Edit tour

Windows Analysis Report
rordendecompra_.exe

Overview

General Information

Sample name:	rordendecompra_.exe
Analysis ID:	1590213
MD5:	038582cff59bd7c92aa1d71b8ac632c7
SHA1:	ff4bfdc38ab995019c8685ea4bc63951e5f370ee
SHA256:	9b688c5929cea65ae3f69a22b3780fa3f45b434fce94a9ccd39392b8dc7003b5
Tags:	AgentTeslaexeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rordendecompra_.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\rordendecompra_.exe" MD5: 038582CFF59BD7C92AA1D71B8AC632C7)

RegAsm.exe (PID: 7392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "=A+N^@~c]~#I"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4495787414.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rordendecompra_.exe PID: 7332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rordendecompra_.exe PID: 7332	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7392	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rordendecompra_.exe.3e90000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rordendecompra_.exe.3e90000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rordendecompra_.exe.3e90000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rordendecompra_.exe.3e90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34429:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34525:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34621:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34693:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34729:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347b9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rordendecompra_.exe.3e90000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31623:$s2: GetPrivateProfileString 0x30cdb:$s3: get_OSFullName 0x3234c:$s5: remove_Key 0x324e3:$s5: remove_Key 0x3347a:$s6: FtpWebRequest 0x3440b:$s7: logins 0x3497d:$s7: logins 0x376f6:$s7: logins 0x37740:$s7: logins 0x39095:$s7: logins 0x382da:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34429:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34525:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34621:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34693:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34729:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347b9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31623:$s2: GetPrivateProfileString 0x30cdb:$s3: get_OSFullName 0x3234c:$s5: remove_Key 0x324e3:$s5: remove_Key 0x3347a:$s6: FtpWebRequest 0x3440b:$s7: logins 0x3497d:$s7: logins 0x376f6:$s7: logins 0x37740:$s7: logins 0x39095:$s7: logins 0x382da:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "=A+N^@~c]~#I"}

Multi AV Scanner detection for submitted file

Source: rordendecompra_.exe

Virustotal: Detection: 38%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rordendecompra_.exe

Joe Sandbox ML: detected

Source: rordendecompra_.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: rordendecompra_.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: rordendecompra_.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: rordendecompra_.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: rordendecompra_.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: rordendecompra_.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: RegAsm.exe, 00000002.00000002.4495787414.0000000003096000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.000000000307C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: rordendecompra_.exe, 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.000000000307C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: rordendecompra_.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: RegAsm.exe, 00000002.00000002.4495787414.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.000000000307C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rordendecompra_.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: rordendecompra_.exe, 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: rordendecompra_.exe	String found in binary or memory: https://www.ssl.com/repository0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_17192F9B NtAllocateVirtualMemory,NtProtectVirtualMemory,KiUserExceptionDispatcher,ChrCmpIA,KiUserExceptionDispatcher,NtProtectVirtualMemory,	0_2_17192F9B
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02162BF2 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02162BF2
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02162BDE NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_02162BDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044383C NtDelayExecution,	2_2_0044383C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00446535 NtProtectVirtualMemory,	2_2_00446535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443274 NtCreateThreadEx,NtClose,	2_2_00443274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044637E NtAllocateVirtualMemory,	2_2_0044637E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445FC8 NtAllocateVirtualMemory,	2_2_00445FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044650C NtAllocateVirtualMemory,	2_2_0044650C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044659F NtProtectVirtualMemory,	2_2_0044659F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D5A638	2_2_02D5A638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D54A80	2_2_02D54A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D5D8B0	2_2_02D5D8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D59E80	2_2_02D59E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D53E68	2_2_02D53E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02D541B0	2_2_02D541B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_068322E8	2_2_068322E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06831140	2_2_06831140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06833A88	2_2_06833A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_068333A0	2_2_068333A0

Source: rordendecompra_.exe

Static PE information: invalid certificate

Source: rordendecompra_.exe, 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs rordendecompra_.exe
Source: rordendecompra_.exe, 00000000.00000002.2073379878.0000000003ECE000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename3905be8d-577f-496a-8d1a-8aa930b08db2.exe4 vs rordendecompra_.exe
Source: rordendecompra_.exe, 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3905be8d-577f-496a-8d1a-8aa930b08db2.exe4 vs rordendecompra_.exe
Source: rordendecompra_.exe, 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3905be8d-577f-496a-8d1a-8aa930b08db2.exe4 vs rordendecompra_.exe
Source: rordendecompra_.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exep vs rordendecompra_.exe

Source: rordendecompra_.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\rordendecompra_.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rordendecompra_.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.4495787414.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.00000000030C6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rordendecompra_.exe

Virustotal: Detection: 38%

Source: unknown	Process created: C:\Users\user\Desktop\rordendecompra_.exe "C:\Users\user\Desktop\rordendecompra_.exe"
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\rordendecompra_.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rordendecompra_.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rordendecompra_.exe

Static file information: File size 2562416 > 1048576

Source: rordendecompra_.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1fa000

Source: rordendecompra_.exe

Static PE information: real checksum: 0x277934 should be: 0x27a551

Source: rordendecompra_.exe

Static PE information: section name: XXZ

Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_16FC0C90 push dword ptr [edx-32004E4Eh]; retf	0_2_16FC0CAE
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02162A18 push 00000003h; retf	0_2_02162A1F
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02161EAB pushfd ; retf	0_2_02161EAC
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02161EFB push eax; retf	0_2_02161F09
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02163717 push cs; iretd	0_2_02163732
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02164F0A push FFFFFFF5h; ret	0_2_02164F0C
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_0216389B push edi; retf	0_2_021638A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443CFF push FFFFFFF5h; ret	2_2_00443D01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044250C push cs; iretd	2_2_00442527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004459C2 push ds; ret	2_2_004459D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445297 push esi; iretd	2_2_004452BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00442690 push edi; retf	2_2_0044269C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0683A7F4 pushad ; ret	2_2_0683BAFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06836C58 push eax; ret	2_2_06836E06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0683A762 pushad ; ret	2_2_0683A76A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0683D7B3 push ebp; ret	2_2_0683D7BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0683B708 push edi; ret	2_2_0683B716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0683B1A3 push edi; ret	2_2_0683B1AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0683B12C pushad ; ret	2_2_0683B13E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06839C80 push esi; ret	2_2_06839C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06837CCB pushad ; iretd	2_2_06837CE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06839846 push ebp; ret	2_2_06839847

Source: rordendecompra_.exe

Static PE information: section name: XXZ entropy: 7.941526526197675

Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rordendecompra_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rordendecompra_.exe, 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.0000000003096000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7400	Thread sleep count: 143 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7400	Thread sleep time: -143000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed

Source: RegAsm.exe, 00000002.00000002.4495787414.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegAsm.exe, 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000002.00000002.4497080441.000000000636E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_02D57068 CheckRemoteDebuggerPresent,

2_2_02D57068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_17193551 mov eax, dword ptr fs:[00000030h]	0_2_17193551
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02162BF2 mov eax, dword ptr fs:[00000030h]	0_2_02162BF2
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02166E72 mov eax, dword ptr fs:[00000030h]	0_2_02166E72
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02166EDA mov eax, dword ptr fs:[00000030h]	0_2_02166EDA
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_02167056 mov eax, dword ptr fs:[00000030h]	0_2_02167056
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_021675AA mov ecx, dword ptr fs:[00000030h]	0_2_021675AA
Source: C:\Users\user\Desktop\rordendecompra_.exe	Code function: 0_2_021631C3 mov eax, dword ptr fs:[00000030h]	0_2_021631C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445C67 mov eax, dword ptr fs:[00000030h]	2_2_00445C67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445CCF mov eax, dword ptr fs:[00000030h]	2_2_00445CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004460AA mov eax, dword ptr fs:[00000030h]	2_2_004460AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445D4B mov eax, dword ptr fs:[00000030h]	2_2_00445D4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445E4B mov eax, dword ptr fs:[00000030h]	2_2_00445E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445E56 mov eax, dword ptr fs:[00000030h]	2_2_00445E56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445F82 mov eax, dword ptr fs:[00000030h]	2_2_00445F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044639F mov ecx, dword ptr fs:[00000030h]	2_2_0044639F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445BAE mov eax, dword ptr fs:[00000030h]	2_2_00445BAE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rordendecompra_.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rordendecompra_.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EF9008

