
Windows Analysis Report
ORDINE.exe

Overview

General Information

Sample Name: ORDINE.exe
Analysis ID: 679294
MD5: 30e619eed663b6696ba1269dec11e1a9
SHA1: 04ad1454bb163c8e1c5820ba591ae613dd6f6d45
SHA256: faaddcf1294c8358fc6ccc4c36ecdc9fccd03ac345b3d022db144798d611397d
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected AsyncRAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Injects files into Windows application
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Potential browser exploit detected (process start blacklist hit)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ORDINE.exe (PID: 5760 cmdline: "C:\Users\user\Desktop\ORDINE.exe" MD5: 30E619EED663B6696BA1269DEC11E1A9)
    • vbc.exe (PID: 1164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 3472 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5416 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6000 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5736 cmdline: cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • iexplore.exe (PID: 2848 cmdline: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: 30E619EED663B6696BA1269DEC11E1A9)
    • vbc.exe (PID: 5660 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 4976 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2432 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5348 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4448 cmdline: cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • BackgroundTransferHost.exe (PID: 2432 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
  • iexplore.exe (PID: 4604 cmdline: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: 30E619EED663B6696BA1269DEC11E1A9)
  • cleanup
Malware configuration (AsyncRAT): {"Server": "191.101.130.243", "Ports": "7707", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "F37wL6kU6d1ln0ZzFzD1Z61sP0kXqYbm", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "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", "ServerSignature": "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", "BDOS": "false", "Startup_Delay": "3", "Group": "Alibaba"}
Yara matches on network capture (Source | Rule | Description | Author | Strings):
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x102bf2:$x1: AsyncRAT
  • 0x102c30:$x1: AsyncRAT

Yara matches on memory dumps (Source | Rule | Description | Author | Strings):
00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8243:$x1: AsyncRAT
  • 0x8281:$x1: AsyncRAT
00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xa65d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x35f93:$x1: AsyncRAT
  • 0x35fd1:$x1: AsyncRAT
  • 0x56ef7:$x1: AsyncRAT
  • 0x56f35:$x1: AsyncRAT
0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(17 further memory-dump entries not shown)

Yara matches on unpacked PEs (Source | Rule | Description | Author | Strings):
6.0.vbc.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
6.0.vbc.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
6.0.vbc.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99c1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

No Sigma rule has matched
Snort alerts:
Timestamp: 08/05/22-14:47:38.477674
SID: 2035595
Source IP: 191.101.130.243
Destination IP: 192.168.2.5
Source Port: 7707
Destination Port: 49764
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/05/22-14:47:38.477674
SID: 2030673
Source IP: 191.101.130.243
Destination IP: 192.168.2.5
Source Port: 7707
Destination Port: 49764
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: ORDINE.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: ORDINE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Joe Sandbox ML: detected
Source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "191.101.130.243", "Ports": "7707", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "F37wL6kU6d1ln0ZzFzD1Z61sP0kXqYbm", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "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", "ServerSignature": "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", "BDOS": "false", "Startup_Delay": "3", "Group": "Alibaba"}
Source: ORDINE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDINE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler | source: ORDINE.exe, iexplore.exe.11.dr
          Source: Binary string: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists source: ORDINE.exe, iexplore.exe.11.dr
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 191.101.130.243:7707 -> 192.168.2.5:49764
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 191.101.130.243:7707 -> 192.168.2.5:49764
Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: MAJESTIC-HOSTING-01US
Source: global traffic | TCP traffic: 192.168.2.5:49764 -> 191.101.130.243:7707
Source: unknown | TCP traffic detected without corresponding DNS query: 191.101.130.243 (this line is reported 50 times in the analysis)
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en-
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 5660, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: ORDINE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 5660, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_00B72CA9
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_00B78F50
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BC18DB
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BCAEC8
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD5720
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD0040
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF5D40
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF0040
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04C00007
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04C15CE8
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF5D31
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF0006
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD56BE
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD5710
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05159530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0515D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05154668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05158C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05154661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0515F298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05158918
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_028C2CA9
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_028C8F50
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_0506188E
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_0506AEC8
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05075720
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05070040
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05095D40
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05090040
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_050A003F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05090007
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05095D3F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_0507003F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_050756BE
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_00B7F140 CreateProcessAsUserA
Source: ORDINE.exe, 00000000.00000002.447997854.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDINE.exe
Source: ORDINE.exe, 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome_exe< vs ORDINE.exe
Source: ORDINE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexplore.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ORDINE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDINE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ORDINE.exe "C:\Users\user\Desktop\ORDINE.exe"
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
          Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
          Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\ORDINE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDINE.exe.log
          Source: C:\Users\user\Desktop\ORDINE.exe File created: C:\Users\user\AppData\Local\Temp\iexplore
          Source: classification engine Classification label: mal100.troj.evad.winEXE@30/5@0/1
          Source: ORDINE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\ORDINE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: ORDINE.exe, ToFileTimeUtc.cs Base64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
          Source: 0.0.ORDINE.exe.960000.0.unpack, ToFileTimeUtc.cs Base64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
          Source: 6.0.vbc.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'MNO2Tfg03nxzwqpVgSyI/33z2xcuT7PfxueDhgv77bJLJ2QdHhStgX+CYFeiWREdns2MdlCanW0H0InAG4PkbA==', 'ZDC0fJzzQ9plOv1j5GXtPsGJMGPVDbpxPUhIMJKxXIQriOSH+DCPiVhdymVLsCVZAKHKnlz1XlY3lKsLP+ADbA==', 'xc3lrU/reoebtYPa5JoSpcJVnaTRsn/raQHWysdervWVGzzOn2lZLtDi+cBEutmb2Ws7VtDmGO/9TYgrVhEsSA==', 'ydZqq1YhtqKCG4NjjeqNoIlJfBAgSONldmjlGLuftDCs+us7J5cx9NLfk5yat1y72M3NOcIcFW2UCvEwqit5Qg==', 'V0UW6o6hK8fIoHg027mAgerhquyDb27aKYrTh4U1scs72neC5oNo9A0Vxsh2mTUQ80uJJVQTH4ct5F0bGixtqw==', 'mzAEJafT5yxGpL8rfOe4t2Igrf9atyXT3SF3THcuGt9tD2iGhN918ZFQk84V54i6KRC+gF4eH/2gqcRVxt4P1w=='
          Source: iexplore.exe.11.dr, ToFileTimeUtc.cs Base64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
          Source: C:\Users\user\Desktop\ORDINE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ORDINE.exe Static file information: File size 3145728 > 1048576
          Source: ORDINE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ORDINE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: ORDINE.exe, iexplore.exe.11.dr
          Source: Binary string: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists source: ORDINE.exe, iexplore.exe.11.dr

          Data Obfuscation

          Source: ORDINE.exe, 00000000.00000000.411404596.0000000000962000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
          Source: ORDINE.exe, 00000000.00000000.411404596.0000000000962000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
          Source: ORDINE.exe String found in binary or memory: dotNetProtector
          Source: ORDINE.exeString found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
          Source: iexplore.exe.11.dr String found in binary or memory: dotNetProtector
          Source: iexplore.exe.11.drString found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
          Source: 6.0.vbc.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_00B7E1DD push B15446CAh; retf 0_2_00B7E1E2
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC0F24 push ds; iretd 0_2_04BC0F28
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC0E8C push edx; ret 0_2_04BC0E8F
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC0289 push ebp; iretd 0_2_04BC028C
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC02C8 push ss; iretd 0_2_04BC02CB
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD4C65 push es; ret 0_2_04BD4C66
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF54A1 push edi; retf 0047h 0_2_04BF54A2
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF5345 push esi; retf 0_2_04BF5346
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C053A3 push ebp; ret 0_2_04C053A4
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C05D13 pushad ; ret 0_2_04C05D25
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C10EC8 push ss; ret 0_2_04C10ECB
          Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C118D9 push cs; iretd 0_2_04C118DF
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_028CE1DD push B15446CAh; retf 14_2_028CE1E2
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05060E8C push edx; ret 14_2_05060E8F
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05060289 push ebp; iretd 14_2_0506028C
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050602C8 push ss; iretd 14_2_050602CB
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05074C65 push es; ret 14_2_05074C66
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05095A02 push E803D85Eh; ret 14_2_05095A09
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05095345 push esi; retf 14_2_05095346
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050954A1 push edi; retf 0047h 14_2_050954A2
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050959E3 push E804CF5Eh; retf 14_2_05095A01
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050A5D13 pushad ; ret 14_2_050A5D25
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050A53A3 push ebp; ret 14_2_050A53A4
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050C3194 push esi; iretd 14_2_050C3197
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050C02D8 push es; iretd 14_2_050C02DB
          Source: ORDINE.exe Static PE information: real checksum: 0x7d9b9 should be: 0x308bb9
          Source: iexplore.exe.11.dr Static PE information: real checksum: 0x7d9b9 should be: 0x308bb9
          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe

          Boot Survival

          Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match; file source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
Source: ORDINE.exe, 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp; vbc.exe, 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp; iexplore.exe, 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp; iexplore.exe, 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ORDINE.exe TID: 5780; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4224; Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4224; Thread sleep count: 102 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5304; Thread sleep count: 9790 > 30
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe TID: 5480; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 3928; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\Desktop\ORDINE.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Window / User API: threadDelayed 9790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: iexplore.exe, 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware

Reading the sleep values: 922337203685477 is 2^63-1 (Int64.MaxValue) divided by 10^4, that is, the largest possible 100-ns tick count expressed in milliseconds, which is the millisecond value of .NET's TimeSpan.MaxValue; 1844674407370954 is exactly twice it. A negative interval is how NtDelayExecution encodes a relative (rather than absolute) delay, so the minus sign is the sandbox showing the raw argument, not an error. Either way these threads are parked indefinitely rather than delayed for a measurable time a sandbox could skip, which is consistent with the analysis ending on timeout. The SBIEDLL.DLL string (Sandboxie's injected DLL) and the 'vmware' string are the sample's own sandbox and VM checks. The 'Hyper-V RAW' string, by contrast, is the name of a Winsock protocol provider that mswsock.dll registers on every Windows 10 installation, virtualised or not, so it is not evidence that the sample looked for Hyper-V.

Anti Debugging

Source: C:\Users\user\Desktop\ORDINE.exe; Code function: 0_2_04C1B854 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\ORDINE.exe; Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\Desktop\ORDINE.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\ORDINE.exe; Memory allocated: page read and write | page guard

'Process queried: DebugPort' is NtQueryInformationProcess(ProcessDebugPort), the check that CheckRemoteDebuggerPresent performs internally, so the first and the DebugPort entries describe the same anti-debug test in each launcher. 'Process token adjusted: Debug' is SeDebugPrivilege being enabled in the process token; it is not required to write into a child process the launcher created itself, so treat it as the usual injector boilerplate rather than a sign of privilege escalation. Allocating memory with PAGE_GUARD is a known anti-debugging trick: touching the page raises STATUS_GUARD_PAGE_VIOLATION, which an attached debugger may swallow, letting the sample tell whether it received the exception.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Injected file: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe was created by C:\Windows\SysWOW64\cmd.exe (4 occurrences)
Source: C:\Users\user\Desktop\ORDINE.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, bases: 400000, 402000, 40E000, 410000, 851008
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, bases: 340000, 342000, 34E000, 350000, 464008
Source: C:\Users\user\Desktop\ORDINE.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 340000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ORDINE.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\ORDINE.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Users\user\Desktop\ORDINE.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Users\user\Desktop\ORDINE.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: vbc.exe, 00000006.00000002.684777573.0000000006C5B000.00000004.00000800.00020000.00000000.sdmp; vbc.exe, 00000006.00000003.457645035.0000000009121000.00000004.00000800.00020000.00000000.sdmp; vbc.exe, 00000006.00000002.684581194.0000000006C31000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\ORDINE.exe; Queries volume information: C:\Users\user\Desktop\ORDINE.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\ORDINE.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

What the memory writes show: each launcher starts vbc.exe (the VB.NET compiler, a signed Microsoft binary) with no arguments, then writes a buffer beginning with 4D5A ('MZ') at the new process's image base (0x400000 for the instance started by ORDINE.exe, 0x340000 for the one started by iexplore.exe), followed by one write per section at +0x2000, +0xE000 and +0x10000, which matches the three-section layout (.text, .rsrc, .reloc) visible in the dropped PE's header preview further down. The remaining write lands at an address ending in 0x008 (0x851008 and 0x464008 respectively), which matches offset 0x8 of the 32-bit PEB, the ImageBaseAddress field that hollowing loaders patch so the process resumes into the replaced image. Taken together this is process hollowing: the AsyncRAT payload runs under vbc.exe's name and signature. The command lines are reproduced exactly as the sandbox captured them, including the unbalanced quotes. The 'Program Manager' string is the window title of the Explorer desktop and is consistent with the payload reading the foreground window title (the 'Application Window Discovery' entry in the matrix below). vbc.exe touching Microsoft.VisualBasic, System.Windows.Forms and System.Management in the GAC is not compiler behaviour; System.Management is the WMI client library the injected code needs for the AntivirusProduct query listed under the next heading. MachineGuid is commonly read as a stable per-machine identifier.
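The chain above (self-copy under a browser name, an every-minute scheduled task pointing into %TEMP%, and an argument-less vbc.exe that receives an MZ header at its image base) can be re-derived from ordinary process-creation telemetry. The following is an added example, not part of the Joe Sandbox report: the events are constructed from the report's 'Process created' and 'Memory written' lines, the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the PIDs of the cmd.exe/schtasks.exe children are placeholders (the report only gives PIDs 5760 and 1164). The log source, field names and placeholder PIDs are assumptions for the example.

```python
"""Added example (not from the report): flag the watchdog task, the renamed
self-copy and the hollowed .NET host from constructed process telemetry."""
import re
from dataclasses import dataclass

# Paths a standard user can write to; a task target or injection-host parent
# rooted here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.I)
# Signed .NET framework binaries routinely used as hollowing hosts.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe"}


@dataclass
class ProcEvent:          # assumed shape of a Sysmon EID 1 record
    pid: int
    image: str
    cmdline: str
    parent_image: str
    parent_pid: int


@dataclass
class MemWrite:           # assumed shape of a cross-process write record
    writer: str           # image of the process doing the writing
    target: str           # image of the process written into
    base: int
    head: bytes           # first bytes written at `base`, if captured


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs
    together, then peel the quote layers the report captured ("'...'")."""
    return [t.strip('"').strip("'") for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_switches(cmdline: str) -> dict:
    """Map /switch -> value, or True for bare flags such as /create and /f."""
    toks, out, i = tokens(cmdline), {}, 0
    while i < len(toks):
        t = toks[i]
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/"):
                out[t.lower()] = nxt
                i += 2
                continue
            out[t.lower()] = True
        i += 1
    return out


def chain(ev: ProcEvent, by_pid: dict) -> str:
    """Ancestry as 'root > ... > leaf', as far as the event set allows."""
    names = [basename(ev.image)]
    while ev.parent_pid in by_pid:
        ev = by_pid[ev.parent_pid]
        names.append(basename(ev.image))
    return " > ".join(reversed(names))


def analyse(events, writes=()):
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        if name == "schtasks.exe":
            sw = schtasks_switches(ev.cmdline)
            target, mo = sw.get("/tr", ""), str(sw.get("/mo", "1"))
            # a task that re-launches every few minutes is a watchdog, not a job
            watchdog = str(sw.get("/sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5
            if "/create" in sw and (watchdog or USER_WRITABLE.search(target)):
                findings.append({"rule": "watchdog_task", "task": sw.get("/tn"), "target": target,
                                 "every_min": mo if watchdog else None, "chain": chain(ev, by_pid)})
        elif name == "cmd.exe":
            low = [t.lower() for t in tokens(ev.cmdline)]
            if "copy" in low and len(low) > low.index("copy") + 2:
                i = low.index("copy")
                src, dst = tokens(ev.cmdline)[i + 1], tokens(ev.cmdline)[i + 2]
                # copying to a user-writable path under a different name = masquerading
                if basename(src) != basename(dst) and USER_WRITABLE.search(dst):
                    findings.append({"rule": "self_copy_renamed", "src": src, "dst": dst,
                                     "chain": chain(ev, by_pid)})
        elif name in DOTNET_HOSTS:
            no_args = ev.cmdline.strip('"').lower() == ev.image.lower()   # compiler with no input
            pe_write = [w for w in writes if basename(w.target) == name and w.head.startswith(b"MZ")]
            if no_args and USER_WRITABLE.search(ev.parent_image) and pe_write:
                findings.append({"rule": "hollowed_dotnet_host", "host": name,
                                 "writer": basename(pe_write[0].writer),
                                 "base": hex(pe_write[0].base), "chain": chain(ev, by_pid)})
    return findings


# Constructed from the report; PIDs 9001-9004 and the explorer.exe parent are placeholders.
ORDINE = r"C:\Users\user\Desktop\ORDINE.exe"
IEXPLORE = r"C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD, SCHTASKS = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe"
TASK = r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f'''
SAMPLE_EVENTS = [
    ProcEvent(5760, ORDINE, f'"{ORDINE}"', r"C:\Windows\explorer.exe", 4000),
    ProcEvent(1164, VBC, VBC, ORDINE, 5760),
    ProcEvent(9001, CMD, r'''cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore''', ORDINE, 5760),
    ProcEvent(9002, CMD, f'"cmd" /c {TASK}', ORDINE, 5760),
    ProcEvent(9003, CMD, f'cmd" /c copy "{ORDINE}" "{IEXPLORE}', ORDINE, 5760),
    ProcEvent(9004, SCHTASKS, TASK, CMD, 9002),
]
SAMPLE_WRITES = [MemWrite(ORDINE, VBC, 0x400000, b"MZ"),      # 'value starts with: 4D5A'
                 MemWrite(ORDINE, VBC, 0x402000, b""), MemWrite(ORDINE, VBC, 0x851008, b"")]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS, SAMPLE_WRITES):
        print(f)
```

Run stand-alone it prints three findings: the hollowed vbc.exe (MZ written at 0x400000 by ordine.exe), the renamed copy into AppData\Local\Temp, and the "Nafifas" task firing every minute, each with its ancestry. The second copy that the persistent iexplore.exe performs onto its own path is deliberately not flagged, since the name does not change; the watchdog rule is what catches the re-runs.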

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; file source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

The WMI query is a read-only enumeration of the antivirus products registered with Windows Security Center; it changes no setting by itself, so this heading is where the sandbox files AV discovery, not evidence that protection was disabled. The useful observation is that the query is issued from vbc.exe, a compiler that has no reason to consult Security Center.
MITRE ATT&CK Matrix

The export flattened the matrix (tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Only the cells that carried a signature count are listed; the remaining cells were the unmarked template. Counts are reproduced as shown in the cell; the multi-digit values (221, 312, 31, 13, 111) appear to be several per-severity counts run together by the export and are not reinterpreted here.

Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (2); Shared Modules (1); Exploitation for Client Execution (1)
Persistence: Valid Accounts (1); Scheduled Task/Job (2)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (312); Scheduled Task/Job (2)
Defense Evasion: Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (312); Obfuscated Files or Information (111); Software Packing (1)
Credential Access: no technique marked
Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
Lateral Movement: no technique marked
Collection: Archive Collected Data (1)
Exfiltration: no technique marked
Command and Control: Encrypted Channel (1); Non-Standard Port (1)
Network Effects, Remote Service Effects, Impact: no technique marked
Behavior Graph (the graphic did not survive the export; rendered here as a process tree, with the graph's node ids in brackets and the count the graph printed beside each node in parentheses)

Behavior Graph ID: 679294; Sample: ORDINE.exe; Start date: 05/08/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures

ORDINE.exe (4) [7], started from the root
  dropped: C:\Users\user\AppData\...\ORDINE.exe.log, ASCII
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  cmd.exe (3) [15]: dropped C:\Users\user\AppData\Local\...\iexplore.exe, PE32 and C:\Users\...\iexplore.exe:Zone.Identifier, ASCII; started conhost.exe [34]
  cmd.exe (2) [18]: signature: Uses schtasks.exe or at.exe to add and modify task schedules; started conhost.exe [36]
  vbc.exe (2) [21]: network: 191.101.130.243, 49764, 7707, MAJESTIC-HOSTING-01US, Chile
  cmd.exe (1) [24]: started conhost.exe [38] and schtasks.exe (1) [40]
iexplore.exe (3) [11], started from the root
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Injects files into Windows application
  cmd.exe (1) [26]: started conhost.exe [42] and schtasks.exe (1) [44]
  cmd.exe (1) [28]: started conhost.exe [46]
  cmd.exe (2) [30]: started conhost.exe [48]
  2 other processes [32]
iexplore.exe (2) [13], started from the root

The only network contact is made by the hollowed vbc.exe, not by the launchers, which is where network-based detection should look. Remote port 7707 is one of AsyncRAT's default listener ports (6606, 7707, 8808), matching the 'Non-Standard Port' entry in the matrix.

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
  ORDINE.exe: Avira, TR/Dropper.Gen (100%); Joe Sandbox ML (100%)
Dropped files
  C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe: Avira, TR/Dropper.Gen (100%); Joe Sandbox ML (100%)
Unpacked PE files
  6.0.vbc.exe.400000.0.unpack: Avira, HEUR/AGEN.1202836 (100%)
  14.0.iexplore.exe.3c0000.0.unpack: Avira, HEUR/AGEN.1230579 (100%)
Domains: No Antivirus matches
URLs: No Antivirus matches

Contacted domains: No contacted domains info

Contacted URLs
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; source: vbc.exe, 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
  (This is the WS-Identity claim-type URI that the .NET framework's claims classes carry as a string constant; it was found in memory, not contacted, and is not an indicator.)

Contacted IPs
  191.101.130.243; domain: unknown; country: Chile; ASN: 396073 MAJESTIC-HOSTING-01US; malicious: true
General Information

Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679294
Start date and time: 2022-08-05 14:46:13 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ORDINE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@30/5@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 107
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found

The run stopped on timeout and hit several report-size limits, so the absence of a behaviour from this report is not evidence that it did not occur; in particular the C2 session on 191.101.130.243:7707 was only partially observed.

Simulations (Behavior and APIs)
Time | Type | Description
14:47:36 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe"
Joe Sandbox View / Context

The export's 'No context' entries belong to the other context categories; only the ASN category has matches. Each entry is another sample previously seen contacting this ASN (MAJESTIC-HOSTING-01US, AS396073), with its detection and the IP it used. Most of the associated names share the order/invoice lure theme of ORDINE.exe ('ordine' is Italian for 'order').

Match | Associated Sample Name / URL | Detection | Context (IP)
MAJESTIC-HOSTING-01US | SecuriteInfo.com.W32.AIDetectNet.01.24135.exe | malicious | 191.101.130.162
MAJESTIC-HOSTING-01US | SOA.exe | malicious | 191.101.130.59
MAJESTIC-HOSTING-01US | SecuriteInfo.com.W32.AIDetect.malware2.18700.exe | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | FbEgLaQAtS.exe | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | Delivery report.exe | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | Delivery report.exe.exe | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | REPORT.EXE | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | 2.exe | malicious | 191.101.130.240
MAJESTIC-HOSTING-01US | 2020ka2305.doc | malicious | 191.101.130.240
MAJESTIC-HOSTING-01US | 2020ka2305.doc | malicious | 191.101.130.240
MAJESTIC-HOSTING-01US | 3.exe | malicious | 191.101.130.240
MAJESTIC-HOSTING-01US | Suvhviwivhrjbykcqcwltjbuuplxoiafsc.exe | malicious | 104.37.175.247
MAJESTIC-HOSTING-01US | percarm7 | malicious | 191.96.140.169
MAJESTIC-HOSTING-01US | SecuriteInfo.com.Scr.MalPbsgen1.26772.exe | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | SecuriteInfo.com.Trojan.GenericKD.49030156.343.exe | malicious | 191.101.130.52
MAJESTIC-HOSTING-01US | QaADfQdjK6.exe | malicious | 45.90.222.157
MAJESTIC-HOSTING-01US | q4Xn6vuQ0S | malicious | 38.68.46.106
MAJESTIC-HOSTING-01US | New Order for April.xlsx | malicious | 45.90.222.207
MAJESTIC-HOSTING-01US | PO90381.exe | malicious | 104.37.172.204
MAJESTIC-HOSTING-01US | 95669046.exe | malicious | 191.101.130.122
Dropped files

The first three entries are byte-for-byte the same 425-byte file (same SSDEEP and hashes), written once by each .NET process. Its content has the layout of the CLR usage log that .NET Framework 4.x writes to %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<image>.exe.log (the behavior graph shows ORDINE.exe dropping an ORDINE.exe.log under AppData). Note that the identical content is flagged Malicious: true when written by ORDINE.exe and false for the other two writers, so that flag is context-dependent and not a property of the file; do not use this log as an indicator on its own. Its value is forensic: it records which assemblies each .NET process bound.

Dropped file 1 of 3 (identical content)
Process: C:\Users\user\Desktop\ORDINE.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

Dropped file 2 of 3 (identical content)
Process: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: false
Preview: as for file 1

Dropped file 3 of 3 (identical content)
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: false
Preview: as for file 1
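Parsing these usage logs is the quickest way to confirm from disk what the volume-information entries above show from the monitor: which assemblies a .NET process actually bound. The following is an added example, not part of the report: the sample text is the Preview above with its '..' line breaks restored to CRLF; the reading of record type 1 as runtime settings and type 3 as assembly binds, and the baseline of assemblies a compiler run is expected to load, are my assumptions rather than something the report states.

```python
"""Added example (not from the report): parse a .NET CLR usage log and flag
assemblies that a vbc.exe compile run has no business loading."""
import csv

# The report's Preview with CRLF restored; labelled constructed input.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
)

# Assumed baseline for the VB.NET compiler itself; anything else is worth a look.
COMPILER_BASELINE = ("mscorlib", "System", "System.Core", "Microsoft.VisualBasic")


def parse_usage_log(text: str):
    """Return (settings, assemblies).

    settings:   type-1 records as {name: (value, flag)}          (assumed meaning)
    assemblies: type-3 records as dicts with the simple name, version, public key
                token, the bound (native-image) path and whether it is an NGEN image.
    The file is CSV with quoted fields, so the commas inside the display name survive."""
    settings, assemblies = {}, []
    for row in csv.reader(text.splitlines()):
        if len(row) < 4:
            continue
        kind = row[0]
        if kind == "1":
            settings[row[1]] = (row[2], int(row[3]))
        elif kind == "3":
            display, path = row[1], row[2]
            parts = [p.strip() for p in display.split(",")]
            attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            assemblies.append({
                "name": parts[0],
                "version": attrs.get("Version"),
                "token": attrs.get("PublicKeyToken"),
                "path": path,
                "ngen": path.lower().endswith(".ni.dll"),
            })
    return settings, assemblies


def unexpected_for_compiler(assemblies, baseline=COMPILER_BASELINE):
    """Names bound by the process that are outside the compiler baseline.
    On this sample the monitor saw vbc.exe touch System.Windows.Forms and
    System.Management; a usage log containing them would be flagged here."""
    return [a["name"] for a in assemblies if a["name"] not in baseline]


if __name__ == "__main__":
    settings, asms = parse_usage_log(SAMPLE_LOG)
    print(settings)
    for a in asms:
        print(a["name"], a["version"], a["token"], "ngen" if a["ngen"] else "il", a["path"])
    print("unexpected:", unexpected_for_compiler(asms))
```

On the sample log this reports only System and System.Core, both as NGEN images from the 32-bit native-image cache, and no unexpected assemblies; the same parser run over the vbc.exe log from a live host would surface System.Management (the WMI client) and System.Windows.Forms if the hollowed payload had caused them to be bound.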
Dropped file 4
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3145728
Entropy (8bit): 1.1807463156564255
Encrypted: false
SSDEEP: 6144:Pnsnxlpl/4MgsaffkOiBxqwuhiowOskDnlat1JLfwyTeiB0PJo3zzn:fs3pZ4MgzffDwsbikcJpnfn
MD5: 30E619EED663B6696BA1269DEC11E1A9
SHA1: 04AD1454BB163C8E1C5820BA591AE613DD6F6D45
SHA-256: FAADDCF1294C8358FC6CCC4C36ECDC9FCCD03AC345B3D022DB144798D611397D
SHA-512: 2C7FF7B8658137E4C1CE494B2944E41C51BE8C5D163DF07CC3B16736D3ABF591EA530D2B4B5FCA212FC96D72383A4E65BFE42491A938DC12B42E78B764439BB3
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..b............................~.... ........@.. ....................................@.................................0...K.......r............................................................................ ............... ..H............text........ ...................... ..`.rsrc...r...........................@..@.reloc...............L..............@..B................`.......H...........<.......3....4.............................................Ivan Meedev...(....*..-.*(....&*2~.....(....*..(....*.*..{....*..{....*:~.......(....*..{....*..{....*:~.......(....*6~......(....*..{....*..{....*..{....*..{....*..{....*..{....*.~....(....*.~S...(....*..{....*..{....*.~....(....*..{....*..{....*..{....*.~8...(....*..{....*6~H.....(....*6~I.....(....*..0..?............#E...v.c@#..... S@(o...Y(p...(.........#......t@#......[@(q...Y(p...($........#....

The MD5, SHA1 and SHA-256 of this file are those of the submitted ORDINE.exe, so the iexplore.exe in %TEMP%\iexplore\ is a straight copy made by the 'copy' command above, renamed to masquerade as Internet Explorer (the real binary lives under Program Files, not under AppData\Local\Temp). The size is exactly 3 MiB (3145728 bytes) at an entropy of 1.18, which is consistent with heavy zero-padding, a common trick to push a file past scanner size limits; the meaningful code is a small .NET assembly with three sections (.text, .rsrc, .reloc), the same layout the memory writes into vbc.exe reproduce.

Dropped file 5
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E

The export ends here without this entry's remaining fields. Given the writer (the same cmd.exe that performed the copy), the size and the behavior graph's listing of C:\Users\...\iexplore.exe:Zone.Identifier as an ASCII file created by that cmd.exe, this is the Zone.Identifier alternate data stream copied along with the executable; 26 bytes is the length of '[ZoneTransfer]' and 'ZoneId=3' with CRLF terminators.
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):1.1807463156564255
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:ORDINE.exe
            File size:3145728
            MD5:30e619eed663b6696ba1269dec11e1a9
            SHA1:04ad1454bb163c8e1c5820ba591ae613dd6f6d45
            SHA256:faaddcf1294c8358fc6ccc4c36ecdc9fccd03ac345b3d022db144798d611397d
            SHA512:2c7ff7b8658137e4c1ce494b2944e41c51be8c5d163df07cc3b16736d3abf591ea530d2b4b5fca212fc96d72383a4e65bfe42491a938dc12b42e78b764439bb3
            SSDEEP:6144:Pnsnxlpl/4MgsaffkOiBxqwuhiowOskDnlat1JLfwyTeiB0PJo3zzn:fs3pZ4MgzffDwsbikcJpnfn
            TLSH:C3E5DE3C37F13B61EC9DC831468165246BEA0FA7DEA186D1D3EA19C7930D8F52D44A8B
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..b............................~.... ........@.. ....................................@................................
            Icon Hash:74f4d8cccaccdce4
            Entrypoint:0x44a87e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x62ECB720 [Fri Aug 5 06:22:24 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the listing continues with 97 lines of "add byte ptr [eax], al", which is how the zero bytes following the stub disassemble; 0x402000 is the image base 0x400000 plus the 8-byte IAT at RVA 0x2000, whose single slot is the only import, mscoree.dll!_CorExeMain)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4a830          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4c000          0x2bf72       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x78000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x48884       0x48a00   False     0.42609052280550774  data       5.630156495500773    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x4c000          0x2bf72       0x2c000   False     0.217041015625       data       4.522066472641785    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x78000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type  (Language, Country where given)
RT_ICON        0x4c2c4  0x3b4b   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x4fe10  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x60638  0x94a8   data
RT_ICON        0x69ae0  0x5488   data
RT_ICON        0x6ef68  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294902528
RT_ICON        0x73190  0x25a8   data
RT_ICON        0x75738  0x10a8   data
RT_ICON        0x767e0  0x988    data
RT_ICON        0x77168  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x775d0  0x84     data
RT_VERSION     0x77654  0x1f8    data  (English, United States)
RT_MANIFEST    0x7784c  0x726    XML 1.0 document, ASCII text, with CRLF line terminators  (English, United States)
DLL          Import
mscoree.dll  _CorExeMain
Language of compilation system  Country where language is spoken
English                         United States
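
The static fields above are the ones a first-pass PE triage reads: data directories, section table, entry-point stub and entropy. As an added example (not part of the Joe Sandbox report, and not the sample's own code), the pure-Python script below parses exactly those fields with struct and reports whether an image is a .NET assembly (CLR header present), whether its entry point is the usual "jmp dword ptr [IAT slot]" loader stub, per-section entropy, and the size and entropy of any overlay past the last section. On ORDINE.exe the same checks reproduce what the tables show: a CLR header at RVA 0x2008, an entry stub jumping to 0x402000 inside the 8-byte IAT whose only import is mscoree.dll!_CorExeMain, and three sections whose raw sizes add up to 0x74c00 (478208) bytes, so more than 2.6 MB of the 3145728-byte file lies outside any section; the whole-file entropy of 1.18 against 5.63 for .text says that overlay is near-uniform padding rather than packed payload. The script runs against a synthetic PE it builds in memory (build_sample_pe, a layout assumed for the test and not derived from the sample), so it works offline; pass real file bytes to triage() to use it on a sample.

```python
"""PE32 triage over the fields listed in the static section above: data
directories, section table, the .NET entry stub and per-region entropy.
Added example, not part of the Joe Sandbox report and not the sample's code.
It runs on a synthetic PE built by build_sample_pe() (layout assumed), so no
malware file is needed; point triage() at real file bytes to use it for real."""
import struct
from collections import Counter
from math import log2

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14      # data-directory indices (IAT, CLR header)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    return sum(-(c / n) * log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe32(data: bytes) -> dict:
    """Read the headers triage needs; raises ValueError for anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                 # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):                                    # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "entropy": entropy(data[rawptr:rawptr + rawsize])})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """File offset for an RVA, or None if no section covers it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None


def triage(data: bytes) -> dict:
    pe = parse_pe32(data)
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    clr_size = pe["dirs"][DIR_COM_DESCRIPTOR][1]
    ep = rva_to_offset(pe, pe["entry_rva"])
    stub = data[ep:ep + 6] if ep is not None else b""
    # Every x86 .NET Framework EXE starts with FF 25 <absolute address>, i.e.
    # 'jmp dword ptr [IAT slot]', and that slot resolves to mscoree!_CorExeMain.
    target = struct.unpack_from("<I", stub, 2)[0] - pe["image_base"] if len(stub) == 6 and stub[:2] == b"\xff\x25" else None
    overlay = data[max(s["rawptr"] + s["rawsize"] for s in pe["sections"]):]
    return {
        "is_dotnet": clr_size != 0,
        "entry_jumps_into_iat": target is not None and iat_rva <= target < iat_rva + iat_size,
        "section_entropy": {s["name"]: round(s["entropy"], 2) for s in pe["sections"]},
        "overlay_size": len(overlay),
        "overlay_entropy": round(entropy(overlay), 2),
        "file_entropy": round(entropy(data), 2),
    }


def build_sample_pe(overlay_size: int = 0x40000) -> bytes:
    """Constructed test input (not ORDINE.exe): a PE32 with one .text section at RVA 0x2000
    holding an IAT slot, a CLR-header placeholder and the 'jmp dword ptr [0x402000]' entry
    stub, followed by a zero-filled overlay of the requested size."""
    image_base, text_va, text_raw, text_size, entry = 0x400000, 0x2000, 0x200, 0x200, 0x50
    text = bytearray(text_size)
    struct.pack_into("<II", text, 0, text_va + 0x60, 0)          # IAT: one slot plus null terminator
    struct.pack_into("<I", text, 8, 0x48)                         # IMAGE_COR20_HEADER.cb
    text[entry:entry + 6] = b"\xff\x25" + struct.pack("<I", image_base + text_va)
    text[entry + 6:] = (bytes(range(256)) * 2)[:text_size - entry - 6]   # filler so .text has real entropy
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    for off, val in ((16, text_va + entry), (28, image_base), (32, 0x1000), (36, 0x200),
                     (56, 0x3000), (60, 0x200), (92, 16)):        # entry, base, alignments, sizes, ndirs
        struct.pack_into("<I", opt, off, val)
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, text_va, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, text_va + 8, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(text_raw, b"\0")
    return bytes(headers) + bytes(text) + b"\0" * overlay_size


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

A large overlay with near-zero entropy is the signature of file inflation: the payload and its headers are small, and the file is padded to a size (here 3 MiB) that many scanners and upload limits treat as too large to inspect closely. The real check on a sample is the ratio between overlay size and the sum of the section raw sizes, which this script reports directly.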
Timestamp                 Protocol  SID      Message                                                  Source Port  Dest Port  Source IP        Dest IP
08/05/22-14:47:38.477674  TCP       2035595  ET TROJAN Generic AsyncRAT Style SSL Cert                7707         49764      191.101.130.243  192.168.2.5
08/05/22-14:47:38.477674  TCP       2030673  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)  7707         49764      191.101.130.243  192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Aug 5, 2022 14:47:38.127145052 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:38.269309998 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:38.269445896 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:38.318298101 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:38.477674007 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:38.477732897 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:38.477982998 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:38.487781048 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:38.640578032 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:38.751085043 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:40.419425011 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:40.615670919 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:40.618067026 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:40.809494972 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:50.430208921 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:50.623672009 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:50.623825073 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:50.766381025 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:50.970876932 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:51.112742901 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:51.252288103 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:51.692173004 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:51.884382963 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:47:51.884573936 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:47:52.077028036 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:00.474582911 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:00.666841030 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:00.667256117 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:00.810467958 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:00.956156969 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:01.098112106 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:01.102432966 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:01.294476986 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:01.295002937 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:01.487618923 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:06.666898012 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:06.753413916 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:06.895541906 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:06.956677914 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:10.521596909 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:10.714154959 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:10.714251041 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:10.857007980 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:10.960084915 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:11.105015039 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:11.109167099 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:11.300544977 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:11.300617933 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:11.492717028 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:20.573885918 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:20.766634941 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:20.766736031 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:20.909015894 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:20.957745075 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:21.099809885 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:21.107994080 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:21.299247980 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:21.299333096 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:21.491667986 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:30.627182961 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:30.819617033 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:30.824776888 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:31.017733097 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:31.100992918 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:31.144403934 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:31.286057949 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:31.294070005 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:31.486768007 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:31.489630938 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:31.681834936 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:36.670231104 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:36.858855009 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:36.996824026 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:37.014642954 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:37.014746904 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:40.674314976 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:40.865524054 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:40.865680933 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:41.007802010 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:41.156017065 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:41.297467947 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:41.303443909 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:41.495160103 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:41.495237112 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:41.687614918 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:50.721977949 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:50.913625956 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:50.913796902 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:51.106523037 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:51.119471073 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:51.360080004 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:51.501856089 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:51.512048006 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:51.704071045 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:48:51.705694914 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:48:51.899034023 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:00.770054102 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:00.962053061 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:00.964544058 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:01.107496977 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:01.157732964 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:01.299637079 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:01.303498983 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:01.496954918 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:01.500613928 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:01.691972017 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:06.675004005 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:06.720757008 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:06.862704992 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:06.908261061 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:10.833259106 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:11.025088072 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:11.025204897 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:11.167483091 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:11.221127987 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:11.362684965 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:11.366894007 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:11.560379028 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:11.560462952 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:11.752779007 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:20.922787905 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:21.115556955 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:21.115643978 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:21.293649912 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:21.487680912 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:21.617325068 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:21.629530907 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:21.629695892 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:22.189565897 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:22.382327080 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:22.382452011 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:22.580148935 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:30.879983902 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:31.072783947 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:31.072985888 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:31.215612888 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:31.394804001 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:31.536561966 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:31.538902044 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:31.731264114 CEST  7707         49764      191.101.130.243  192.168.2.5
Aug 5, 2022 14:49:31.733195066 CEST  49764        7707       192.168.2.5      191.101.130.243
Aug 5, 2022 14:49:31.928631067 CEST  7707         49764      191.101.130.243  192.168.2.5
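
The connection table above is a single TCP session from 192.168.2.5:49764 to 191.101.130.243:7707 (7707 is one of AsyncRAT's default ports); the two Snort alerts fire on the server's first data packet at 14:47:38.477674, which carries the TLS certificate the ET rules match. What the raw rows do not make obvious is the timing structure, which is what a network detection would key on once the certificate changes. The following is an added example, not part of the Joe Sandbox report: the timestamps are copied from the table (truncated to microseconds, ">" for client to server, "<" for the reverse), the script groups packets into exchanges separated by at least one second of silence, records which side opened each exchange, and measures how regular the interval between exchanges opened by each side is. On this capture the client opens an exchange about every 10 s and the server one every 30 s. The gap and tolerance values are my own choices, not something the report states.

```python
"""Beacon-interval check over the packet timestamps from the connection table.
Added example, not part of the Joe Sandbox report. PACKETS is copied from the
table (microsecond precision): '>' = 192.168.2.5:49764 -> 191.101.130.243:7707,
'<' = the reverse. The one-second burst gap and 10 % tolerance are assumptions."""
import re
from statistics import median

PACKETS = """
14:47:38.127145> 14:47:38.269309< 14:47:38.269445> 14:47:38.318298> 14:47:38.477674< 14:47:38.477732<
14:47:38.477982> 14:47:38.487781> 14:47:38.640578< 14:47:38.751085> 14:47:40.419425> 14:47:40.615670<
14:47:40.618067> 14:47:40.809494< 14:47:50.430208> 14:47:50.623672< 14:47:50.623825> 14:47:50.766381<
14:47:50.970876> 14:47:51.112742< 14:47:51.252288> 14:47:51.692173> 14:47:51.884382< 14:47:51.884573>
14:47:52.077028< 14:48:00.474582> 14:48:00.666841< 14:48:00.667256> 14:48:00.810467< 14:48:00.956156>
14:48:01.098112< 14:48:01.102432> 14:48:01.294476< 14:48:01.295002> 14:48:01.487618< 14:48:06.666898<
14:48:06.753413> 14:48:06.895541< 14:48:06.956677> 14:48:10.521596> 14:48:10.714154< 14:48:10.714251>
14:48:10.857007< 14:48:10.960084> 14:48:11.105015< 14:48:11.109167> 14:48:11.300544< 14:48:11.300617>
14:48:11.492717< 14:48:20.573885> 14:48:20.766634< 14:48:20.766736> 14:48:20.909015< 14:48:20.957745>
14:48:21.099809< 14:48:21.107994> 14:48:21.299247< 14:48:21.299333> 14:48:21.491667< 14:48:30.627182>
14:48:30.819617< 14:48:30.824776> 14:48:31.017733< 14:48:31.100992< 14:48:31.144403> 14:48:31.286057<
14:48:31.294070> 14:48:31.486768< 14:48:31.489630> 14:48:31.681834< 14:48:36.670231< 14:48:36.858855>
14:48:36.996824< 14:48:37.014642< 14:48:37.014746> 14:48:40.674314> 14:48:40.865524< 14:48:40.865680>
14:48:41.007802< 14:48:41.156017> 14:48:41.297467< 14:48:41.303443> 14:48:41.495160< 14:48:41.495237>
14:48:41.687614< 14:48:50.721977> 14:48:50.913625< 14:48:50.913796> 14:48:51.106523< 14:48:51.119471<
14:48:51.360080> 14:48:51.501856< 14:48:51.512048> 14:48:51.704071< 14:48:51.705694> 14:48:51.899034<
14:49:00.770054> 14:49:00.962053< 14:49:00.964544> 14:49:01.107496< 14:49:01.157732> 14:49:01.299637<
14:49:01.303498> 14:49:01.496954< 14:49:01.500613> 14:49:01.691972< 14:49:06.675004< 14:49:06.720757>
14:49:06.862704< 14:49:06.908261> 14:49:10.833259> 14:49:11.025088< 14:49:11.025204> 14:49:11.167483<
14:49:11.221127> 14:49:11.362684< 14:49:11.366894> 14:49:11.560379< 14:49:11.560462> 14:49:11.752779<
14:49:20.922787> 14:49:21.115556< 14:49:21.115643> 14:49:21.293649< 14:49:21.487680> 14:49:21.617325<
14:49:21.629530< 14:49:21.629695> 14:49:22.189565> 14:49:22.382327< 14:49:22.382452> 14:49:22.580148<
14:49:30.879983> 14:49:31.072783< 14:49:31.072985> 14:49:31.215612< 14:49:31.394804> 14:49:31.536561<
14:49:31.538902> 14:49:31.731264< 14:49:31.733195> 14:49:31.928631<
"""


def parse_packets(text: str) -> list:
    """[(seconds since midnight, sender)] sorted by time; sender is 'client' or 'server'."""
    out = []
    for ts, d in re.findall(r"(\d+:\d+:\d+\.\d+)([<>])", text):
        h, m, s = ts.split(":")
        out.append((int(h) * 3600 + int(m) * 60 + float(s), "client" if d == ">" else "server"))
    return sorted(out)


def bursts(packets: list, gap: float = 1.0) -> list:
    """Group packets into exchanges separated by more than `gap` seconds of silence;
    each exchange is (start time, side that sent its first packet)."""
    groups, last = [], None
    for t, who in packets:
        if last is None or t - last > gap:
            groups.append((t, who))
        last = t
    return groups


def beacon_profile(packets: list, gap: float = 1.0, tolerance: float = 0.10) -> dict:
    """Per side: how many exchanges it opened, the median interval between them, and the
    fraction of intervals within +/- tolerance of that median (1.0 = perfectly regular)."""
    profile = {}
    for side in ("client", "server"):
        starts = [t for t, who in bursts(packets, gap) if who == side]
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        if len(intervals) < 2:            # one interval says nothing about regularity
            continue
        period = median(intervals)
        regular = sum(abs(i - period) <= tolerance * period for i in intervals) / len(intervals)
        profile[side] = {"bursts": len(starts), "period_s": round(period, 2), "regularity": round(regular, 2)}
    return profile


if __name__ == "__main__":
    for side, stats in beacon_profile(parse_packets(PACKETS)).items():
        print(side, stats)
```

The only client-opened interval that falls outside the 10 s pattern is the first one, between the TCP connect at 14:47:38 and the first beacon at 14:47:40; everything after it lands within 100 ms of ten seconds, and the three server-opened exchanges are 30.00 s apart. Fixed-period, low-jitter check-ins like this are what beacon-detection logic should score, independent of the certificate or the port, because both of those are trivial for the operator to change.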

            Target ID:0
            Start time:14:47:18
            Start date:05/08/2022
            Path:C:\Users\user\Desktop\ORDINE.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\ORDINE.exe"
            Imagebase:0x960000
            File size:3145728 bytes
            MD5 hash:30E619EED663B6696BA1269DEC11E1A9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:low

            Target ID:6
            Start time:14:47:30
            Start date:05/08/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Imagebase:0xd90000
            File size:2688096 bytes
            MD5 hash:B3A917344F5610BEEC562556F11300FA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:moderate

            Target ID:7
            Start time:14:47:32
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:8
            Start time:14:47:33
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:9
            Start time:14:47:33
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:10
            Start time:14:47:34
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:11
            Start time:14:47:34
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:12
            Start time:14:47:34
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x320000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:13
            Start time:14:47:35
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:14
            Start time:14:47:36
            Start date:05/08/2022
            Path:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x3c0000
            File size:3145728 bytes
            MD5 hash:30E619EED663B6696BA1269DEC11E1A9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            Reputation:low

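The entries above (Target IDs 0 through 14; 20 through 26 repeat the same steps once the copy is running) show the whole persistence chain in four command lines: ORDINE.exe starts vbc.exe with no arguments and the AsyncRAT Yara rules then match inside vbc.exe, which is the injected payload running; vbc.exe creates %LOCALAPPDATA%\Temp\iexplore, copies the sample there as iexplore.exe, and registers a scheduled task "Nafifas" that relaunches that copy every minute. The following is an added example, not part of the Joe Sandbox report: a small detection routine run over constructed process-creation events that mirror these steps (field names follow Sysmon Event ID 1; the parent-child links are assumed, since the report lists processes rather than parents) plus two benign look-alikes that must not fire. The rule names, the list of .NET host binaries, the set of user-writable directories and the five-minute interval threshold are my own choices.

```python
"""Detection logic for the persistence chain in the process list: a .NET
compiler started with no arguments (injection host), the sample copied into
%LOCALAPPDATA%\\Temp, and a scheduled task that relaunches the copy every minute.
Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS is constructed
to mirror the chain; field names follow Sysmon Event ID 1 and the parent links
are assumed."""
import re

# Directories a standard user can write to; a persistence action living there is worth a look.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# Signed .NET Framework binaries that ship with Windows and are commonly hollowed.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}   # parents for which a compiler child is normal
MAX_TASK_MINUTES = 5                                           # threshold chosen here


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmd: str) -> list:
    """Tokenize a Windows command line: a double-quoted run is one token."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def value_after(args: list, flag: str):
    """The token following `flag` (case-insensitive), or None."""
    low = [a.lower() for a in args]
    if flag in low and low.index(flag) + 1 < len(args):
        return args[low.index(flag) + 1]
    return None


def analyze(events: list) -> list:
    """Return (rule, event id, detail) for every event that matches one of the three rules."""
    hits = []
    for ev in events:
        img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
        args = split_args(ev["CommandLine"])
        low = [a.lower() for a in args]
        # Rule 1: a .NET compiler/host launched with no arguments by something that is not a build tool.
        if img in DOTNET_HOSTS and len(args) <= 1 and parent not in BUILD_PARENTS:
            hits.append(("dotnet_host_no_args", ev["id"], f"{parent} -> {img}"))
        # Rule 2: schtasks /create with a minute-level schedule whose action lives in a user-writable path.
        if ("schtasks" in low or "schtasks.exe" in low) and "/create" in low:
            sched = (value_after(args, "/sc") or "").lower()
            mo = value_after(args, "/mo")
            interval = int(mo) if mo and mo.isdigit() else 1      # schtasks defaults /mo to 1
            action = (value_after(args, "/tr") or "").strip("'")  # the sample wraps the path in single quotes
            if sched == "minute" and interval <= MAX_TASK_MINUTES and USER_WRITABLE.search(action):
                hits.append(("minute_task_user_path", ev["id"], action))
        # Rule 3: cmd's built-in copy writing an .exe into a user-writable path.
        if "copy" in low and low.index("copy") + 2 < len(args):
            dest = args[low.index("copy") + 2]
            if dest.lower().endswith(".exe") and USER_WRITABLE.search(dest):
                hits.append(("exe_copied_to_user_path", ev["id"], dest))
    return hits


VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TEMP_EXE = r"C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe"
SAMPLE_EVENTS = [   # constructed records mirroring Target IDs 0, 6, 7, 9 and 11, plus two benign ones
    {"id": 1, "ParentImage": r"C:\Users\user\Desktop\ORDINE.exe", "Image": VBC, "CommandLine": VBC},
    {"id": 2, "ParentImage": VBC, "Image": CMD,
     "CommandLine": r'"cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore"'},
    {"id": 3, "ParentImage": VBC, "Image": CMD,
     "CommandLine": '"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "\'' + TEMP_EXE + '\'" /f'},
    {"id": 4, "ParentImage": VBC, "Image": CMD,
     "CommandLine": r'"cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "' + TEMP_EXE + '"'},
    {"id": 5, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"id": 6, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "Image": VBC,
     "CommandLine": VBC + " /noconfig /out:App.dll Module1.vb"},
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 is the one that catches the injection before any persistence happens: a compiler started with an empty command line by a desktop executable has no legitimate reason to exist, and the Yara matches in the report are inside exactly that process. Rules 2 and 3 are deliberately narrow (minute-level repeat, user-writable action path) so that ordinary maintenance tasks such as the daily backup in the constructed data stay quiet.
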
            Target ID:20
            Start time:14:48:00
            Start date:05/08/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Imagebase:0xd90000
            File size:2688096 bytes
            MD5 hash:B3A917344F5610BEEC562556F11300FA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:moderate

            Target ID:21
            Start time:14:48:02
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:22
            Start time:14:48:03
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:23
            Start time:14:48:03
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:24
            Start time:14:48:04
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:25
            Start time:14:48:04
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:26
            Start time:14:48:05
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x320000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:27
            Start time:14:48:05
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:34
            Start time:14:48:34
            Start date:05/08/2022
            Path:C:\Windows\System32\BackgroundTransferHost.exe
            Wow64 process (32bit):false
            Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Imagebase:0x7ff6e0560000
            File size:36864 bytes
            MD5 hash:02BA81746B929ECC9DB6665589B68335
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Target ID:38
            Start time:14:49:01
            Start date:05/08/2022
            Path:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x3c0000
            File size:3145728 bytes
            MD5 hash:30E619EED663B6696BA1269DEC11E1A9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen

              Execution Graph

              Execution Coverage:27%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:62.5%
              Total number of Nodes:56
              Total number of Limit Nodes:2
              execution_graph 14634 4c1c370 14637 4c1c386 14634->14637 14638 4c1b854 14637->14638 14642 4c1b86c 14637->14642 14639 4c1d5f0 CheckRemoteDebuggerPresent 14638->14639 14641 4c1d676 14639->14641 14641->14637 14643 4c1d7a0 OutputDebugStringW 14642->14643 14645 4c1d81f 14643->14645 14645->14637 14646 25a0a03 14647 25a0a26 14646->14647 14648 25a0a46 14647->14648 14650 4c1d9a0 14647->14650 14652 4c1d9cd 14650->14652 14651 4c1d9fb 14651->14648 14655 b7e7f1 14652->14655 14659 b7e800 14652->14659 14656 b7e820 14655->14656 14657 b7e910 14656->14657 14663 4bcaec8 14656->14663 14657->14651 14660 b7e820 14659->14660 14661 b7e910 14660->14661 14662 4bcaec8 12 API calls 14660->14662 14661->14651 14662->14660 14664 4bcaf01 14663->14664 14694 b7f140 14664->14694 14698 b7f13e 14664->14698 14665 4bcf2ae 14688 b7f510 SetThreadContext 14665->14688 14689 b7f508 SetThreadContext 14665->14689 14666 4bcf2f1 14680 b7f510 SetThreadContext 14666->14680 14681 b7f508 SetThreadContext 14666->14681 14667 4bcb4e6 14667->14665 14692 b7f5d0 ReadProcessMemory 14667->14692 14693 b7f5c8 ReadProcessMemory 14667->14693 14668 4bcc727 14686 b7f690 VirtualAllocEx 14668->14686 14687 b7f688 VirtualAllocEx 14668->14687 14669 4bcd081 14669->14665 14678 b7f731 WriteProcessMemory 14669->14678 14679 b7f738 WriteProcessMemory 14669->14679 14670 4bcd6f9 14671 4bce5ea 14670->14671 14690 b7f731 WriteProcessMemory 14670->14690 14691 b7f738 WriteProcessMemory 14670->14691 14682 b7f731 WriteProcessMemory 14671->14682 14683 b7f738 WriteProcessMemory 14671->14683 14672 4bce9a2 14672->14665 14673 4bced8d 14672->14673 14673->14666 14674 4bcf164 14673->14674 14676 b7f810 ResumeThread 14674->14676 14677 b7f80e ResumeThread 14674->14677 14675 4bcf189 14675->14656 14676->14675 14677->14675 14678->14670 14679->14670 14680->14675 14681->14675 14682->14672 14683->14672 14686->14669 14687->14669 14688->14666 14689->14666 14690->14670 14691->14670 14692->14668 14693->14668 14695 b7f1cd CreateProcessAsUserA 14694->14695 
14697 b7f3e5 14695->14697 14697->14697 14699 b7f1cd CreateProcessAsUserA 14698->14699 14701 b7f3e5 14699->14701 14701->14701

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 b72ca9-b72d0e 1 b72d10-b72d8a 0->1 1->1 2 b72d8c-b72e62 1->2 3 b72ed7-b72f02 2->3 4 b72e64-b72e90 2->4 5 b72f04-b73091 3->5 4->5 6 b72e92-b72ed6 4->6 23 b73097-b7328f 5->23 24 b781e0-b781f8 5->24 6->3 23->24 56 b73295-b733a8 23->56 27 b781fd-b78232 call b7c2ea call b78253 24->27 28 b781fa-b781fc 24->28 28->27 56->24 69 b733ae-b737f9 56->69 69->24 113 b737ff-b738d7 69->113 113->24 121 b738dd-b73d45 113->121 121->24 168 b73d4b-b73e25 121->168 168->24 176 b73e2b-b74462 168->176 176->24 238 b74468-b74591 176->238 238->24 250 b74597-b74b31 call b701ec 238->250 250->24 306 b74b37-b74b94 250->306 312 b74b96-b74ba2 306->312 313 b74be4-b74e7e 306->313 314 b74ba4-b74baa 312->314 315 b74bac-b74bb2 312->315 343 b74e84-b74e8d 313->343 344 b7532b-b757bc 313->344 316 b74bbc-b74be1 314->316 315->316 343->24 345 b74e93-b74eaa 343->345 344->24 442 b757c2-b75c8a 344->442 348 b75283-b75325 345->348 349 b74eb0-b74fa1 345->349 348->343 348->344 378 b74fa7-b74fad 349->378 379 b7508f-b750dd 349->379 378->24 380 b74fb3-b75089 378->380 390 b75141-b75168 379->390 391 b750df-b75110 379->391 380->378 380->379 393 b7516e-b7527e 390->393 391->390 397 b75112-b7513f 391->397 393->344 397->393 494 b75d65-b75e27 442->494 495 b75c90-b75d60 442->495 512 b75e2d-b75f18 494->512 495->512 522 b75f1e-b7616a 512->522 523 b77278-b77502 512->523 522->24 581 b76170-b7625f 522->581 523->24 574 b77508-b77535 523->574 574->24 576 b7753b-b77654 574->576 576->24 597 b7765a-b77938 576->597 581->24 603 b76265-b76310 581->603 597->24 671 b7793e-b77c32 597->671 618 b76312-b76318 603->618 619 b7632e-b7633c 603->619 618->24 621 b7631e-b7632c 618->621 625 b7633e-b7634c 619->625 621->625 629 b76352-b7635e 625->629 630 b76f2c-b770d3 625->630 629->630 634 b76364-b76370 629->634 680 b770d5-b77272 630->680 634->630 639 b76376-b7665d 634->639 639->24 726 b76663-b76734 639->726 671->24 756 b77c38-b77ef0 671->756 680->522 680->523 726->24 746 b7673a-b769d1 726->746 746->24 796 b769d7-b76c8c 
746->796 756->24 810 b77ef6-b780bb 756->810 796->24 846 b76c92-b76f1d 796->846 810->24 848 b780c1-b781c0 810->848 846->24 885 b76f23-b76f27 846->885 868 b781c8-b781dd 848->868 885->680
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID: B$G$Kmk@$hj@
              • API String ID: 0-381675553
              • Opcode ID: 046e24262b06508755ebbecdf6769af34ae7101f09e1d466d71d9bc19ae8d6b2
              • Instruction ID: ee28850ab7e8bc9dfef438f82c3adff369a7c8526220aeec87c6de4b42135978
              • Opcode Fuzzy Hash: 046e24262b06508755ebbecdf6769af34ae7101f09e1d466d71d9bc19ae8d6b2
              • Instruction Fuzzy Hash: 3FB328709192188FCB55EF29DC8969DBBB1FB49204F0045EAD44CA3B64DF346E89CF1A
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 886 b78f50-b79097 899 b7909d-b79228 886->899 900 b7db1a-b7db44 886->900 899->900 932 b7922e-b79306 899->932 903 b7db46-b7db64 900->903 904 b7db89-b7db8c 900->904 906 b7db66-b7db87 903->906 907 b7dbdc-b7dbf2 903->907 908 b7db8d-b7db9c 904->908 906->904 909 b7dbf4 907->909 910 b7dc09-b7dc44 907->910 911 b7dbd3-b7dbd8 908->911 912 b7db9e 908->912 909->910 913 b7dc46 910->913 914 b7dc9e 910->914 911->908 916 b7dbda-b7dbdb 911->916 912->911 917 b7dc88-b7dc9b 913->917 918 b7dc48-b7dc49 913->918 919 b7dca0-b7dca9 914->919 916->907 917->914 918->919 920 b7dc4b 918->920 920->917 932->900 940 b7930c-b797cb 932->940 940->900 979 b797d1-b798e2 940->979 979->900 989 b798e8-b79d9a 979->989 989->900 1026 b79da0-b79e6f 989->1026 1026->900 1033 b79e75-b7a368 1026->1033 1033->900 1075 b7a36e-b7a465 1033->1075 1075->900 1083 b7a46b-b7a99b call b7033c 1075->1083 1083->900 1126 b7a9a1-b7a9f4 1083->1126 1132 b7a9f6-b7a9ff 1126->1132 1133 b7aa3b-b7accd 1126->1133 1134 b7aa06-b7aa09 1132->1134 1135 b7aa01-b7aa04 1132->1135 1160 b7b115-b7b553 1133->1160 1161 b7acd3-b7acdc 1133->1161 1137 b7aa13-b7aa38 1134->1137 1135->1137 1160->900 1243 b7b559-b7b948 1160->1243 1161->900 1162 b7ace2-b7acf9 1161->1162 1166 b7b083-b7b10f 1162->1166 1167 b7acff-b7adc9 1162->1167 1166->1160 1166->1161 1187 b7aeb4-b7aeff 1167->1187 1188 b7adcf-b7add5 1167->1188 1200 b7af01-b7af2f 1187->1200 1201 b7af60-b7af87 1187->1201 1188->900 1190 b7addb-b7aeae 1188->1190 1190->1187 1190->1188 1200->1201 1206 b7af31-b7af5e 1200->1206 1202 b7af8d-b7b019 1201->1202 1222 b7b023-b7b07e 1202->1222 1206->1202 1222->1160 1279 b7ba3f-b7baeb 1243->1279 1280 b7b94e-b7ba3a 1243->1280 1293 b7baf1-b7bbe6 1279->1293 1280->1293 1302 b7cdb4-b7cf46 1293->1302 1303 b7bbec-b7bded 1293->1303 1302->900 1332 b7cf4c-b7cf79 1302->1332 1303->900 1343 b7bdf3-b7bed2 1303->1343 1332->900 1333 b7cf7f-b7d0b0 1332->1333 1333->900 1355 b7d0b6-b7d33f 1333->1355 1343->900 1361 b7bed8-b7bf73 1343->1361 1355->900 1404 
b7d345-b7d58b 1355->1404 1373 b7bf75-b7bf7b 1361->1373 1374 b7bf91-b7bf9c 1361->1374 1373->900 1375 b7bf81-b7bf8f 1373->1375 1378 b7bf9e-b7bfac 1374->1378 1375->1378 1382 b7bfb2-b7bfbb 1378->1382 1383 b7cafc-b7cc4e 1378->1383 1382->1383 1388 b7bfc1-b7bfca 1382->1388 1420 b7cc50-b7cdae 1383->1420 1388->1383 1394 b7bfd0-b7c240 1388->1394 1394->900 1456 b7c246-b7c327 1394->1456 1404->900 1455 b7d591-b7d84d 1404->1455 1420->1302 1420->1303 1455->900 1500 b7d853-b7da0a 1455->1500 1456->900 1474 b7c32d-b7c59e 1456->1474 1474->900 1517 b7c5a4-b7c845 1474->1517 1500->900 1530 b7da10-b7dafa 1500->1530 1517->900 1555 b7c84b-b7caed 1517->1555 1548 b7db02-b7db17 1530->1548 1555->900 1577 b7caf3-b7caf7 1555->1577 1577->1420
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50256aed99e1ade7f45252af39da31cdcb99f83b303b83b29da882ab70509fef
              • Instruction ID: 3de7593e6a5034110b7d3af26a5016aa8d020dfb01e863c9e470cf6831a58375
              • Opcode Fuzzy Hash: 50256aed99e1ade7f45252af39da31cdcb99f83b303b83b29da882ab70509fef
              • Instruction Fuzzy Hash: 96A31970A046288FCB59EF28ED85698BBB1FF49205F0049EAD44CA3761DF346E88DF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1578 4bd5720-4bd578e 1583 4bd5794-4bd5839 1578->1583 1590 4bd583f-4bd59ca 1583->1590 1591 4bda348-4bda360 1583->1591 1590->1591 1615 4bd59d0-4bd5aa6 1590->1615 1594 4bda2e2 1591->1594 1596 4bda2dc-4bda2e0 1594->1596 1597 4bda2e6-4bda345 1594->1597 1596->1594 1615->1591 1623 4bd5aac-4bd5ee8 1615->1623 1623->1591 1656 4bd5eee-4bd5fbd 1623->1656 1656->1591 1663 4bd5fc3-4bd63a0 1656->1663 1663->1591 1695 4bd63a6-4bd6488 1663->1695 1695->1591 1703 4bd648e-4bd6a67 1695->1703 1703->1591 1752 4bd6a6d-4bd6b7e 1703->1752 1752->1591 1762 4bd6b84-4bd709e 1752->1762 1762->1591 1805 4bd70a4-4bd70fd 1762->1805 1811 4bd714d-4bd7420 1805->1811 1812 4bd70ff-4bd710b 1805->1812 1841 4bd786f-4bd7c6c 1811->1841 1842 4bd7426-4bd742f 1811->1842 1813 4bd710d-4bd7113 1812->1813 1814 4bd7115-4bd711b 1812->1814 1815 4bd7125-4bd714a 1813->1815 1814->1815 1841->1591 1922 4bd7c72-4bd8094 1841->1922 1842->1591 1843 4bd7435-4bd744c 1842->1843 1846 4bd77d4-4bd7869 1843->1846 1847 4bd7452-4bd7524 1843->1847 1846->1841 1846->1842 1869 4bd752a-4bd7530 1847->1869 1870 4bd75f1-4bd763f 1847->1870 1869->1591 1871 4bd7536-4bd75eb 1869->1871 1882 4bd7641-4bd766f 1870->1882 1883 4bd76a0-4bd76c7 1870->1883 1871->1869 1871->1870 1882->1883 1888 4bd7671-4bd769e 1882->1888 1884 4bd76cd-4bd77cf 1883->1884 1884->1841 1888->1884 1958 4bd809a-4bd814e 1922->1958 1959 4bd8153-4bd823a 1922->1959 1972 4bd8240-4bd8346 1958->1972 1959->1972 1983 4bd834c-4bd855c 1972->1983 1984 4bd9608-4bd9795 1972->1984 1983->1591 2028 4bd8562-4bd8631 1983->2028 1984->1591 2011 4bd979b-4bd97c8 1984->2011 2011->1591 2013 4bd97ce-4bd98f0 2011->2013 2013->1591 2031 4bd98f6-4bd9b9c 2013->2031 2028->1591 2046 4bd8637-4bd86ca 2028->2046 2031->1591 2083 4bd9ba2-4bd9e0f 2031->2083 2058 4bd86cc-4bd86d2 2046->2058 2059 4bd86e8-4bd86f6 2046->2059 2058->1591 2060 4bd86d8-4bd86e6 2058->2060 2064 4bd86f8-4bd8706 2059->2064 2060->2064 2067 4bd870c-4bd8715 2064->2067 2068 4bd9317-4bd94df 2064->2068 2067->2068 2073 
4bd871b-4bd8724 2067->2073 2111 4bd94e1-4bd9602 2068->2111 2073->2068 2079 4bd872a-4bd89b1 2073->2079 2079->1591 2149 4bd89b7-4bd8abe 2079->2149 2083->1591 2143 4bd9e15-4bda093 2083->2143 2111->1983 2111->1984 2143->1591 2186 4bda099-4bda23b 2143->2186 2149->1591 2167 4bd8ac4-4bd8db2 2149->2167 2167->1591 2213 4bd8db8-4bd9069 2167->2213 2186->1591 2214 4bda241-4bda2d8 2186->2214 2213->1591 2240 4bd906f-4bd9308 2213->2240 2214->1596 2240->1591 2261 4bd930e-4bd9312 2240->2261 2261->2111
              Memory Dump Source
              • Source File: 00000000.00000002.455147888.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bd0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 953969c73d597618a87c390a9fcb28881b1990cc918e30ddf7d738189bd4962f
              • Instruction ID: ef408332533e2e8de30c0d290037d01167b1649e22c8efe0da1c473d1fe8e7bb
              • Opcode Fuzzy Hash: 953969c73d597618a87c390a9fcb28881b1990cc918e30ddf7d738189bd4962f
              • Instruction Fuzzy Hash: 0B935D70E056288FCB14EF28DD9569CBBB2FF89205F0049EAD448A3751DB386E98CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 2262 4bd0040-4bd00ae 2267 4bd00b4-4bd0140 2262->2267 2273 4bd4b1c-4bd4b89 2267->2273 2274 4bd0146-4bd022f 2267->2274 2277 4bd4b8b-4bd4b8e 2273->2277 2278 4bd4bb1-4bd4bb2 2273->2278 2274->2273 2290 4bd0235-4bd031e 2274->2290 2279 4bd4bd0-4bd4bf5 2277->2279 2280 4bd4b90-4bd4bac 2277->2280 2280->2278 2290->2273 2298 4bd0324-4bd07ea 2290->2298 2298->2273 2337 4bd07f0-4bd08d0 2298->2337 2337->2273 2345 4bd08d6-4bd0dbf 2337->2345 2345->2273 2385 4bd0dc5-4bd0e8a 2345->2385 2385->2273 2392 4bd0e90-4bd1350 2385->2392 2392->2273 2431 4bd1356-4bd1455 2392->2431 2431->2273 2439 4bd145b-4bd195f 2431->2439 2439->2273 2483 4bd1965-4bd19be 2439->2483 2489 4bd1a0e-4bd1c53 2483->2489 2490 4bd19c0-4bd19cc 2483->2490 2513 4bd1c59-4bd1c62 2489->2513 2514 4bd20c7-4bd251a 2489->2514 2491 4bd19ce-4bd19d4 2490->2491 2492 4bd19d6-4bd19dc 2490->2492 2493 4bd19e6-4bd1a0b 2491->2493 2492->2493 2513->2273 2515 4bd1c68-4bd1c7f 2513->2515 2514->2273 2600 4bd2520-4bd2988 2514->2600 2518 4bd202e-4bd20c1 2515->2518 2519 4bd1c85-4bd1d71 2515->2519 2518->2513 2518->2514 2545 4bd1d77-4bd1d7d 2519->2545 2546 4bd1e40-4bd1e8e 2519->2546 2545->2273 2547 4bd1d83-4bd1e3a 2545->2547 2558 4bd1eef-4bd1f16 2546->2558 2559 4bd1e90-4bd1ebe 2546->2559 2547->2545 2547->2546 2560 4bd1f1c-4bd2029 2558->2560 2559->2558 2564 4bd1ec0-4bd1eed 2559->2564 2560->2514 2564->2560 2639 4bd298e-4bd2a40 2600->2639 2640 4bd2a45-4bd2afb 2600->2640 2653 4bd2b01-4bd2bff 2639->2653 2640->2653 2662 4bd2c05-4bd2de8 2653->2662 2663 4bd3dd7-4bd3f5b 2653->2663 2662->2273 2699 4bd2dee-4bd2ea9 2662->2699 2663->2273 2688 4bd3f61-4bd3f8e 2663->2688 2688->2273 2690 4bd3f94-4bd4097 2688->2690 2690->2273 2708 4bd409d-4bd4337 2690->2708 2699->2273 2715 4bd2eaf-4bd2f4a 2699->2715 2708->2273 2764 4bd433d-4bd45cc 2708->2764 2726 4bd2f4c-4bd2f52 2715->2726 2727 4bd2f68-4bd2f76 2715->2727 2726->2273 2729 4bd2f58-4bd2f66 2726->2729 2733 4bd2f78-4bd2f86 2727->2733 2729->2733 2737 4bd2f8c-4bd2f95 2733->2737 2738 
4bd3ae8-4bd3c7a 2733->2738 2737->2738 2742 4bd2f9b-4bd2fa4 2737->2742 2777 4bd3c7c-4bd3dd1 2738->2777 2742->2738 2747 4bd2faa-4bd3252 2742->2747 2747->2273 2811 4bd3258-4bd332e 2747->2811 2764->2273 2824 4bd45d2-4bd484d 2764->2824 2777->2662 2777->2663 2811->2273 2827 4bd3334-4bd35cc 2811->2827 2824->2273 2864 4bd4853-4bd49f5 2824->2864 2827->2273 2869 4bd35d2-4bd3840 2827->2869 2864->2273 2892 4bd49fb-4bd4b19 2864->2892 2869->2273 2909 4bd3846-4bd3ad9 2869->2909 2909->2273 2933 4bd3adf-4bd3ae3 2909->2933 2933->2777
              Memory Dump Source
              • Source File: 00000000.00000002.455147888.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bd0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60f30037d08a6724cc40e481833ccea2fe49b571d8292a1919a5160116a0f093
              • Instruction ID: 4e5cff95738751e44760e0a67c080523fce465658243ae33fc8ec5aa9685b310
              • Opcode Fuzzy Hash: 60f30037d08a6724cc40e481833ccea2fe49b571d8292a1919a5160116a0f093
              • Instruction Fuzzy Hash: 13934D70E056288FCB58EF28E995698BBF2FF49305F0049EAD448A3751DB346E88CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 2934 4bf5d40-4bf5e4a 2945 4bfa7ba-4bfa7c4 2934->2945 2946 4bf5e50-4bf5feb 2934->2946 2949 4bfa81c-4bfa81e 2945->2949 2950 4bfa7c6-4bfa800 2945->2950 2946->2945 2969 4bf5ff1-4bf6102 2946->2969 2952 4bfa860 2949->2952 2953 4bfa820-4bfa855 2949->2953 2954 4bfa862-4bfa86a 2950->2954 2955 4bfa802-4bfa80a 2950->2955 2952->2954 2953->2952 2969->2945 2979 4bf6108-4bf6526 2969->2979 2979->2945 3013 4bf652c-4bf65f1 2979->3013 3013->2945 3020 4bf65f7-4bf6ad6 3013->3020 3020->2945 3060 4bf6adc-4bf6bb2 3020->3060 3060->2945 3068 4bf6bb8-4bf6f98 3060->3068 3068->2945 3099 4bf6f9e-4bf70a9 3068->3099 3099->2945 3107 4bf70af-4bf7565 call 4bf583c 3099->3107 3107->2945 3146 4bf756b-4bf75c4 3107->3146 3152 4bf75c6-4bf75d2 3146->3152 3153 4bf7614-4bf7875 3146->3153 3154 4bf75dc-4bf75e2 3152->3154 3155 4bf75d4-4bf75da 3152->3155 3177 4bf787b-4bf7884 3153->3177 3178 4bf7cc9-4bf80ec 3153->3178 3156 4bf75ec-4bf7611 3154->3156 3155->3156 3177->2945 3179 4bf788a-4bf78a1 3177->3179 3178->2945 3258 4bf80f2-4bf8508 3178->3258 3183 4bf78a7-4bf7979 3179->3183 3184 4bf7c26-4bf7cc3 3179->3184 3205 4bf797f-4bf7985 3183->3205 3206 4bf7a38-4bf7a86 3183->3206 3184->3177 3184->3178 3205->2945 3208 4bf798b-4bf7a32 3205->3208 3217 4bf7a88-4bf7ab6 3206->3217 3218 4bf7ae7-4bf7b0e 3206->3218 3208->3205 3208->3206 3217->3218 3224 4bf7ab8-4bf7ae5 3217->3224 3220 4bf7b14-4bf7c0d 3218->3220 3247 4bf7c18-4bf7c21 3220->3247 3224->3220 3247->3178 3295 4bf850e-4bf85fb 3258->3295 3296 4bf8600-4bf86b6 3258->3296 3309 4bf86bc-4bf8780 3295->3309 3296->3309 3318 4bf99db-4bf9c2b 3309->3318 3319 4bf8786-4bf89a7 3309->3319 3318->2945 3358 4bf9c31-4bf9c5e 3318->3358 3319->2945 3361 4bf89ad-4bf8a85 3319->3361 3358->2945 3359 4bf9c64-4bf9d67 3358->3359 3359->2945 3378 4bf9d6d-4bf9fea 3359->3378 3361->2945 3377 4bf8a8b-4bf8b38 3361->3377 3393 4bf8b3a-4bf8b40 3377->3393 3394 4bf8b56-4bf8b64 3377->3394 3378->2945 3433 4bf9ff0-4bfa283 3378->3433 3393->2945 3395 4bf8b46-4bf8b54 3393->3395 3398 
4bf8b66-4bf8b74 3394->3398 3395->3398 3402 4bf8b7a-4bf8b83 3398->3402 3403 4bf9707-4bf9893 3398->3403 3402->3403 3408 4bf8b89-4bf8b92 3402->3408 3445 4bf9895-4bf99d5 3403->3445 3408->3403 3412 4bf8b98-4bf8e54 3408->3412 3412->2945 3481 4bf8e5a-4bf8f28 3412->3481 3433->2945 3493 4bfa289-4bfa4eb 3433->3493 3445->3318 3445->3319 3481->2945 3497 4bf8f2e-4bf91c5 3481->3497 3493->2945 3531 4bfa4f1-4bfa691 3493->3531 3497->2945 3541 4bf91cb-4bf9480 3497->3541 3531->2945 3559 4bfa697-4bfa7b7 3531->3559 3541->2945 3584 4bf9486-4bf96f8 3541->3584 3584->2945 3605 4bf96fe-4bf9702 3584->3605 3605->3445
              Memory Dump Source
              • Source File: 00000000.00000002.455232420.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bf0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc4b0cf92089fa95db7f983ee5e3567781f80b209c4eef01270bb73998391737
              • Instruction ID: 88f16e189b14de41d7ea1dde94e3225bd13e3c3bb082aa595df54971eca4e8b6
              • Opcode Fuzzy Hash: fc4b0cf92089fa95db7f983ee5e3567781f80b209c4eef01270bb73998391737
              • Instruction Fuzzy Hash: 48935C70E146288FCB19EF29D98569CBBB2FB49305F0089EAD44CA3751DB346E88CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 3606 4bcaec8-4bcb1bb 3636 4bcb1bd-4bcb1d7 3606->3636 3637 4bcb1da-4bcb4e1 3606->3637 3636->3637 4432 4bcb4e4 call b7f140 3637->4432 4433 4bcb4e4 call b7f13e 3637->4433 3671 4bcb4e6-4bcb4e8 3672 4bcb4ee-4bcbdc7 3671->3672 3673 4bcf2c3-4bcf2d1 3671->3673 3676 4bcf2d8 3672->3676 3782 4bcbdcd-4bcbffa 3672->3782 3673->3676 3679 4bcf2dd-4bcf2ec 3676->3679 4436 4bcf2ef call b7f510 3679->4436 4437 4bcf2ef call b7f508 3679->4437 3681 4bcf2f1 3683 4bcf2f6-4bcf305 3681->3683 4428 4bcf308 call b7f510 3683->4428 4429 4bcf308 call b7f508 3683->4429 3685 4bcf30a 3687 4bcf447-4bcf454 3685->3687 3782->3679 3809 4bcc000-4bcc209 3782->3809 3809->3676 3835 4bcc20f-4bcc722 3809->3835 4440 4bcc725 call b7f5d0 3835->4440 4441 4bcc725 call b7f5c8 3835->4441 3892 4bcc727-4bcd07c 4434 4bcd07f call b7f690 3892->4434 4435 4bcd07f call b7f688 3892->4435 4001 4bcd081-4bcd090 4002 4bcd6c5-4bcd6cc 4001->4002 4003 4bcd096-4bcd6bf 4001->4003 4004 4bcf2ae-4bcf2bc 4002->4004 4005 4bcd6d2-4bcd6f4 4002->4005 4003->4002 4004->3673 4426 4bcd6f7 call b7f731 4005->4426 4427 4bcd6f7 call b7f738 4005->4427 4008 4bcd6f9-4bcdc43 4137 4bcdc49-4bce1df 4008->4137 4220 4bce309-4bce5e4 4137->4220 4221 4bce1e5-4bce304 4137->4221 4220->4137 4274 4bce5ea-4bce99d 4220->4274 4438 4bce307 call b7f731 4221->4438 4439 4bce307 call b7f738 4221->4439 4430 4bce9a0 call b7f731 4274->4430 4431 4bce9a0 call b7f738 4274->4431 4315 4bce9a2-4bcebba 4340 4bcebbc-4bcebbf 4315->4340 4341 4bcebc5-4bced87 4315->4341 4340->4341 4341->3676 4363 4bced8d-4bcf15e 4341->4363 4363->3683 4408 4bcf164-4bcf184 4363->4408 4424 4bcf187 call b7f810 4408->4424 4425 4bcf187 call b7f80e 4408->4425 4410 4bcf189-4bcf2a9 4410->3687 4424->4410 4425->4410 4426->4008 4427->4008 4428->3685 4429->3685 4430->4315 4431->4315 4432->3671 4433->3671 4434->4001 4435->4001 4436->3681 4437->3681 4438->4220 4439->4220 4440->3892 4441->3892
              Memory Dump Source
              • Source File: 00000000.00000002.455059350.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bc0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4782974a9e274f1a8a80117317334b7363017b4a255702b678d8e37c51a3869
              • Instruction ID: 65319029c80d96037bb20c64b2fd8ed787e21480849be61362c1d995c954493f
              • Opcode Fuzzy Hash: b4782974a9e274f1a8a80117317334b7363017b4a255702b678d8e37c51a3869
              • Instruction Fuzzy Hash: B8835D70A105188FCB18EF79DD88BAEB7B2FB49205F0044EAD448A3754DB386E49DF59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 4456 4bc18db-4bc193c 4462 4bc198c-4bc1b65 4456->4462 4463 4bc193e-4bc194a 4456->4463 4484 4bc1b6a-4bc1c60 4462->4484 4464 4bc194c-4bc1952 4463->4464 4465 4bc1954-4bc195a 4463->4465 4467 4bc1964-4bc1989 4464->4467 4465->4467 4493 4bc210b-4bc2549 4484->4493 4494 4bc1c66-4bc1c6f 4484->4494 4496 4bc4bb3-4bc4c54 4493->4496 4595 4bc254f-4bc29de 4493->4595 4495 4bc1c75-4bc1c8c 4494->4495 4494->4496 4502 4bc2055-4bc2105 4495->4502 4503 4bc1c92-4bc1da6 4495->4503 4504 4bc4c9c 4496->4504 4505 4bc4c56-4bc4c99 4496->4505 4502->4493 4502->4494 4543 4bc1dac-4bc1db2 4503->4543 4544 4bc1e89-4bc1ed7 4503->4544 4510 4bc4d14-4bc4d59 4504->4510 4505->4504 4505->4510 4516 4bc4dca-4bc4de6 4510->4516 4517 4bc4d5b-4bc4dc8 call 4bc4dfb 4510->4517 4521 4bc4e28 4516->4521 4522 4bc4de8-4bc4e03 call 4bc4e45 4516->4522 4517->4516 4521->4521 4522->4521 4543->4496 4545 4bc1db8-4bc1e83 4543->4545 4555 4bc1f38-4bc1f5f 4544->4555 4556 4bc1ed9-4bc1f07 4544->4556 4545->4543 4545->4544 4558 4bc1f65-4bc2050 4555->4558 4556->4555 4563 4bc1f09-4bc1f36 4556->4563 4558->4493 4563->4558 4637 4bc2aac-4bc2b60 4595->4637 4638 4bc29e4-4bc2aa7 4595->4638 4651 4bc2b66-4bc2c6c 4637->4651 4638->4651 4661 4bc3d7a-4bc403f 4651->4661 4662 4bc2c72-4bc2e3a 4651->4662 4661->4496 4714 4bc4045-4bc4072 4661->4714 4662->4496 4695 4bc2e40-4bc2efb 4662->4695 4695->4496 4711 4bc2f01-4bc2f9d 4695->4711 4725 4bc2f9f-4bc2fa5 4711->4725 4726 4bc2fbb-4bc2fc9 4711->4726 4714->4496 4715 4bc4078-4bc418e 4714->4715 4715->4496 4743 4bc4194-4bc43de 4715->4743 4725->4496 4727 4bc2fab-4bc2fb9 4725->4727 4732 4bc2fcb-4bc2fd9 4726->4732 4727->4732 4735 4bc2fdf-4bc2fe8 4732->4735 4736 4bc3ae9-4bc3c4f 4732->4736 4735->4736 4740 4bc2fee-4bc2ff7 4735->4740 4772 4bc3c51-4bc3d74 4736->4772 4740->4736 4745 4bc2ffd-4bc32b4 4740->4745 4743->4496 4797 4bc43e4-4bc465b 4743->4797 4745->4496 4814 4bc32ba-4bc33af 4745->4814 4772->4661 4772->4662 4797->4496 4838 4bc4661-4bc490d 4797->4838 4814->4496 4828 4bc33b5-4bc3608 
4814->4828 4828->4496 4866 4bc360e-4bc3875 4828->4866 4838->4496 4881 4bc4913-4bc4a9b 4838->4881 4866->4496 4905 4bc387b-4bc3ada 4866->4905 4881->4496 4904 4bc4aa1-4bc4bb0 4881->4904 4905->4496 4936 4bc3ae0-4bc3ae4 4905->4936 4936->4772
              Memory Dump Source
              • Source File: 00000000.00000002.455059350.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bc0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27308b2045242e106966fa134e2c5ae7ab6e33d197f99882e061535eedbca43d
              • Instruction ID: 26e1d48a02b7ad73ab5742afff4748db811874e1f902a691fc6527dcaccb7f2a
              • Opcode Fuzzy Hash: 27308b2045242e106966fa134e2c5ae7ab6e33d197f99882e061535eedbca43d
              • Instruction Fuzzy Hash: A2638370E046288FCB15EF28DD8569DBBB1FF89205F0085EAD488A3751DB386E89CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 6198 b7f140-b7f1d9 6200 b7f22d-b7f24d 6198->6200 6201 b7f1db-b7f200 6198->6201 6204 b7f2a1-b7f2d2 6200->6204 6205 b7f24f-b7f274 6200->6205 6201->6200 6206 b7f202-b7f204 6201->6206 6215 b7f2d4-b7f2fc 6204->6215 6216 b7f329-b7f3e3 CreateProcessAsUserA 6204->6216 6205->6204 6213 b7f276-b7f278 6205->6213 6207 b7f227-b7f22a 6206->6207 6208 b7f206-b7f210 6206->6208 6207->6200 6210 b7f214-b7f223 6208->6210 6211 b7f212 6208->6211 6210->6210 6214 b7f225 6210->6214 6211->6210 6217 b7f29b-b7f29e 6213->6217 6218 b7f27a-b7f284 6213->6218 6214->6207 6215->6216 6224 b7f2fe-b7f300 6215->6224 6230 b7f3e5-b7f3eb 6216->6230 6231 b7f3ec-b7f460 6216->6231 6217->6204 6219 b7f286 6218->6219 6220 b7f288-b7f297 6218->6220 6219->6220 6220->6220 6223 b7f299 6220->6223 6223->6217 6225 b7f323-b7f326 6224->6225 6226 b7f302-b7f30c 6224->6226 6225->6216 6228 b7f310-b7f31f 6226->6228 6229 b7f30e 6226->6229 6228->6228 6232 b7f321 6228->6232 6229->6228 6230->6231 6240 b7f462-b7f466 6231->6240 6241 b7f470-b7f474 6231->6241 6232->6225 6240->6241 6244 b7f468 6240->6244 6242 b7f476-b7f47a 6241->6242 6243 b7f484-b7f488 6241->6243 6242->6243 6245 b7f47c 6242->6245 6246 b7f48a-b7f48e 6243->6246 6247 b7f498-b7f49c 6243->6247 6244->6241 6245->6243 6246->6247 6248 b7f490 6246->6248 6249 b7f4ae-b7f4b5 6247->6249 6250 b7f49e-b7f4a4 6247->6250 6248->6247 6251 b7f4b7-b7f4c6 6249->6251 6252 b7f4cc 6249->6252 6250->6249 6251->6252 6253 b7f4cd 6252->6253 6253->6253
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00B7F3D0
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: a3e221874310d53380f00afdf7a951db5b40769c17058a7c299defbd2819cd26
              • Instruction ID: e3d55435d3e197ac445b8d2c48972085164f6b6e67fd7b1ffa168076c0f76ceb
              • Opcode Fuzzy Hash: a3e221874310d53380f00afdf7a951db5b40769c17058a7c299defbd2819cd26
              • Instruction Fuzzy Hash: F5A14A71E002199FDB10CF69D9817EEBBF2FF48314F0081A9E819A7291DB749985CF95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455273835.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e41a12ba6b3299ce64ccebbb8526686a92c453e1bac3edc776d67f3ca2e8a921
              • Instruction ID: b83b6b42b0e1e2c18d3302caf125b3305184a31c328b00854ab313dcad9ee2b8
              • Opcode Fuzzy Hash: e41a12ba6b3299ce64ccebbb8526686a92c453e1bac3edc776d67f3ca2e8a921
              • Instruction Fuzzy Hash: 80F22870D19218CFCB14EF29D889B99B7B1FB49304F0189AAD44CA3B54DB386D89CF59
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455147888.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bd0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2376c65884ec811dd91a0299e2df8fe39e7bd8947af3e2690dd1ec25f04bf67
              • Instruction ID: aadb28c46754f21b47287e6927163136539c4a48068eaf688fbd165162eb8a86
              • Opcode Fuzzy Hash: c2376c65884ec811dd91a0299e2df8fe39e7bd8947af3e2690dd1ec25f04bf67
              • Instruction Fuzzy Hash: 17F21870E052288FCB58EF28D99969CBBB2FF49304F0049EAD448A3751DB346E98DF55
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 04C1D667
              Memory Dump Source
              • Source File: 00000000.00000002.455321625.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c10000_ORDINE.jbxd
              Similarity
              • API ID: CheckDebuggerPresentRemote
              • String ID:
              • API String ID: 3662101638-0
              • Opcode ID: 4c420ecd44a4cbef377bc3ab44f6c5a0f7d7982f842509391f68566ea318871f
              • Instruction ID: 6fe2b87ce4a66ec3ed342e2e31fb188a18a1d6b16698333168973f98b26caf18
              • Opcode Fuzzy Hash: 4c420ecd44a4cbef377bc3ab44f6c5a0f7d7982f842509391f68566ea318871f
              • Instruction Fuzzy Hash: 24214AB1904219CFCB00CF9AD884BEEFBF4AF49324F15846AE459B7250D778A945CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455147888.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bd0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65e2745f5f6a82a185a6e0bf03f0363aff342fcfc6c56112d3313aa3e88d8407
              • Instruction ID: 5de5eee4853909d0078dee9228b2714bc9a64ec59546686f2bf8e01dd539e4d0
              • Opcode Fuzzy Hash: 65e2745f5f6a82a185a6e0bf03f0363aff342fcfc6c56112d3313aa3e88d8407
              • Instruction Fuzzy Hash: C7E22A70A052288FCB58EF28E99569CBBF1FF49304F1049EAD488A3751DB346E88DF55
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455147888.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bd0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e1b711768ff8921ab25750d19854d8320aa6c37d53d1adacf48b422ee955af4
              • Instruction ID: ea8e8e329bf113b492115097c12bdaee122426dc7b102696c821efdb9e75b05f
              • Opcode Fuzzy Hash: 5e1b711768ff8921ab25750d19854d8320aa6c37d53d1adacf48b422ee955af4
              • Instruction Fuzzy Hash: 5DE21870A052288FCB58EF28D99569CBBB2FF49304F0049EAD448A3B51DB346E88DF55
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455232420.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bf0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e27058f4e03c247893266caf83d080703f7ed6155a4d5a635f9a4f8539ef2601
              • Instruction ID: 055037d08d7b2b248b7c37b07b929f0fc070c8fbcab6627b73b1520cda64180a
              • Opcode Fuzzy Hash: e27058f4e03c247893266caf83d080703f7ed6155a4d5a635f9a4f8539ef2601
              • Instruction Fuzzy Hash: 64E22970E142288FCB19EF29D98969CBBB1FB49304F0089EAD44CA3751DB346E89DF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              • Function blocks 25a0393-25a03fb
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID: xql$xql$xql
              • API String ID: 0-1985204717
              • Opcode ID: 6fd8c5cebdde77f4651e511df9e42e2d402dbb0c1a7c0603e7001da108187979
              • Instruction ID: 5d35742f1449d2907536465ebb57264c21b0d5dc77da6fc70f53dcba9cda89d4
              • Opcode Fuzzy Hash: 6fd8c5cebdde77f4651e511df9e42e2d402dbb0c1a7c0603e7001da108187979
              • Instruction Fuzzy Hash: F6118421A2D3D14FD7274628983236D7F612F93014B1E85E7C084CF6E7D6248C86C3AB
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              • Function blocks 25a024b-25a02b3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID: xql$xql
              • API String ID: 0-2396326202
              • Opcode ID: 897bdeb358ae8d9b3887262091c5197f51476b7b9f8af7d9587a340e9509ba6e
              • Instruction ID: e7929c1119c24e48aa0d3bb4817305fd4f3a6f4fb5eccb3d90d45b9264b7db86
              • Opcode Fuzzy Hash: 897bdeb358ae8d9b3887262091c5197f51476b7b9f8af7d9587a340e9509ba6e
              • Instruction Fuzzy Hash: D4F0C821B1D3A10FC767026C993623E7FA11E8312031E83E7C481CB6E6DA20CC86C39B
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              • Function blocks 4c0c100-4c0cf0e; calls 4c1cba8, 25a0cc3/25a0ce0 and 25a0f53/25a0f70
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.455273835.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c00000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID: ,Hyl
              • API String ID: 0-265354286
              • Opcode ID: 3127df096ce88beac04709f546dbaa41bf49eb3c4b61e374176a63bdbb4df435
              • Instruction ID: e2415d7bd8dd413d2dec4a50c387412b6b03100b600f1c4ff1dbfd736f053a3a
              • Opcode Fuzzy Hash: 3127df096ce88beac04709f546dbaa41bf49eb3c4b61e374176a63bdbb4df435
              • Instruction Fuzzy Hash: ED82BD70A10118CFCB58EF69D884B9DB7B2FB49308F0085A9D44DA3764DB34AD8ADF59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph
              • Function blocks b7f13e-b7f4cd; CreateProcessAsUserA is called from block b7f329-b7f3e3
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00B7F3D0
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: 913d2f6b2491fbe8d07193e66a1e99c6b21b64fff61890df138086050e2ac933
              • Instruction ID: 1e220196283e602f1f8ffd348cf8548e6c3669955f4a7b022181b0dc617c8dbb
              • Opcode Fuzzy Hash: 913d2f6b2491fbe8d07193e66a1e99c6b21b64fff61890df138086050e2ac933
              • Instruction Fuzzy Hash: F8A13A71E002199FDB10CF69D9817EEBBF2FF48314F0081A9E819A7291DB749985CF95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00B7F7C5
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 308ace0b369e15be309b6fc58fc490c08e8cede8d325b56e11008bcfe0b8286e
              • Instruction ID: 471c87911a65e90bb63aec6c307e4ccf835dc9c9113b4a628e31cbb08b225d49
              • Opcode Fuzzy Hash: 308ace0b369e15be309b6fc58fc490c08e8cede8d325b56e11008bcfe0b8286e
              • Instruction Fuzzy Hash: 9C2127B59002599FDF14CFA9D884BEEBBF4FB48324F00842AE819A3340D778A945CF65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00B7F7C5
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 21851c1698cb9f3adfab6a844a7f7aad16500cc9cf7a07860b6219e4f439ea4d
              • Instruction ID: aea50e09a8b737d1b888aadf6d0d10a8f3092350d5ec9e1570305546b5e9dc1d
              • Opcode Fuzzy Hash: 21851c1698cb9f3adfab6a844a7f7aad16500cc9cf7a07860b6219e4f439ea4d
              • Instruction Fuzzy Hash: 0E2125B1900259DFDB10CF9AC884BDEFBF4FB48324F00842AE918A3240D778A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B7F646
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 67c5d6d4c0fc2986660340a595eddb5efaea2521fe63a28792dd4a48c3fba120
              • Instruction ID: 27e7ac1544d955b154965a95f47a1adca837602138bf649d8a1f1b4edf7f6323
              • Opcode Fuzzy Hash: 67c5d6d4c0fc2986660340a595eddb5efaea2521fe63a28792dd4a48c3fba120
              • Instruction Fuzzy Hash: 97214CB19002499FDB10CFA9C484BEEFBF4FF48324F148029E469A3250C3349945CF65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 00B7F587
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: 5c702bb5a3839903c26b3a4a6311b39529fe6345ea17745b7e60d3ed2ef08c08
              • Instruction ID: 4862f3d1555b2ead62a6568f213462d1995e52f2d49e440d881378ded2f59a7b
              • Opcode Fuzzy Hash: 5c702bb5a3839903c26b3a4a6311b39529fe6345ea17745b7e60d3ed2ef08c08
              • Instruction Fuzzy Hash: CF2138B1D0021A8FCB10CF9AC8857EEFBF4FB48724F00816AD429A3240D778A945CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 00B7F587
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: 7c3cf0995fc921b53f64378fae4de198d44ad71423e45edf713e4e99216af999
              • Instruction ID: cc89015f913e0952173a941066a890e419857f176d7be608c291fe112c51ab23
              • Opcode Fuzzy Hash: 7c3cf0995fc921b53f64378fae4de198d44ad71423e45edf713e4e99216af999
              • Instruction Fuzzy Hash: 052138B1D0021A9FCB00CF9AC8847EEFBF4FB48724F00812AD418B3240D778A9448FA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B7F6FB
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 6386cd0d41924130eecf55cf70e2bd8bf18874602837df04f8f23378d3430e5a
              • Instruction ID: 35954a01fdd601ceae3720c36a8d2ce817912c4d6272bcccec10fa73504eda34
              • Opcode Fuzzy Hash: 6386cd0d41924130eecf55cf70e2bd8bf18874602837df04f8f23378d3430e5a
              • Instruction Fuzzy Hash: 41216AB28002898FCB11CFA9C884BDEBFF4EF49324F208459D569A7251C339A845CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B7F646
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: fc48d1756e13c33147f11acd4181490a98053e6fb4c0c3c16f5c4b184c3ac0d3
              • Instruction ID: 3f17f2ffd3784c3f8034b28e05f912356dfc788b82c04b41ee503039008a61d7
              • Opcode Fuzzy Hash: fc48d1756e13c33147f11acd4181490a98053e6fb4c0c3c16f5c4b184c3ac0d3
              • Instruction Fuzzy Hash: 872117B19002499FCB10CF9AC884BDEFBF4FB48324F10842AE528A3250D378A545CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OutputDebugStringW.KERNELBASE(00000000), ref: 04C1D810
              Memory Dump Source
              • Source File: 00000000.00000002.455321625.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c10000_ORDINE.jbxd
              Similarity
              • API ID: DebugOutputString
              • String ID:
              • API String ID: 1166629820-0
              • Opcode ID: 29f23878c5620ffc81e9bfd405df26fc75a43d85f4c3cb99e34b0de061dd31f1
              • Instruction ID: 40ed1acdfaab38e6a7bb14e3a710e85f4396134d7be5bb2db73be91654b9eb41
              • Opcode Fuzzy Hash: 29f23878c5620ffc81e9bfd405df26fc75a43d85f4c3cb99e34b0de061dd31f1
              • Instruction Fuzzy Hash: 991144B1D006599BCB10CF9AD584B9EFBF4FB49324F00812AE819A3240C774A904CFE1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B7F6FB
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 38d648af407452f4172755ab4f3f657160c7070af7b5cfad78cfd65f2b9ebbc2
              • Instruction ID: afdf1cea25e9ec499184aa0db24c732b8e078702daadcde9faf19daf742a6fc3
              • Opcode Fuzzy Hash: 38d648af407452f4172755ab4f3f657160c7070af7b5cfad78cfd65f2b9ebbc2
              • Instruction Fuzzy Hash: 6D11F5B59002499FCB10CF9AD888BDFFBF4FB48324F108419E529A7250C375A944CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: f7aa42c8a606848cf7561b3d3ee5bdd8dd5f7c317c7465c49b29203de4573d46
              • Instruction ID: 5c0a111b44d260ff8b394bc48cd4cca42d7f3a277f815d48eddbfedc237f4426
              • Opcode Fuzzy Hash: f7aa42c8a606848cf7561b3d3ee5bdd8dd5f7c317c7465c49b29203de4573d46
              • Instruction Fuzzy Hash: A71115B1800249CFDB20CF99D488BEEFBF4EB48324F20855AD469A7240C778A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b70000_ORDINE.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: dc7bc50c47e0d6cdffdc00b342fe8578b530d0d443c4604de8d56ae7813dc2e6
              • Instruction ID: 357a74ae2b5f727c8400660493a3844bf7c395b5b476adc0718aec873fd38e08
              • Opcode Fuzzy Hash: dc7bc50c47e0d6cdffdc00b342fe8578b530d0d443c4604de8d56ae7813dc2e6
              • Instruction Fuzzy Hash: 9E1123B1800249CFCB10CF9AC888BDEFBF4EB48324F10856AD529A7240C774A944CFA6
              Uniqueness

              Uniqueness Score: -1.00%
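Read together, the entries above for the 00B70000 region (CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, plus two functions whose API ID is ResumeThread) are the primitives of process hollowing, while the 04C10000 region carries the anti-debug checks (CheckRemoteDebuggerPresent, OutputDebugStringW). The Python below is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses the "APIs" and "Memory Dump Source" lines exactly as they appear on this page (copied into a constructed SAMPLE_REPORT), pairs each call site with its dump region, drops the duplicate call sites the report lists once per function variant, and flags a region whose API set covers the hollowing chain. HOLLOWING_STEPS, ANTI_DEBUG, the "core" rule and the verdict labels are the example's own assumptions. Because the page lists ResumeThread only as an API ID with no call line, the sample omits it and the logic tolerates a missing step instead of demanding the full chain. The report is a static list of call sites per dumped region, not an execution trace, so the order of the ref addresses says nothing about call order; treat the verdict as a triage signal, not proof.

```python
"""Flag process-hollowing and anti-debug API usage in Joe Sandbox disassembly entries."""
import re
from collections import defaultdict

# Constructed sample: the "APIs" and "Memory Dump Source" lines from the entries above,
# in page order (the report lists the WriteProcessMemory call site twice).
SAMPLE_REPORT = """\
APIs
• CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00B7F3D0
Memory Dump Source
• Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00B7F7C5
• Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00B7F7C5
• Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B7F646
• Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
• SetThreadContext.KERNELBASE(?,00000000), ref: 00B7F587
• Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B7F6FB
• Source File: 00000000.00000002.447780798.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
• CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 04C1D667
• Source File: 00000000.00000002.455321625.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
• OutputDebugStringW.KERNELBASE(00000000), ref: 04C1D810
• Source File: 00000000.00000002.455321625.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
"""

# "• Name.MODULE(args), ref: ADDR" and "• Source File: ..., Offset: ADDR, ..." as printed by the report
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(r"^\s*(?:•\s*)?Source File:.*?Offset:\s*(?P<offset>[0-9A-Fa-f]+)")

# Assumed step list for the classic hollowing chain; prefix matching absorbs the A/W
# suffixes and the CreateProcess / CreateProcessAsUser variants.
HOLLOWING_STEPS = ("CreateProcess", "ReadProcessMemory", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread")
ANTI_DEBUG = ("CheckRemoteDebuggerPresent", "IsDebuggerPresent", "OutputDebugString")


def parse_api_calls(report_text):
    """Attach every API line to the 'Source File' line that follows it in the entry."""
    calls, pending = [], []
    for line in report_text.splitlines():
        m = API_LINE.match(line)
        if m:
            pending.append(m.groupdict())
            continue
        m = SOURCE_LINE.match(line)
        if m:
            for call in pending:
                call["region"] = m.group("offset").upper()
                calls.append(call)
            pending = []
    return calls


def unique_calls(calls):
    """Drop repeated (api, ref, region) triples: one call site is listed per function variant."""
    seen, out = set(), []
    for c in calls:
        key = (c["api"], c["ref"].upper(), c["region"])
        if key not in seen:
            seen.add(key)
            out.append(c)
    return out


def assess_regions(calls):
    """Per dumped region: hollowing steps present/missing, anti-debug APIs, and a verdict."""
    apis_by_region = defaultdict(set)
    for c in calls:
        apis_by_region[c["region"]].add(c["api"])
    findings = {}
    for region, apis in sorted(apis_by_region.items()):
        present = [s for s in HOLLOWING_STEPS if any(a.startswith(s) for a in apis)]
        missing = [s for s in HOLLOWING_STEPS if s not in present]
        anti = sorted(a for a in apis if any(a.startswith(p) for p in ANTI_DEBUG))
        # Writing into a freshly created process and redirecting its thread is the core of
        # hollowing; a missing ResumeThread (as on this page) must not suppress the verdict.
        core_present = {"WriteProcessMemory", "SetThreadContext"}.issubset(present)
        injection = core_present and "CreateProcess" in present
        findings[region] = {
            "present": present, "missing": missing, "anti_debug": anti,
            "verdict": ("process-hollowing-chain" if injection
                        else "anti-debug" if anti else "none"),
        }
    return findings


if __name__ == "__main__":
    for region, f in assess_regions(unique_calls(parse_api_calls(SAMPLE_REPORT))).items():
        print(region, f["verdict"], "present:", f["present"],
              "missing:", f["missing"], "anti-debug:", f["anti_debug"])
```

Run against the constructed sample, region 00B70000 is reported as a hollowing chain missing only ResumeThread, and region 04C10000 as anti-debug. To use it on a real report, feed it the text of the whole "Execution Graph"/disassembly section; lines that are not API or Source File bullets are ignored.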

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID: xql
              • API String ID: 0-109062218
              • Opcode ID: ee5bbd0675c3c8171ed5e3f5b4d3266c01e47469fffe09525ff6452134ed49c7
              • Instruction ID: 3af678482442b3b0897dfe566b86c2a0e89eef79dad463348b4019b17e6fe5ae
              • Opcode Fuzzy Hash: ee5bbd0675c3c8171ed5e3f5b4d3266c01e47469fffe09525ff6452134ed49c7
              • Instruction Fuzzy Hash: 7821A2747083808FCB169B78886566E7FF1BF8A218F5945EAC445CB7A2CA34CC05C792
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d5e67e8d25bba3eb5d7a887babe4dca00533708c1c2cb7743eee1b2dccb43d17
              • Instruction ID: ca7aa8339ed15aa512abf56c27a190ca9f1c03d7747887bbc014233546a6509d
              • Opcode Fuzzy Hash: d5e67e8d25bba3eb5d7a887babe4dca00533708c1c2cb7743eee1b2dccb43d17
              • Instruction Fuzzy Hash: 8D213831708256AFDB208E858D63B6F7B66BF95264F184029FD056B7C0CB31DC11C7AA
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.447473035.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_95d000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71297153166f0dbd11edbfdef55dd22ac6ff4b08cbea4fabdc59a0823bc9eb83
              • Instruction ID: 6a80711fec0c0b2fecc93457b72c7fbb26f994de66159f472ed3afe347f423e3
              • Opcode Fuzzy Hash: 71297153166f0dbd11edbfdef55dd22ac6ff4b08cbea4fabdc59a0823bc9eb83
              • Instruction Fuzzy Hash: CA216AB1504200DFDF14DF11C9C0B26BB66FB94325F24C969DD094B296C33AE84ACBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6db182c303ca988a624a0342d2ac5497e2800f8704eb3361c2e9be392d1447e8
              • Instruction ID: 273904a2be0d306608d02c7c115f341a4e2b22c99046a8f37f4fa7ba7fd66fbe
              • Opcode Fuzzy Hash: 6db182c303ca988a624a0342d2ac5497e2800f8704eb3361c2e9be392d1447e8
              • Instruction Fuzzy Hash: E821B870B083944FC712DB78886566E7FF1AF8A214F0505AAD845DB7A2D6349D09C7A3
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abbf45e99e042158ff9c1078280f2213f27b1453bf8b9159a98cb9b88d5ddcab
              • Instruction ID: 2cf4d9bc5d310b12a1defd7c6f914b13e4763a47c9100aae61b84c37175fdbe5
              • Opcode Fuzzy Hash: abbf45e99e042158ff9c1078280f2213f27b1453bf8b9159a98cb9b88d5ddcab
              • Instruction Fuzzy Hash: 6821D83161C3D59FEF228E444863BAE7F31BF56214F15409AF9446B1D2C7319852C769
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 676b0ae4ef492f6950c237deac3e51d4b75919bae15414c32c6895a2d2739f33
              • Instruction ID: ccc0549f523c0f425b82f6b0e3f7d72ebaa422e29fc72b5823009d519facc220
              • Opcode Fuzzy Hash: 676b0ae4ef492f6950c237deac3e51d4b75919bae15414c32c6895a2d2739f33
              • Instruction Fuzzy Hash: BE11E430B002548FC720DBACC85666EBBE5AF89214F04416AD809DB791CB70EC048792
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.447473035.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_95d000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction ID: 17619b95fd61eb6effe720e42cd7871203172e28084bb7eab3e73dc8a1145212
              • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction Fuzzy Hash: 9D11A276405280DFDB11CF10D9C4B16BF72FB94325F24C5A9DC080B666C336D85ACBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d957c97d7acc25b5500d365bab98d33d8940a290bc88b1cdedf3b8a6adab7d06
              • Instruction ID: fe92edfc2f92e9657421a4c5869ac939ffb172bc32207073c7e5174e60ab4e38
              • Opcode Fuzzy Hash: d957c97d7acc25b5500d365bab98d33d8940a290bc88b1cdedf3b8a6adab7d06
              • Instruction Fuzzy Hash: A811496060D3D18FDB278B7408362A97F71BD93118B4E45EBC4C08F1E7D628884ACB1A
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62a1c0858dc05e61858ff1a7acc46c6ff802963d12718ac144c608d25504651b
              • Instruction ID: 84552091ad00e00db08b6c3e61a85349bf55670d98d5f09ec21bfa0b7bc2ddd5
              • Opcode Fuzzy Hash: 62a1c0858dc05e61858ff1a7acc46c6ff802963d12718ac144c608d25504651b
              • Instruction Fuzzy Hash: 0301282171E3904FC32656650D6221FBB926F8611870E85AB8848CF292DE20C801C366
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c464937de540c6c2dfc49217043886415a7880033f172db6fce4abae05c8bc7
              • Instruction ID: c520eeb3d809dcd1a7773d67ab7d95245e5be7fc0da710e837f5ec367bb1cfa6
              • Opcode Fuzzy Hash: 1c464937de540c6c2dfc49217043886415a7880033f172db6fce4abae05c8bc7
              • Instruction Fuzzy Hash: 7001D43160D3805FC7224A188873BAB7F617F82610F2980E7D8808F6E3DA218C02C3A5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 431e870748953439ea90bf00838dd55cee3c4fddde001ea8071fce5c91017561
              • Instruction ID: a992f79c5cb11759ee3348ed2c4d6dac4c9b90a0855d6a0c413158991eacb605
              • Opcode Fuzzy Hash: 431e870748953439ea90bf00838dd55cee3c4fddde001ea8071fce5c91017561
              • Instruction Fuzzy Hash: 33F0CD31B142009FC324491D8933B3FB696BFD5A20F69802AAA418B794EA71CC0187EA
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2e91a1bf0c74ab2550a76defb5dce15dd99b4a28e4bcb43dbdadd1d54d467fd
              • Instruction ID: 0e01bc740a4780c3cc5b36dc04247febdf7f27200b4301d8a1e65f88b17ac709
              • Opcode Fuzzy Hash: b2e91a1bf0c74ab2550a76defb5dce15dd99b4a28e4bcb43dbdadd1d54d467fd
              • Instruction Fuzzy Hash: EA01D622B0DBE14FC7260368583109C6FA27F9705075EC2EBC489CF656DB248842C356
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b09bc8ccafd10341ad16264e7df67bd875e174cca62f0ca4b158683b78b87f3
              • Instruction ID: 30f81ad6bea9e2ea91b2f5f1a46f3bf6b7de715a4cdd32855c4865c7c8c1a438
              • Opcode Fuzzy Hash: 0b09bc8ccafd10341ad16264e7df67bd875e174cca62f0ca4b158683b78b87f3
              • Instruction Fuzzy Hash: 08F0F637A192518FCB264B149435A9ABF71FFD6720319C0EBD444CB562D732D806C715
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ebd84547f420bf770da088a28e5fa90a271e56b80ae5e477837a9dbf28652b7e
              • Instruction ID: 3b52d96575b237df93d7199b4bf468b7d54f9667cfe13e90683d48f382f07caf
              • Opcode Fuzzy Hash: ebd84547f420bf770da088a28e5fa90a271e56b80ae5e477837a9dbf28652b7e
              • Instruction Fuzzy Hash: E0F0902170C2D44FC726572988655567FB69EC712031A80E7C449CF6B3DA65DC06C366
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 06c0a1ec0de8f9954f6abc438117160763d5270bf3925607296d849508ac9505
              • Instruction ID: b32637bb08aefb75e33c0ca79cea557001532aaa016d98f2ecbe003488a5b51a
              • Opcode Fuzzy Hash: 06c0a1ec0de8f9954f6abc438117160763d5270bf3925607296d849508ac9505
              • Instruction Fuzzy Hash: 39F02737B241119B47684A1D853661FBBDAEFD953032DC03AD80A8B750CB73DC01C79A
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97ccfe0a18ad4a02d402b934abf1c87a52d2b6a13c21ec0372e51082f16fcae0
              • Instruction ID: 82e8b6c36f6dfaa6e20cc5575bc46567070d72d5ec73260010f8d2e6b8433f29
              • Opcode Fuzzy Hash: 97ccfe0a18ad4a02d402b934abf1c87a52d2b6a13c21ec0372e51082f16fcae0
              • Instruction Fuzzy Hash: 1DF08C20A4E3E14FC702D76848659917FB5AE8712830E40E7D488CB5F3DA688C06C362
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec81a564ba4b0b4d5fd8d56e2cdf2f07e1128842fb9f09131416c41d8f1e0c2f
              • Instruction ID: 44119088015885bedf7629d657738f6b2020a0bc840a1c6709cd88a8d9199e11
              • Opcode Fuzzy Hash: ec81a564ba4b0b4d5fd8d56e2cdf2f07e1128842fb9f09131416c41d8f1e0c2f
              • Instruction Fuzzy Hash: 01F0922164D3C18FCB034B2488B65A43F716E8712531E40D7D081CF9B3DA2CA846C756
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 747e719ef67c3118a3c296357fd7dec1161b8ee658984a89c67b03e8f6e3eb52
              • Instruction ID: fbb57b762892408465bc5aec2910ae83b9afebcdbb63044500dca2ffa8720689
              • Opcode Fuzzy Hash: 747e719ef67c3118a3c296357fd7dec1161b8ee658984a89c67b03e8f6e3eb52
              • Instruction Fuzzy Hash: B8E0D835B144184B0724852D9536A2FB6DBAFC90313258075D50ECB764DF31DC4187A2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d23a53b2bd4eaee02e18c39177dd04373b7d887df1c4c8280728e3020c83e6e
              • Instruction ID: 9db67d473b2266ee4d897a2d0629f6eb52360908ca958c97e544e82e09e1be32
              • Opcode Fuzzy Hash: 5d23a53b2bd4eaee02e18c39177dd04373b7d887df1c4c8280728e3020c83e6e
              • Instruction Fuzzy Hash: 71E0ED2060D7A14FDB1A563848311A9BF727E8314975DC2EBC085CF193D62D8889C717
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 701ff2f1fb7795a188959ca16e505d72a631571baa88a2c61a01a46cc89dfad4
              • Instruction ID: 398e1293f8ed67e2e38f81f1c1061fb747506a130ac36a2be3cf7a8b836770c8
              • Opcode Fuzzy Hash: 701ff2f1fb7795a188959ca16e505d72a631571baa88a2c61a01a46cc89dfad4
              • Instruction Fuzzy Hash: 46F0C22065E7D14FDB1787340C362697F32AA9711875E42DB84D0CF1E3DA29888ACB2B
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 971673e6b15444852820472d587088fb46547f09d7da4064505d1dcbd1fe71cc
              • Instruction ID: 1493e52ca76a03d9ef236e11cbd521adad18daf438a795c185b4e87b142bfe15
              • Opcode Fuzzy Hash: 971673e6b15444852820472d587088fb46547f09d7da4064505d1dcbd1fe71cc
              • Instruction Fuzzy Hash: DEE0E52571F3814FCB67472419755A93FB2AE8321835D84EBC086CFAA3DA398447E312
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 63eccc9281d100d378920f549e4707d16741e3981776f2f05db28096f9c5cf37
              • Instruction ID: 6e5e0cefd6df867a48183a755d8d270e3597ca14c058b28275b2d8bb6100012d
              • Opcode Fuzzy Hash: 63eccc9281d100d378920f549e4707d16741e3981776f2f05db28096f9c5cf37
              • Instruction Fuzzy Hash: 37E0ED2070E7C14FD7175635083256A7F723E9310575EC1EBC485CBAA3DA298849D357
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ccbbf11836b46785cb4ef5d9252a628fc1480a5a17f458565707fe9ec8003a53
              • Instruction ID: b72d04f1a640b0fa309b5e349fe3b8c691abff030a08383f0e43993f968446b2
              • Opcode Fuzzy Hash: ccbbf11836b46785cb4ef5d9252a628fc1480a5a17f458565707fe9ec8003a53
              • Instruction Fuzzy Hash: 42E0122060E7D14FCB17973409352697F717E9311875D46EE84C4CF2D7DA298846C717
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8db813db1b7e136bdfe5b4770306e34cdb4aa16723f9007d2c6de247463cfe19
              • Instruction ID: fb5a024bed4db914e2d598a0506eb7b4c192d60e70a99e0f71036daff449f213
              • Opcode Fuzzy Hash: 8db813db1b7e136bdfe5b4770306e34cdb4aa16723f9007d2c6de247463cfe19
              • Instruction Fuzzy Hash: C8E0486698E3C44FCB2347B019B86993F709C2715871E05CFD8C58B8A3D58A884BD722
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73f95752162b86e8450e8b22f7cb9f3d8a76e16ef984d9a7cd8f50c525094183
              • Instruction ID: b613b996ee63f37b761d4d3ce819ffd09e019c29a0e25ef108d4d261e30a6816
              • Opcode Fuzzy Hash: 73f95752162b86e8450e8b22f7cb9f3d8a76e16ef984d9a7cd8f50c525094183
              • Instruction Fuzzy Hash: EEE0C231F105358B4718E64E852265AB79ABFCA13831894B5E80DCB7B2DE30DC008781
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 439616fb063f39b28f01ef480d62905dea5b8466986a26a5229d0f67f384386f
              • Instruction ID: 67b725bf8fc925c76f6f0955f40122b2c3fa644af79964c2dd45188186a7ad0a
              • Opcode Fuzzy Hash: 439616fb063f39b28f01ef480d62905dea5b8466986a26a5229d0f67f384386f
              • Instruction Fuzzy Hash: EDE08C82A0E3E00FD72353742C380987FB04A57285B4E00EFD4C2CB2A3D4480D8AC363
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f051360fd990055b70f2f7425878fe41591ec56d7ac7b159d75324b79ab693ed
              • Instruction ID: f13a204769eae17070ce620d3ab579953eca2c96e0514baeffaeafff31eb2a66
              • Opcode Fuzzy Hash: f051360fd990055b70f2f7425878fe41591ec56d7ac7b159d75324b79ab693ed
              • Instruction Fuzzy Hash: 43D05E34B1450ACF57548A29C562A2E77A67FC51293184064D0068BB60EF30E840C68A
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a52f58b12e8763bc5de55ebe42dd3c993b19a80d930e3f6b3880a612370e6f14
              • Instruction ID: 1a54530c6308f668062832cfd55d5d7da87bf0ae7ccdae996245dc9e53f0fcbd
              • Opcode Fuzzy Hash: a52f58b12e8763bc5de55ebe42dd3c993b19a80d930e3f6b3880a612370e6f14
              • Instruction Fuzzy Hash: 5F90223000020C8B820833823808308330CA800000B800000A00C020000E8020000080
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455321625.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4c10000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6e42ad5e7b2398f0e3d431751c08db584c1db6fd757a20ef795cf14786c1a5a
              • Instruction ID: 2390565868f98d18964b459419f450b71527f43fec6dccff0bb9bed043319302
              • Opcode Fuzzy Hash: f6e42ad5e7b2398f0e3d431751c08db584c1db6fd757a20ef795cf14786c1a5a
              • Instruction Fuzzy Hash: BCA36374E05628CFCB15EF29D98569DB7B2FB8A305F0085E9D488A3721DB346E88CF45
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.455232420.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_4bf0000_ORDINE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44ffa0e3d0f2c0f457dbfa2810888558643546cb041170fb9b828787ee84cdd0
              • Instruction ID: 411cfda1a476ea32b287620aec0c69a5f2819c01fcd8a437f465ece1c5d169ca
              • Opcode Fuzzy Hash: 44ffa0e3d0f2c0f457dbfa2810888558643546cb041170fb9b828787ee84cdd0
              • Instruction Fuzzy Hash: C0935E70E056288FCB29EF29D985A9DBBB1FB44705F0089EAD44CA3711DB346E88CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:16.9%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:6
              Total number of Limit Nodes:0
              execution_graph 10354 5154668 10355 5154686 10354->10355 10358 5153614 10355->10358 10357 51546bd 10359 5156188 LoadLibraryA 10358->10359 10361 5156264 10359->10361

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1753 515617c-5156186 1754 5156191-51561df 1753->1754 1755 5156188-515618e 1753->1755 1756 51561e1-51561eb 1754->1756 1757 5156218-5156262 LoadLibraryA 1754->1757 1755->1754 1756->1757 1758 51561ed-51561ef 1756->1758 1764 5156264-515626a 1757->1764 1765 515626b-515629c 1757->1765 1759 51561f1-51561fb 1758->1759 1760 5156212-5156215 1758->1760 1762 51561fd 1759->1762 1763 51561ff-515620e 1759->1763 1760->1757 1762->1763 1763->1763 1767 5156210 1763->1767 1764->1765 1768 51562ac 1765->1768 1769 515629e-51562a2 1765->1769 1767->1760 1772 51562ad 1768->1772 1769->1768 1771 51562a4 1769->1771 1771->1768 1772->1772
              APIs
              • LoadLibraryA.KERNELBASE(?), ref: 05156252
              Memory Dump Source
              • Source File: 00000006.00000002.680151771.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5150000_vbc.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: e66b57ad9aab910b2166cdcf176c0456827b3dd1b3b48fb69b16dd15cfdd9f16
              • Instruction ID: d6e22dfd42e223a8239cadcc03d0434f937c64a57507c5a737c6f308bd6fc9a5
              • Opcode Fuzzy Hash: e66b57ad9aab910b2166cdcf176c0456827b3dd1b3b48fb69b16dd15cfdd9f16
              • Instruction Fuzzy Hash: 843157B0D04259CFCF14CF98C88579EBBB1FB48324F548129E825A7340D7B59441CF95
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1773 5153614-51561df 1776 51561e1-51561eb 1773->1776 1777 5156218-5156262 LoadLibraryA 1773->1777 1776->1777 1778 51561ed-51561ef 1776->1778 1784 5156264-515626a 1777->1784 1785 515626b-515629c 1777->1785 1779 51561f1-51561fb 1778->1779 1780 5156212-5156215 1778->1780 1782 51561fd 1779->1782 1783 51561ff-515620e 1779->1783 1780->1777 1782->1783 1783->1783 1787 5156210 1783->1787 1784->1785 1788 51562ac 1785->1788 1789 515629e-51562a2 1785->1789 1787->1780 1792 51562ad 1788->1792 1789->1788 1791 51562a4 1789->1791 1791->1788 1792->1792
              APIs
              • LoadLibraryA.KERNELBASE(?), ref: 05156252
              Memory Dump Source
              • Source File: 00000006.00000002.680151771.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5150000_vbc.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 1a8b67bd3b05be6ac7d01533253238d67d8cd442f29a3f37da1b3f2108dc0c31
              • Instruction ID: 7e519e45a4ce7fa780cb96d406eeb07173bbd5c434a978852f067e803694059a
              • Opcode Fuzzy Hash: 1a8b67bd3b05be6ac7d01533253238d67d8cd442f29a3f37da1b3f2108dc0c31
              • Instruction Fuzzy Hash: 6D3145B0D04249DFDF14CFA9C8847AEBBB1BB48324F548529E826A7380D7B99845CF95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000006.00000002.679694969.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d4d000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d7aed2b38e4eb87691a5e50304542459aea490d894dd0969790cf2ce61141f3d
              • Instruction ID: c7c756858c3f8fa26f3e6d46f55a7121fad032f6d846ca748236341bbe751e43
              • Opcode Fuzzy Hash: d7aed2b38e4eb87691a5e50304542459aea490d894dd0969790cf2ce61141f3d
              • Instruction Fuzzy Hash: 6D2167B2604240DFDF01CF10C8C4F26BB62FB88324F28C569E9094B246C336E846CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000006.00000002.679694969.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d4d000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b3dd86551a4608f4c7aacce1c049637d15f3d559af6e7b7312d84a969f1dc449
              • Instruction ID: f609d85ff3ed1f1a8a002743b8ac3581cdd63533e4539673ee50cf40a18e7557
              • Opcode Fuzzy Hash: b3dd86551a4608f4c7aacce1c049637d15f3d559af6e7b7312d84a969f1dc449
              • Instruction Fuzzy Hash: 132137B1504240DFDF05DF14D9C4B27BFA6FB98328F288569E9094B246C736D845CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000006.00000002.679694969.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d4d000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction ID: b55c445e096e020eeb42c5351b4cef8160e0a01bc66376208f3c4a40a8319048
              • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction Fuzzy Hash: 3B11B176804280CFDF12CF14D9C4B16BF72FB85324F2886A9D8050B616C336D85ACBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000006.00000002.679694969.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_d4d000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction ID: a13f895af6c86c6c56def0667db54d2467467493519a41f455f70cd280eb4c4a
              • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction Fuzzy Hash: 6611B676504280DFDF16CF10D9C4B16BF72FB94324F28C6A9D8494B656C33AE85ACBA1
              Uniqueness

              Uniqueness Score: -1.00%
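              The function entries above all follow one fixed layout (dump source, snapshot file, Opcode ID, Instruction ID, fuzzy hashes, uniqueness score). The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that layout, ties each entry back to the process and region it was dumped from, and lists Opcode IDs that recur with different Instruction IDs, as the two hcaresult_6_2_d4d000_vbc entries directly above do. Its sample input is three entries copied from this listing and trimmed to the fields the parser reads. Reading Opcode ID as a hash over instruction mnemonics only and Instruction ID as a hash over full instructions (operands included) is this example's assumption; it is consistent with the listing but not stated by the report.

```python
import re
from collections import defaultdict

# Three entries copied from the report listing, trimmed to the fields the
# parser reads (the two d4d000/vbc entries share an Opcode ID).
SAMPLE_LISTING = """\
Memory Dump Source
• Source File: 00000000.00000002.448897771.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false
• Snapshot File: hcaresult_0_2_25a0000_ORDINE.jbxd
• Opcode ID: a52f58b12e8763bc5de55ebe42dd3c993b19a80d930e3f6b3880a612370e6f14
• Instruction ID: 1a54530c6308f668062832cfd55d5d7da87bf0ae7ccdae996245dc9e53f0fcbd
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.679694969.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
• Snapshot File: hcaresult_6_2_d4d000_vbc.jbxd
• Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
• Instruction ID: b55c445e096e020eeb42c5351b4cef8160e0a01bc66376208f3c4a40a8319048
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.679694969.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
• Snapshot File: hcaresult_6_2_d4d000_vbc.jbxd
• Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
• Instruction ID: a13f895af6c86c6c56def0667db54d2467467493519a41f455f70cd280eb4c4a
Uniqueness Score: -1.00%
"""

# "• Key: value" lines; the bullet is optional so plain "Key: value" also parses.
FIELD_RE = re.compile(r"^\s*•?\s*([A-Za-z ]+?):\s*(.*)$")
# hcaresult_<process index>_<run>_<base address>_<image name>.jbxd
SNAP_RE = re.compile(r"^hcaresult_(?P<proc>\d+)_(?P<run>\d+)_(?P<base>[0-9a-f]+)_(?P<image>.+)\.jbxd$")


def parse_listing(text):
    """Split the report text into one dict per function entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":        # every entry starts with this header
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # "<name>.sdmp, Offset: <hex>, based on PE: <bool>" carries three facts
            parts = [p.strip() for p in value.split(",")]
            current["sdmp"] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(":")
                current[k.strip()] = v.strip()
        else:
            current[key] = value
    return entries


def dump_region(entry):
    """(process index, image name, base address) of the region an entry came from.

    Read from the snapshot name and cross-checked against the first and fourth
    dot-separated fields of the .sdmp name, which carry the same process index
    and base address (that correspondence is visible in the listing itself).
    """
    snap = SNAP_RE.match(entry["Snapshot File"])
    fields = entry["sdmp"].split(".")
    proc, base = int(snap.group("proc")), int(snap.group("base"), 16)
    if int(fields[0], 16) != proc or int(fields[3], 16) != base:
        raise ValueError("snapshot and sdmp names disagree: %r" % entry["Snapshot File"])
    return proc, snap.group("image"), base


def non_pe_backed_regions(entries):
    """Distinct regions whose code is not backed by a PE image ("based on PE: false")."""
    return sorted({dump_region(e) for e in entries if e.get("based on PE") == "false"})


def shared_opcode_ids(entries):
    """Opcode IDs that occur more than once with distinct Instruction IDs.

    Assumption of this example: Opcode ID hashes mnemonics only, so two copies
    of one routine that differ only in operands share it while their
    Instruction IDs differ.
    """
    groups = defaultdict(list)
    for e in entries:
        if "Opcode ID" in e:
            groups[e["Opcode ID"]].append(e.get("Instruction ID"))
    return {oid: sorted(set(iids)) for oid, iids in groups.items()
            if len(iids) > 1 and len(set(iids)) > 1}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for region in non_pe_backed_regions(parsed):
        print("non-PE-backed code: process %d (%s) at 0x%x" % region)
    for oid, iids in shared_opcode_ids(parsed).items():
        print("Opcode ID %s... seen with %d Instruction IDs" % (oid[:12], len(iids)))
```

              Run against the full listing, `non_pe_backed_regions` gives the short list of dynamic code regions (ORDINE.exe at 025A0000, the vbc regions, the iexplore region) that deserve a dump-and-disassemble pass, and `shared_opcode_ids` groups the listing's near-duplicate routines so each is reviewed once.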

              Execution Graph

              Execution Coverage:30.4%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:45
              Total number of Limit Nodes:2
              execution_graph 11546 28ce800 11547 28ce820 11546->11547 11548 28ce910 11547->11548 11550 506aec8 11547->11550 11551 506af01 11550->11551 11584 28cf134 11551->11584 11588 28cf140 11551->11588 11552 506f2ae 11568 28cf508 SetThreadContext 11552->11568 11569 28cf510 SetThreadContext 11552->11569 11553 506f2f1 11580 28cf508 SetThreadContext 11553->11580 11581 28cf510 SetThreadContext 11553->11581 11554 506b4e6 11554->11552 11574 28cf5c8 ReadProcessMemory 11554->11574 11575 28cf5d0 ReadProcessMemory 11554->11575 11555 506c727 11566 28cf688 VirtualAllocEx 11555->11566 11567 28cf690 VirtualAllocEx 11555->11567 11556 506d6bf 11556->11552 11578 28cf738 WriteProcessMemory 11556->11578 11579 28cf731 WriteProcessMemory 11556->11579 11557 506d081 11557->11556 11570 28cf688 VirtualAllocEx 11557->11570 11571 28cf690 VirtualAllocEx 11557->11571 11558 506d6f9 11559 506e5ea 11558->11559 11572 28cf738 WriteProcessMemory 11558->11572 11573 28cf731 WriteProcessMemory 11558->11573 11582 28cf738 WriteProcessMemory 11559->11582 11583 28cf731 WriteProcessMemory 11559->11583 11560 506e9a2 11560->11552 11561 506ed8d 11560->11561 11561->11553 11562 506f164 11561->11562 11576 28cf808 ResumeThread 11562->11576 11577 28cf810 ResumeThread 11562->11577 11563 506f189 11563->11547 11566->11557 11567->11557 11568->11553 11569->11553 11570->11556 11571->11556 11572->11558 11573->11558 11574->11555 11575->11555 11576->11563 11577->11563 11578->11558 11579->11558 11580->11563 11581->11563 11582->11560 11583->11560 11586 28cf140 CreateProcessAsUserA 11584->11586 11587 28cf3e5 11586->11587 11590 28cf1cd CreateProcessAsUserA 11588->11590 11591 28cf3e5 11590->11591 11592 28ce7f2 11593 28ce820 11592->11593 11594 28ce910 11593->11594 11595 506aec8 12 API calls 11593->11595 11595->11593
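              The execution graph above resolves CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread from one dynamic code region: the primitive set of RunPE-style process hollowing, in which a new process is started, the payload is written into it, the thread context is repointed at the payload and the thread is resumed. The earlier execution graph on this page (the vbc region at 5150000) resolves only LoadLibraryA. The Python below is an added example, not code from the report: it pulls the API names out of an execution_graph line and checks them against that primitive set. The graph gives the set of calls, not a strict order, so the check is set-based. The two graph strings are abbreviated excerpts constructed from this page's graphs, and the Nt*/Zw* names are added from general knowledge so that a syscall-level trace also matches.

```python
import re

# Abbreviated excerpt of the injection-capable execution graph above; node and
# edge syntax kept, most nodes dropped. Constructed for this example.
GRAPH_WITH_INJECTION = (
    "execution_graph 11546 28ce800 11547 28ce820 11546->11547 "
    "11550 506aec8 11547->11550 11551 506af01 11550->11551 "
    "11586 28cf140 CreateProcessAsUserA 11584->11586 "
    "11574 28cf5c8 ReadProcessMemory 11554->11574 "
    "11566 28cf688 VirtualAllocEx 11555->11566 "
    "11578 28cf738 WriteProcessMemory 11556->11578 "
    "11568 28cf508 SetThreadContext 11552->11568 "
    "11576 28cf808 ResumeThread 11562->11576 "
    "11595 506aec8 12 API calls 11593->11595"
)
# The vbc-region execution graph on this page resolves only a library loader.
GRAPH_LOADER_ONLY = (
    "execution_graph 10354 5154668 10355 5154686 10354->10355 "
    "10358 5153614 10355->10358 10357 51546bd 10359 5156188 LoadLibraryA "
    "10358->10359 10361 5156264 10359->10361"
)

# "<node id> <hex address> [ApiName ...]"; edges ("a->b") and summary labels such
# as "12 API calls" do not match because they lack the hex-address token.
NODE_RE = re.compile(r"\b(\d+) ([0-9a-fA-F]{6,8})((?: [A-Za-z]\w*)*)")

# Primitive groups of the RunPE / process-hollowing pattern. The Win32 names
# are the ones in the graph above; the Nt*/Zw* variants are added here so a
# syscall-level trace also matches (general knowledge, not from the report).
HOLLOWING_STAGES = {
    "create_target":   {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                        "CreateProcessAsUserW", "CreateProcessInternalW"},
    "allocate_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"},
    "write_remote":    {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"},
    "redirect_entry":  {"SetThreadContext", "Wow64SetThreadContext",
                        "NtSetContextThread", "ZwSetContextThread"},
    "resume":          {"ResumeThread", "NtResumeThread", "ZwResumeThread"},
}
# Frequently present in hollowing code but not required for the verdict.
OPTIONAL_STAGES = {
    "read_remote":   {"ReadProcessMemory", "NtReadVirtualMemory", "ZwReadVirtualMemory"},
    "unmap_original": {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
}


def apis_in_execution_graph(graph):
    """API names attached to graph nodes, in order of first appearance."""
    seen, ordered = set(), []
    for _node, _addr, label in NODE_RE.findall(graph):
        for name in label.split():
            if name not in seen:
                seen.add(name)
                ordered.append(name)
    return ordered


def hollowing_indicators(apis):
    """Map each hollowing stage to the observed APIs that satisfy it."""
    observed = set(apis)
    stages = {s: sorted(observed & names) for s, names in HOLLOWING_STAGES.items()}
    optional = {s: sorted(observed & names) for s, names in OPTIONAL_STAGES.items()}
    return {
        "stages": stages,
        "optional": optional,
        "complete": all(stages.values()),          # every required stage has a hit
        "missing": [s for s, hits in stages.items() if not hits],
    }


if __name__ == "__main__":
    for name, graph in (("injection region", GRAPH_WITH_INJECTION),
                        ("vbc loader region", GRAPH_LOADER_ONLY)):
        verdict = hollowing_indicators(apis_in_execution_graph(graph))
        print("%s: hollowing primitives complete=%s missing=%s"
              % (name, verdict["complete"], verdict["missing"]))
```

              A complete hit means every stage is present, which is a far stronger signal than any single call: VirtualAllocEx and WriteProcessMemory alone also appear in legitimate debuggers and installers. The optional unmap stage is empty for this page's graph, so the verdict does not depend on it.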

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 2078 5075720-507578e 2083 5075794-5075839 2078->2083 2090 507583f-50759ca 2083->2090 2091 507a348-507a360 2083->2091 2090->2091 2115 50759d0-5075aa6 2090->2115 2094 507a2e2 2091->2094 2096 507a2e6-507a345 2094->2096 2097 507a2dc-507a2e0 2094->2097 2097->2094 2115->2091 2123 5075aac-5075ee8 2115->2123 2123->2091 2156 5075eee-5075fbd 2123->2156 2156->2091 2163 5075fc3-50763a0 2156->2163 2163->2091 2195 50763a6-5076488 2163->2195 2195->2091 2203 507648e-5076a67 2195->2203 2203->2091 2252 5076a6d-5076b7e 2203->2252 2252->2091 2262 5076b84-507709e 2252->2262 2262->2091 2305 50770a4-50770fd 2262->2305 2311 50770ff-507710b 2305->2311 2312 507714d-5077420 2305->2312 2313 5077115-507711b 2311->2313 2314 507710d-5077113 2311->2314 2341 5077426-507742f 2312->2341 2342 507786f-5077c6c 2312->2342 2315 5077125-507714a 2313->2315 2314->2315 2341->2091 2343 5077435-507744c 2341->2343 2342->2091 2422 5077c72-5078094 2342->2422 2346 50777d4-5077869 2343->2346 2347 5077452-5077524 2343->2347 2346->2341 2346->2342 2369 50775f1-507763f 2347->2369 2370 507752a-5077530 2347->2370 2382 5077641-507766f 2369->2382 2383 50776a0-50776c7 2369->2383 2370->2091 2371 5077536-50775eb 2370->2371 2371->2369 2371->2370 2382->2383 2388 5077671-507769e 2382->2388 2384 50776cd-50777cf 2383->2384 2384->2342 2388->2384 2458 5078153-507823a 2422->2458 2459 507809a-507814e 2422->2459 2472 5078240-5078346 2458->2472 2459->2472 2483 507834c-507855c 2472->2483 2484 5079608-5079795 2472->2484 2483->2091 2528 5078562-5078631 2483->2528 2484->2091 2511 507979b-50797c8 2484->2511 2511->2091 2513 50797ce-50798f0 2511->2513 2513->2091 2531 50798f6-5079b9c 2513->2531 2528->2091 2546 5078637-50786ca 2528->2546 2531->2091 2583 5079ba2-5079e0f 2531->2583 2558 50786cc-50786d2 2546->2558 2559 50786e8-50786f6 2546->2559 2558->2091 2560 50786d8-50786e6 2558->2560 2564 50786f8-5078706 2559->2564 2560->2564 2567 5079317-50794df 2564->2567 2568 507870c-5078715 2564->2568 2611 50794e1-5079602 2567->2611 2568->2567 2573 507871b-5078724 2568->2573 2573->2567 2579 507872a-50789b1 2573->2579 2579->2091 2649 50789b7-5078abe 2579->2649 2583->2091 2643 5079e15-507a093 2583->2643 2611->2483 2611->2484 2643->2091 2686 507a099-507a23b 2643->2686 2649->2091 2667 5078ac4-5078db2 2649->2667 2667->2091 2713 5078db8-5079069 2667->2713 2686->2091 2714 507a241-507a2d8 2686->2714 2713->2091 2740 507906f-5079308 2713->2740 2714->2097 2740->2091 2761 507930e-5079312 2740->2761 2761->2611
              Memory Dump Source
              • Source File: 0000000E.00000002.528345455.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_5070000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc9065daf784cbba02e65ded90096d14ae6affb9130ae0c1005a8d973ba60442
              • Instruction ID: 6e4f59c369663b7b3382a2a85efc84019b2b64110a76a319c94087b4b07c680f
              • Opcode Fuzzy Hash: cc9065daf784cbba02e65ded90096d14ae6affb9130ae0c1005a8d973ba60442
              • Instruction Fuzzy Hash: 8D932C70E041288FCB58EF28D98569DBBB2FF89305F0045EAD448A3751DB386E99CF59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 2762 5070040-50700ae 2767 50700b4-5070140 2762->2767 2773 5070146-507022f 2767->2773 2774 5074b1c-5074b89 2767->2774 2773->2774 2790 5070235-507031e 2773->2790 2777 5074bb1-5074bb2 2774->2777 2778 5074b8b-5074b8e 2774->2778 2779 5074bd0-5074bf5 2778->2779 2780 5074b90-5074bac 2778->2780 2780->2777 2790->2774 2798 5070324-50707ea 2790->2798 2798->2774 2837 50707f0-50708d0 2798->2837 2837->2774 2845 50708d6-5070dbf 2837->2845 2845->2774 2885 5070dc5-5070e8a 2845->2885 2885->2774 2892 5070e90-5071350 2885->2892 2892->2774 2931 5071356-5071455 2892->2931 2931->2774 2939 507145b-507195f 2931->2939 2939->2774 2983 5071965-50719be 2939->2983 2989 50719c0-50719cc 2983->2989 2990 5071a0e-5071c53 2983->2990 2991 50719d6-50719dc 2989->2991 2992 50719ce-50719d4 2989->2992 3013 50720c7-507251a 2990->3013 3014 5071c59-5071c62 2990->3014 2993 50719e6-5071a0b 2991->2993 2992->2993 3013->2774 3100 5072520-5072988 3013->3100 3014->2774 3015 5071c68-5071c7f 3014->3015 3018 5071c85-5071d71 3015->3018 3019 507202e-50720c1 3015->3019 3045 5071d77-5071d7d 3018->3045 3046 5071e40-5071e8e 3018->3046 3019->3013 3019->3014 3045->2774 3047 5071d83-5071e3a 3045->3047 3058 5071e90-5071ebe 3046->3058 3059 5071eef-5071f16 3046->3059 3047->3045 3047->3046 3058->3059 3064 5071ec0-5071eed 3058->3064 3060 5071f1c-5072029 3059->3060 3060->3013 3064->3060 3139 5072a45-5072afb 3100->3139 3140 507298e-5072a40 3100->3140 3153 5072b01-5072bff 3139->3153 3140->3153 3162 5073dd7-5073f5b 3153->3162 3163 5072c05-5072de8 3153->3163 3162->2774 3188 5073f61-5073f8e 3162->3188 3163->2774 3199 5072dee-5072ea9 3163->3199 3188->2774 3190 5073f94-5074097 3188->3190 3190->2774 3208 507409d-5074337 3190->3208 3199->2774 3215 5072eaf-5072f4a 3199->3215 3208->2774 3264 507433d-50745cc 3208->3264 3226 5072f4c-5072f52 3215->3226 3227 5072f68-5072f76 3215->3227 3226->2774 3229 5072f58-5072f66 3226->3229 3233 5072f78-5072f86 3227->3233 3229->3233 3237 5072f8c-5072f95 3233->3237 3238 5073ae8-5073c7a 3233->3238 3237->3238 3242 5072f9b-5072fa4 3237->3242 3277 5073c7c-5073dd1 3238->3277 3242->3238 3247 5072faa-5073252 3242->3247 3247->2774 3311 5073258-507332e 3247->3311 3264->2774 3324 50745d2-507484d 3264->3324 3277->3162 3277->3163 3311->2774 3327 5073334-50735cc 3311->3327 3324->2774 3364 5074853-50749f5 3324->3364 3327->2774 3369 50735d2-5073840 3327->3369 3364->2774 3392 50749fb-5074b19 3364->3392 3369->2774 3409 5073846-5073ad9 3369->3409 3409->2774 3433 5073adf-5073ae3 3409->3433 3433->3277
              Memory Dump Source
              • Source File: 0000000E.00000002.528345455.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_5070000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: decf11e5fd73aa96b9754c109d77f58a55e691fd426f4fe722f20111e218a200
              • Instruction ID: 196a793f4cd3921a7316c38422c1bdb99006148f20808f51653c1d60c6752bb7
              • Opcode Fuzzy Hash: decf11e5fd73aa96b9754c109d77f58a55e691fd426f4fe722f20111e218a200
              • Instruction Fuzzy Hash: 4F930970E042288FCB55EF28E98569CBBB2FF49205F4045EAD448A3751DF386E89CF59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              • Function entry 05095D40; basic blocks span 05095D40-0509A86A; calls a subroutine at 0509583C (rendered control-flow graph not reproduced; node list omitted)
              Memory Dump Source
              • Source File: 0000000E.00000002.528492296.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_5090000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3b271e4d1e19aa86f4812ae473ee9e939f6803f3e3f6ca235e7850521e1d3fe
              • Instruction ID: 89717c1a9ef21e79823510714b07f7ac8413b4c7e20fce8f8483454b07486fcc
              • Opcode Fuzzy Hash: f3b271e4d1e19aa86f4812ae473ee9e939f6803f3e3f6ca235e7850521e1d3fe
              • Instruction Fuzzy Hash: 7B936D70E142288FCB15EF28E98669CBBB2FB89311F0085E9D44CA3755DB385E89CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528492296.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_5090000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef21b918565216674ce1ea3cd385a9561d78e9731df5bd3cb709bdc7856aca90
              • Instruction ID: 97a2c260c4f1102d1d5ec32293ed0fe259bba67ce08a14665e5089b719c623e7
              • Opcode Fuzzy Hash: ef21b918565216674ce1ea3cd385a9561d78e9731df5bd3cb709bdc7856aca90
              • Instruction Fuzzy Hash: 58E20970E142288FCB19EF29D98A69CBBB2FB49310F0085E9D44CA3755DB346E89CF55
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              • Function entry 04F90398; basic blocks span 04F90398-04F903FB (rendered control-flow graph not reproduced; node list omitted)
              Strings
              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID: xql$xql
              • API String ID: 0-2396326202
              • Opcode ID: 612d395b37262e13ff63f0a30964d6ebc70fb4ce66c0480977451482588a65ce
              • Instruction ID: 526b3bd57214da26be688594ccae87da04b3219a2ac6e8b6dd4589d910d1c400
              • Opcode Fuzzy Hash: 612d395b37262e13ff63f0a30964d6ebc70fb4ce66c0480977451482588a65ce
              • Instruction Fuzzy Hash: FAF09032F0D2519FEB27062C5815A2A77E20BA6514F2E81BBC181CBB66DD758C47C3A2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              • Function entry 04F90250; basic blocks span 04F90250-04F902B3 (rendered control-flow graph not reproduced; node list omitted)
              Strings
              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID: xql$xql
              • API String ID: 0-2396326202
              • Opcode ID: 14fec1085abb0ddb2ba52b8da70f3c10b92e64d0f63f873c9dae2d9b9e3bbd75
              • Instruction ID: 68d9edcb45985c9622b5bb63cb0d5434e458b50000ab64447d1f795b6780a20e
              • Opcode Fuzzy Hash: 14fec1085abb0ddb2ba52b8da70f3c10b92e64d0f63f873c9dae2d9b9e3bbd75
              • Instruction Fuzzy Hash: E3F0E923F0C7514FEBAE016C5D2156A77E28FC752472E42BBC441CBB56ED215C478392
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              • Function entry 028CF134; basic blocks span 028CF134-028CF4CD; calls CreateProcessAsUserA in block 028CF329-028CF3E3 (rendered control-flow graph not reproduced; node list omitted)
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 028CF3D0
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: 04806d0d801466eb25b2b00833ae0358320e109526a1bbdbb8ba3392309918ce
              • Instruction ID: 710ef2ae2a69d521de8cfc6fc5d23bbe12d49d6402c976f43a18e63d9f5790b2
              • Opcode Fuzzy Hash: 04806d0d801466eb25b2b00833ae0358320e109526a1bbdbb8ba3392309918ce
              • Instruction Fuzzy Hash: 16A17A79E002199FEB10CF68C8817DDBBB2FF58318F14816AE918E7690D7749985CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              • Function entry 028CF140; basic blocks span 028CF140-028CF4CD; calls CreateProcessAsUserA in block 028CF329-028CF3E3 (rendered control-flow graph not reproduced; node list omitted)
              APIs
              • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 028CF3D0
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: CreateProcessUser
              • String ID:
              • API String ID: 2217836671-0
              • Opcode ID: 2bfc59c6fb2adc0de301dc045c745b27920ad2dc489f261b98259ba5fc434ab8
              • Instruction ID: b2f5b458c000d7b5e912c44aca43e1be2edbfd3f1ed587f3b4e20b8166987c65
              • Opcode Fuzzy Hash: 2bfc59c6fb2adc0de301dc045c745b27920ad2dc489f261b98259ba5fc434ab8
              • Instruction Fuzzy Hash: 9EA16A79E002199FEB10CF68C8817DEBBB2FF48318F14816AE918E7690D7749985CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              • Function entry 028CF731; basic blocks span 028CF731-028CF7FC; calls WriteProcessMemory in block 028CF799-028CF7D2 (rendered control-flow graph not reproduced; node list omitted)
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028CF7C5
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 5ff62a81e235348c92bb445e3762bf098f0d845f2fda7ff7f68dd22caa06f2f3
              • Instruction ID: a0180c756f3d31ddbfe7752cf57d5155d45e2ed8b90fd447da50319189e4c57a
              • Opcode Fuzzy Hash: 5ff62a81e235348c92bb445e3762bf098f0d845f2fda7ff7f68dd22caa06f2f3
              • Instruction Fuzzy Hash: DD2114B5900259DFDB10CF9AD884BDEBBF4FB48324F10842AE918E7640D778A955CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028CF7C5
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 91d93c021386195ffed28d8879ac6ef35ab7a6232a52b533e0b358fca8a48a5b
              • Instruction ID: 9ef9509db4760ea9c4d2930a44587cf4c68a6bafdccc139e215b971c83b0ee7f
              • Opcode Fuzzy Hash: 91d93c021386195ffed28d8879ac6ef35ab7a6232a52b533e0b358fca8a48a5b
              • Instruction Fuzzy Hash: 272125B5900259DFDB10CF9AC884BDEBBF4FB48324F10842AE918E3640D778A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 028CF587
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: e88b084b388ede754e5697e8e82bb41981eceea43cebea5c084d8f7ce0ef4bc3
              • Instruction ID: 42521828962f1e7a19b1187f66005c5fcd0ae5284bad523e2f6b3d02d0c40f07
              • Opcode Fuzzy Hash: e88b084b388ede754e5697e8e82bb41981eceea43cebea5c084d8f7ce0ef4bc3
              • Instruction Fuzzy Hash: A52156B5D002199FDB10CF9AC884BDEFBF4FB08224F10812AE518E3640D778AA45CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028CF646
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: f12cdd4403a1e4e8b90a1381d9457421835205f2f518681bf9806e19de828f1d
              • Instruction ID: a40543f998801be94064aa1b897514f3861d615f34a52407db4d32850f544229
              • Opcode Fuzzy Hash: f12cdd4403a1e4e8b90a1381d9457421835205f2f518681bf9806e19de828f1d
              • Instruction Fuzzy Hash: BD2127B59002599FCB10DF9AC584BDEBBF4FB48324F10842AE518E7251D3789645CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetThreadContext.KERNELBASE(?,00000000), ref: 028CF587
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: ContextThread
              • String ID:
              • API String ID: 1591575202-0
              • Opcode ID: f4731f15da0cacddcd1f46e77adf99b67100e2a7bc11b70f2768962463d4ccd2
              • Instruction ID: a5b7d1fdf4d813d7077b48637be55291dd03af0f4068d55010b8de7f0a3b511e
              • Opcode Fuzzy Hash: f4731f15da0cacddcd1f46e77adf99b67100e2a7bc11b70f2768962463d4ccd2
              • Instruction Fuzzy Hash: 1E2136B5D002199FDB10CF9AC984BDEFBF4FB48224F54812AE518E3640D778A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028CF646
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 69b02db60425da78afa3be523a1946e42504ea249cf1571424f5729a2dda5e40
              • Instruction ID: 3555b9fc96cd276b092fb687214fd10efdd10a3dfd1795075bcf49b4afc05c26
              • Opcode Fuzzy Hash: 69b02db60425da78afa3be523a1946e42504ea249cf1571424f5729a2dda5e40
              • Instruction Fuzzy Hash: 812117B59002499FDB10DF9AC984BDFFBF4FB48324F14842AE918A3251D378A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028CF6FB
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: f2aad7f3ed0122c35c8b1ecaabeac44db5e9637f62377f71eb32910f1ace0c80
              • Instruction ID: 2760014d034ea96d4f794d16f23fe5482c6df8c6f7e2b5265b79cf11961315d7
              • Opcode Fuzzy Hash: f2aad7f3ed0122c35c8b1ecaabeac44db5e9637f62377f71eb32910f1ace0c80
              • Instruction Fuzzy Hash: E61116B5900259DFCB10CF99D884BDEBBF4FB48324F208419E528A7650C375A554CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028CF6FB
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: a3188b3c5a760e3b2f65f32f8dc788348dd695fca754c5104b4b618528e7f024
              • Instruction ID: 991e0f89d9cc40d55538f109ecd3187bbd4c4cd13e96daf0a642a883e5b6835d
              • Opcode Fuzzy Hash: a3188b3c5a760e3b2f65f32f8dc788348dd695fca754c5104b4b618528e7f024
              • Instruction Fuzzy Hash: 121125B59002499FCB10CF9AD884BDFBBF4FB48324F20841AE528A7250C375A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 801a0e0257a4b1e927e08195714bd468515ca3f804737a3952322d057552a0c3
              • Instruction ID: a83a98037a990c82b4746104dbfac2832973fee0c696c5a01a42dc0e153c1be0
              • Opcode Fuzzy Hash: 801a0e0257a4b1e927e08195714bd468515ca3f804737a3952322d057552a0c3
              • Instruction Fuzzy Hash: E71133B58002498FDB10DF99C848BDEBBF4EB48328F20841AD518A7640C378A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 0000000E.00000002.521817889.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_28c0000_iexplore.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 74d58f288e4b677212db18bb1b74ef315f67aafeab811885de42375fa083bc69
              • Instruction ID: 734146f28e5fd267b6902828761dd474e23fd3fc04fce19f3f534caf1e460e8f
              • Opcode Fuzzy Hash: 74d58f288e4b677212db18bb1b74ef315f67aafeab811885de42375fa083bc69
              • Instruction Fuzzy Hash: AB1112B59002498FDB20CF9AD588BDEFBF4EB48328F20841AD518A7640C778A944CFA1
              Uniqueness

              Uniqueness Score: -1.00%
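
              The function entries for the region at 028C0000 in process 14 (iexplore) list, across separate small wrapper functions, the primitives of a RunPE / process-hollowing injector: CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread, all in memory that is not backed by a PE image on disk ("based on PE: false"). The Python below is an added example, not code from Joe Sandbox or from the sample. It parses API and dump-source lines in the format this report prints, groups call sites by memory region, and flags a region as a hollowing candidate when it is unbacked and carries a process-creation API together with VirtualAllocEx, WriteProcessMemory and SetThreadContext. The primitive sets, the Region/assess/flagged_regions names and the sample lines (constructed from the entries above) are this example's assumptions.

```python
"""Flag process-hollowing primitives in Joe Sandbox function entries.

Added example for this report (not Joe Sandbox code, not the sample's code).
It parses the "APIs" and "Memory Dump Source" lines in the format the report
prints, groups call sites by region, and flags an unbacked region that holds
the core RunPE / process-hollowing primitives (sets assumed by this example).
"""
import re
from dataclasses import dataclass, field

# "• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028CF7C5"
API_RE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
                    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• Source File: ....sdmp, Offset: 028C0000, based on PE: false"
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")

# Assumed primitive sets (general hollowing knowledge, not stated by the report).
PROCESS_CREATE = {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                  "CreateProcessAsUserW", "CreateProcessInternalW"}
CORE = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext"}
SUPPORTING = {"GetThreadContext", "ReadProcessMemory", "ResumeThread"}


@dataclass
class Region:
    offset: str
    pe_backed: bool
    calls: set = field(default_factory=set)   # {(api, module, ref)}

    @property
    def apis(self) -> set:
        return {api for api, _module, _ref in self.calls}


def parse_report(text: str) -> dict:
    """Return {offset: Region}. In the report, API lines precede the dump-source
    line they belong to, so they are buffered until a 'Source File' line arrives.
    Duplicated function entries (same api/ref) collapse into one call site."""
    regions, pending = {}, []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending.append((m["api"], m["module"], m["ref"].upper()))
            continue
        m = SRC_RE.search(line)
        if m:
            off = m["offset"].upper()
            region = regions.setdefault(off, Region(off, m["pe"] == "true"))
            region.calls.update(pending)
            pending = []
    return regions


def assess(region: Region) -> dict:
    """Classify one region. The refs are addresses of the wrapper functions in
    the dump, not an execution trace, so the check is on the set of primitives
    present, not on their order."""
    apis = region.apis
    creates = apis & PROCESS_CREATE
    missing_core = CORE - apis
    return {
        "offset": region.offset,
        "pe_backed": region.pe_backed,
        "process_create": sorted(creates),
        "missing_core": sorted(missing_core),
        "supporting": sorted(apis & SUPPORTING),
        "hollowing_candidate": (not region.pe_backed) and bool(creates) and not missing_core,
    }


def flagged_regions(text: str) -> list:
    """Offsets of regions that look like an in-memory hollowing stub."""
    return sorted(off for off, r in parse_report(text).items()
                  if assess(r)["hollowing_candidate"])


# Constructed input: the API and dump-source lines of the 028C0000 function
# entries above (one duplicated WriteProcessMemory entry kept, section headers
# omitted) plus the 04F90000 region, which lists no API calls.
_SRC_28C = ("• Source File: 0000000E.00000002.521817889.00000000028C0000.00000040."
            "00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false")
SAMPLE_REPORT = "\n".join([
    "• CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 028CF3D0", _SRC_28C,
    "• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028CF7C5", _SRC_28C,
    "• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028CF7C5", _SRC_28C,
    "• SetThreadContext.KERNELBASE(?,00000000), ref: 028CF587", _SRC_28C,
    "• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028CF646", _SRC_28C,
    "• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028CF6FB", _SRC_28C,
    "• Source File: 0000000E.00000002.528038649.0000000004F90000.00000040."
    "00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false",
])

if __name__ == "__main__":
    for region in parse_report(SAMPLE_REPORT).values():
        print(assess(region))
```

              ResumeThread is kept in the supporting set rather than the core set because the report lists it only by API ID, without a call reference, so a set-based check that required it would miss this very sample. The duplicated WriteProcessMemory entry collapses to one call site, which is why the 028C0000 region ends up with five distinct call sites.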

              Strings
              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID: xql
              • API String ID: 0-109062218
              • Opcode ID: c27baa7d4fe15385a7298734984d74949589639bcd026ffb3f0c74b6e1f768dc
              • Instruction ID: 9c6c5dcad15dd6b3c1a02ac026d943e5855c0cd9a20f5f81fc43a60f0f1e4efd
              • Opcode Fuzzy Hash: c27baa7d4fe15385a7298734984d74949589639bcd026ffb3f0c74b6e1f768dc
              • Instruction Fuzzy Hash: 98210A74B083808FDB52CB78C85456E7FF1AF4A214F1905EAC141DB762CB349C05C7A2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 96e30ca9342de4c6a060ff20c2ad5f4ffb455e7de875ca22e3c476e299319b19
              • Instruction ID: b1d056f8e374bdd582feae15fcdd1acd8ef994a73504f1e18faf545f85af0236
              • Opcode Fuzzy Hash: 96e30ca9342de4c6a060ff20c2ad5f4ffb455e7de875ca22e3c476e299319b19
              • Instruction Fuzzy Hash: 7E210732B08216AFEF218E858942B6F7396EB94714F188029FE155B740CF31ED1297A2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.513781503.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_ead000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f9e933f4fd19cb307b457ea248e44fa8f3ea534417c71d9d1c2cf5adf4d51c5
              • Instruction ID: 6e2b86bd741b1922f898221d41f5dc757ac03935a4678b641b45e3d4bc226b58
              • Opcode Fuzzy Hash: 5f9e933f4fd19cb307b457ea248e44fa8f3ea534417c71d9d1c2cf5adf4d51c5
              • Instruction Fuzzy Hash: 1C2121B1508204DFDB00DF10CDC0B66BB61FB9C328F24C569E90A5FA46C33AF806CAA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8375f9dbbbc733fb9d5148dc8841a54570ff4094885a8a084994292b94dbb9f0
              • Instruction ID: d9f68a4151bda42c9e690902bf1439d4f7edf2325b1ea4177d9ced778d634d0d
              • Opcode Fuzzy Hash: 8375f9dbbbc733fb9d5148dc8841a54570ff4094885a8a084994292b94dbb9f0
              • Instruction Fuzzy Hash: 11210832A08395AFFF224E048842BAB7BB2EF51314F14805AF91547192DB31AD17D792
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0c7743823f9bbe7c752b5a135699cd05e2410b503e1fd31fd4b64b6fc3d5f4b4
              • Instruction ID: ec9b2ca954ce3de4a48bb37a74e9bb3ded449b43f0855bdf24f01dd67ef2e47a
              • Opcode Fuzzy Hash: 0c7743823f9bbe7c752b5a135699cd05e2410b503e1fd31fd4b64b6fc3d5f4b4
              • Instruction Fuzzy Hash: 5821E771B042958FCB21DB68C8556AEBFF5EF8A310F0401AAE445DB752CB71ED05CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d49974ee5e183173b7ce395e5099a6b21413b8819e74fb5a72210b19a5ccaa0
              • Instruction ID: cd9b579babc349887243d18dce61cdd8e14803b02620de35cbf6514b35296a1a
              • Opcode Fuzzy Hash: 4d49974ee5e183173b7ce395e5099a6b21413b8819e74fb5a72210b19a5ccaa0
              • Instruction Fuzzy Hash: A111B471B042558FCB20DBA9C85566EBBF5EF89210F04016AD909EB751DF70ED058B92
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e882bfc4ed305890a4103aa10cacfeabe966ec8dc465eca356db72e7dee8e6b4
              • Instruction ID: 6dd06dd3636101dac8de0b94f56aa867a12ce3dbcca90f34655131c4f45b9c2d
              • Opcode Fuzzy Hash: e882bfc4ed305890a4103aa10cacfeabe966ec8dc465eca356db72e7dee8e6b4
              • Instruction Fuzzy Hash: FB010432B0C2504FAB194E6A186145BB7D7ABD522835E41BB9909CB316DF30DC078392
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.513781503.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_ead000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction ID: 7eb8b4c0a8161b00f0b9dfbec3c6ae5536c7d379afc9ab53d7ff2afe710e5f1c
              • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
              • Instruction Fuzzy Hash: 6711B476404280DFDB11CF10D9C4B56BF71FB99324F24C5A9D8095B616C336E856CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f56f834df1f77bd51ee0f43bf1ef3033bf85915c4cb841f20a193ba1ff0226a9
              • Instruction ID: 165de22538df50a1932cce38d39b29d1223468bde91ac4346c53e2479acc7c66
              • Opcode Fuzzy Hash: f56f834df1f77bd51ee0f43bf1ef3033bf85915c4cb841f20a193ba1ff0226a9
              • Instruction Fuzzy Hash: FAF0C872B0D2904FDB164668586142A7FE6ABC612430D41FFD545CB352DE259C0683A7
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c1df996d3009688474deeae9d49b660d75c166b5e9ba071962c42c83ec9bdf1
              • Instruction ID: a1fd41e39d4404264d17aea08f59f0bb978d99f808fb86a298278f32ff38ee3b
              • Opcode Fuzzy Hash: 4c1df996d3009688474deeae9d49b660d75c166b5e9ba071962c42c83ec9bdf1
              • Instruction Fuzzy Hash: E0F02131F041006FEB34490D8922B2B72D75FD5624F2D8036E9018F754DD71DC4287D2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 062d8e198d19a3aa64e272bedddc69aca6746970b55d0be61ca357bc7561d5b6
              • Instruction ID: a6c33da2fd7d131afd09f282e04c363a75b1e5e0f589623197b0e0d593ce383d
              • Opcode Fuzzy Hash: 062d8e198d19a3aa64e272bedddc69aca6746970b55d0be61ca357bc7561d5b6
              • Instruction Fuzzy Hash: DFF02422F082035BFB6901091A201AA77EA5BC261034E427B8809D7347D9205C838782
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c81d208b6d9375bb3ebd9e8fd5d676c771eab80ff6245b62925618c55ef4d22
              • Instruction ID: 11ae6e955033120b2cc8fa7d401cb4e8dbba82943abd9f5f3f7a4495bba6b327
              • Opcode Fuzzy Hash: 3c81d208b6d9375bb3ebd9e8fd5d676c771eab80ff6245b62925618c55ef4d22
              • Instruction Fuzzy Hash: 1CF02736F040129F9F784A1E851441AB6EADFD563032DC037D9098B710CE71FC028792
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d6b9e43e4177650cbb26183789a900cd7e7b2a40962f714dc94b81a87c5001cb
              • Instruction ID: 2d8aae80a7ee14a1f76cb52998a532ca91280d115012c4f20b5715943e5f85dd
              • Opcode Fuzzy Hash: d6b9e43e4177650cbb26183789a900cd7e7b2a40962f714dc94b81a87c5001cb
              • Instruction Fuzzy Hash: 74F0E232B04200AFEB34490D8822F37B7E29FD0B20F24802AE9419B660DD71EC428A91
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2a4f61aa9a5908ca0006b0b2d686310590955633ad4f316647342a0371a3db1
              • Instruction ID: 2e94437d6b05a42df28736922c57f2112ae502785a5d2791e6bb891c385d42c7
              • Opcode Fuzzy Hash: f2a4f61aa9a5908ca0006b0b2d686310590955633ad4f316647342a0371a3db1
              • Instruction Fuzzy Hash: 78E0D836B044184F1B74852D952582BB2DB9FC91303258075D50DCB724EE31EC4287A3
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 894e66a4a6f7b930301cded0ba719f1c4bb65aebb3ea7abf649948e5cf205308
              • Instruction ID: 3025064887e50e63b2b9db82c1678ecf09153da9fb13e2d0a07f6ebf5a111325
              • Opcode Fuzzy Hash: 894e66a4a6f7b930301cded0ba719f1c4bb65aebb3ea7abf649948e5cf205308
              • Instruction Fuzzy Hash: BBE06D3AF045169FEF384A1E9010866BBE9DFD5630329816BD8098B620CE72AC429A41
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8ebdf28722bb973cebc97b70ba289df097d41a42bcf2e7d924a53deccbe71007
              • Instruction ID: 499df1f2bc939b6c7cda49a5d18d62a17e799dac6b45371fb6f59fa7cc9469e1
              • Opcode Fuzzy Hash: 8ebdf28722bb973cebc97b70ba289df097d41a42bcf2e7d924a53deccbe71007
              • Instruction Fuzzy Hash: 93E01225A0E3C25FFB1706310A720763BF52E8310530E40E784818BA63E92A9C4BE727
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13abbbf61a97121965c289e3c55b00aaedcc4ba8ccd562ec333ec0021fa5aba9
              • Instruction ID: 3806c363a93d21160e2ccea1c6a2351b0583ca3690378a21b8cc28896851d504
              • Opcode Fuzzy Hash: 13abbbf61a97121965c289e3c55b00aaedcc4ba8ccd562ec333ec0021fa5aba9
              • Instruction Fuzzy Hash: 44F0E524A4E3E18FDB17873448250667FB2AE8311431E81EBC0C1CF1A7DA298C4AC727
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8434e92008b5c8b16e61d7485ac8a5ebcd271c37662c14b1296303756d1a863a
              • Instruction ID: b0d9372eae9deb9ab16e9239db324c106383f1f9d744a66fca52bfba416c649f
              • Opcode Fuzzy Hash: 8434e92008b5c8b16e61d7485ac8a5ebcd271c37662c14b1296303756d1a863a
              • Instruction Fuzzy Hash: 94E04F30B0D3A24FFF1B0A2509211A63B72AA8310435E41F78081CF257E93D9C47CB53
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c0bb2cfda792c6e829c695193a019016a1b5f94efbe18a5ef3c8a00863f1e8d
              • Instruction ID: cf3f9a00d6f68bb1b7aa5a73cd9befebfc21a4fff84257937b8edc007ba0d79a
              • Opcode Fuzzy Hash: 6c0bb2cfda792c6e829c695193a019016a1b5f94efbe18a5ef3c8a00863f1e8d
              • Instruction Fuzzy Hash: 35E01A25A0E3D04FEF5B46340C250A63F72AE9310435E41EB84C1CE253E9295D47D723
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc8521b3d472fe1360477a7e3329900824114e0e986df8785fac48774d9a2b08
              • Instruction ID: a6ccdc12533aad609cfad31b8cdb0b7ee4810dd58492d2413b300d869323d866
              • Opcode Fuzzy Hash: bc8521b3d472fe1360477a7e3329900824114e0e986df8785fac48774d9a2b08
              • Instruction Fuzzy Hash: F7E04F2160E3C04FCB4B47305D754997FB1AE8320138E41EBC085CB2A3DD24484AD753
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92d358a18f862e41f2247e2320ed717827e3b3c1ac5a504b45df698f7d86a013
              • Instruction ID: 9d196d4312f385cd832dffdd7b612f0d6650ba712880ddb4c91719a5e0a55916
              • Opcode Fuzzy Hash: 92d358a18f862e41f2247e2320ed717827e3b3c1ac5a504b45df698f7d86a013
              • Instruction Fuzzy Hash: ADE0C231F045259F5B18DA4E8510456B7DAAFC912031890B5E90DCB732DF30EC024781
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2515e03639221c6ae0d09efb355aa8a297eb27c69f560d9f48acc5daac32629b
              • Instruction ID: ce01db3ab06e0bd4715f78c51e0b2ba1dfcb4dbe431ed9a627bac0a9deacd7b3
              • Opcode Fuzzy Hash: 2515e03639221c6ae0d09efb355aa8a297eb27c69f560d9f48acc5daac32629b
              • Instruction Fuzzy Hash: 00E04625A1E3E14EEF978B384C201697F725E9300434E42E7C0D1CE2A3D9294D8ACB23
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6be0552059c14b326111a59ef807a388af8b88013a413f4aaa44865c8120619b
              • Instruction ID: 4d51b8e8e4b9d3de024ed73bd3cd96d3b8802f7807f4e610cd731ffe1335aa95
              • Opcode Fuzzy Hash: 6be0552059c14b326111a59ef807a388af8b88013a413f4aaa44865c8120619b
              • Instruction Fuzzy Hash: F2D05E1624D3D00FD75363342C2A1992FA09A4714030A01EBD081EF2A3D4041D0B8763
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b27fb38c4d81191db5054870f358752f354fab3ca189063068ca588ef651f2f3
              • Instruction ID: 6511f48d5db26386b0c7cb264542666a3230fbe56ea2ec19c1bec07a2a5a7414
              • Opcode Fuzzy Hash: b27fb38c4d81191db5054870f358752f354fab3ca189063068ca588ef651f2f3
              • Instruction Fuzzy Hash: 8BD05E34F04509CF6B548A29C51182977E76FC51243184064D1068BB60EE30FC818A82
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fd7762a692d578838df675354233568aa03da62bde7182acbff0ca2407fdfde9
              • Instruction ID: 23d917d88445df4305c6905387185a16a458c21adfbdb5b867df16b6f2b10ec6
              • Opcode Fuzzy Hash: fd7762a692d578838df675354233568aa03da62bde7182acbff0ca2407fdfde9
              • Instruction Fuzzy Hash: 50D012A648E3C41FCB0347B02C6AAD83FB0EE37010F0E04DBD495CA0A3E089080BCB22
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000E.00000002.528038649.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_14_2_4f90000_iexplore.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b90244cfa0ae9a6261f1ef2a65e7b1bde1d0ac66831d971cc9aa2f889d52afaf
              • Instruction ID: 95c92dbf9ab58932405b79f4c23d07447f13a240c49579e8f5c02259b5153b0f
              • Opcode Fuzzy Hash: b90244cfa0ae9a6261f1ef2a65e7b1bde1d0ac66831d971cc9aa2f889d52afaf
              • Instruction Fuzzy Hash: 7990223000020C8FC20023823808308330CE200000F880802A00C800000A8020000082
              Uniqueness
              • Uniqueness Score: -1.00%