDEEP:12:rl3lKFQCb776fGZHbYS6TS63TXlYdl7HtllGXPuK9iUmTc:rbQylDVYdtNllG/uw7
              MD5:23BC92D1C5A3C3698C8524B7CEB3F5D9
              SHA1:199D2660FEA3F7310397A37A8C7C600E7A26D461
              SHA-256:5A6730EB0987730B214A46DC814FE2071576A338B2210DECE2780AC6E3B45DD7
              SHA-512:6FA7CAB689912B93C312D35E0E0F218E6138A3BCB8BC1B31CF0F80E4795C079F8589B879CCAC55C14262C710D4772A4067CCA4ED7890AED678EC988D113227DD
              Malicious:false
              Reputation:low
              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.100488610521297
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:171121_PDF.exe
              File size:112464
              MD5:60d8b8589ba8045361ae148ee76c7582
              SHA1:328a778d026ad6611bb295bf3a799b6499fc7c7c
              SHA256:8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989
              SHA512:6d7ab39a3367d72d70e0cf8af182fdf7b20100be1159465cebf5603c06bd485ffd0b5acee687ad029c1205c1cdadfbfe10002451b484cde1746ed2c8814f58e7
              SSDEEP:1536:OPtG0c3vhsblLAvTIpS1HP9CGZG48TdiwOeQqn4kFgGYglLg:X1JsblLAvI+FW48QwOen4Hi8
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................._.......................Rich............................PE..L....~.N.................`...P...............p....@
              Icon Hash:f2c2c29190d2c783
              Entrypoint:0x401194
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x4ED97EE6 [Sat Dec 3 01:44:06 2011 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:fca27436e553ec62bb2d0905390fd4e6
              Signature Valid:false
              Signature Issuer:E=Bibaciousnessmnten3@Pinjerforhaa.Non, CN=Vrdiheftesgalets, OU=Formationsskridt, O=ptychoptery, L=Retrickedtrbesk, S=Linoxininvectivel5, C=LV
              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
              Error Number:-2146762487
Not Before:11/16/2021 7:35:05 PM
Not After:11/16/2022 7:35:05 PM
              Subject Chain
              • E=Bibaciousnessmnten3@Pinjerforhaa.Non, CN=Vrdiheftesgalets, OU=Formationsskridt, O=ptychoptery, L=Retrickedtrbesk, S=Linoxininvectivel5, C=LV
              Version:3
              Thumbprint MD5:81C291A64F4EEAD3EB815B820975A11F
              Thumbprint SHA-1:3B9FB2B3310D80BB215D1F0A8A1B4C5CE397126F
              Thumbprint SHA-256:6E26EF48D70BCD9763606EA3E88539664649D7701B6F561892E318BB4DB04839
              Serial:00
              Instruction
              push 00401A0Ch
              call 00007F4FD4A94823h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              inc eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [ecx+58h], al
              push FFFFFFBFh
              fadd st(0), st(7)
              int1
              dec edi
              movsb
              jmp 00007F4FD4A94840h
              sbb al, 8Eh
              scasd
              inc edx
              aas
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add dword ptr [eax], eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              loopne 00007F4FD4A947F8h
              or dword ptr [ebx], eax
              jnc 00007F4FD4A948A7h
              bound ebp, dword ptr [edi+72h]
              imul ebp, dword ptr fs:[esi+00h], 20004108h
              or byte ptr [ecx+00h], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              dec esp
              xor dword ptr [eax], eax
              add dword ptr [edi+ebx*8-316D0720h], ecx
              xor eax, 8026BB49h
              nop
              dec edx
              and eax, 87C64A41h
              out E9h, al
              cmpsd
              pop eax
              rol dword ptr [edi-7Dh], 1
              arpl word ptr [ebx+7Ah], dx
              arpl word ptr [edx], cx
              pop ss
              and byte ptr [edx], bh
              dec edi
              lodsd
              xor ebx, dword ptr [ecx-48EE309Ah]
              or al, 00h
              stosb
              add byte ptr [eax-2Dh], ah
              xchg eax, ebx
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              je 00007F4FD4A94835h
              add byte ptr [eax], al
              push ebx
              add eax, dword ptr [eax]
              add byte ptr [eax], al
              push cs
              add byte ptr [esi+4Fh], al
              inc esp
              inc ebp
              push edx
              inc ecx
              dec esp
              inc ebp
              push edx
              push ebx
              dec eax
              pop ecx
              inc esp
              push edx
              add byte ptr [42000701h], cl
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16d14 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x2bca | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b000 | 0x750 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x90 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x15ffc | 0x16000 | False | 0.495827414773 | data | 6.39269902756 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x17f8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x2bca | 0x3000 | False | 0.236735026042 | data | 3.87641922123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
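The header fields and per-section statistics listed above can be reproduced without a PE library. The Python below is an added example written for this page; it is not Joe Sandbox code and not anything taken from the sample. It parses a PE32 image that `build_sample_pe32()` assembles in memory from constructed data whose header values copy the report (image base 0x400000, entry RVA 0x1194, link timestamp 0x4ED97EE6, RELOCS_STRIPPED set, DllCharacteristics empty); the section bytes and the trailing certificate blob are dummies. Two things it makes explicit: the security directory's first field is a raw file offset, not an RVA (here 0x1b000 + 0x750 is exactly the 112464-byte file size, so the certificate is appended after the sections regardless of what the "Is in Section" column reads), and finding that blob is all "Digitally signed: true" means, while "Signature Valid: false" comes from a separate chain check that this code does not perform. The entry-point listing above also needs reading with care: a VB6 binary starts with `push <VB header>` followed by a `call` through the MSVBVM60 ordinal-100 import, and the bytes after that call are the VB project header, which the linear sweep decodes as instructions.

```python
"""Static PE32 triage with the standard library only (added example)."""
import math
import struct
from datetime import datetime, timezone

SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
FILE_RELOCS_STRIPPED = 0x0001
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x0040, 0x0100   # ASLR and DEP opt-in bits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob: bytes) -> dict:
    """Read COFF header, PE32 optional header, security directory and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva, = struct.unpack_from("<I", blob, opt + 16)
    image_base, = struct.unpack_from("<I", blob, opt + 28)
    dll_chars, = struct.unpack_from("<H", blob, opt + 70)
    n_dirs, = struct.unpack_from("<I", blob, opt + 92)
    sec_off = sec_size = 0
    if n_dirs > SECURITY_DIR:
        # Unlike every other directory, this entry holds a raw FILE offset; the
        # WIN_CERTIFICATE normally trails the last section rather than living in one.
        sec_off, sec_size = struct.unpack_from("<II", blob, opt + 96 + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", blob, hdr)
        flags, = struct.unpack_from("<I", blob, hdr + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(shannon_entropy(blob[rptr:rptr + rsize]), 3),
            "executable": bool(flags & SCN_MEM_EXECUTE),
            "writable": bool(flags & SCN_MEM_WRITE),
        })
    when = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "timestamp": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_point": image_base + entry_rva,
        "relocs_stripped": bool(characteristics & FILE_RELOCS_STRIPPED),
        "aslr": bool(dll_chars & DLL_DYNAMIC_BASE),
        "dep": bool(dll_chars & DLL_NX_COMPAT),
        # A blob being present is all this proves; chain validity is a separate check.
        "has_authenticode_blob": sec_size > 0,
        "security_dir": {"file_offset": sec_off, "size": sec_size},
        "sections": sections,
    }


def build_sample_pe32() -> bytes:
    """Constructed two-section PE32 for offline use; NOT the analysed sample.

    Header values follow the report (image base 0x400000, entry RVA 0x1194,
    timestamp 0x4ED97EE6, RELOCS_STRIPPED set, DllCharacteristics empty);
    the section bytes and the trailing certificate blob are dummies.
    """
    text = bytes(range(256)) * 2           # uniform bytes -> entropy 8.0
    data = bytes(0x200)                    # all zero      -> entropy 0.0
    cert = bytes(0x50)                     # stands in for the WIN_CERTIFICATE
    hdr_size = text_off = 0x200
    data_off = text_off + len(text)
    cert_off = data_off + len(data)
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4ED97EE6, 0, 0, 96 + 16 * 8, 0x010F)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "IIII" + "II",
                      0x10B, 6, 0, len(text), len(data), 0, 0x1194, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 4, 0, 4, 0,
                      0, 0x4000, hdr_size, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR, cert_off, len(cert))

    def section(name, vsize, va, raw, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), rptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + opt + bytes(dirs)
               + section(b".text", 0x15FFC, 0x1000, text, text_off, 0x60000020)
               + section(b".data", 0x17F8, 0x2000, data, data_off, 0xC0000040))
    return headers.ljust(hdr_size, b"\0") + text + data + cert


if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe32(build_sample_pe32()), indent=2))
```

Run against the constructed image, `parse_pe32()` reports entry point 0x401194, the 2011-12-03 01:44:06 UTC link time, RELOCS_STRIPPED with neither ASLR nor DEP opted in, a certificate blob at file offset 0x600, and entropies of 8.0 for the uniform `.text` and 0.0 for the zero-filled `.data`; pointing it at a real file only requires reading the bytes in. Entropy around 6 to 6.4 for a code section, as the report shows for `.text`, is ordinary compiled code; packed or encrypted payloads sit close to 8.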
Name | RVA | Size | Type | Language | Country
SET | 0x19724 | 0x24a6 | MS Windows icon resource - 3 icons, 24x24, 16 colors, 4 bits/pixel, 24x24, 8 bits/pixel | English | United States
RT_ICON | 0x1943c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4152326007, next used block 7370615 | |
RT_GROUP_ICON | 0x19428 | 0x14 | data | |
RT_VERSION | 0x19140 | 0x2e8 | data | English | United States
DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaLateMemCallLd, _CIatan, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeObj
Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | ART
InternalName | Brugstyveriscortic
FileVersion | 1.00
CompanyName | ART
LegalTrademarks | ART
Comments | ART
ProductName | ART
ProductVersion | 1.00
FileDescription | Classic ART
OriginalFilename | Brugstyveriscortic.exe
Language of compilation system | Country where language is spoken
English | United States
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 23, 2022 06:45:47.377051115 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
Jan 23, 2022 06:45:47.926724911 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8

DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 23, 2022 06:45:47.377051115 CET | 192.168.2.3 | 8.8.8.8 | 0x102a | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Jan 23, 2022 06:45:47.926724911 CET | 192.168.2.3 | 8.8.8.8 | 0x6b8c | Standard query (0) | d34m1w.bn.files.1drv.com | A (IP address) | IN (0x0001)

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 23, 2022 06:45:47.424824953 CET | 8.8.8.8 | 192.168.2.3 | 0x102a | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Jan 23, 2022 06:45:47.976964951 CET | 8.8.8.8 | 192.168.2.3 | 0x6b8c | No error (0) | d34m1w.bn.files.1drv.com | bn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
Jan 23, 2022 06:45:47.976964951 CET | 8.8.8.8 | 192.168.2.3 | 0x6b8c | No error (0) | bn-files.fe.1drv.com | odc-bn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)


              Start time:06:43:39
              Start date:23/01/2022
              Path:C:\Users\user\Desktop\171121_PDF.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\171121_PDF.exe"
              Imagebase:0x400000
              File size:112464 bytes
              MD5 hash:60D8B8589BA8045361AE148EE76C7582
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Author: Joe Security
              Reputation:low

              Start time:06:44:14
              Start date:23/01/2022
              Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\171121_PDF.exe"
              Imagebase:0xdd0000
              File size:480256 bytes
              MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              Start time:06:44:15
              Start date:23/01/2022
              Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\171121_PDF.exe"
              Imagebase:0xdd0000
              File size:480256 bytes
              MD5 hash:DAD17AB737E680C47C8A44CBB95EE67E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000000.352935282.0000000003200000.00000040.00000001.sdmp, Author: Joe Security
              Reputation:moderate


                Execution Graph

                Execution Coverage:1.2%
                Dynamic/Decrypted Code Coverage:93.5%
                Signature Coverage:46.8%
                Total number of Nodes:124
                Total number of Limit Nodes:6
execution_graph (rendered graph; node annotations recovered from the export, edges omitted):
• 401194 #100 -> 4011c9
• 416ba0 -> 416be0 -> 416c10 __vbaHresultCheckObj / 416c22 __vbaLateMemCallLd __vbaVarSetVar __vbaFreeObj -> 416c90 -> 416c96 __vbaHresultCheckObj / 416ca8 __vbaR8IntI4 -> 416cc8 __vbaFreeVar
• 232ab06 LdrInitializeThunk
• 232b66d -> 232b673 CreateFileA
• 232befb: LoadLibraryA, GetPEB, GetPEB, NtProtectVirtualMemory (summarised node); 232bfe4 LoadLibraryA; 232c982 GetPEB
• 232c014, 232c281: "4 API calls" (summarised nodes)
• 232d311 -> 232d33c NtAllocateVirtualMemory -> 232d38c
• 232e5f0 GetPEB
• 232f695 -> 232f6ef NtProtectVirtualMemory
• 232fb89: LoadLibraryA, GetPEB, GetPEB, NtProtectVirtualMemory, NtResumeThread (summarised node); 233010d NtResumeThread -> 2330148
• 2328a05 -> 2328a0c NtWriteVirtualMemory -> 2328a68
• 2328d51 Sleep -> 2328d9e
• 23296b7 TerminateProcess

                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ~iD
                • API String ID: 1029625771-1955462559
                • Opcode ID: d03e2929a55809ffc75b54e53ba69d622c1a22addc169433234063c90710a046
                • Instruction ID: ddc5aad194d96b051b64eb8047b444804b42b737db79763b370855e07108405c
                • Opcode Fuzzy Hash: d03e2929a55809ffc75b54e53ba69d622c1a22addc169433234063c90710a046
                • Instruction Fuzzy Hash: 59A1DC312083989FCB749F24C8957EEB7E6FF94754F05891EDD8A9B612C7308A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

Control-flow Graph (image omitted): function at 0x232fb8e; basic blocks 0x232fb8e-0x2330382 and 0x2330888-0x23308e0; calls 232cefb once and 2330194 twice; NtResumeThread is called in block 0x23300eb-0x233011e.
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: ResumeThread
                • String ID: eKU$
                • API String ID: 947044025-2864510924
                • Opcode ID: 5a888558f530ea920920d540d0bbc9b17a70b8a607c4af46095f8a0e8cebe8bd
                • Instruction ID: b8cb48979069b89bd450440f187d51b22ef68749ac09ac2a9c61bc4c4bd844e1
                • Opcode Fuzzy Hash: 5a888558f530ea920920d540d0bbc9b17a70b8a607c4af46095f8a0e8cebe8bd
                • Instruction Fuzzy Hash: 7471C270509249CBDB7EDE28C9A4BEA77B2AF85310F11812EDC4B8BA56C7349645CB42
                Uniqueness

                Uniqueness Score: -1.00%

Control-flow Graph (image omitted): function at 0x232cfc2; basic blocks 0x232cfc2-0x232d697; calls 232befb, 232be84, 232d474 and 232d66c; NtAllocateVirtualMemory is called in block 0x232d216-0x232d3b5.
                APIs
                  • Part of subcall function 0232BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: fd72866d491360dbc49b3b2a6e7cb8fcdc270621c7c3a384141e676c2bda7b9a
                • Instruction ID: b833f8fbdd60c3ff8264f01db94ca3792e3db10b2d891ce6fd5777fa20389eaf
                • Opcode Fuzzy Hash: fd72866d491360dbc49b3b2a6e7cb8fcdc270621c7c3a384141e676c2bda7b9a
                • Instruction Fuzzy Hash: 67514A725093A8CFDB709F20CD017EABBB5AF45350F154419DC8A8BA62D730894ACB96
                Uniqueness

                Uniqueness Score: -1.00%

Control-flow Graph (image omitted): function at 0x232cfed; basic blocks 0x232cfed-0x232d697; calls 232befb, 232be84, 232d474 and 232d66c; NtAllocateVirtualMemory is called in block 0x232d216-0x232d3b5.
                APIs
                  • Part of subcall function 0232BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: 1d7feb93c1e0cce13a763aa75c650759768cb17940812feec9c66e92c3145dc0
                • Instruction ID: 67ed52662b599627e970646f5d61986212a5ffc21381205dc31071f9a07962d0
                • Opcode Fuzzy Hash: 1d7feb93c1e0cce13a763aa75c650759768cb17940812feec9c66e92c3145dc0
                • Instruction Fuzzy Hash: AB5148725093A8CFDB709F20CD017EABBF5AF45354F154009CC8E8BA22C7309A4ACB96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0232BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: 6d3ec819fca886c26ff7a179f79721739e75eccedb5a213723b6c300aa9ce506
                • Instruction ID: c8ea8b0083d06839a0511bd3f7a4c8c83902337397795d6f82b049c81a707550
                • Opcode Fuzzy Hash: 6d3ec819fca886c26ff7a179f79721739e75eccedb5a213723b6c300aa9ce506
                • Instruction Fuzzy Hash: 9E5125710093A8CFDB709F20CD017EABBB6AF56350F54441ED8CA4BA63D770958ACB56
                Uniqueness

                Uniqueness Score: -1.00%

Control-flow Graph (image omitted): function at 0x232d0d1; basic blocks 0x232d0d1-0x232d697; calls 232befb, 232be84, 232d474 and 232d66c; NtAllocateVirtualMemory is called in block 0x232d216-0x232d5fa.
                APIs
                  • Part of subcall function 0232BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: 44088a8b423f241dde5861bdd25c8833e8c219ac7ece6668bd2f616940731547
                • Instruction ID: a8ff957a470579d683407cd4124f23873ed44182cfcce1de702666ff1dc9170a
                • Opcode Fuzzy Hash: 44088a8b423f241dde5861bdd25c8833e8c219ac7ece6668bd2f616940731547
                • Instruction Fuzzy Hash: 134127711093A8CFDB709F24CD017EABBF5AF85354F144419DC8E8BA62D7309A4ACB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 232d0e6-232d191 -> 232d198-232d215
                • 232d198-232d215 -> 232d216-232d5fa (NtAllocateVirtualMemory; call 232be84; call 232d474)
                • 232d216-232d5fa -> 232d5ff-232d613
                • 232d5ff-232d613 -> 232d615-232d697 (call 232d66c); -> 232d5fe
                • 232d5fe -> 232d5ff-232d613
                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID: W&R_
                • API String ID: 2167126740-940024294
                • Opcode ID: 9816b7768e3a806f5268fa1b33f22c823fffe13cf82ef30dfe4e9a093f944bcf
                • Instruction ID: 8d99e2faf031b87e58a39362e77c2915449edcb3e7909dbf4facbee07ed9cdda
                • Opcode Fuzzy Hash: 9816b7768e3a806f5268fa1b33f22c823fffe13cf82ef30dfe4e9a093f944bcf
                • Instruction Fuzzy Hash: F741F071009398CFDB70DF60CD01BEABBB6AF56350F144419D8CA4BA62D370864ACB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 23284f7-2328513 -> 2328539-232853a
                • 2328539-232853a -> 2328556-2328563; -> 232853b-232853c
                • 2328556-2328563 -> 2328522-2328534; -> 2328565
                • 232853b-232853c -> 23285ab-23285b2; -> 232853e-2328542
                • 2328522-2328534 -> 2328539-232853a
                • 2328565 -> 2328567-23285aa; -> 23285be-23285c4
                • 23285ab-23285b2 -> 23285b4; -> 23285ee-23285f4
                • 232853e-2328542 -> 2328556-2328563; -> 2328544-2328552
                • 2328544-2328552 -> 2328556-2328563; -> 2328cd9-2328d24
                • 2328567-23285aa -> 23285ab-23285b2
                • 23285be-23285c4 -> 23285c6-23285e4; -> 23285fa-2328612
                • 23285b4 -> 23285be-23285c4
                • 23285ee-23285f4 -> 2328cd9-2328d24; -> 23285fa-2328612
                • 2328cd9-2328d24 (call 232fb89, twice) -> 2328cb1-2328cba; -> 2328d26-2328da7
                • 23285c6-23285e4 -> 23285ee-23285f4
                • 23285fa-2328612 -> 2328cd9-2328d24; -> 2328618-232863f
                • 2328618-232863f -> 2328641-2328661; -> 2328667-232866e
                • 2328641-2328661 -> 232868f-232869e
                • 2328667-232866e -> 232867a-232867b
                • 232867a-232867b -> 232868f-232869e
                • 232868f-232869e -> 232869f-23286a8
                • 232869f-23286a8 -> 232869f-23286a8 (self loop); -> 23286aa-23286dd
                • 23286aa-23286dd -> 232867a-232867b; -> 23286df-2328716
                • 2328cb1-2328cba -> 2328cd9-2328d24
                • 2328d26-2328da7 (call 232fb89; Sleep)
                • 23286df-2328716
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: vk2#
                • API String ID: 3472027048-1686446494
                • Opcode ID: a24a85b7e2fe9af2471a09c835a92835126ee5096237c5642aa9958a30c384d3
                • Instruction ID: e9e4032c6cb6b73c34fd77d7e90428d6dec9efe861ca02f8c6ba7cc325cb5de4
                • Opcode Fuzzy Hash: a24a85b7e2fe9af2471a09c835a92835126ee5096237c5642aa9958a30c384d3
                • Instruction Fuzzy Hash: 2751F0314182D9DFCB369F348C496E9BF71EF16304F184A9AD9859B8A3C3314649CFA6
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 232d13c-232d191 -> 232d198-232d215
                • 232d198-232d215 -> 232d216-232d5fa (NtAllocateVirtualMemory; call 232be84; call 232d474)
                • 232d216-232d5fa -> 232d5ff-232d613
                • 232d5ff-232d613 -> 232d615-232d697 (call 232d66c); -> 232d5fe
                • 232d5fe -> 232d5ff-232d613
                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 31c114de92f744edb83625db5b48e2a7e83e0d90de3b3f5ca56bfabb0c68a7a7
                • Instruction ID: ccc06db5cc4ef304ed639cbef58bf4722168cc44b18f526ea4c4db4bd65360e4
                • Opcode Fuzzy Hash: 31c114de92f744edb83625db5b48e2a7e83e0d90de3b3f5ca56bfabb0c68a7a7
                • Instruction Fuzzy Hash: 18411571009798CFDB709F20CD01BEABBB5EF85354F144019DC8E4BA62D3308A4ACB56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 13e0267752e4356819f03f81f0c4b7b49f7e91d615854204c28a7e2e460fb956
                • Instruction ID: 758f6bc1536815326357fda1d6152484730261c5471335a73a71ca35ff905da2
                • Opcode Fuzzy Hash: 13e0267752e4356819f03f81f0c4b7b49f7e91d615854204c28a7e2e460fb956
                • Instruction Fuzzy Hash: C53123710093A8CFDB309F20CD41BDABBB6AF9A354F144019C88E4BA62C3308A4ACB55
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 35f17c6955378cdd63720aa2360d474b865b2c11fc31b1f8ed2b5c2810160e82
                • Instruction ID: 8a17e3a5b59d710c8992a89b5a453b23e318e1d6f39d9336d02bce16e0ac399c
                • Opcode Fuzzy Hash: 35f17c6955378cdd63720aa2360d474b865b2c11fc31b1f8ed2b5c2810160e82
                • Instruction Fuzzy Hash: 0F21F571049698CFDB309F10CD11BDABF76AF4A394F140509D88E5BA67C730964ACB55
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 833df68078b0f54b4324a03178602dd50c05a2423dda8891bf3383eb7303c877
                • Instruction ID: 140003220a302e79c5f73fdd24eb6c624efb085a9b89cd328666b4e04a9162cd
                • Opcode Fuzzy Hash: 833df68078b0f54b4324a03178602dd50c05a2423dda8891bf3383eb7303c877
                • Instruction Fuzzy Hash: BE21F0310492A8CFDB319F20CA11BDABFB6AF4A394F040549D98A0F667C730964ACB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 1ed1646b72c225e054776e6b9c80ad645b0125cb99d5103ec849b391657de2b4
                • Instruction ID: bb2c4b08fb6fa6fc27fef16d5a319c7c39208fa2fbe0a6c55b6effd49316b233
                • Opcode Fuzzy Hash: 1ed1646b72c225e054776e6b9c80ad645b0125cb99d5103ec849b391657de2b4
                • Instruction Fuzzy Hash: 8A21DF31009698CFDB309F50C911BDABF76AF4A394F040509D98E5F663C3309A4ACB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtProtectVirtualMemory.NTDLL ref: 0232F776
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: d9d5fe42c558867c47ff0812a8cb6df3d09a26546aeda0ca16a2ba3de1ef4832
                • Instruction ID: 686b25928622871900f8b607f988b77c1558fc00b88de414f2ffe83ce8d25094
                • Opcode Fuzzy Hash: d9d5fe42c558867c47ff0812a8cb6df3d09a26546aeda0ca16a2ba3de1ef4832
                • Instruction Fuzzy Hash: 2C0137B16046868FD721DE58CD54AEAB7EAFFD8344F14812DDD8A8BA05E7309A01CB11
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtWriteVirtualMemory.NTDLL(?,?), ref: 02328A17
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryVirtualWrite
                • String ID:
                • API String ID: 3527976591-0
                • Opcode ID: 56e16f54b69c42899c2ae2f523c582f4a80e6a8ab5c6b80d9a3094d2db55f621
                • Instruction ID: a1dd197eb5109da1dbd67688760429cb82d6e06f4f8d613dac722a5df35a3b6e
                • Opcode Fuzzy Hash: 56e16f54b69c42899c2ae2f523c582f4a80e6a8ab5c6b80d9a3094d2db55f621
                • Instruction Fuzzy Hash: 4BE0683D1241DA2B8704CF20848868FBEE9AF161217000476B510FE805CA358180C322
                Uniqueness

                Uniqueness Score: -1.00%
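
                The entries above place NtAllocateVirtualMemory (ref 0232D344), NtWriteVirtualMemory (ref 02328A17) and NtProtectVirtualMemory (ref 0232F776) in the same memory dump at offset 02320000, which is "based on PE: false", that is, code that is not backed by the mapped image; the same region also reaches Sleep (the stalling routine) and LoadLibraryA. The script below is an added triage example, not part of Joe Sandbox or of this report: it parses the report's own line format ("API.Module(args), ref: ADDR", "Source File: ..., Offset: ..., based on PE: ...", "API ID: ...") and groups calls by dump region so that the allocate/write/protect triad reached from non-image memory stands out from the MSVBVM60 stub in the PE image. The SAMPLE text is a constructed excerpt whose addresses and dump names are copied from the entries on this page, with the surrounding lines trimmed; the tag names are my own.

```python
"""Triage the per-function API lists in a Joe Sandbox report excerpt.

Added example for this page; it is not part of Joe Sandbox or of the report.
Parses the report's per-function lines and groups API calls by memory region,
so injection primitives reached from non-image-backed memory (unpacked code at
offset 02320000) are separated from the MSVBVM60 stub inside the PE image.
"""
import re
from collections import defaultdict

API_RE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
API_ID_RE = re.compile(r"API ID:\s*(?P<id>\S+)")

INJECTION_TRIAD = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory")

# Constructed excerpt in the report's own format; addresses and dump names are
# copied from the entries on this page, the surrounding lines are trimmed.
SAMPLE = """
APIs
• Part of subcall function 0232BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
• NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0232D344
Memory Dump Source
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
• API ID: AllocateLibraryLoadMemoryVirtual
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
• API ID: Sleep
Uniqueness Score: -1.00%
APIs
• NtProtectVirtualMemory.NTDLL ref: 0232F776
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
• API ID: MemoryProtectVirtual
Uniqueness Score: -1.00%
APIs
• NtWriteVirtualMemory.NTDLL(?,?), ref: 02328A17
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
• API ID: MemoryVirtualWrite
Uniqueness Score: -1.00%
APIs
• __vbaHresultCheckObj.MSVBVM60(00000000,004010A8,004024D0,00000218), ref: 00416C1C
• __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00416C6A
• __vbaFreeObj.MSVBVM60 ref: 00416C81
• Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• API ID: __vba$CheckFreeHresult$CallLate
Uniqueness Score: -1.00%
"""


def parse_report(text):
    """Split the text into per-function entries; each ends at its 'Uniqueness Score' line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if cur is None:
            cur = {"apis": [], "offset": None, "image_backed": None, "api_id": ""}
        if m := API_RE.search(line):
            cur["apis"].append({"api": m["api"], "module": m["module"],
                                "args": m["args"] or "", "ref": m["ref"].upper(),
                                "subcall": m["sub"] is not None})
        elif m := SRC_RE.search(line):
            cur["offset"] = m["offset"].upper()
            cur["image_backed"] = m["pe"] == "true"
        elif m := API_ID_RE.search(line):
            cur["api_id"] = m["id"]          # e.g. "Sleep" when the APIs list itself is empty
        elif line.startswith("Uniqueness Score"):
            entries.append(cur)
            cur = None
    if cur is not None:
        entries.append(cur)
    return entries


def assess(entries):
    """Return (offset, tag, detail) findings, one memory region per dump offset."""
    regions = defaultdict(lambda: {"image_backed": True, "apis": {}, "api_ids": set()})
    for e in entries:
        if e["offset"] is None:
            continue
        r = regions[e["offset"]]
        r["image_backed"] = bool(e["image_backed"])
        for c in e["apis"]:
            r["apis"].setdefault(c["api"], c["ref"])   # keep the first ref seen per API
        if e["api_id"]:
            r["api_ids"].add(e["api_id"])
    findings = []
    for off, r in sorted(regions.items()):
        where = "PE image" if r["image_backed"] else "non-image memory (unpacked code)"
        if all(a in r["apis"] for a in INJECTION_TRIAD):
            refs = ", ".join(f"{a}@{r['apis'][a]}" for a in INJECTION_TRIAD)
            findings.append((off, "injection-primitives", f"allocate/write/protect triad from {where}: {refs}"))
        if "Sleep" in r["apis"] or "Sleep" in r["api_ids"]:
            findings.append((off, "stalling", f"Sleep reached from {where}"))
        if "LoadLibraryA" in r["apis"] and not r["image_backed"]:
            findings.append((off, "runtime-import-resolution", f"LoadLibraryA@{r['apis']['LoadLibraryA']} from {where}"))
        if any(a.startswith("__vba") for a in r["apis"]):
            findings.append((off, "vb6-runtime-stub", f"MSVBVM60 helpers called from {where}"))
    return findings


if __name__ == "__main__":
    for off, tag, detail in assess(parse_report(SAMPLE)):
        print(f"{off}  {tag:26} {detail}")
```

Grouping by dump offset rather than by function is the point: each function entry on the page shows only one primitive, and it is the co-location of all three in a region the loader allocated itself that makes the injection pattern unambiguous. The "API ID" fallback is needed because the Sleep routine above has an empty APIs list and names the call only in its similarity block.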

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 9f6a7f825f83d88c1ed46004d353caebf5f2c4a4ced15f79f09715c02936f21f
                • Instruction ID: a575a6436e1d294ad8230f224e082f9729413bfa3f979c4c9e838c1fe41a2d27
                • Opcode Fuzzy Hash: 9f6a7f825f83d88c1ed46004d353caebf5f2c4a4ced15f79f09715c02936f21f
                • Instruction Fuzzy Hash: E2D012B14493C0CFC371DFE4444054B7E31AB32350794584ED0821FAC7C760018AEB75
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: deaf34fbfc0284bc89a9a34986d1a08ec29e8e0fc51b643f153a9479dc3d2115
                • Instruction ID: c8f82b969b0d10c3e5f8796557fe69a08da86ef75079455b36d77d2a9dc5cb8d
                • Opcode Fuzzy Hash: deaf34fbfc0284bc89a9a34986d1a08ec29e8e0fc51b643f153a9479dc3d2115
                • Instruction Fuzzy Hash: 618197728083D58FC7229F3889952EA7FB4EF26210F144A9DC0D89B5A3E761454BCB92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 24b4c77ad923b09a42d0c728debfd8632988641a9cdda6cbd685c1ce6ebdd6d3
                • Instruction ID: d3bb6db5c074f98cf70217c1ff2676760ba550955cca2868a9c0d33094c01a39
                • Opcode Fuzzy Hash: 24b4c77ad923b09a42d0c728debfd8632988641a9cdda6cbd685c1ce6ebdd6d3
                • Instruction Fuzzy Hash: 6D5101B28093E48FC7269F7489552EA7FB0EF16300F14499EC4C89B663E7B1064ADB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • __vbaHresultCheckObj.MSVBVM60(00000000,004010A8,004024D0,00000218), ref: 00416C1C
                • __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00416C6A
                • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00416C78
                • __vbaFreeObj.MSVBVM60 ref: 00416C81
                • __vbaHresultCheckObj.MSVBVM60(00000000,004010A8,004024D0,000002B4), ref: 00416CA2
                • __vbaR8IntI4.MSVBVM60 ref: 00416CAE
                • __vbaFreeVar.MSVBVM60(00416CF0), ref: 00416CE9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID: __vba$CheckFreeHresult$CallLate
                • String ID: Add$Cmd1$vb.commandbutton
                • API String ID: 305031756-2351469399
                • Opcode ID: 86c8c4e18875b1e6af665bd720da9b2a10bcf72e5815a6f596bb8fa22780111d
                • Instruction ID: f88ade7cd543f66a4aac683785c3c4feef702e574f8b5d3de027c4b2330f6eea
                • Opcode Fuzzy Hash: 86c8c4e18875b1e6af665bd720da9b2a10bcf72e5815a6f596bb8fa22780111d
                • Instruction Fuzzy Hash: 48415F71901208AFCB00DF98C948ADDBFF8FF48714F24856AE845B72A1D7759985CF94
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 4011bb-4011cb (single block, no outgoing edges)
                C-Code - Quality: 61%
                			E004011BB() {
                				intOrPtr* _t92;
                				void* _t93;
                				void* _t110;
                				void* _t121;
                				void* _t122;
                				void* _t133;
                				void* _t134;
                
                				asm("sbb al, 0x8e");
                				asm("scasd");
                				_t122 = _t121 + 1;
                				asm("aas");
                				 *_t92 =  *_t92 + _t92;
                				 *_t92 =  *_t92 + _t92;
                				 *_t92 =  *_t92 + _t92;
                				 *_t92 =  *_t92 + _t92;
                				 *_t92 =  *_t92 + _t92;
                				 *_t92 =  *_t92 + _t92;
                				_t93 = _t92 + _t92;
                				asm("invalid");
                				_t134 = _t133 +  *((intOrPtr*)(_t110 + 0x75));
                			}
                Disassembly (instruction text not captured; address column only): 0x004011bb 0x004011bd 0x004011be 0x004011bf 0x004011c0 0x004011c2 0x004011c4 0x004011c6 0x004011c8 0x004011c9 0x004011cb 0x004011cd 0x004011cf

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID: #100
                • String ID: VB5!6&*
                • API String ID: 1341478452-3593831657
                • Opcode ID: 60fa8c3065fe033f1738318b9b090bc371a0b23f51cd03b96e801335617b5e4d
                • Instruction ID: af42044adc57a1f6c059b7c30ee1fd78fb8e6d1c82520dc48754f4d6afad53bd
                • Opcode Fuzzy Hash: 60fa8c3065fe033f1738318b9b090bc371a0b23f51cd03b96e801335617b5e4d
                • Instruction Fuzzy Hash: C641EAA248E7C05FD30387B08C656917FB4AE53228B0A86EBC4C1CF4F3D25D190ADB66
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 232d5c7-232d5f3 -> 232befb-232bfcb; -> 232d5f9-232d5fa (call 232d474)
                • 232befb-232bfcb -> 232bfe4-232c013 (LoadLibraryA; call 232c014); -> 232bfcd-232bfe1 (call 232c982; call 232c014)
                • 232bfcd-232bfe1 -> 232bfe4-232c013
                • 232d5f9-232d5fa -> 232d5ff-232d613
                • 232d5ff-232d613 -> 232d615-232d697 (call 232d66c); -> 232d5fe
                • 232d5fe -> 232d5ff-232d613
                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ~iD
                • API String ID: 1029625771-1955462559
                • Opcode ID: 57d693f531353628a3b477cbe76b9b5da69eef17910e5efe44229ee05fd73a19
                • Instruction ID: 432b4798dfc7854db8a0750f0a28dc59966e279c20ff645d7006854efeaedb0b
                • Opcode Fuzzy Hash: 57d693f531353628a3b477cbe76b9b5da69eef17910e5efe44229ee05fd73a19
                • Instruction Fuzzy Hash: DD21CC701487E4DBCB30EF608844BEEBBB6AF59368F148509EC896F606C3704A49CF65
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 232bef6-232bfcb -> 232bfe4-232c013 (LoadLibraryA; call 232c014); -> 232bfcd-232bfe1 (call 232c982; call 232c014)
                • 232bfcd-232bfe1 -> 232bfe4-232c013
                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ~iD
                • API String ID: 1029625771-1955462559
                • Opcode ID: f22d72dfbe8584e41e1283b85695698eb0de99e2651c130974e8c406437ab02a
                • Instruction ID: 8326cdced532f381dc94dfa9a817b2b6269a3a0845b24e62d7902d5e02911ca7
                • Opcode Fuzzy Hash: f22d72dfbe8584e41e1283b85695698eb0de99e2651c130974e8c406437ab02a
                • Instruction Fuzzy Hash: 31018F7000D7E4AFD722DB70D8147EEBBA29F12358F19855ADC465A542C3754B45CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 232befb-232bfcb -> 232bfe4-232c013 (LoadLibraryA; call 232c014); -> 232bfcd-232bfe1 (call 232c982; call 232c014)
                • 232bfcd-232bfe1 -> 232bfe4-232c013
                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ~iD
                • API String ID: 1029625771-1955462559
                • Opcode ID: 0b1f4ef82597150acb0c0035b749fdd4253229fdc8b8995d10706d9417939067
                • Instruction ID: 259102e86409a9cecf7f73dde07ff7f121f5932b57ea477f60596976853aee1a
                • Opcode Fuzzy Hash: 0b1f4ef82597150acb0c0035b749fdd4253229fdc8b8995d10706d9417939067
                • Instruction Fuzzy Hash: 86014B702086A8EFCB70DF24D884BEEBBA6BF44758F058416EC09AB611C3704B04DF51
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not captured; recovered basic blocks and edges)
                • 401194-4011b9 (#100) -> 4011c9-4011cb
                C-Code - Quality: 68%
                			_entry_() {
                				signed char _t94;
                				intOrPtr* _t95;
                				void* _t96;
                				void* _t113;
                				void* _t120;
                				void* _t128;
                				void* _t129;
                				void* _t136;
                				void* _t137;
                
                				_push("VB5!6&*"); // executed
                				L0040118C(); // executed
                				 *_t94 =  *_t94 + _t94;
                				 *_t94 =  *_t94 + _t94;
                				 *_t94 =  *_t94 + _t94;
                				 *_t94 =  *_t94 ^ _t94;
                				 *_t94 =  *_t94 + _t94;
                				_t95 = _t94 + 1;
                				 *_t95 =  *_t95 + _t95;
                				 *_t95 =  *_t95 + _t95;
                				 *_t95 =  *_t95 + _t95;
                				 *((intOrPtr*)(_t120 + 0x58)) =  *((intOrPtr*)(_t120 + 0x58)) + _t95;
                				_push(0xffffffbf);
                				asm("int1");
                				_t129 = _t128 - 1;
                				asm("movsb");
                				 *_t95 =  *_t95 + _t95;
                				_t96 = _t95 + _t95;
                				asm("invalid");
                				_t137 = _t136 +  *((intOrPtr*)(_t113 + 0x75));
                			}
                Disassembly (instruction text not captured; address column only): 0x00401194 0x00401199 0x0040119e 0x004011a0 0x004011a2 0x004011a4 0x004011a6 0x004011a8 0x004011a9 0x004011ab 0x004011ad 0x004011af 0x004011b2 0x004011b6 0x004011b7 0x004011b8 0x004011c9 0x004011cb 0x004011cd 0x004011cf

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID: #100
                • String ID: VB5!6&*
                • API String ID: 1341478452-3593831657
                • Opcode ID: 4e8cd71f24929f04a384fa40ee1b9263bc0f44107e98a8a096ba516acf44c8ce
                • Instruction ID: 7c201c1c41bf3efc9138c70f9f249352741062b138810f808ceab0e8fdd70dce
                • Opcode Fuzzy Hash: 4e8cd71f24929f04a384fa40ee1b9263bc0f44107e98a8a096ba516acf44c8ce
                • Instruction Fuzzy Hash: 00E0245194F3C01EC30712B54C211856FB08D6722532A42EB91D0DE4F7D05D4C4EC777
                Uniqueness

                Uniqueness Score: -1.00%
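
                The `_entry_` listing above is the standard Visual Basic 6 entry stub: a push of the address of the VB runtime header (the string "VB5!6&*" is the start of that header, "VB5!" being its magic) followed by a call through the import thunk at 0040118C to MSVBVM60 ordinal #100 (ThunRTMain); everything after the call is data that the decompiler misread as instructions. The script below is an added example, not part of Joe Sandbox or of the sample: it decodes such a stub from a flat in-memory image, follows the pushed pointer and reads the leading header fields according to the commonly published VBHeader layout (magic, wRuntimeBuild, szLangDll, szSecLangDll, wRuntimeRevision, dwLCID, dwSecLCID, lpSubMain at +0x2C, lpProjectData at +0x30). The image buffer, the header location (RVA 0x1000) and the lpSubMain/lpProjectData values are constructed; the entry and thunk addresses are the ones in the listing above.

```python
"""Locate and decode the VB6 runtime header behind a 'push VBHeader; call ThunRTMain' stub.

Added example for this page, not part of Joe Sandbox or of the analysed sample.
The image below is a constructed flat mapping (RVA == buffer offset); a real
PE would need section-table RVA-to-file-offset translation first.
"""
import struct

IMAGE_BASE = 0x00400000   # preferred base of the constructed image
ENTRY_RVA = 0x1194        # entry address 00401194, as in the listing
THUNK_RVA = 0x118C        # call target 0040118C, as in the listing
HEADER_RVA = 0x1000       # assumed location of the VBHeader (constructed)


def build_sample_image():
    """Constructed image: minimal VBHeader, the entry stub and the import thunk."""
    img = bytearray(0x3000)
    # VBHeader: "VB5!" magic, wRuntimeBuild ('6&' = 0x2636), szLangDll[14], szSecLangDll[14],
    # then wRuntimeRevision, dwLCID, dwSecLCID, lpSubMain, lpProjectData (published layout).
    hdr = b"VB5!" + b"6&" + b"*".ljust(14, b"\0") + b"*".ljust(14, b"\0")
    hdr += struct.pack("<HIIII", 0x0009, 0x0409, 0x0409, IMAGE_BASE + 0x1200, IMAGE_BASE + 0x1300)
    img[HEADER_RVA:HEADER_RVA + len(hdr)] = hdr
    # Entry stub: push imm32 ; call rel32 (rel32 is relative to the next instruction).
    call_va = IMAGE_BASE + ENTRY_RVA + 5
    stub = b"\x68" + struct.pack("<I", IMAGE_BASE + HEADER_RVA)
    stub += b"\xE8" + struct.pack("<i", (IMAGE_BASE + THUNK_RVA) - (call_va + 5))
    img[ENTRY_RVA:ENTRY_RVA + len(stub)] = stub
    # Import thunk: jmp dword ptr [IAT slot]; the slot address is a placeholder.
    img[THUNK_RVA:THUNK_RVA + 6] = b"\xFF\x25" + struct.pack("<I", IMAGE_BASE + 0x2000)
    return bytes(img)


def parse_entry_stub(img, base, entry_rva):
    """Decode 'push imm32; call rel32' at the entry point; None if the shape does not match."""
    off = entry_rva
    if off < 0 or len(img) < off + 10 or img[off] != 0x68 or img[off + 5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", img, off + 1)[0]
    rel = struct.unpack_from("<i", img, off + 6)[0]
    call_target = (base + off + 10 + rel) & 0xFFFFFFFF
    return {"header_va": header_va, "thunrtmain_thunk_va": call_target}


def parse_vb_header(img, base, header_va):
    """Decode the leading VBHeader fields; raise ValueError if the 'VB5!' magic is absent."""
    off = header_va - base
    if off < 0 or off + 0x34 > len(img) or img[off:off + 4] != b"VB5!":
        raise ValueError("no VB5! header at %#x" % header_va)
    # The NUL-terminated run starting at the magic is what a strings listing shows ("VB5!6&*").
    signature = img[off:off + 0x20].split(b"\0", 1)[0].decode("latin-1")
    build, = struct.unpack_from("<H", img, off + 4)
    lang_dll = img[off + 6:off + 20].split(b"\0", 1)[0].decode("latin-1")
    revision, lcid, sec_lcid, sub_main, project = struct.unpack_from("<HIIII", img, off + 0x22)
    return {"signature": signature, "runtime_build": build, "lang_dll": lang_dll,
            "runtime_revision": revision, "lcid": lcid, "sec_lcid": sec_lcid,
            "sub_main": sub_main, "project_data": project}


def triage(img, base, entry_rva):
    """Entry stub plus header fields, or None when the entry is not a VB6 stub."""
    stub = parse_entry_stub(img, base, entry_rva)
    if stub is None:
        return None
    return {**stub, **parse_vb_header(img, base, stub["header_va"])}


if __name__ == "__main__":
    for key, value in triage(build_sample_image(), IMAGE_BASE, ENTRY_RVA).items():
        print(f"{key:20} {value:#x}" if isinstance(value, int) else f"{key:20} {value}")
```

For a GuLoader sample this stub is only the wrapper: lpSubMain points at the VB code that runs the obfuscated shellcode, and the injection primitives listed earlier live in memory the shellcode allocates itself, not in the VB image. Recognising the stub quickly lets the VB6 layer be skipped in favour of the dumped region.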

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: f4e2f788b8c0b89ff964337a9ff2733ea7af6b8a92d9c1f22bc67d389b543f5b
                • Instruction ID: 5a8035d78ab6c7267c2ebb60a999c4a711ee708501f3746b59195215de010344
                • Opcode Fuzzy Hash: f4e2f788b8c0b89ff964337a9ff2733ea7af6b8a92d9c1f22bc67d389b543f5b
                • Instruction Fuzzy Hash: 4821F771648225DBD7345E348980BFDB7AAEF60309F05451E99CAABA06D3708A89CB16
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 191f3c4898debd0053b1a881641acf634ec38ccce335fb726118714705d289df
                • Instruction ID: 42406da04aa368d05196a085dfa5df99b10f79d9c24292a3909a650774432e66
                • Opcode Fuzzy Hash: 191f3c4898debd0053b1a881641acf634ec38ccce335fb726118714705d289df
                • Instruction Fuzzy Hash: 3D21F97164C325DBD7345E348980BFDB7EAEF50308F05451E99CAABA06D3705A89CB16
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 119bd0f5df08b913e7755431f7bc020f5ffb80dbb7fc4b2314ecfb469711253e
                • Instruction ID: 954ff52d77ee56b8dc329a9e783d5b6682efec697a7b2c126cfcf23b2d080cfd
                • Opcode Fuzzy Hash: 119bd0f5df08b913e7755431f7bc020f5ffb80dbb7fc4b2314ecfb469711253e
                • Instruction Fuzzy Hash: 29210A7164D224DBD7345E34C880BFEB7E9EF14308F09451E99CAABA06D3744A85CB13
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: e3b6cdef90bb82cff36af5f4f8512e975fefbdb7d2b57415ba763839f191e667
                • Instruction ID: 13c3d675dde76e3a1cae690708cbe0d818efb79b24dffc5cc048abccef452ffe
                • Opcode Fuzzy Hash: e3b6cdef90bb82cff36af5f4f8512e975fefbdb7d2b57415ba763839f191e667
                • Instruction Fuzzy Hash: DF21F47154C354DBD730AF7488807EEBBBAEF24314F19491E88C66BA46D3704A89CB22
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: eb3b53fb6f6f647481d877d5f13a70bcecab48a7ac7ffc882a0eff20f206e7a1
                • Instruction ID: 9a948a28353c6eda4f75e50d25d308da6d8005d98b81d92624e60488563d30e1
                • Opcode Fuzzy Hash: eb3b53fb6f6f647481d877d5f13a70bcecab48a7ac7ffc882a0eff20f206e7a1
                • Instruction Fuzzy Hash: 7D110A7194D324DBD7206E3488807EDB3E9EF14304F15491E88CAABA06D3744A89CB53
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 92adf7d8b0cf98552cb709ca7e6e0ddbd010713ed85e3940d9d3d956d05032d0
                • Instruction ID: 20c2775b5a30d7320cbed8d02322ef843e912f816cd073a0cc1d3707a4e1554a
                • Opcode Fuzzy Hash: 92adf7d8b0cf98552cb709ca7e6e0ddbd010713ed85e3940d9d3d956d05032d0
                • Instruction Fuzzy Hash: 8AF0F971845164DBD7309E38C984BEE77EEEF04305F15451A9889BF709D2708644CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: af5a0ec251ba285eb4c2f5fcc5f7d4c3128bef85e62d7c4a24cd94df22664a2b
                • Instruction ID: b85ff4f81f7de784047f3352ffcf1eee49d0359cd046d9cf7ad1e165ff2a03a5
                • Opcode Fuzzy Hash: af5a0ec251ba285eb4c2f5fcc5f7d4c3128bef85e62d7c4a24cd94df22664a2b
                • Instruction Fuzzy Hash: EBF0C871445168DBD7309E38C944BEE77EAEF04305F19451A9889FF705D7708645CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 0f7061ce7ec2c9980a7ce6070be0d3ec452d6640e8782201e0de56ecb6d1eaf6
                • Instruction ID: da19b76ab7462825c81953f9a81270a2aadebc59c12fd5a4173af984e14fe6bb
                • Opcode Fuzzy Hash: 0f7061ce7ec2c9980a7ce6070be0d3ec452d6640e8782201e0de56ecb6d1eaf6
                • Instruction Fuzzy Hash: 5EF0A031898169DBD7205E748504AAEB7A8FF14201F0A081A8CC9EF605D7B0C980CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 4cd2aec42154dc64c7b6aff9b7e2f1b8649bef3c3d873b5db2a081e53b403b04
                • Instruction ID: 8e043d1bfcda193db842be2d8156a8ed8017582c00a648a80069fdec3c3e2d63
                • Opcode Fuzzy Hash: 4cd2aec42154dc64c7b6aff9b7e2f1b8649bef3c3d873b5db2a081e53b403b04
                • Instruction Fuzzy Hash: 87E04F31899165EFDB209E74C944AEE77A8FF10601F4A05199CC5EB295C7B089818FA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: ad79ed8a70bdede800d73ad264cad05953adcaf6112d283c7cf8e68fb18f1d0b
                • Instruction ID: 87c2c1ea00e5e6d64994bf28e1d65b21c7f3447bd726a02dca544dbbaddc69b3
                • Opcode Fuzzy Hash: ad79ed8a70bdede800d73ad264cad05953adcaf6112d283c7cf8e68fb18f1d0b
                • Instruction Fuzzy Hash: 43E07DB240C2D45FD3125F6888422CA3F18AB636107A5824DC0924B0CBC621010AFBF2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: d07a0f0660d20d61ea79881b08ce5f2b72ee7d8dc448ce8e19c11b54a837dc13
                • Instruction ID: 404be42c4f587a589917a8c0fd0237ea00d3a316a89d866851a0aefa5c97b7e8
                • Opcode Fuzzy Hash: d07a0f0660d20d61ea79881b08ce5f2b72ee7d8dc448ce8e19c11b54a837dc13
                • Instruction Fuzzy Hash: 5AE0C231869258DFDB30AE20CC48AED73B8FF10301F09042A9C88AB250CFF09941CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: f72a1cc11805a60fd870e32b0ad0d62b864aa7e363c3df7fb791dfcdffa0d56f
                • Instruction ID: 697cdcaeb78753e3388d6a2b5f42ec4d6a25c9fa1d501708c7e3d8a3206a3565
                • Opcode Fuzzy Hash: f72a1cc11805a60fd870e32b0ad0d62b864aa7e363c3df7fb791dfcdffa0d56f
                • Instruction Fuzzy Hash: 68B092319A626ACEFB309E689C44BDA36589F21300F0240315C08EB141CAB19D418AA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • TerminateProcess.KERNELBASE ref: 023296B7
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: ProcessTerminate
                • String ID:
                • API String ID: 560597551-0
                • Opcode ID: c0afe43128711c10c1f3279f9138c5eb041f0334a379efdb483d156338410906
                • Instruction ID: aac19403dbea7a5cd6293e8fc350dc81ea41ad7e5d5d68f215ab341cd10a786c
                • Opcode Fuzzy Hash: c0afe43128711c10c1f3279f9138c5eb041f0334a379efdb483d156338410906
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6701051800404775ebc5985b7fd4b3ea37ba8433769fc91943c8f6c5a051e480
                • Instruction ID: 12949f637f5206d221089b9b6069148169e3c8fbd98b8ee9bed6e7bbc753c517
                • Opcode Fuzzy Hash: 6701051800404775ebc5985b7fd4b3ea37ba8433769fc91943c8f6c5a051e480
                • Instruction Fuzzy Hash: 1941563241C3659FCB668F30CC4AAE8FBB1FF12710F180A5DD8954B993D321605ACB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 0a6802aca7557838e0ed1390658d0733b80a36c18f6f99765d3e946c0e89bd04
                • Instruction ID: ce2da599f916fd2bbb19107fa3178acfcdc47a45f5f83ec6f3bd12872dc2c8fc
                • Opcode Fuzzy Hash: 0a6802aca7557838e0ed1390658d0733b80a36c18f6f99765d3e946c0e89bd04
                • Instruction Fuzzy Hash: F74123754092A8DFCF7A6F34DC58ADCBBB1FF18314F054519D9888A512C3320689CF52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 57afa0a398aa11df66fa3bc981b21b7e99f5b9fc50bf280cc59a90cba119a774
                • Instruction ID: d7106622f181bd746eb9c3987b669634f5896ed41afd1da3cb0f73408639dbbc
                • Opcode Fuzzy Hash: 57afa0a398aa11df66fa3bc981b21b7e99f5b9fc50bf280cc59a90cba119a774
                • Instruction Fuzzy Hash: 722106351583A8DBCB2A6F60AC889DCBFB1FF59310F160959E9854A913C3324599DB42
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: fef98fbfdc8ac9e5c6d7e60ec6bbeabb1e8f011517b71136ce83d31bf8c29886
                • Instruction ID: 45e31159948b712813f6d71b44036b068e5489556c4927729e31e55abf6c825d
                • Opcode Fuzzy Hash: fef98fbfdc8ac9e5c6d7e60ec6bbeabb1e8f011517b71136ce83d31bf8c29886
                • Instruction Fuzzy Hash: A321D33144829ACFDB6A6F38CC497DCBBB0FF05314F180669E9949A452C732459ADF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: a8074036657c86605386923733c272db6dd469ce90789a7a6e80d746f4985718
                • Instruction ID: e78d8716ddb3002ddc691a24478f55c895025d64b1979115b2e728f530fdb79a
                • Opcode Fuzzy Hash: a8074036657c86605386923733c272db6dd469ce90789a7a6e80d746f4985718
                • Instruction Fuzzy Hash: BC21053140D2A8CFCB262F34CC08AECBBB1FF15310F190659D8914A4A2C732859DDF82
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 925591e5255f357b731162b300754998fea45dba551c36effb1a3da38608406f
                • Instruction ID: 36db23fc5c949eb0fc9b15719b07a15ba2265d300c470b179c5c4f9ee2ceaeb5
                • Opcode Fuzzy Hash: 925591e5255f357b731162b300754998fea45dba551c36effb1a3da38608406f
                • Instruction Fuzzy Hash: 5AF08C3109C269CBCB6A3F3088496ECFBB1FF11700F25482CD9C596812C732468D8F86
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoadMemoryProtectVirtual
                • String ID: TG-F$oja:$xs T
                • API String ID: 3389902171-2920937423
                • Opcode ID: 9e54541e5fce6fcdeb2816a74887ac58870364969fef084744e6eecb4ccffc82
                • Instruction ID: 717a9b7c5572b911ea60a9969454d34d1bb336c90f1285e36fd2e4db720aac6d
                • Opcode Fuzzy Hash: 9e54541e5fce6fcdeb2816a74887ac58870364969fef084744e6eecb4ccffc82
                • Instruction Fuzzy Hash: 74423A7150C3D48FCB35CF38C9997EABBA5AF52310F55829AC89A8F697D330950AC712
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: TG-F$xs T
                • API String ID: 2706961497-2826639612
                • Opcode ID: f331a96151e7f3e5db4fbe2402f59eaccb52cf8b4402ebfceaa9bd57c2afeb94
                • Instruction ID: 41c9bdfbb1543dac9dcbca2f2ad1f79519e58ec56dd644174dd427c548128eeb
                • Opcode Fuzzy Hash: f331a96151e7f3e5db4fbe2402f59eaccb52cf8b4402ebfceaa9bd57c2afeb94
                • Instruction Fuzzy Hash: 3AD1A2715083D58FCB35CF38C8997A67BE1AF52320F09829AC89A8F6A7D374554AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: TG-F$xs T
                • API String ID: 2706961497-2826639612
                • Opcode ID: ff141ac1576d6412a07127cfc266af0f001cfbe9e8270e323faf97388b79cb3b
                • Instruction ID: c4e333d1d0fb872721d5f41a18c2928a1083ebdfb9194883c7d2dea31a88c06b
                • Opcode Fuzzy Hash: ff141ac1576d6412a07127cfc266af0f001cfbe9e8270e323faf97388b79cb3b
                • Instruction Fuzzy Hash: 09D1B3715083D58FCB35CF38C8997A67BE1AF52320F09829AC89A8F6A7D374554AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: TG-F$xs T
                • API String ID: 2706961497-2826639612
                • Opcode ID: ed5a1dd5ac680cf5cbba7a48185afb6f279e4e1c915d245b037461df1137c04f
                • Instruction ID: a4325ec3d28d9b7f6fbd0f92cccbeab577285d0b88316451a296bf7a38135237
                • Opcode Fuzzy Hash: ed5a1dd5ac680cf5cbba7a48185afb6f279e4e1c915d245b037461df1137c04f
                • Instruction Fuzzy Hash: D7D1B27140C3D58ECB36CF38889A7967FE1AF52320F49829AC89A4F697D374514AC717
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: TG-F$xs T
                • API String ID: 2706961497-2826639612
                • Opcode ID: 8454e73eb01a0cee21c77c09f66041c3b28802374ab27b78d0368915ad1203a5
                • Instruction ID: 694c023f350023e9c9f11c8a65e6961948d4f050cd6ba23cb5ecdc7caf495d78
                • Opcode Fuzzy Hash: 8454e73eb01a0cee21c77c09f66041c3b28802374ab27b78d0368915ad1203a5
                • Instruction Fuzzy Hash: 26C1B2715083D58ECB35CF3888997A67FD1AF52320F49C29AC89A4F5A7D374514AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: TG-F$xs T
                • API String ID: 2706961497-2826639612
                • Opcode ID: ae471aaba8c3bdb66088603f9ad9dc32901db74fec8c900afbc207a33172220d
                • Instruction ID: 1977cd7df3e548eceb6c90da0c9b0056186bdf2f9e5e41be2354a9d97fc7f79a
                • Opcode Fuzzy Hash: ae471aaba8c3bdb66088603f9ad9dc32901db74fec8c900afbc207a33172220d
                • Instruction Fuzzy Hash: 4DC1C13150C3D58ECB36CF3888997A67FE1AF52220F49C29AC89A8F5A7D374514AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: TG-F$xs T
                • API String ID: 2706961497-2826639612
                • Opcode ID: 18a5481a87d4143e8c30b5e9b52d69514ef89c2073f565378767924e90ce1919
                • Instruction ID: 11ad531057f9f1de030c2a1e9df98e6f91c35d0e503cccb80473e16ede3219db
                • Opcode Fuzzy Hash: 18a5481a87d4143e8c30b5e9b52d69514ef89c2073f565378767924e90ce1919
                • Instruction Fuzzy Hash: B2C1B1715083D58ECB36CF3888997A67FE1AF52320F49C29AC89A8F5A7D374514AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: TG-F$xs T
                • API String ID: 0-2826639612
                • Opcode ID: 533014a9c16c18a50f172478e61148e3d5d74b82139ad0eb0d9bf995b73b4ac7
                • Instruction ID: 02602ca44697e31631ed5b3634a039a3d47664e4a4833d93786bdbba7dd2de00
                • Opcode Fuzzy Hash: 533014a9c16c18a50f172478e61148e3d5d74b82139ad0eb0d9bf995b73b4ac7
                • Instruction Fuzzy Hash: 6CC1B13150C3D58EDB36CF3888997A67FE1AF52320F49829AC89A4F6A7D374514AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: TG-F
                • API String ID: 0-2943050470
                • Opcode ID: f7e8a0c6bee2915afe6aabd9d69ab1411135d86f209b06907a63be872e94cefa
                • Instruction ID: 812103b2b13f6e4ea73918834ef53881a323d4d5914a1b8e9d40aa87add035f7
                • Opcode Fuzzy Hash: f7e8a0c6bee2915afe6aabd9d69ab1411135d86f209b06907a63be872e94cefa
                • Instruction Fuzzy Hash: C4B1B33150C3D58ECB35CF3888997A67FD1AB52220F49C29AC89A8F697D374514AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: TG-F
                • API String ID: 0-2943050470
                • Opcode ID: f2e225a5557ec388d035185e65395ae1d2c47942b08b487237cb84eafb7d3224
                • Instruction ID: d038694d531ad42ac5f3896f57090a1e5a4e869924d8a96fec82884125ac6f65
                • Opcode Fuzzy Hash: f2e225a5557ec388d035185e65395ae1d2c47942b08b487237cb84eafb7d3224
                • Instruction Fuzzy Hash: ECB1C23150C3D58ECB35CF38889A7A67FD1AB52220F49C29AC89A8F6A7D374514AC713
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ,qp$
                • API String ID: 1029625771-2377076954
                • Opcode ID: 3a6ea12f1679e3a79602be95117d920597d8ad43a665947770670afd515bbca4
                • Instruction ID: 745879f7ce67b32c5f0202132910538076498ab4807b4da88cbe8878dca78031
                • Opcode Fuzzy Hash: 3a6ea12f1679e3a79602be95117d920597d8ad43a665947770670afd515bbca4
                • Instruction Fuzzy Hash: 8D71DD7295D3A49FC3298F348895199BBA1AB36314F5418AEC9C18FA93D721844FCB42
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: :B?&
                • API String ID: 0-1193226678
                • Opcode ID: e4ab62abb44269dd9d870e56d1e6217136b3d75f1e00fdea6f6687777aa0fda8
                • Instruction ID: 7fb645cd719ea3b69b6938b75a5568b782cab151fb9b85471a448dde6f73f127
                • Opcode Fuzzy Hash: e4ab62abb44269dd9d870e56d1e6217136b3d75f1e00fdea6f6687777aa0fda8
                • Instruction Fuzzy Hash: 5C515772A08398CFDB308E25CC88BEAB7EAEF98340F45005DDC4D97612D7754A89CB41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6690f50c9312fba0250a7336f078444cdbb16ada7789d82bfb055eae2a554299
                • Instruction ID: c71a7f1db3f561d72e4f23a7b78a653573183bf51bb0f364654cb9d4f75c42bf
                • Opcode Fuzzy Hash: 6690f50c9312fba0250a7336f078444cdbb16ada7789d82bfb055eae2a554299
                • Instruction Fuzzy Hash: 09F1B9729082A5CFD7268F388C452EA7BB5FF15310F240AAED990CF5A3D734854ACB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: afebeab93fac1bdd5688cf52e1255c9d753ea20a36ac4581508fc95405916abd
                • Instruction ID: 2a16c16754ff084aaef90c6fa5b6018c07315a3cc8e3920d2a956ec6bc198214
                • Opcode Fuzzy Hash: afebeab93fac1bdd5688cf52e1255c9d753ea20a36ac4581508fc95405916abd
                • Instruction Fuzzy Hash: 0AA1347150836DDFDB34CE25C9857FA77BAAF94340F15802BCC8A8BA55D3305A89CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c1cc9359e3ee92ab53e1f4fe62f0acfc878525d83089c8000f0be342e46f6f41
                • Instruction ID: 0977130ceefd8d14ace59bac4011952c886556e39f04bc13f010b1e54c761c39
                • Opcode Fuzzy Hash: c1cc9359e3ee92ab53e1f4fe62f0acfc878525d83089c8000f0be342e46f6f41
                • Instruction Fuzzy Hash: C1619C7290C2A28FD3228F3C88053D9FFA5BB52214F350A59C5A19F693D730884FCB95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: b49a8a561d453542ecced20594aec47b85a42442f0d68dbb115246ff38d9aff5
                • Instruction ID: 43ed5ecc3acbe75e3bd71b3d947febbeb11000719c5732b47340e3f9e46f3625
                • Opcode Fuzzy Hash: b49a8a561d453542ecced20594aec47b85a42442f0d68dbb115246ff38d9aff5
                • Instruction Fuzzy Hash: 1E81ED362083589FCB349F25C9857EEB7E6EF94300F41881EDD8A97652C7308A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f240d23d4925602c8667ba8727a06c5dcab915b48267a4ecf351759f53c0b464
                • Instruction ID: a9422b89d6a6f961a20effb5b4c3b128e2f8996c6a4b347ad440e7357e510e2b
                • Opcode Fuzzy Hash: f240d23d4925602c8667ba8727a06c5dcab915b48267a4ecf351759f53c0b464
                • Instruction Fuzzy Hash: 58615572408268CFDB34CF34C9457EAB7B6EF55340F11811BCC8A9BA56D3305A89CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 5c25d0b3ffb5a6aea68954858b93c9f8588a544eaf0abaa2fe1493046ceadc74
                • Instruction ID: 67a354a06ae8c97d073a8634f71c947a5aee17cd292fe7de6e108004150d2981
                • Opcode Fuzzy Hash: 5c25d0b3ffb5a6aea68954858b93c9f8588a544eaf0abaa2fe1493046ceadc74
                • Instruction Fuzzy Hash: B85156768083988FC7658F78C8913D9BBB5FF16320F250A5AC9A5DAA93D334444ACB11
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0232BFE4
                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 4e20730c14b86e5a5bed2215f6137a2eee15eb07a4fceac1d0bc43a990196613
                • Instruction ID: 63f4571bd6e7cf9cb4b5b2c478fd9f80a1d70f4c4bb35d6fd0e469415d76fb03
                • Opcode Fuzzy Hash: 4e20730c14b86e5a5bed2215f6137a2eee15eb07a4fceac1d0bc43a990196613
                • Instruction Fuzzy Hash: FE61DC322083989FDB349E25C9957EFB7B6EF94340F41842EDD8A97612C7309A85CB02
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 78818622be4586ef25332df433d6954aa3c813f88a288513509018d83b88fbe6
                • Instruction ID: af003e0bb7f9856623630ca9b1f1fee961383ef3449fa9aec567910d1c2f2ed5
                • Opcode Fuzzy Hash: 78818622be4586ef25332df433d6954aa3c813f88a288513509018d83b88fbe6
                • Instruction Fuzzy Hash: 0A513531048299CFDB34CF24C9947EB7BB6EF55340F10461BDC8A8BA56C330968ACB56
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 305447bcee7da2e52235cd681ebbf663f6f532c7d9fafecbbae7e35b03401258
                • Instruction ID: 34bc8883d5a46a4c87e9b607a7ef0ee25b0323c26ebbcea14c7c545f8c7fa0b4
                • Opcode Fuzzy Hash: 305447bcee7da2e52235cd681ebbf663f6f532c7d9fafecbbae7e35b03401258
                • Instruction Fuzzy Hash: 5A51147244826CDFDB34CE35C9857EA77B6EF58340F15811BDC8A9BA15D3306A89CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 22eac137611daf6930f21d32f2df13c95d8e7e54db472528bc9f2d27f19fb9af
                • Instruction ID: 90beeae111513448b033dcc9df2b3dffa84dfa9fefd5c67b75bc692873e6b56a
                • Opcode Fuzzy Hash: 22eac137611daf6930f21d32f2df13c95d8e7e54db472528bc9f2d27f19fb9af
                • Instruction Fuzzy Hash: E05122714483A8CFDB34CF24C8957EABBB6EF55340F15851BDC8A8BA12D3305689CB52
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 4ceba02aea663d3b0d4c3c637d657eaa76ec5652c4217849ced9eebdc67cc51d
                • Instruction ID: 47a9a4d994ec0b66005d59d1a0ef769a5cd6e7c34028b0217859d355f859df5f
                • Opcode Fuzzy Hash: 4ceba02aea663d3b0d4c3c637d657eaa76ec5652c4217849ced9eebdc67cc51d
                • Instruction Fuzzy Hash: 4C51247240826CDFDB34DE35C9857EA77B6EF58340F15811BDC8A8BA15D3306A89CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3dc53da47d7a08c9219707005f94e5080251094a24f02c1cc1eb344e836888eb
                • Instruction ID: 4e8d053ecf9966e6df74ef62bbf8456b81f4c9e858b399b55397346adeaa46d0
                • Opcode Fuzzy Hash: 3dc53da47d7a08c9219707005f94e5080251094a24f02c1cc1eb344e836888eb
                • Instruction Fuzzy Hash: 975101316453589FDB34CE258AA57EBB7E2BF59700F84011ECE4E4B702C334A648CB96
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00405395(signed int __eax, signed char __ecx, signed int __edx, void* __edi, long long __fp0) {
                				signed int _t102;
                				signed int _t103;
                				signed char _t126;
                				signed char _t157;
                				void* _t159;
                				signed int* _t160;
                				signed int _t162;
                				signed int _t194;
                				signed int _t195;
                				void* _t201;
                				signed int _t202;
                				signed int _t211;
                				signed int _t212;
                
                				L0:
                				while(1) {
                					L0:
                					_t156 = __edx;
                					_t154 = __ecx;
                					_t100 = __eax;
                					_t111 = __edi - 3;
                					_pop(_t160);
                					asm("std");
                					asm("cmc");
                					asm("sbb [ecx-0x17], dh");
                					while(1) {
                						L4:
                						goto 0x182faab8;
                						asm("rcl dword [0x32155e32], 1");
                						asm("adc eax, 0x32155e32");
                						asm("adc eax, 0x32155e32");
                						asm("adc eax, 0x32155e32");
                						asm("adc eax, 0x32155e32");
                						asm("adc eax, 0x32155e32");
                						_pop(_t162);
                						asm("aam 0xa9");
                						_t102 = _t100 ^  *(_t154 + 0x41);
                						 *0x8fcddf6c = _t102;
                						asm("int1");
                						asm("lock ror byte [ebx-0x8], 1");
                						 *(_t194 - 0x41e0f1b6) =  !( *(_t194 - 0x41e0f1b6));
                						if(_t102 < 0) {
                							break;
                						}
                						L5:
                						_t201 =  *((intOrPtr*)(_t160 - 0x7c)) - _t160;
                						asm("int1");
                						asm("movsb");
                						asm("in eax, dx");
                						asm("sahf");
                						if(_t201 < 0) {
                							L6:
                							while(_t201 >= 0) {
                								_t111 = _t111 - 1;
                								 *(_t154 - 0x55eefa33) =  *(_t154 - 0x55eefa33) | _t111;
                								asm("aas");
                								 *(_t156 + 0x18 + _t194 * 8) =  *(_t156 + 0x18 + _t194 * 8) << _t154;
                								_t100 = _t102 + 1;
                								asm("adc [edi+eax-0x15117077], esp");
                								_t39 = _t156 + _t162 * 8 - 0x19;
                								 *_t39 =  *(_t156 + _t162 * 8 - 0x19) ^ 0x07ede50b;
                								_t202 =  *_t39;
                								_t45 = _t162 + 0x2eeab99e;
                								_t46 = _t156;
                								_t156 =  *_t45;
                								 *_t45 = _t46;
                								asm("a16 scasb");
                								if(_t202 <= 0) {
                									goto L4;
                								} else {
                									L8:
                									_pop(_t160);
                									asm("std");
                									asm("cmc");
                									asm("sbb [edi], al");
                									asm("sahf");
                									asm("aas");
                									if(_t202 == 0) {
                										continue;
                									} else {
                										L9:
                										_t195 = _t195 |  *_t111;
                										do {
                											L10:
                											_t194 = _t194 &  *(_t156 - 0x75);
                											 *_t160 =  *_t160 << 0x7e;
                											asm("lds edx, [eax]");
                											asm("sbb eax, 0x63649420");
                											_t160[0x9fbc71d] = _t160[0x9fbc71d] + _t111;
                											asm("pushfd");
                											asm("sbb esi, [ecx+0x7d]");
                											asm("fnstcw word [ecx+ebx]");
                											_t156 = _t156 - 1;
                										} while (_t156 < 0);
                										_t156 = _t156 - 1;
                										asm("rcl cl, 1");
                										fs = _t194;
                										_t102 = 0x7e;
                										_t154 = 0xd4;
                										 *_t160 =  *_t160 & _t156;
                										asm("fst qword [0x32155e32]");
                										break;
                									}
                								}
                								goto L14;
                							}
                							L12:
                							L13:
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x32155e32");
                						}
                						L14:
                						asm("adc eax, 0x32155e32");
                						asm("adc eax, 0xd4155e32");
                						_t195 = _t195 + 1;
                						 *(_t156 + 0x25fee99d) = _t154;
                						if(0xb2 == 0) {
                							goto L13;
                						}
                						L15:
                						_push(_t160);
                						asm("cld");
                						asm("cmc");
                						asm("sbb [edx+0x79], al");
                						L16:
                						while(0xb2 < 0) {
                							asm("sbb ebx, ecx");
                							L18:
                							asm("cld");
                							_t195 = _t195 - 1;
                							asm("bound ebx, [ecx]");
                							asm("retf");
                							asm("cld");
                							_push(ds);
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x32155e32");
                							asm("adc eax, 0x7155e32");
                							_t211 = _t102 & 0xc0c163fc;
                							asm("sti");
                							_t102 =  *0xec855cf4;
                							asm("stosb");
                							if(_t211 < 0) {
                								continue;
                							} else {
                								L19:
                								_t156 = 0xfd;
                								asm("cmc");
                								asm("sbb [ebp+0x4f], dh");
                								asm("wait");
                								_t194 = 0x9acb337d;
                								asm("outsb");
                								_push(_t160);
                								asm("cdq");
                								_t212 = _t102;
                							}
                							break;
                						}
                						L20:
                						asm("sbb [ebp+0x1b], bh");
                					}
                					L2:
                					asm("aam 0xbf");
                					_t103 = _t102 - 1;
                					asm("sti");
                					_t100 = _t103 /  *0xd7557edf;
                					_t157 = _t103 %  *0xd7557edf;
                					 *(_t194 - 0x37d6e23c) =  *(_t194 - 0x37d6e23c) ^ _t157;
                					asm("popfd");
                					_pop(_t126);
                					_pop(_t159);
                					_pop(ds);
                					_push(cs);
                					asm("lodsb");
                					_t25 = _t195 + _t159;
                					_t156 =  *_t25;
                					 *_t25 = _t157;
                					_t195 = _t195 ^  *_t162;
                					goto 0x845a;
                					asm("adc al, 0xee");
                					_t111 = _t126 | 0x000000fc;
                					if ((_t126 | 0x000000fc) < 0) goto L1;
                					continue;
                					asm("invalid");
                					asm("wait");
                					_push(__edx);
                					 *((char*)(_t194 + 0x18)) = __ecx;
                					asm("retf");
                					_t102 = (__eax | 0xa2f0009d) +  *((intOrPtr*)((__eax | 0xa2f0009d) - 0x7c));
                					asm("retf");
                					asm("cld");
                					asm("cmc");
                					asm("out 0x1b, eax");
                					_pop(ss);
                					 *((long long*)(_t162 + 0x15)) = __fp0;
                					goto L2;
                				}
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddfa1e2126db24b7a54a272fe4ce32455352fcfc5afebec1f3adba33ceec1b84
                • Instruction ID: a6ea1aa60396d634613261b6997d55d7790720d0167aca9184c63197e1827c53
                • Opcode Fuzzy Hash: ddfa1e2126db24b7a54a272fe4ce32455352fcfc5afebec1f3adba33ceec1b84
                • Instruction Fuzzy Hash: D74146311CEAD195C722DB78A6E46D3FFB0ED0621833D5ADEC0D15AA43D220E14ACF91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10a32cb04a8d3e3afe0e60e6ad01a018951e61b603c95d619379f1d1366b1c86
                • Instruction ID: aa6f5a51dcf7f1323ff58f5abd207d8909f50a82c8489d4d4ffae625e0220120
                • Opcode Fuzzy Hash: 10a32cb04a8d3e3afe0e60e6ad01a018951e61b603c95d619379f1d1366b1c86
                • Instruction Fuzzy Hash: 3151F271645394CFDB38CE25CAA56EAB7E2BF59300F84051ECE4E5B705C730AA48CB96
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61a6f72e0ba72bc432f3238a3256fa6993081265a11d5c91502341aa1897aa52
                • Instruction ID: dd4f5ab70507735906ef15d5b745e3eb0ba07cc6e8f79623b3e283fa0cddfd01
                • Opcode Fuzzy Hash: 61a6f72e0ba72bc432f3238a3256fa6993081265a11d5c91502341aa1897aa52
                • Instruction Fuzzy Hash: BF5123711482ACDFDB34CF25C9997EA77B6EF58340F15851BDC8A8BA15C3306689CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c16778567d2b2c3b305e164b99efe8135f354af021a89474ffb673d931403087
                • Instruction ID: 06ee7e389bf49c05ff54d00511431755bce71f698fece908b699e53fa0b3fa92
                • Opcode Fuzzy Hash: c16778567d2b2c3b305e164b99efe8135f354af021a89474ffb673d931403087
                • Instruction Fuzzy Hash: FF5123710082ACDFDB34CF25C9957EA77BAEF54340F15851BDC8A8BA15C3306689CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 698b6dfe4a3aad258947946d7ead03f9653c011f906f9837f128bd32ce873031
                • Instruction ID: cde2f8865ebb385cf63a395408f44fe8e52dc3bdf7b9d153b6e69367fddb9c37
                • Opcode Fuzzy Hash: 698b6dfe4a3aad258947946d7ead03f9653c011f906f9837f128bd32ce873031
                • Instruction Fuzzy Hash: C45121710082ACDFDB34CF25C9897EA77BAEF54340F15811BDC8A8BA15C3306689CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2fe5b635362ca2dae788e59d39370c3735985e4be5ad958376af25b7dfff2e18
                • Instruction ID: b8c2a091271c95e5de97a1e3b0066f5428d1aa93f67b90798bc196137ee6fecd
                • Opcode Fuzzy Hash: 2fe5b635362ca2dae788e59d39370c3735985e4be5ad958376af25b7dfff2e18
                • Instruction Fuzzy Hash: B95122710082ACDFDB34CF25C9897EA77BAEF54340F15851BDC8A8BA15C3306689CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 736329a274195ce185861daaeefb96a5b44308733e1e9fb39fc625224ddc77da
                • Instruction ID: 97d6d7a3d1b6663c350522d6cb131c5df13bb27ad3f2e051ab801726c60c58d4
                • Opcode Fuzzy Hash: 736329a274195ce185861daaeefb96a5b44308733e1e9fb39fc625224ddc77da
                • Instruction Fuzzy Hash: A341CF35508398DFDB309F25C9857EBB7BAEF94340F55892E8D8987222C7349985CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86211384a82839369e5ede4fe902d7796e954b5b99675d3ba7a5420e0b4fd398
                • Instruction ID: 21838682b72bbf0676f86cae513dbeda501d3b28c645575a542d029a10eafc1d
                • Opcode Fuzzy Hash: 86211384a82839369e5ede4fe902d7796e954b5b99675d3ba7a5420e0b4fd398
                • Instruction Fuzzy Hash: E841E2326453589FDB38CE15CAA57EAB7E2BF59704F84011ECE4E5B741C330AA48CB96
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 72c316ce28be51e235c4b8899aea3cb24570f3793c90a2966c8184f3f5131e19
                • Instruction ID: 6bb6751cd8662dfd4053f50c5a64cd972c57f8ec0053b1d909fb7b31dab6876f
                • Opcode Fuzzy Hash: 72c316ce28be51e235c4b8899aea3cb24570f3793c90a2966c8184f3f5131e19
                • Instruction Fuzzy Hash: 0941DE351083989FDB309F25C9857DBB7BAEF94340F11852E9D8987222C7309A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

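The Similarity entries above carry an Instruction Fuzzy Hash per decompiled function, and several of the functions dumped from the 0x02320000 region (a dump that is not backed by a PE image) resolve libraries through LoadLibraryA. Two of those LibraryLoad functions have fuzzy hashes that differ in only five hex digits, which suggests variants of one import-resolving routine rather than distinct code. The script below is an added example and is not part of this report or of Joe Sandbox: it parses a few records copied from the entries on this page, clusters them by per-digit distance between instruction fuzzy hashes, and lists the cluster members that load libraries from a non-PE-backed dump. The distance metric and the threshold of 8 digits are assumptions of this example; the comparison Joe Sandbox itself applies to its fuzzy hashes is not shown on the page.

```python
"""Cluster decompiled-function records from a Joe Sandbox report by
instruction fuzzy hash and flag library-loading code in unbacked memory.

Added example, not part of the report or of Joe Sandbox. The records
in REPORT are copied from entries on this page; the per-digit Hamming
distance and the threshold are assumptions of this example.
"""
import re
from itertools import combinations

# Constructed sample in the report's own layout (four records from this page).
REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
Similarity
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 5A51147244826CDFDB34CE35C9857EA77B6EF58340F15811BDC8A8BA15D3306A89CB82
Memory Dump Source
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
Similarity
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 4C51247240826CDFDB34DE35C9857EA77B6EF58340F15811BDC8A8BA15D3306A89CB82
Memory Dump Source
• Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
Similarity
• API ID:
• Instruction Fuzzy Hash: 975101316453589FDB34CE258AA57EBB7E2BF59700F84011ECE4E4B702C334A648CB96
Memory Dump Source
• Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• Instruction Fuzzy Hash: D74146311CEAD195C722DB78A6E46D3FFB0ED0621833D5ADEC0D15AA43D220E14ACF91
"""

# One record = dump offset, PE-backed flag, API ID line, fuzzy hash, in that order.
RECORD_RE = re.compile(
    r"Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false).*?"
    r"API ID:(?P<api>[^\n]*)\n.*?"
    r"Instruction Fuzzy Hash: (?P<fuzzy>[0-9A-Fa-f]+)",
    re.S,
)


def parse_records(text: str) -> list:
    """Return one dict per function record found in the report text."""
    return [
        {
            "offset": int(m.group("offset"), 16),
            "pe_backed": m.group("pe") == "true",
            "api": m.group("api").strip(),
            "fuzzy": m.group("fuzzy").upper(),
        }
        for m in RECORD_RE.finditer(text)
    ]


def nibble_distance(a: str, b: str) -> int:
    """Number of hex digits at which two fuzzy hashes differ.

    Assumption of this example: the hash is position-aligned, so a
    per-digit Hamming distance is a usable nearness measure.
    """
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def cluster(records: list, max_distance: int = 8) -> list:
    """Union-find grouping of record indices whose hashes are within max_distance."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        if nibble_distance(records[i]["fuzzy"], records[j]["fuzzy"]) <= max_distance:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(records)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def injected_loaders(records: list) -> list:
    """Indices of functions that load libraries from a dump not backed by a PE image."""
    return [
        i for i, r in enumerate(records)
        if not r["pe_backed"] and "LibraryLoad" in r["api"]
    ]


if __name__ == "__main__":
    recs = parse_records(REPORT)
    for group in cluster(recs):
        print("cluster:", [f"{recs[i]['offset']:08X}/{recs[i]['fuzzy'][:8]}" for i in group])
    print("library loaders in unbacked memory:", injected_loaders(recs))
```

Lowering max_distance to 0 turns the clustering into an exact-duplicate check, which is what the identical Opcode ID and Opcode Fuzzy Hash columns already give you; the tolerant comparison is what groups the two LibraryLoad routines that differ only in a handful of operand digits.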
                C-Code - Quality: 32%
                			E00405A7F(signed int __eax, void* __ecx, signed char __edx) {
                				signed char _t26;
                				signed char _t44;
                				signed char _t47;
                				signed char _t49;
                				signed char _t50;
                				signed int _t52;
                				signed int _t54;
                				void* _t60;
                				void* _t62;
                				intOrPtr _t70;
                				signed char _t76;
                
                				_t47 = __edx;
                				_t25 = __eax;
                				asm("adc eax, 0x32155e32");
                				asm("adc eax, 0x32155e32");
                				asm("adc eax, 0x32155e32");
                				asm("adc eax, 0x32155e32");
                				asm("adc eax, 0x32155e32");
                				asm("adc eax, 0x32155e32");
                				_pop(_t60);
                				asm("adc eax, 0x30155e32");
                				_t62 = _t60 + 0x3abab3fd;
                				_t44 = __ecx + 1;
                				asm("hlt");
                				asm("sbb bl, cl");
                				if(_t44 == 0) {
                					_t44 = _t44 - 1;
                					_pop(es);
                					 *__edx =  *__edx + _t44;
                					_t25 = __eax ^ 0x714043e0;
                				}
                				_t31 = 0xffffffff9135d34c;
                				_t26 = _t25 + 1;
                				_t76 = _t26;
                				if(_t76 >= 0) {
                					 *0x93ab010c = _t26;
                					asm("invalid");
                					asm("sbb bl, cl");
                					asm("adc al, 0x74");
                					_t31 = 0xffffffff9135d34c + _t44;
                					__eflags = _t31;
                					asm("cld");
                					asm("popfd");
                					goto L6;
                				} else {
                					asm("sbb ebx, ecx");
                					asm("cld");
                					if(_t76 <= 0) {
                						L9:
                						if(__eflags >= 0) {
                							L6:
                							_t47 = 0x61;
                							_t26 = 0x42bd6aa6;
                							asm("sbb eax, 0x19224642");
                							L8:
                							_t31 = _t31 &  *_t44;
                							asm("scasd");
                							goto L9;
                						}
                						__eflags = _t26 - 0x11;
                						asm("loopne 0xffffffb0");
                						asm("repne dec edx");
                						asm("rcl cl, 1");
                						asm("sbb ch, al");
                						 *0xd3d8cf99 = _t70;
                						asm("wait");
                						_t44 = _t47;
                						__eflags = _t26 - 0x32;
                						_t62 = ds;
                						asm("adc eax, 0x32155e32");
                					} else {
                					}
                				}
                				_t31 = _t31 ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15) ^  *(_t62 + 0x15);
                				_pop(es);
                				 *(_t44 - 0x64) =  *(_t44 - 0x64) & 0x00000095;
                				asm("sbb eax, ebx");
                				_t26 =  *0x680e3b40 ^  *_t31;
                				asm("pushad");
                				asm("movsb");
                				asm("retf");
                				asm("cld");
                				asm("cmc");
                				if(_t26 < 0) {
                					goto L8;
                				}
                				 *(_t47 + _t47 - 8) =  *(_t47 + _t47 - 8) & _t44;
                				 *0xd424cef8 =  *0xd424cef8 << 1;
                				_t52 = 0xc2a91b3d;
                				asm("sbb [esp+ebp-0x11], dh");
                				_t49 = 0;
                				do {
                					 *(_t62 - 0x4b8b109b) =  *(_t62 - 0x4b8b109b) ^ _t49;
                					asm("scasd");
                					asm("lodsb");
                					asm("aaa");
                					asm("aaa");
                					 *[es:eax+0x7d72309b] =  *[es:eax+0x7d72309b] << 1;
                					asm("fnstcw word [esi+esi*8]");
                					asm("in eax, dx");
                					_t26 = _t26 | 0x00000012;
                					_t50 = _t49 + 1;
                					asm("popad");
                					asm("popfd");
                					asm("sbb ebx, ecx");
                					asm("cld");
                					 *_t50 =  *_t50 ^ _t50;
                					asm("adc eax, 0x32155e32");
                					asm("adc eax, 0x32155e32");
                					asm("adc eax, 0x32155e32");
                					asm("adc eax, 0x32155e32");
                					asm("adc eax, 0x32155e32");
                					asm("adc eax, 0x32155e32");
                					_t62 = ds;
                					asm("adc eax, 0xd2880732");
                					asm("adc ecx, edx");
                					_pop(es);
                					asm("sahf");
                					asm("out dx, al");
                					asm("adc eax, 0x81e0c6a0");
                					asm("sahf");
                					_t54 = _t52 + 2;
                					_t49 = 0x23;
                					if(_t50 - 1 < 0) {
                						asm("lock fst st0");
                						_t26 =  *0xbf33abd4;
                					}
                					_t52 = _t54 ^  *(_t54 - 0x7ced0367);
                				} while (_t52 < 0);
                				asm("in eax, 0x4a");
                				asm("lahf");
                				 *((intOrPtr*)(_t26 + 0x7402644c)) =  *((intOrPtr*)(_t26 + 0x7402644c)) - _t49;
                				asm("repe sub bl, [edi+0x3f4a14a2]");
                				asm("sahf");
                				return _t26;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e34436cc67429fb65084dd4df6dbd5c38cfcd05c41577f2c8a05c996be513182
                • Instruction ID: df235acb1f07602ac1940a3628c275a89387a192458c2b18f1c45a0e22d9b8bc
                • Opcode Fuzzy Hash: e34436cc67429fb65084dd4df6dbd5c38cfcd05c41577f2c8a05c996be513182
                • Instruction Fuzzy Hash: 9431F7321DD99055C631DA7C9AA46E3FBB0DC0A12437E89DBC0D1A9747D150F146CD90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fbb61b717a4a871aaf52add14cf808cd21c27587c5183f7a8ff5fa115d16b8a6
                • Instruction ID: 6d6d9c208e3e8842e418d43e7cc4a5c8ab895ec131689eb0fcf70fc51be859e2
                • Opcode Fuzzy Hash: fbb61b717a4a871aaf52add14cf808cd21c27587c5183f7a8ff5fa115d16b8a6
                • Instruction Fuzzy Hash: D331C1326CA69056CB21DB7996A56D3FFF1DD0611837E989BC0D29A707D210F50ACF81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a51230c8191efc611dc907eb77165e4f4582038edf028bffc777d903f97dab1
                • Instruction ID: 61343a23b9fdd3f8a42bde50b0360d111fda78b04870ad633cf962c6d87e6192
                • Opcode Fuzzy Hash: 2a51230c8191efc611dc907eb77165e4f4582038edf028bffc777d903f97dab1
                • Instruction Fuzzy Hash: 7B41BC361083989FDB709F35C9857DBB7BAEF90340F11891E9DC987222D7349989CA42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b4d9f3bf9bbedc28e89d58109357f05ffc8ac6777fb3452a5b0ca55548f565fa
                • Instruction ID: 7e59a35845547370a8d1d26ac2bb0f86919da817481f5f4fe6614dd410ce7e9c
                • Opcode Fuzzy Hash: b4d9f3bf9bbedc28e89d58109357f05ffc8ac6777fb3452a5b0ca55548f565fa
                • Instruction Fuzzy Hash: 0D31CA32108398DFDB309F6989457DBBBB6AFA1340F16891ED9C997612C330948ACB12
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdf40409105280c446f57738a16c8acd2b60af73f5953a8d4f29cbaaf0f477f1
                • Instruction ID: 9198ad57ef85b89f58513fb9a531697e787b0f14aafea42eac3b0ed07c8f23b1
                • Opcode Fuzzy Hash: cdf40409105280c446f57738a16c8acd2b60af73f5953a8d4f29cbaaf0f477f1
                • Instruction Fuzzy Hash: 7B31003210C398CFD7209F78880579FBBF1AFA1350F06491ED9C6676A2C330408ACB52
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dfbf909ba3063c2247537e466d3eb1560fe567a0b09991017b07f02ca78ef5f7
                • Instruction ID: 665b55d1b23611fe19aa5dd8945a0b4635153b38bbfa49a2ec2ba1a812b79f3c
                • Opcode Fuzzy Hash: dfbf909ba3063c2247537e466d3eb1560fe567a0b09991017b07f02ca78ef5f7
                • Instruction Fuzzy Hash: 9021E036508368DFDB24AF39C90579BB7FAEF90340F16891E9DC993662D3349885CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.497705232.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.497696445.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.497735867.0000000000417000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.497741806.0000000000419000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_171121_PDF.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15834e53a2a19bcf1de4f409aff727f0c196484e4bbf55940e25dc89a41e66c2
                • Instruction ID: a483147d1e2fa76e5cde8dc1b193befe57f493faf733702a5982777ecfb72492
                • Opcode Fuzzy Hash: 15834e53a2a19bcf1de4f409aff727f0c196484e4bbf55940e25dc89a41e66c2
                • Instruction Fuzzy Hash: 8F0112221CD6A111CA61EA78D7A4AD7FBF08D0A01477EA9DBC0D1A5B07D101F54ACD91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 975061465194cda268d7fcf1ad8779e68bf434ac311aa3d4c0419eda6ab156c9
                • Instruction ID: 3a579504861dc45df02a5febf2be3cc39e3494ab623d6dde0ebee871e27fdc7d
                • Opcode Fuzzy Hash: 975061465194cda268d7fcf1ad8779e68bf434ac311aa3d4c0419eda6ab156c9
                • Instruction Fuzzy Hash: EB115771640764CFCB20CF18C9D4FDDB3A1BB48740F12596BC91A8B622D330AA48CA61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0245025f8a0f38c0cd6f96d0222ce9d429d7178478981045d68e2f97f64c6993
                • Instruction ID: 047e0f71e175e8cae648a923f543e3320da2cb515d1e9cbef76d487a8f50f84b
                • Opcode Fuzzy Hash: 0245025f8a0f38c0cd6f96d0222ce9d429d7178478981045d68e2f97f64c6993
                • Instruction Fuzzy Hash: A2C01292D5C13869696125B85615298681949E6660B0182502905AAA0DE8D29D8F4598
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07b1805490ec913ada3960bb4895aecee439d7037e57c98862b62a2d76bfb909
                • Instruction ID: 2c50614a7e08159708870ed301e32dc104cdbcefb1be427a63ecbb5c6302d7e9
                • Opcode Fuzzy Hash: 07b1805490ec913ada3960bb4895aecee439d7037e57c98862b62a2d76bfb909
                • Instruction Fuzzy Hash: 30D012722615C4CFEF19DB18C89179073A4F753B15F2C19D4D1428FA45C95CA801CA00
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.498027231.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2320000_171121_PDF.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a785c2a620c5eda7a528560d83b6cb4ef67904fdd379f4fe76bec28096aec66
                • Instruction ID: 25b4b243e65591eea14d805d32d00038c00db363e18544ce416dd4565dff7c9d
                • Opcode Fuzzy Hash: 3a785c2a620c5eda7a528560d83b6cb4ef67904fdd379f4fe76bec28096aec66
                • Instruction Fuzzy Hash: 3EB092362516408FCE81CA08C390F90B3A4BB04A44F410480E85187B12C224E804C940
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage: 2.1%
                Dynamic/Decrypted Code Coverage: 0%
                Signature Coverage: 0%
                Total number of Nodes: 113
                Total number of Limit Nodes: 9

                Control-flow Graph

                APIs
                • WriteFile.KERNELBASE(00000000,?,?), ref: 03204AF8
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: FileLibraryLoadWrite
                • String ID: ~iD
                • API String ID: 2534920666-1955462559
                • Opcode ID: d03e2929a55809ffc75b54e53ba69d622c1a22addc169433234063c90710a046
                • Instruction ID: 1a27f85fa2f87057f2ec26cdc69a2d512174d604207e81d8aa253733586679e6
                • Opcode Fuzzy Hash: d03e2929a55809ffc75b54e53ba69d622c1a22addc169433234063c90710a046
                • Instruction Fuzzy Hash: 3BA1EE351183889FCB34EE25C9857EEB7A2EF44340F45851EDD8A9B292C7708A85CF42
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID: eKU$
                • API String ID: 823142352-2864510924
                • Opcode ID: 5a888558f530ea920920d540d0bbc9b17a70b8a607c4af46095f8a0e8cebe8bd
                • Instruction ID: f847f98f723e8937e18381742f20a62e066a078da3e1dca5a551d5e5d6f8a380
                • Opcode Fuzzy Hash: 5a888558f530ea920920d540d0bbc9b17a70b8a607c4af46095f8a0e8cebe8bd
                • Instruction Fuzzy Hash: 33710570528249DBDB79DE34CAA4BFA37A2AF85310F01812ECC4A8F295C77496C5CB41
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 0320BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: fd72866d491360dbc49b3b2a6e7cb8fcdc270621c7c3a384141e676c2bda7b9a
                • Instruction ID: 77e25910d36c69f9a3c6f65991f03a70b1e52d4fb4b41ad88bf4274d16d237a8
                • Opcode Fuzzy Hash: fd72866d491360dbc49b3b2a6e7cb8fcdc270621c7c3a384141e676c2bda7b9a
                • Instruction Fuzzy Hash: C551177142A344CFDB30DFA4CC017EABBB1AF45350F154519DC8A9B693D7B0898ACB96
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 0320BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: 1d7feb93c1e0cce13a763aa75c650759768cb17940812feec9c66e92c3145dc0
                • Instruction ID: 628ca1cf8d5c039d374058e4a3163e325f2be09488e6c06ded008e9f0a7f3fc6
                • Opcode Fuzzy Hash: 1d7feb93c1e0cce13a763aa75c650759768cb17940812feec9c66e92c3145dc0
                • Instruction Fuzzy Hash: 8551147143A384CBDB30DFA0CD017EABBB1AF45350F454009DC8E9B6A2C7B08A89CB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 0320BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: 6d3ec819fca886c26ff7a179f79721739e75eccedb5a213723b6c300aa9ce506
                • Instruction ID: cdca31a6a67f66dc6771bb53b304299e813a46c1216b1b228d1127539c5599e6
                • Opcode Fuzzy Hash: 6d3ec819fca886c26ff7a179f79721739e75eccedb5a213723b6c300aa9ce506
                • Instruction Fuzzy Hash: B851D17106A380CFDB70EFA4C8017EABBB1AF55350F45041AD8CA4B693D7B085CACB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 0320BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateLibraryLoadMemoryVirtual
                • String ID: W&R_
                • API String ID: 2616484454-940024294
                • Opcode ID: 44088a8b423f241dde5861bdd25c8833e8c219ac7ece6668bd2f616940731547
                • Instruction ID: e5c17b0f3e63015f5556869ea53ee2b36168ba6ff0531762e4ab36e2dfb46879
                • Opcode Fuzzy Hash: 44088a8b423f241dde5861bdd25c8833e8c219ac7ece6668bd2f616940731547
                • Instruction Fuzzy Hash: F641E47102A384CFDB70DFA4CC517EABBB1AF85350F144419D88E4B693D7B09589CB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID: W&R_
                • API String ID: 2167126740-940024294
                • Opcode ID: 9816b7768e3a806f5268fa1b33f22c823fffe13cf82ef30dfe4e9a093f944bcf
                • Instruction ID: b1b195c088ca3016cf9e0dc997777c114a664251100a5ce9ec7987834d4a0f93
                • Opcode Fuzzy Hash: 9816b7768e3a806f5268fa1b33f22c823fffe13cf82ef30dfe4e9a093f944bcf
                • Instruction Fuzzy Hash: 4A41C07106A784CFDB70DFA0CC11BEABBB1AF55350F044419D88A4B693D7B0868ACB56
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • WriteFile.KERNELBASE(00000000,?,?), ref: 03204AF8
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: FileLibraryLoadWrite
                • String ID:
                • API String ID: 2534920666-0
                • Opcode ID: b49a8a561d453542ecced20594aec47b85a42442f0d68dbb115246ff38d9aff5
                • Instruction ID: 6943558f867a79dbdce3469e3c375cb90f49e4265f53fab775f04245c34426fe
                • Opcode Fuzzy Hash: b49a8a561d453542ecced20594aec47b85a42442f0d68dbb115246ff38d9aff5
                • Instruction Fuzzy Hash: CC81D0351183499FCB34EE25C9957EEB7E2AF54300F45881EDD8A97292C7708AC5CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • WriteFile.KERNELBASE(00000000,?,?), ref: 03204AF8
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: FileLibraryLoadWrite
                • String ID:
                • API String ID: 2534920666-0
                • Opcode ID: 4e20730c14b86e5a5bed2215f6137a2eee15eb07a4fceac1d0bc43a990196613
                • Instruction ID: 0fc084b383073caad91e12bdaa86bdc5fdf6bbf40e1a9365e1a01ac44d92b1bf
                • Opcode Fuzzy Hash: 4e20730c14b86e5a5bed2215f6137a2eee15eb07a4fceac1d0bc43a990196613
                • Instruction Fuzzy Hash: C661DF31218348DFDB34EE26C9957EFB7B6AF94340F45842EDD8A87252C7709A85CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • WriteFile.KERNELBASE(00000000,?,?), ref: 03204AF8
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0

                Control-flow Graph: (graph rendering omitted; entry block 3204a81-3204b5e, calls WriteFile and subroutine 320fb89)
                APIs
                • WriteFile.KERNELBASE(00000000,?,?), ref: 03204AF8
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0

                Control-flow Graph: (graph rendering omitted; entry block 3203760-32037a5, calls RegCreateKeyExA and subroutines 320cfc2, 3203b3c, 32039f0)
                APIs
                  • Part of subcall function 0320CFC2: NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                • RegCreateKeyExA.KERNELBASE(FA8B1BB9,998EC4FD,-9B1E3898), ref: 03203967
                  • Part of subcall function 032039F0: RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateCreateMemoryValueVirtual
                • String ID:
                • API String ID: 17316909-0

                Control-flow Graph: (graph rendering omitted; entry block 3203781-32037a5, calls RegCreateKeyExA and subroutines 320cfc2, 3203b3c, 32039f0)
                APIs
                  • Part of subcall function 0320CFC2: NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                • RegCreateKeyExA.KERNELBASE(FA8B1BB9,998EC4FD,-9B1E3898), ref: 03203967
                  • Part of subcall function 032039F0: RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateCreateMemoryValueVirtual
                • String ID:
                • API String ID: 17316909-0

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0

                APIs
                • WriteFile.KERNELBASE(00000000,?,?), ref: 03204AF8
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0

                APIs
                • RegCreateKeyExA.KERNELBASE(FA8B1BB9,998EC4FD,-9B1E3898), ref: 03203967
                  • Part of subcall function 032039F0: RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateValue
                • String ID:
                • API String ID: 2259555733-0

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0

                APIs
                • NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0

                APIs
                • NtProtectVirtualMemory.NTDLL ref: 0320F776
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0

                Control-flow Graph: (graph rendering omitted; entry block 320bef6-320bfcb, calls LoadLibraryA and subroutines 320c014, 320c982)
                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ~iD
                • API String ID: 1029625771-1955462559

                Control-flow Graph: (graph rendering omitted; entry block 320befb-320bfcb, calls LoadLibraryA and subroutines 320c014, 320c982)
                APIs
                • LoadLibraryA.KERNELBASE(1AE1C299), ref: 0320BFE4
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID: ~iD
                • API String ID: 1029625771-1955462559

                APIs
                  • Part of subcall function 0320CFC2: NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                • RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryValueVirtual
                • String ID:
                • API String ID: 115516962-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                • RegCreateKeyExA.KERNELBASE(FA8B1BB9,998EC4FD,-9B1E3898), ref: 03203967
                  • Part of subcall function 032039F0: RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateValue
                • String ID:
                • API String ID: 2259555733-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                  • Part of subcall function 0320CFC2: NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                • RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryValueVirtual
                • String ID:
                • API String ID: 115516962-0

                APIs
                  • Part of subcall function 0320CFC2: NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                • RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryValueVirtual
                • String ID:
                • API String ID: 115516962-0

                APIs
                  • Part of subcall function 0320CFC2: NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0320D344
                • RegSetValueExA.KERNELBASE(?,-9EBEAE7A), ref: 03203B11
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryValueVirtual
                • String ID:
                • API String ID: 115516962-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0

                APIs
                • GetLongPathNameW.KERNELBASE(?,?), ref: 0320B980
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches
                Similarity
                • API ID: LongNamePath
                • String ID:
                • API String ID: 82841172-0
                • Opcode ID: ab6f54bbdada7728d1b9e76307180e3ad847571a4b56c41102d19628cf31ae5b
                • Instruction ID: bdb65a9098ace099e2b17c1afcfcd9fadb3453ffd677c868190f90b3cf7a66ac
                • Opcode Fuzzy Hash: ab6f54bbdada7728d1b9e76307180e3ad847571a4b56c41102d19628cf31ae5b
                • Instruction Fuzzy Hash: 3BE0E5B15183989FCB249F68D8C46EAB7A4FB28350F02480AE98997251C6B05E84CB52
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs: none listed
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches: none
                Similarity
                • API ID: CreateFile
                • String ID: (none)
                • API String ID: 823142352-0
                • Opcode ID: d07a0f0660d20d61ea79881b08ce5f2b72ee7d8dc448ce8e19c11b54a837dc13
                • Instruction ID: 5540bc11e5cf8ffd8b3e99b891cf7a4f0cae63cd72848a99ded79a4b6188fc14
                • Opcode Fuzzy Hash: d07a0f0660d20d61ea79881b08ce5f2b72ee7d8dc448ce8e19c11b54a837dc13
                • Instruction Fuzzy Hash: 74E0C231869258DFDB30AE20CC48AED73B4FF10301F05042A9C88AB290CFF099818FA9
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs: none listed
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches: none
                Similarity
                • API ID: InitializeThunk
                • String ID: (none)
                • API String ID: 2994545307-0
                • Opcode ID: 9f6a7f825f83d88c1ed46004d353caebf5f2c4a4ced15f79f09715c02936f21f
                • Instruction ID: a575a6436e1d294ad8230f224e082f9729413bfa3f979c4c9e838c1fe41a2d27
                • Opcode Fuzzy Hash: 9f6a7f825f83d88c1ed46004d353caebf5f2c4a4ced15f79f09715c02936f21f
                • Instruction Fuzzy Hash: E2D012B14493C0CFC371DFE4444054B7E31AB32350794584ED0821FAC7C760018AEB75
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • GetLongPathNameW.KERNELBASE(?,?), ref: 0320B980
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches: none
                Similarity
                • API ID: LongNamePath
                • String ID: (none)
                • API String ID: 82841172-0
                • Opcode ID: b5755f5f928bde619fc05f183b2212aeb5721c85b26bf32181f53618f1604de6
                • Instruction ID: 2d43426bf2471662acb7794af6996f6e706141d5a22d96803a95c155a96e09e2
                • Opcode Fuzzy Hash: b5755f5f928bde619fc05f183b2212aeb5721c85b26bf32181f53618f1604de6
                • Instruction Fuzzy Hash: C2C04C3286106D4FCB709E089DC87D93659BB25310F1545669859EB141C7B15E99CBD0
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs: none listed
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches: none
                Similarity
                • API ID: CreateFile
                • String ID: (none)
                • API String ID: 823142352-0
                • Opcode ID: f72a1cc11805a60fd870e32b0ad0d62b864aa7e363c3df7fb791dfcdffa0d56f
                • Instruction ID: 697cdcaeb78753e3388d6a2b5f42ec4d6a25c9fa1d501708c7e3d8a3206a3565
                • Opcode Fuzzy Hash: f72a1cc11805a60fd870e32b0ad0d62b864aa7e363c3df7fb791dfcdffa0d56f
                • Instruction Fuzzy Hash: 68B092319A626ACEFB309E689C44BDA36589F21300F0240315C08EB141CAB19D418AA0
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs: none listed
                Memory Dump Source
                • Source File: 0000000F.00000002.543844211.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_3200000_ieinstal.jbxd
                Yara matches: none
                Similarity
                • API ID: Sleep
                • String ID: (none)
                • API String ID: 3472027048-0
                • Opcode ID: de36933086cc20c1691d9f6cb5813d8ac17508e32755b3ca9e26980820e18918
                • Instruction ID: d79d0cdc3dbc47ceb9db5c95c820e6d568d561fdf803f3670faf50001dfe06e8
                • Opcode Fuzzy Hash: de36933086cc20c1691d9f6cb5813d8ac17508e32755b3ca9e26980820e18918
                • Instruction Fuzzy Hash: 5BE07262C0A7C98BE310BA24CC082CD7390AB392A4FBC0B1DC1A089082E02186424BC6
                Uniqueness
                • Uniqueness Score: -1.00%