Jump to behavior

Source: C:\Users\user\Desktop\rordendecompra_.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rordendecompra_.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rordendecompra_.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7392, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4495787414.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rordendecompra_.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7392, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rordendecompra_.exe.3e90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rordendecompra_.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7392, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	25 Virtualization/Sandbox Evasion	LSASS Memory	25 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rordendecompra_.exe	39%	Virustotal		Browse
rordendecompra_.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	rordendecompra_.exe	false	high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	rordendecompra_.exe	false	high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	rordendecompra_.exe	false	high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	rordendecompra_.exe	false	high
https://account.dyn.com/	rordendecompra_.exe, 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, rordendecompra_.exe, 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	rordendecompra_.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.4495787414.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.000000000307C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ssl.com/repository0	rordendecompra_.exe	false	high
http://ocsps.ssl.com0?	rordendecompra_.exe	false	high
http://ip-api.com	RegAsm.exe, 00000002.00000002.4495787414.0000000003096000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4495787414.000000000307C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	rordendecompra_.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590213
Start date and time:	2025-01-13 18:31:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rordendecompra_.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 28 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.60, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ocsps.ssl.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:33:08	API Interceptor	116x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	findme.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	tasAgNgjbJ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=61439
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse	ip-api.com/json
	resembleC2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	F0DgoRk0p1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	fpY3HP2cnH.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	ip-api.com/json/
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	ip-api.com/line/?fields=hosting
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	findme.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	tasAgNgjbJ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse	208.95.112.1
	resembleC2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	F0DgoRk0p1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	fpY3HP2cnH.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	208.95.112.1
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	findme.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	tasAgNgjbJ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse	208.95.112.1
	resembleC2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	F0DgoRk0p1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	fpY3HP2cnH.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	208.95.112.1
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\rordendecompra_.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.033138363978891
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	rordendecompra_.exe
File size:	2'562'416 bytes
MD5:	038582cff59bd7c92aa1d71b8ac632c7
SHA1:	ff4bfdc38ab995019c8685ea4bc63951e5f370ee
SHA256:	9b688c5929cea65ae3f69a22b3780fa3f45b434fce94a9ccd39392b8dc7003b5
SHA512:	6e72be1e887a305ae4636b063b9438a0c0cfe667387a235960f57b0853973a23e426508aeef9adc6891e6536a1c3bf2c41b00961f6aad32e0eb2f2b7d2f82a33
SSDEEP:	49152:dbdYAm4zEbdYAm4zXbdYAm4zKbdYAm4zFbdYAm4zB3An3AI3AJ3Aa:ddrWdrrdrAdr1drlA3AaAtAa
TLSH:	FFC5BEE262828BD3DC3B1F32EA26857012323DCD55D89F7A73CD77284B7029A951E51E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.................p"..................."...............................'.....4y'....................................

File Icon


Icon Hash:	71e0d49292c07033

Static PE Info

General

Entrypoint:	0x16fa1218
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x16fa0000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x62C6B19B [Thu Jul 7 10:12:43 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c8ba23b6b87d52f10b27f48f2f6aa725

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/05/2023 05:36:55 24/04/2026 11:16:53
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.1.3.6.1.4.1.311.60.2.1.2=British Columbia, OID.2.5.4.15=Private Organization, CN=Shift Technologies Inc., SERIALNUMBER=BC1191266, O=Shift (Shift Technologies Inc.), L=Victoria, S=British Columbia, C=CA
Version:	3
Thumbprint MD5:	11C502D9A1CA5ABB3AA172147439527F
Thumbprint SHA-1:	355FEF4F77C8B4CEEABABACF91834240A8D76435
Thumbprint SHA-256:	74AB22CFEFD4D99509F937DD200C2734DB8BBC73EFE97F1805DC8148A7B2A231
Serial:	3A9AEC951A144C96B362584F2535C97A

Entrypoint Preview

Instruction
push 16FA549Ch
call 00007FCD21338A43h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, bl
sub ebp, dword ptr [edx+1EFC80AAh]
inc ebp
pushfd
aaa
arpl di, sp
adc al, byte ptr [edx+00000095h]
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+65h], dl
jc 00007FCD21338AB3h
pop edi
push edi
jbe 00007FCD21338AB4h
arpl word ptr [eax], ax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
pop es
push esi
fdivr st(0), st(2)
hlt
push ss
mov edx, 30BF4A44h
cmp dword ptr [ecx+7Dh], ebp
hlt
mov dh, byte ptr [esi]
mov bl, 87h
retn C45Ah
xor byte ptr [eax+ecx*2], bh
mov bh, D5h
inc esi
pop ss
adc byte ptr [ecx+4F3A10BAh], FFFFFFADh
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cdq
inc eax
add byte ptr [eax], al
cmp dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [esi+72h], ah
insd
push esp
imul esi, dword ptr [eax+00h], 0001190Dh
inc edx
add byte ptr [edx], ah
add byte ptr [ebx], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2283f8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22b000	0x45e8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x270000	0x1970
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x228000	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f9bf4	0x1fa000	43bb5eb3cfbcf35193298502f3545cd8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
XXZ	0x1fb000	0x2c3db	0x2d000	c3e2415ed4b5fee20661e25914a923db	False	0.9605685763888889	data	7.941526526197675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x228000	0xadc	0x1000	10639f55f3b72ae015a5a50b95a74c48	False	0.267578125	data	3.7971487415138774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x229000	0x1f1c	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22b000	0x45e8c	0x46000	462bfbf9b294c8b8417a34ead002731b	False	0.08893345424107142	data	3.7739678802887693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x22b178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.4574468085106383
RT_ICON	0x22b5e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.2568011257035647
RT_ICON	0x22c688	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.187448132780083
RT_ICON	0x22ec30	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0			0.07970381986566855
RT_GROUP_ICON	0x270c58	0x3e	data			0.7903225806451613
RT_VERSION	0x270c98	0x1f4	data	German	Germany	0.5

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, RtlMoveMemory, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaAryConstruct2, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, __vbaI2Var, _CIlog, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI2, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 18:32:01.856097937 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:32:01.860951900 CET	80	49708	208.95.112.1	192.168.2.5
Jan 13, 2025 18:32:01.861023903 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:32:01.862040043 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:32:01.866833925 CET	80	49708	208.95.112.1	192.168.2.5
Jan 13, 2025 18:32:02.348469973 CET	80	49708	208.95.112.1	192.168.2.5
Jan 13, 2025 18:32:02.392698050 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:32:41.441329002 CET	80	49708	208.95.112.1	192.168.2.5
Jan 13, 2025 18:32:41.441401005 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:33:42.363898993 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:33:42.673995018 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:33:43.283338070 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:33:44.486517906 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:33:46.892803907 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:33:51.705338001 CET	49708	80	192.168.2.5	208.95.112.1
Jan 13, 2025 18:34:01.314706087 CET	49708	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 18:32:01.842415094 CET	63868	53	192.168.2.5	1.1.1.1
Jan 13, 2025 18:32:01.850127935 CET	53	63868	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 18:32:01.842415094 CET	192.168.2.5	1.1.1.1	0x77a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 18:32:01.850127935 CET	1.1.1.1	192.168.2.5	0x77a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	208.95.112.1	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 18:32:01.862040043 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 13, 2025 18:32:02.348469973 CET	175	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 17:32:02 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	12:31:58
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\rordendecompra_.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rordendecompra_.exe"
Imagebase:	0x16fa0000
File size:	2'562'416 bytes
MD5 hash:	038582CFF59BD7C92AA1D71B8AC632C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2073379878.0000000003E92000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2057539008.0000000003D91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2071369397.0000000000633000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:31:59
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xc10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4494463965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4495787414.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	7.6%
Signature Coverage:	9.6%
Total number of Nodes:	301
Total number of Limit Nodes:	40

Executed Functions

Function 02162BF2 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02162DDE
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02162E0B
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02162FB6
NtGetContextThread.NTDLL(?,?), ref: 02162FD5
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02162FFB
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02163025
NtUnmapViewOfSection.NTDLL(?,?), ref: 02163040
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02163059
NtSetContextThread.NTDLL(?,00010003), ref: 0216308A
NtResumeThread.NTDLL(?,00000000), ref: 02163097

Strings

egas, xrefs: 02162F12
\Microsoft.NET\Framework\, xrefs: 02162F27
D, xrefs: 02162F91
e, xrefs: 02162F20
m.ex, xrefs: 02162F19

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 68b40c4fa309ddb6cc57953d8640641e8726fe68a9861ba6975aa42073485475
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 92E126B2D40259AFDF10DFA4CC88AEDBBB9FF04B08F1440AAE525A7201D7349A65CF50

Function 02162BDE Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 356
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02162DDE
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02162E0B

Strings

egas, xrefs: 02162F12
\Microsoft.NET\Framework\, xrefs: 02162F27
D, xrefs: 02162F91
e, xrefs: 02162F20
m.ex, xrefs: 02162F19

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: abf4be790fc250307d74c238f1d7acb35d85655ebd0ffe93a327740511ff9fb9
Instruction ID: 544e858f3b36a661e365923d2faa9eb30cf62968a9cbe25d80239a2869cc23a0
Opcode Fuzzy Hash: abf4be790fc250307d74c238f1d7acb35d85655ebd0ffe93a327740511ff9fb9
Instruction Fuzzy Hash: ACD115B1D40259AFDF10DFA4CC88AEDBBB9BF04B08F1440AAE525A7201D7349A65CF50

Function 17192F9B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,17191CFF,?,NtQueryInformationProcess,17191D19,?,NtQueryInformationProcess,17191CE8,NtQueryInformationProcess), ref: 17193032
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,171C83C8,?,NtQueryInformationProcess,17191CFF,?,NtQueryInformationProcess,17191D19,?,NtQueryInformationProcess,17191CE8,NtQueryInformationProcess,17191D8A), ref: 1719305D
NtProtectVirtualMemory.NTDLL(000000FF,1719A0EC,00000005,171C83C8,171C83C8,?,NtQueryInformationProcess,17191CFF,?,NtQueryInformationProcess,17191D19,?,NtQueryInformationProcess,17191CE8,NtQueryInformationProcess,17191D8A), ref: 17193159

Strings

NtQueryInformationProcess, xrefs: 17192FBD, 17192FD2, 17192FEA, 17193002

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: c411959945b7e4a2294a56ec54bf4f922ba086a6c1a013068697352c6a0b3833
Instruction ID: 899471189f07993440e1c0b784385a96dcf88e19714af70216d2ef69d845ecb8
Opcode Fuzzy Hash: c411959945b7e4a2294a56ec54bf4f922ba086a6c1a013068697352c6a0b3833
Instruction Fuzzy Hash: 6E51A37590025AAFDB01CFE8CD41ADEFBBAFB84310F54532AD110A7194D774A642CBA2

Function 17195E3A Relevance: 221.2, APIs: 120, Strings: 6, Instructions: 739
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006,?,?,?,1719A12C,?,?,?,00000000,Function_00001006,?,?,?,1719A0EC), ref: 17195E57
__vbaStrCat.MSVBVM60(16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C,?,?,?,00000000,Function_00001006), ref: 17195E73
__vbaStrMove.MSVBVM60(16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C,?,?,?,00000000,Function_00001006), ref: 17195E7D
__vbaStrCat.MSVBVM60(bvm,00000000,16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C), ref: 17195E88
__vbaStrMove.MSVBVM60(bvm,00000000,16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C), ref: 17195E92
__vbaStrCat.MSVBVM60(16FA7264,00000000,bvm,00000000,16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C), ref: 17195E9D
__vbaStrMove.MSVBVM60(16FA7264,00000000,bvm,00000000,16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C), ref: 17195EA7
#644.MSVBVM60(00000000,16FA7264,00000000,bvm,00000000,16FA724C,16FA7244,?,?,?,00000000,Function_00001006,?,?,?,1719A12C), ref: 17195EAD
GetModuleHandleW.KERNEL32(00000000,00000000,16FA7264,00000000,bvm,00000000,16FA724C,16FA7244,?,?,?,00000000,Function_00001006), ref: 17195EB3
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,00000000,16FA7264,00000000,bvm,00000000,16FA724C,16FA7244,?,?,?,00000000), ref: 17195ECB
__vbaStrCat.MSVBVM60(16FA727C,16FA7270), ref: 17195EDD
__vbaStrMove.MSVBVM60(16FA727C,16FA7270), ref: 17195EE7
__vbaStrCat.MSVBVM60(16FA7294,00000000,16FA727C,16FA7270), ref: 17195EF2
__vbaStrMove.MSVBVM60(16FA7294,00000000,16FA727C,16FA7270), ref: 17195EFC
__vbaStrCat.MSVBVM60(16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195F07
__vbaStrMove.MSVBVM60(16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195F11
__vbaStrCat.MSVBVM60(16FA72B8,00000000,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195F1C
__vbaChkstk.MSVBVM60 ref: 17195F2E

Part of subcall function 171999C2: __vbaChkstk.MSVBVM60(00000000,Function_00001006,00000000,16FA727C,16FA7270), ref: 171999DE
Part of subcall function 171999C2: __vbaVarDup.MSVBVM60(?,00000008,?,00000000,Function_00001006,00000000), ref: 171999F6
Part of subcall function 171999C2: #653.MSVBVM60(?,?,?,00000008,?,00000000,Function_00001006,00000000), ref: 17199A03
Part of subcall function 171999C2: __vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,00000000,Function_00001006,00000000), ref: 17199A0C
Part of subcall function 171999C2: __vbaFreeVar.MSVBVM60 ref: 17199A28
Part of subcall function 171999C2: #632.MSVBVM60(?,?,00000001,00000002), ref: 17199A6D
Part of subcall function 171999C2: __vbaVarCat.MSVBVM60(?,?,00000008,?,?,00000001,00000002), ref: 17199A7E
Part of subcall function 171999C2: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000008,?,?,00000001,00000002), ref: 17199A84
Part of subcall function 171999C2: __vbaStrMove.MSVBVM60(00000000,?,?,00000008,?,?,00000001,00000002), ref: 17199A8E
Part of subcall function 171999C2: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?,00000000,?,?,00000008,?,?,00000001,00000002), ref: 17199AA1
Part of subcall function 171999C2: __vbaFreeVar.MSVBVM60(17199AE4), ref: 17199ADE

__vbaStrMove.MSVBVM60 ref: 17195F46
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 17195F50
GetProcAddress.KERNEL32(00000000,?), ref: 17195F5C
__vbaFreeStrList.MSVBVM60(00000005,16FA72A8,00000000,16FA72B8,?,?,00000000,?,00000000), ref: 17195F7C
__vbaFreeVar.MSVBVM60(16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195F87
__vbaStrCat.MSVBVM60(16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195F96
__vbaStrMove.MSVBVM60(16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FA0
__vbaStrCat.MSVBVM60(e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FAB
__vbaStrMove.MSVBVM60(e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FB5
__vbaStrCat.MSVBVM60(%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FC0
__vbaStrMove.MSVBVM60(%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FCA
__vbaStrCat.MSVBVM60(e%l,00000000,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FD5
__vbaStrMove.MSVBVM60(e%l,00000000,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FDF
__vbaStrCat.MSVBVM60(%3%2,00000000,e%l,00000000,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FEA
__vbaStrMove.MSVBVM60(%3%2,00000000,e%l,00000000,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17195FF4
__vbaStrCat.MSVBVM60(16FA72D8,00000000,%3%2,00000000,e%l,00000000,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000), ref: 17195FFF
__vbaChkstk.MSVBVM60 ref: 17196011

Part of subcall function 171972F9: __vbaChkstk.MSVBVM60(?,Function_00001006,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17197315
Part of subcall function 171972F9: __vbaVarVargNofree.MSVBVM60(?,00000008,?,?,Function_00001006,00000000), ref: 1719732D
Part of subcall function 171972F9: __vbaStrVarVal.MSVBVM60(?,00000000,?,00000008,?,?,Function_00001006,00000000), ref: 17197337
Part of subcall function 171972F9: #644.MSVBVM60(00000000,?,00000000,?,00000008,?,?,Function_00001006,00000000), ref: 1719733D
Part of subcall function 171972F9: __vbaVarMove.MSVBVM60 ref: 17197352
Part of subcall function 171972F9: __vbaFreeStr.MSVBVM60 ref: 1719735A

__vbaI4Var.MSVBVM60(?,?,00000008), ref: 1719604B
GetModuleHandleW.KERNEL32(00000000,?,?,00000008), ref: 17196051
__vbaFreeStrList.MSVBVM60(00000005,16FA72A8,16FA72D0,16FA72D8,00000000,?,00000000,?,?,00000008), ref: 17196071
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 1719608D
__vbaStrCat.MSVBVM60(16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000), ref: 1719609F
__vbaStrMove.MSVBVM60(16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000), ref: 171960A9
__vbaStrCat.MSVBVM60(16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000), ref: 171960B4
__vbaStrMove.MSVBVM60(16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0,16FA72A8,00000000), ref: 171960BE
__vbaStrCat.MSVBVM60(16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0), ref: 171960C9
__vbaStrMove.MSVBVM60(16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000,16FA72D8,16FA72D0), ref: 171960D3
__vbaStrCat.MSVBVM60(16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000), ref: 171960DE
__vbaStrMove.MSVBVM60(16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000,e%r,00000000), ref: 171960E8
__vbaStrCat.MSVBVM60(16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000), ref: 171960F3
__vbaStrMove.MSVBVM60(16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314,?,?,?,?,%n%,00000000), ref: 171960FD
__vbaStrCat.MSVBVM60(16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314), ref: 17196108
__vbaStrMove.MSVBVM60(16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314), ref: 17196112
__vbaStrCat.MSVBVM60(16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314), ref: 1719611D
__vbaStrMove.MSVBVM60(16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314), ref: 17196127
__vbaStrCat.MSVBVM60(16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314), ref: 17196132
__vbaStrMove.MSVBVM60(16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000,16FA731C,16FA7314), ref: 1719613C
__vbaStrCat.MSVBVM60(16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000), ref: 17196147
__vbaStrMove.MSVBVM60(16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000,16FA7324,00000000), ref: 17196151
__vbaStrCat.MSVBVM60(16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000), ref: 1719615C
__vbaStrMove.MSVBVM60(16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000,16FA710C,00000000), ref: 17196166
__vbaStrCat.MSVBVM60(16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000), ref: 17196171
__vbaStrMove.MSVBVM60(16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000), ref: 1719617B
__vbaStrCat.MSVBVM60(16FA7144,00000000,16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000), ref: 17196186
__vbaStrMove.MSVBVM60(16FA7144,00000000,16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000), ref: 17196190
__vbaStrCat.MSVBVM60(16FA710C,00000000,16FA7144,00000000,16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000), ref: 1719619B
__vbaStrMove.MSVBVM60(16FA710C,00000000,16FA7144,00000000,16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000,16FA7124,00000000), ref: 171961A5
__vbaStrToAnsi.MSVBVM60(00000000,00000000,16FA710C,00000000,16FA7144,00000000,16FA713C,00000000,16FA710C,00000000,16FA7134,00000000,16FA7324,00000000,16FA712C,00000000), ref: 171961AF
GetProcAddress.KERNEL32(00000000,00000000), ref: 171961BB
__vbaFreeStrList.MSVBVM60(0000000E,16FA72A8,16FA72D0,16FA72D8,00000000,?,00000000,?,?,?,?,?,16FA7314,16FA731C,00000000,00000000), ref: 171961FF
__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,0000000F,00000000,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000,16FA7114,00000000), ref: 1719621A
__vbaNew.MSVBVM60(16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C,00000000,16FA7124,00000000,16FA711C,00000000), ref: 1719622C
__vbaObjSet.MSVBVM60(16FA7324,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C,00000000,16FA7124,00000000), ref: 17196236
__vbaCastObj.MSVBVM60(00000000,16FA7324,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C,00000000,16FA7124), ref: 1719623C
__vbaObjSet.MSVBVM60(00000000,00000000,00000000,16FA7324,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C), ref: 17196246
__vbaObjSetAddref.MSVBVM60(00000000,00000000,00000000,00000000,16FA7324,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000), ref: 17196252
__vbaFreeObjList.MSVBVM60(00000002,16FA7324,00000000,00000000,00000000,00000000,00000000,16FA7324,00000000,16FA7168,16FA7328), ref: 17196261
__vbaObjSetAddref.MSVBVM60(16FA7324,171C92D0,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C,00000000,16FA7124), ref: 17196274
#644.MSVBVM60(00000000,16FA7324,171C92D0,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C,00000000), ref: 1719627A
__vbaFreeObj.MSVBVM60(00000000,16FA7324,171C92D0,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C,00000000), ref: 17196285
#644.MSVBVM60(16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168,16FA7328,?,?,?,?,?,?,?,00000000,16FA712C), ref: 1719628E
__vbaAryLock.MSVBVM60(00000000,00000000,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 171962DE
#644.MSVBVM60(?,00000000,00000000,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 171962F6
__vbaAryUnlock.MSVBVM60(00000000,?,00000000,00000000,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 17196305
__vbaObjSetAddref.MSVBVM60(16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 1719632C
#644.MSVBVM60(00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 17196332
__vbaFreeObj.MSVBVM60(00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 1719633D
#644.MSVBVM60(171C92CC,00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 1719634B
__vbaAryLock.MSVBVM60(00000000,00000000,?,16FA7294,00000004,171C92CC,00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0), ref: 1719636D
#644.MSVBVM60(?,00000000,00000000,?,16FA7294,00000004,171C92CC,00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324), ref: 17196384
__vbaAryUnlock.MSVBVM60(00000000,?,00000000,00000000,?,16FA7294,00000004,171C92CC,00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294,00000000), ref: 17196393
#644.MSVBVM60(?,00000000,?,00000000,00000000,?,16FA7294,00000004,171C92CC,00000000,16FA7324,171C92D0,00000000,16FA7294,00000000,16FA7294), ref: 171963AB
__vbaRedim.MSVBVM60(00000080,00000004,171C9214,00000003,00000001,00000010,00000000,?,16FA7294,?,00000000,?,00000000,00000000,?,16FA7294), ref: 171963F0
#644.MSVBVM60(16FA7270,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 171963FC
#644.MSVBVM60(00000040,-0000000C,00000000,16FA7270,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 17196425
__vbaAryLock.MSVBVM60(00000000,?,-0000000C,00000040,-0000000C,00000000,16FA7270,00000000,16FA7294,00000000,16FA7294,00000000,16FA7324,171C92D0,00000000,16FA7168), ref: 17196459
__vbaStrCat.MSVBVM60(16FA7350,16FA7348,?,00000000,00000000,?,-0000000C,00000040,-0000000C,00000000,16FA7270,00000000,16FA7294,00000000,16FA7294,00000000), ref: 17196481
__vbaStrMove.MSVBVM60(16FA7350,16FA7348,?,00000000,00000000,?,-0000000C,00000040,-0000000C,00000000,16FA7270,00000000,16FA7294,00000000,16FA7294,00000000), ref: 1719648B
__vbaI4Str.MSVBVM60(00000000,16FA7350,16FA7348,?,00000000,00000000,?,-0000000C,00000040,-0000000C,00000000,16FA7270,00000000,16FA7294,00000000,16FA7294), ref: 17196491
VirtualProtect.KERNELBASE(00000000,00000000,00000000,16FA7350,16FA7348,?,00000000,00000000,?,-0000000C,00000040,-0000000C,00000000,16FA7270,00000000,16FA7294), ref: 171964A9
__vbaHresultCheckObj.MSVBVM60(00000000,171C92D0,16FA7328,0000002C), ref: 171964D1
__vbaAryUnlock.MSVBVM60(00000000), ref: 171964E9
__vbaFreeStr.MSVBVM60(00000000), ref: 171964F1
#644.MSVBVM60(16FA7270,00000000), ref: 171964FA
__vbaAryLock.MSVBVM60(00000000,00000000,00000000,-0000000C,16FA7270,00000000), ref: 17196564
#644.MSVBVM60(?,00000000,00000000,00000000,-0000000C,16FA7270,00000000), ref: 1719657C
__vbaAryUnlock.MSVBVM60(00000000,?,00000000,00000000,00000000,-0000000C,16FA7270,00000000), ref: 1719658B
#644.MSVBVM60(0424448B,00000000,00000000,-0000000C,16FA7270,00000000), ref: 171965B9
#644.MSVBVM60(408B008B,?,16FA7290,0424448B,00000000,00000000,-0000000C,16FA7270,00000000), ref: 171965E7
#644.MSVBVM60(20C4832C,?,16FA728C,408B008B,?,16FA7290,0424448B,00000000,00000000,-0000000C,16FA7270,00000000), ref: 17196615
#644.MSVBVM60(E02474FF,?,16FA7288,20C4832C,?,16FA728C,408B008B,?,16FA7290,0424448B,00000000,00000000,-0000000C,16FA7270,00000000), ref: 17196643
#644.MSVBVM60(0000E0FF,?,16FA7284,E02474FF,?,16FA7288,20C4832C,?,16FA728C,408B008B,?,16FA7290,0424448B,00000000,00000000,-0000000C), ref: 17196671
VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,00000000,?,16FA7280,0000E0FF,?,16FA7284,E02474FF), ref: 171966DD
__vbaHresultCheckObj.MSVBVM60(00000000,171C92D0,16FA7328,00000020), ref: 17196705
__vbaAryLock.MSVBVM60(00000000,00000000), ref: 17196760
#644.MSVBVM60(?,00000000,00000000), ref: 17196778
__vbaAryUnlock.MSVBVM60(00000000,?,00000000,00000000), ref: 17196787
#644.MSVBVM60(171C92CC,00000000), ref: 171967AD
#644.MSVBVM60(0000E0FF,16FA7294,171C92CC,00000000), ref: 171967CC
#644.MSVBVM60(00000000,00000000,0000E0FF,16FA7294,171C92CC,00000000), ref: 171967EC
__vbaFreeVar.MSVBVM60(00000000,-00000004,00000000,00000000,00000000,0000E0FF,16FA7294,171C92CC,00000000), ref: 1719680C
__vbaAryDestruct.MSVBVM60(00000000,00000000,1719689E,00000000,-00000004,00000000,00000000,00000000,0000E0FF,16FA7294,171C92CC,00000000), ref: 17196898

Strings

e%l, xrefs: 17195FD0
%n%, xrefs: 17195FBB
e%r, xrefs: 17195FA6
%3%2, xrefs: 17195FE5
bvm, xrefs: 17195E83
@, xrefs: 17196414

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$Move$#644$Free$List$ChkstkLockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestructNofreeVarg
String ID: %3%2$%n%$@$bvm$e%l$e%r
API String ID: 2498028126-645868286
Opcode ID: e2776fb98457be46fdc7b747b9a4618354c422bf207fe5efc05fb049c3858844
Instruction ID: d51c9d93b02eb97635e4af22cd336760aa6fd880357e2aac79f75c03e4c1e928
Opcode Fuzzy Hash: e2776fb98457be46fdc7b747b9a4618354c422bf207fe5efc05fb049c3858844
Instruction Fuzzy Hash: 65520ABAD00218AEDB10DBE4CC45FFEB7BEAF14345F5180A5E505A7290DA34BA49CF61

Function 17197886 Relevance: 154.0, APIs: 102, Instructions: 964
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4,171C92C4), ref: 171978A3
__vbaObjSetAddref.MSVBVM60(1719A0EC,?,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4,171C92C4), ref: 171978BC
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 171978F3
__vbaObjSetAddref.MSVBVM60(?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4,171C92C4), ref: 1719791E

Part of subcall function 1719911C: __vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17199138
Part of subcall function 1719911C: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,Function_00001006), ref: 17199151
Part of subcall function 1719911C: __vbaVarMove.MSVBVM60 ref: 17199175
Part of subcall function 1719911C: __vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 171991A7
Part of subcall function 1719911C: __vbaVarCmpGt.MSVBVM60(?,171C92BC,00008003,0000000B), ref: 171991F3
Part of subcall function 1719911C: __vbaVarOr.MSVBVM60(?,00000000,?,171C92BC,00008003,0000000B), ref: 171991FD
Part of subcall function 1719911C: __vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,171C92BC,00008003,0000000B), ref: 17199203
Part of subcall function 1719911C: __vbaFreeVar.MSVBVM60(00000000,?,00000000,?,171C92BC,00008003,0000000B), ref: 1719920F
Part of subcall function 1719911C: __vbaFreeObj.MSVBVM60(17199306,171C9220,00000040,?), ref: 17199300

__vbaStrVarMove.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 17197931
__vbaStrMove.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 1719793B
__vbaStrCopy.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 17197948
__vbaFreeStr.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 17197950
__vbaFreeObj.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 17197958
__vbaFreeVar.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 17197960
__vbaObjSetAddref.MSVBVM60(?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C), ref: 1719796C

Part of subcall function 1719911C: __vbaRedim.MSVBVM60(00000080,00000001,171C9220,00000011,00000001,-00000001,00000000,00000000,?,00000000,?,171C92BC,00008003,0000000B), ref: 17199238
Part of subcall function 1719911C: __vbaAryLock.MSVBVM60(?), ref: 1719924A
Part of subcall function 1719911C: __vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 1719928A
Part of subcall function 1719911C: __vbaAryUnlock.MSVBVM60(?), ref: 171992A2
Part of subcall function 1719911C: __vbaVarMove.MSVBVM60(171C9220,00000040,?), ref: 171992C3

__vbaStrVarMove.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 1719797F
__vbaStrMove.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197989
__vbaStrCopy.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197996
__vbaFreeStr.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 1719799E
__vbaFreeObj.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 171979A6
__vbaFreeVar.MSVBVM60(?,?,00000000,?,1719A0EC,?,?,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 171979AE
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 171979E3
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 17197A27
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 17197A6B
__vbaObjSetAddref.MSVBVM60(?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4,171C92C4), ref: 17197A86
__vbaStrMove.MSVBVM60(00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4), ref: 17197A96
__vbaStrCopy.MSVBVM60(00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4), ref: 17197AA3
__vbaFreeStr.MSVBVM60(00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4), ref: 17197AAB
__vbaFreeObj.MSVBVM60(00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000,171C92F4), ref: 17197AB3
__vbaObjSetAddref.MSVBVM60(?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?), ref: 17197ABF
__vbaStrMove.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000), ref: 17197ACF
__vbaStrCopy.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000), ref: 17197ADC
__vbaFreeStr.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000), ref: 17197AE4
__vbaFreeObj.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000), ref: 17197AEC
__vbaObjSetAddref.MSVBVM60(?,1719A0EC,00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197AF8
__vbaStrMove.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197B08
__vbaStrCopy.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197B15
__vbaFreeStr.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197B1D
__vbaFreeObj.MSVBVM60(00000000,?,1719A0EC,00000000,?,1719A0EC,00000000,?,1719A0EC,?,?,?,00000000,Function_00001006), ref: 17197B25
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 17197B5A
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 17197B9E
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 17197BE2
__vbaHresultCheckObj.MSVBVM60(00000000,1719A0EC,16FA7B64,0000000C,?,?,?,00000000,Function_00001006,?,?,?,1719A24C,00000000,?,00000000), ref: 17197C23
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,17193DC6,00000000,?,?,?,00000000,Function_00001006,?,?,?,1719A24C), ref: 17197C4D
__vbaAryLock.MSVBVM60(?,?,?,17193DC7), ref: 17197C5C
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 17197C9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 17197D40
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0FFFFFFF,00000000), ref: 17197D81
__vbaAryLock.MSVBVM60(?,?), ref: 17197D90
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 17197DD0
__vbaAryUnlock.MSVBVM60(?), ref: 17197DE8
__vbaAryUnlock.MSVBVM60(?), ref: 17197CB4

Part of subcall function 171987CD: __vbaChkstk.MSVBVM60(?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 171987E8
Part of subcall function 171987CD: __vbaVarVargNofree.MSVBVM60(?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198800
Part of subcall function 171987CD: __vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198806
Part of subcall function 171987CD: __vbaStrMove.MSVBVM60(00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198810
Part of subcall function 171987CD: __vbaNew2.MSVBVM60(16FA56F4,00000000,00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198843
Part of subcall function 171987CD: __vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7384,0000001C,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF), ref: 17198885
Part of subcall function 171987CD: __vbaStrToAnsi.MSVBVM60(?,00000000,00000018,00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF), ref: 1719889E
Part of subcall function 171987CD: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,00000018,00000000,?,?,?,?,Function_00001006,?,?,?,17197E19), ref: 171988B2
Part of subcall function 171987CD: __vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,00000000,00000000,?,00000000,00000018,00000000,?,?,?,?,Function_00001006), ref: 171988D0
Part of subcall function 171987CD: __vbaNew2.MSVBVM60(16FA56F4,00000000), ref: 171988F3

__vbaAryUnlock.MSVBVM60(?,17198467,?,00000000,?,?,?,?,?,?,?), ref: 17198433
__vbaAryDestruct.MSVBVM60(00000000,?,?,17198467,?,00000000,?,?,?,?,?,?,?), ref: 1719843E
__vbaFreeObj.MSVBVM60(00000000,?,?,17198467,?,00000000,?,?,?,?,?,?,?), ref: 17198446
__vbaFreeObj.MSVBVM60(00000000,?,?,17198467,?,00000000,?,?,?,?,?,?,?), ref: 1719844E
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,?,17198467,?,00000000,?,?,?,?,?,?,?), ref: 17198459
__vbaFreeObj.MSVBVM60(00000000,?,00000000,?,?,17198467,?,00000000,?,?,?,?,?,?,?), ref: 17198461

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$Addref$Copy$Unlock$ChkstkLockRedim$DestructNew2$AnsiBoolErrorListNofreeNullSystemVarg
String ID:
API String ID: 734032644-0
Opcode ID: 77ada37600435c14b0776c34f452c47a9d07eeca87e0afe286bafba08aadfd5c
Instruction ID: 4ca39a6bd100f0123448f86a828ba880f91df1d622a6761c334c755e808df8d1
Opcode Fuzzy Hash: 77ada37600435c14b0776c34f452c47a9d07eeca87e0afe286bafba08aadfd5c
Instruction Fuzzy Hash: 5282CE75E10218AFDF00DBA4DC44FEEBBBABF18351F118169E115AB2A1D734A959CF20

Function 171987CD Relevance: 55.9, APIs: 37, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 171987E8
__vbaVarVargNofree.MSVBVM60(?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198800
__vbaStrVarCopy.MSVBVM60(00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198806
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198810
__vbaNew2.MSVBVM60(16FA56F4,00000000,00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF,?), ref: 17198843
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7384,0000001C,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF), ref: 17198885
__vbaStrToAnsi.MSVBVM60(?,00000000,00000018,00000000,?,?,?,?,Function_00001006,?,?,?,17197E19,?,00004008,000000FF), ref: 1719889E
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,00000018,00000000,?,?,?,?,Function_00001006,?,?,?,17197E19), ref: 171988B2
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,00000000,00000000,?,00000000,00000018,00000000,?,?,?,?,Function_00001006), ref: 171988D0
__vbaNew2.MSVBVM60(16FA56F4,00000000), ref: 171988F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7384,0000001C), ref: 17198935
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008), ref: 1719894E
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 17198962
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 17198980
__vbaNew2.MSVBVM60(16FA56F4,00000000), ref: 171989A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7384,00000020), ref: 171989E5
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000000), ref: 171989FE
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000000), ref: 17198A12
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000000), ref: 17198A30
__vbaNew2.MSVBVM60(16FA56F4,00000000), ref: 17198A53
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7384,00000020), ref: 17198A95
__vbaStrToAnsi.MSVBVM60(?,?,00000018,00000008), ref: 17198AAE
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000018,00000008), ref: 17198AC2
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,?,00000018,00000008), ref: 17198AE0
__vbaSetSystemError.MSVBVM60(?,00008003,00000000,00000000,?), ref: 17198B0A
__vbaLenBstr.MSVBVM60(?,00000000,?,00008003,00000000,00000000,?), ref: 17198B14
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 17198B21
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 17198B32
__vbaStrToUnicode.MSVBVM60(?,?,00000000,00000000,?,?,00000000,?,00000000,?,00008003,00000000,00000000,?), ref: 17198B3E
__vbaFreeStr.MSVBVM60 ref: 17198B55
__vbaSetSystemError.MSVBVM60(00000000,00006610,00000000,00000000,00000000), ref: 17198B73
__vbaAryLock.MSVBVM60(?,?,00000000,00006610,00000000,00000000,00000000), ref: 17198B81
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000001,00000000,?,00000000,?,?,00000000,00006610,00000000,00000000,00000000), ref: 17198BA9
__vbaAryUnlock.MSVBVM60(?,00000000,00000000,00000001,00000000,?,00000000,?,?,00000000,00006610,00000000,00000000,00000000), ref: 17198BB2
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000001,00000000,?,00000000,?,?), ref: 17198BCC
__vbaFreeObj.MSVBVM60(17198C0D,?,00000000), ref: 17198BFF
__vbaFreeStr.MSVBVM60(17198C0D,?,00000000), ref: 17198C07

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$ErrorSystem$Free$Ansi$CheckHresultListNew2$BstrChkstkCopyLockMoveNofreePreserveRedimUnicodeUnlockVarg
String ID:
API String ID: 1357747868-0
Opcode ID: cd57090dfca07d0c6fa429f4e0a4b0c489e103a28e820a2144611d2888af9cfd
Instruction ID: 85d89afd71b2bc617467e55200a763009efc59d73ca21d1883a578ff36235e6e
Opcode Fuzzy Hash: cd57090dfca07d0c6fa429f4e0a4b0c489e103a28e820a2144611d2888af9cfd
Instruction Fuzzy Hash: 0FD1E179D40349EEDF11DBE0CD45FEEBBBAAF08741F114026E501AA290D774AA49CB21

Function 171984FE Relevance: 39.2, APIs: 26, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006,?,?,?,17197E3B,?,?), ref: 1719851B
__vbaVarAdd.MSVBVM60(?,00000002,?,?,00006011,?,?,?,?,Function_00001006,?,?,?,17197E3B,?,?), ref: 1719858F
__vbaVarSub.MSVBVM60(?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?,Function_00001006), ref: 171985A0
__vbaI4Var.MSVBVM60(00000000,?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?,Function_00001006), ref: 171985A6
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,00000002,00000000,?,00000002,?,?,00006011,?,?,?,?), ref: 171985B8
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,Function_00001006,?,?,?,17197E3B,?,?), ref: 171985C9
#644.MSVBVM60(?,?,?,?,?,?,?,Function_00001006,?,?,?,17197E3B,?,?), ref: 171985DF
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,Function_00001006,?,?,?,17197E3B,?,?), ref: 171985EE
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,Function_00001006,?,?,?,17197E3B,?,?), ref: 171985F7
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 1719861E
__vbaAryLock.MSVBVM60(?,?), ref: 1719862F
__vbaAryLock.MSVBVM60(?,?,?,?), ref: 1719863B
__vbaSetSystemError.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?), ref: 1719867A
__vbaAryUnlock.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?), ref: 17198683
__vbaAryUnlock.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,?), ref: 1719868C
__vbaVarMove.MSVBVM60 ref: 171986A7
__vbaVarTstEq.MSVBVM60(00008003,?), ref: 171986CA

Part of subcall function 1719847C: __vbaChkstk.MSVBVM60(?,Function_00001006,?,?,?,17198558,?,00006011,?,?,?,?,Function_00001006), ref: 17198497
Part of subcall function 1719847C: __vbaRefVarAry.MSVBVM60(?,?,?,?,?,Function_00001006,?,?,?,17198558,?,00006011,?,?,?,?), ref: 171984AC
Part of subcall function 1719847C: __vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,Function_00001006,?,?,?,17198558,?,00006011), ref: 171984B5
Part of subcall function 1719847C: __vbaVarMove.MSVBVM60(00000001,00000000,?,?,?,?,?,Function_00001006,?,?,?,17198558,?,00006011), ref: 171984CA

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,00008003,?), ref: 171986EF
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 17198700
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 17198716
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 17198725
__vbaAryLock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 17198731
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 17198747
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 17198756
__vbaFreeVar.MSVBVM60(171987B8,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 171987A7
__vbaAryDestruct.MSVBVM60(00000000,?,171987B8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 171987B2

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$LockUnlock$#644$ChkstkFreeMoveRedim$DestructErrorListSystemUbound
String ID:
API String ID: 1237311878-0
Opcode ID: 0b6c55b4a15a0d8f16ab56eafac56ee06710d71b9524ec20e384955b4019f846
Instruction ID: 389457c25d997ca274eb22fc14732a3782216397689150cd66d76fcd64e35b01
Opcode Fuzzy Hash: 0b6c55b4a15a0d8f16ab56eafac56ee06710d71b9524ec20e384955b4019f846
Instruction Fuzzy Hash: 8D81D3B5E00208AEDF14DFE4DC85EEEBBBDAF08740F414055F505EB291DA75AA48CB20

Function 171973A0 Relevance: 27.1, APIs: 18, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 171973BC

Part of subcall function 171972E1: __vbaChkstk.MSVBVM60(?,17196B2B,171968AD,?,00000008,?,00000000,Function_00001006,?,?,?,17196809,00000000,-00000004,00000000,00000000), ref: 171972E7

#644.MSVBVM60(?,171BF83C,?,?,?,?,Function_00001006), ref: 171973E5
__vbaSetSystemError.MSVBVM60(000000FF,00000000,?,00003000,00000040,?,00000000,00000004,?,171BF83C,?,?,?,?,Function_00001006), ref: 17197415
__vbaRedim.MSVBVM60(00000080,00000001,171C92C0,00000011,00000001,?,00000000,000000FF,00000000,?,00003000,00000040,?,00000000,00000004,?), ref: 1719743B
__vbaAryLock.MSVBVM60(?,00000000,?,171BF83C,?,?,?,?,Function_00001006), ref: 1719744F
#644.MSVBVM60(?,?,00000000,?,171BF83C,?,?,?,?,Function_00001006), ref: 17197465
__vbaAryUnlock.MSVBVM60(?,?,?,00000000,?,171BF83C,?,?,?,?,Function_00001006), ref: 17197471
__vbaAryLock.MSVBVM60(?,00000000,?,-00000004,?,?,?,?,00000000,?,171BF83C,?,?,?,?,Function_00001006), ref: 17197499
#644.MSVBVM60(?,?,00000000,?,-00000004,?,?,?,?,00000000,?,171BF83C,?,?,?,?), ref: 171974AF
__vbaAryUnlock.MSVBVM60(?,?,?,00000000,?,-00000004,?,?,?,?,00000000,?,171BF83C), ref: 171974BB
__vbaVarVargNofree.MSVBVM60(?,?,?,?,?,?,00000000,?,-00000004,?,?,?,?,00000000,?,171BF83C), ref: 171974D4
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,?,-00000004,?,?,?,?,00000000), ref: 171974DE
#644.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,00000000,?,-00000004,?,?,?,?), ref: 171974E4
__vbaAryLock.MSVBVM60(?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,?,-00000004,?,?), ref: 171974F5
#644.MSVBVM60(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,?,-00000004,?), ref: 1719750B
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,?,-00000004), ref: 17197517
__vbaVarMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 1719754A
__vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 17197552

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$#644$LockUnlock$Chkstk$ErrorFreeMoveNofreeRedimSystemVarg
String ID:
API String ID: 1386985410-0
Opcode ID: a95d0d4fba2a74412a7b20b2e6aa9aa172c6ef0b5f2a67b98ae7149d5db6653f
Instruction ID: adc49742321bd7ec3dcf3ddf55e6c4b39ddfc1e2f877dae1ff7ba3edd3181590
Opcode Fuzzy Hash: a95d0d4fba2a74412a7b20b2e6aa9aa172c6ef0b5f2a67b98ae7149d5db6653f
Instruction Fuzzy Hash: AF51E5B9A10248AFDF00DFE8DD85EEEBBBAFF14354F028425F501AB294D635A915CB50

Function 171971FE Relevance: 9.1, APIs: 6, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006,?,?,?,1719A148,?,?,?,?,00000000,Function_00001006,?,?,?,1719A0EC), ref: 17197219

Part of subcall function 171972E1: __vbaChkstk.MSVBVM60(?,17196B2B,171968AD,?,00000008,?,00000000,Function_00001006,?,?,?,17196809,00000000,-00000004,00000000,00000000), ref: 171972E7

#644.MSVBVM60(?,1719B005,?,?,?,00000000,Function_00001006,?,?,?,1719A148,?,?,?,?,00000000), ref: 1719723C
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000005,00000000,?,00000000,?,1719B005,?,?,?,00000000,Function_00001006), ref: 17197267
__vbaAryLock.MSVBVM60(?,?,?,17193DC7), ref: 17197278
#644.MSVBVM60(?,?,?,?,17193DC7), ref: 1719728E
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,17193DC7), ref: 1719729A

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$#644Chkstk$LockRedimUnlock
String ID:
API String ID: 2226984211-0
Opcode ID: fc0848561dbf00bc92909ff8100194582c6f139784444c7f18a3d716790ab473
Instruction ID: 37bd7c35f2e94e7cc22862e268e8d27b9fd0b99f387dd49455ff7d625fda52c2
Opcode Fuzzy Hash: fc0848561dbf00bc92909ff8100194582c6f139784444c7f18a3d716790ab473
Instruction Fuzzy Hash: 702106B5A00209ABDF00CBE8CD86FEEBBBDEF18741F154025F501BB294D675AA45CB61

Function 1719A06D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006,?,?,?,1719A135,?,?,?,?,00000000,Function_00001006,?,?,?,1719A0EC), ref: 1719A088
__vbaSetSystemError.MSVBVM60(000000FF,00000022,00000030,00000004,?,?,?,?,Function_00001006,?,?,?,1719A135,?), ref: 1719A0B0

Strings

0, xrefs: 1719A09A

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$ChkstkErrorSystem
String ID: 0
API String ID: 2242893769-4108050209
Opcode ID: e697e3059928526fb09dc0e6926304a1f2f2f47a550df531f21981402d365cf4
Instruction ID: b64977349c141e4e999be7d30dd104d7cfbfb2c64d18f4469f0c5743361f994b
Opcode Fuzzy Hash: e697e3059928526fb09dc0e6926304a1f2f2f47a550df531f21981402d365cf4
Instruction Fuzzy Hash: D2E09BB9940348BAD710DBD4CD46F9EBA7CD705B91F905155B110A71C4C6757E08C671

Function 16FA1218 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&VB6DE.DLL), ref: 16FA121D

Strings

VB5!6&VB6DE.DLL, xrefs: 16FA1218, 16FA125A

Memory Dump Source

Source File: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: #100
String ID: VB5!6&VB6DE.DLL
API String ID: 1341478452-1903704572
Opcode ID: c815869deec8e191f6565e00a7c7d8dcb182e171ecfbf67b4a4e4521b5462729
Instruction ID: b84ba37bf23aabecea390a3708c94acaa7b8c5ed53437f57ba3af0ad28d9b5d0
Opcode Fuzzy Hash: c815869deec8e191f6565e00a7c7d8dcb182e171ecfbf67b4a4e4521b5462729
Instruction Fuzzy Hash: 9C11522A88E3C15FC3179B708C255867FB2AE5325572A06EBD4D0CF5A3D21D588EC762

Non-executed Functions

Function 17193551 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8c976c0652a69813e2c1c168428e6ee8c55dde765d194094190c2dca66623
Instruction ID: 39197ae16b88f38ac2ee3a6e99b606391a59034fbc860c81385f6b8d5b94a197
Opcode Fuzzy Hash: c7c8c976c0652a69813e2c1c168428e6ee8c55dde765d194094190c2dca66623
Instruction Fuzzy Hash: 2E01FFB2700206ABE720DF08C140996BFB2FB2D760FC26032D40587B14E321EC82CA01

Function 021631C3 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: fdd3a321bbc083f50f83883b9142f69690866fb637d0f4c5f6d65edd74331ba9
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: 7DF039326905649BC730DB5DC84997EB3E9FB90A7072A4499E8A997A00C330FC608A90

Function 021675AA Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e608a09c53be72fe80f3d40ea380c068c882c54bc8eb40e23fc33053e393b6
Instruction ID: 07c2e5acfac4aaa05d71ae35a1f79d4574da1332b4e07bb2196f171c286e60c6
Opcode Fuzzy Hash: 22e608a09c53be72fe80f3d40ea380c068c882c54bc8eb40e23fc33053e393b6
Instruction Fuzzy Hash: EFC00234292940CBD24DDA14C2A8AB8B322EB9474CFA5506CD41B0F6D1AB366A23CA80

Function 02167056 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cedfb4e9b775bd9a7481590de2045a9073ba88d3b6e0b39f6c12834087620b
Instruction ID: d075b7f7f6394f7db4873929bf8cd5138b50b76dc4d719a039d76045825f7676
Opcode Fuzzy Hash: 65cedfb4e9b775bd9a7481590de2045a9073ba88d3b6e0b39f6c12834087620b
Instruction Fuzzy Hash: 5DB002315A5490CFD2999F06D15CA7477B8F700645F5654E0F52A9FDA1C3689911CB00

Function 02166E72 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12cd29bcc833d0884cc67a00d0b8ef1146f38bf92796a30ee0731e79fce1c12
Instruction ID: 049e9b97c5dff90f07dbc21cf5f5d41e9fa09f32e655283f92d23f3b4509e0d6
Opcode Fuzzy Hash: f12cd29bcc833d0884cc67a00d0b8ef1146f38bf92796a30ee0731e79fce1c12
Instruction Fuzzy Hash: 32B00175266984CFC296CB0AC294F9173B8FB04B41F4618F0E4059BAA2C378AD10CA11

Function 02166EDA Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073262366.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2160000_rordendecompra_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6116854fbb54b05bb97ad96660f12a07e0695a1790f1bf423a30ad418027d6dc
Instruction ID: 964f706650ced8da505f29dd85ad780e404a394fc7a64e40fdab450f609e9b9b
Opcode Fuzzy Hash: 6116854fbb54b05bb97ad96660f12a07e0695a1790f1bf423a30ad418027d6dc
Instruction Fuzzy Hash: 6CB00135266980CFC296CB0AC694F5073B8FB04A4AF4614F0E4058BA62C338A944CA00

Function 171938F2 Relevance: 22.6, APIs: 15, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006,?,?,Function_00001006), ref: 1719390E
__vbaRedim.MSVBVM60(00000080,00000001,00000011,00000001,00004000,00000000,?,?,?,?,Function_00001006), ref: 17193947
__vbaVarVargNofree.MSVBVM60(00000003), ref: 17193979
__vbaVarAdd.MSVBVM60(?,00000000,00000003), ref: 17193983
__vbaVarSub.MSVBVM60(?,00000002,00000000,?,00000000,00000003), ref: 17193991
__vbaI4Var.MSVBVM60(00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193997
__vbaFreeVar.MSVBVM60(00000000,?,00000002,00000000,?,00000000,00000003), ref: 171939BA
__vbaAryLock.MSVBVM60(?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A01
#644.MSVBVM60(?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A1D
__vbaAryUnlock.MSVBVM60(?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A29
__vbaVarMove.MSVBVM60(?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A41
__vbaVarVargNofree.MSVBVM60(00000003,?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A62
__vbaVarAdd.MSVBVM60(?,00000000,00000003,?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A6C
__vbaI4Var.MSVBVM60(00000000,?,00000000,00000003,?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A72
__vbaFreeVar.MSVBVM60(00000000,?,00000000,00000003,?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A83

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$FreeNofreeVarg$#644ChkstkLockMoveRedimUnlock
String ID:
API String ID: 972117415-0
Opcode ID: 612a3058fa6dcbd4251af5396ecd36be616abc54f832e040b52b4301bf890ec4
Instruction ID: 5f92486ebce527ae00bed8f8c6fa2cabd23e704a2a3ab4c8048b68c267053aa7
Opcode Fuzzy Hash: 612a3058fa6dcbd4251af5396ecd36be616abc54f832e040b52b4301bf890ec4
Instruction Fuzzy Hash: 4351F379E00248AFDB00CFE8C985FDDBBBAEB08314F51C159E515AB294DB34A949CF50

Function 1719911C Relevance: 21.1, APIs: 14, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17199138
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,Function_00001006), ref: 17199151
__vbaVarMove.MSVBVM60 ref: 17199175
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 171991A7
__vbaVarCmpGt.MSVBVM60(?,171C92BC,00008003,0000000B), ref: 171991F3
__vbaVarOr.MSVBVM60(?,00000000,?,171C92BC,00008003,0000000B), ref: 171991FD
__vbaBoolVarNull.MSVBVM60(00000000,?,00000000,?,171C92BC,00008003,0000000B), ref: 17199203
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,171C92BC,00008003,0000000B), ref: 1719920F
__vbaRedim.MSVBVM60(00000080,00000001,171C9220,00000011,00000001,-00000001,00000000,00000000,?,00000000,?,171C92BC,00008003,0000000B), ref: 17199238
__vbaAryLock.MSVBVM60(?), ref: 1719924A
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 1719928A
__vbaAryUnlock.MSVBVM60(?), ref: 171992A2
__vbaVarMove.MSVBVM60(171C9220,00000040,?), ref: 171992C3
__vbaFreeObj.MSVBVM60(17199306,171C9220,00000040,?), ref: 17199300

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$CheckFreeHresultMove$AddrefBoolChkstkLockNullRedimUnlock
String ID:
API String ID: 4045727025-0
Opcode ID: 8ab3676f3014e0d3ae81725dad3715223bb197007f8df93986cfe2ada9980fcb
Instruction ID: 1f1d380975cefff686adbfa781522d1db7b447e1c40ec8ae39a6452c1d10ad36
Opcode Fuzzy Hash: 8ab3676f3014e0d3ae81725dad3715223bb197007f8df93986cfe2ada9980fcb
Instruction Fuzzy Hash: 4D510275D00218AEDB10DBE4CC84FEDBBBABB08355F558169E105BB291D774A949CB20

Function 17197748 Relevance: 19.6, APIs: 13, Instructions: 76COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17197764
__vbaStrCopy.MSVBVM60(?,?,?,?,Function_00001006), ref: 1719777C
__vbaVarDup.MSVBVM60 ref: 17197795
#606.MSVBVM60(00000104,?), ref: 171977A3
__vbaStrMove.MSVBVM60(00000104,?), ref: 171977AD
__vbaFreeVar.MSVBVM60(00000104,?), ref: 171977B5

Part of subcall function 1719AB52: __vbaChkstk.MSVBVM60(00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB6D
Part of subcall function 1719AB52: __vbaVarVargNofree.MSVBVM60(?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB85
Part of subcall function 1719AB52: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB8F
Part of subcall function 1719AB52: #644.MSVBVM60(00000000,?,00000000,?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB95
Part of subcall function 1719AB52: __vbaFreeStr.MSVBVM60(00000000,?,00000000,?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719ABA0

__vbaSetSystemError.MSVBVM60(?,?,00000104,?,00004008,00000104,?), ref: 171977FF
#616.MSVBVM60(?,00000000,?,?,00000104,?,00004008,00000104,?), ref: 17197816
__vbaStrMove.MSVBVM60(?,00000000,?,?,00000104,?,00004008,00000104,?), ref: 17197820
__vbaStrCopy.MSVBVM60(?,?,00000104,?,00004008,00000104,?), ref: 1719782F
__vbaStrCopy.MSVBVM60(?,?,00000104,?,00004008,00000104,?), ref: 1719783A
__vbaFreeStr.MSVBVM60(17197872,?,?,00000104,?,00004008,00000104,?), ref: 17197864
__vbaFreeStr.MSVBVM60(17197872,?,?,00000104,?,00004008,00000104,?), ref: 1719786C

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$Free$Copy$ChkstkMove$#606#616#644ErrorNofreeSystemVarg
String ID:
API String ID: 3132523529-0
Opcode ID: 36d6af28e7d6c8a3012537ca2398e5325b30cdabd7c32e1b608951b1d1c5f3d7
Instruction ID: 7a703be05e48959e6736f35600cb6da69d0bbef91aa48e461b14cde0bd3d3a01
Opcode Fuzzy Hash: 36d6af28e7d6c8a3012537ca2398e5325b30cdabd7c32e1b608951b1d1c5f3d7
Instruction Fuzzy Hash: 5731C879D0024DAACF00DFE1CD91AEEBBBAEF14381F518425E116A7194DB356A4ACF90

Function 171999C2 Relevance: 16.6, APIs: 11, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006,00000000,16FA727C,16FA7270), ref: 171999DE
__vbaVarDup.MSVBVM60(?,00000008,?,00000000,Function_00001006,00000000), ref: 171999F6
#653.MSVBVM60(?,?,?,00000008,?,00000000,Function_00001006,00000000), ref: 17199A03
__vbaI4Var.MSVBVM60(?,?,?,?,00000008,?,00000000,Function_00001006,00000000), ref: 17199A0C
__vbaFreeVar.MSVBVM60 ref: 17199A28
#632.MSVBVM60(?,?,00000001,00000002), ref: 17199A6D
__vbaVarCat.MSVBVM60(?,?,00000008,?,?,00000001,00000002), ref: 17199A7E
__vbaStrVarMove.MSVBVM60(00000000,?,?,00000008,?,?,00000001,00000002), ref: 17199A84
__vbaStrMove.MSVBVM60(00000000,?,?,00000008,?,?,00000001,00000002), ref: 17199A8E
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?,00000000,?,?,00000008,?,?,00000001,00000002), ref: 17199AA1
__vbaFreeVar.MSVBVM60(17199AE4), ref: 17199ADE

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$Free$Move$#632#653ChkstkList
String ID:
API String ID: 1058303707-0
Opcode ID: 0478f2dd5627254154f6a1a7f72cc7d7e2afdd880c67e6b0986df746334587fe
Instruction ID: ed589f9cd38006fcb4ee57163f207fc3c18a65e7e9d24d0e99b134b120b537d7
Opcode Fuzzy Hash: 0478f2dd5627254154f6a1a7f72cc7d7e2afdd880c67e6b0986df746334587fe
Instruction Fuzzy Hash: 2531FAB6C0020DABDB00DBE4DC85EEEBBBDEB18741F518426E111A7190EB74A609CB50

Function 171970DC Relevance: 15.1, APIs: 10, Instructions: 82COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000008,Function_00001006,?,?,?,1719A7DE,00000008,171C83C8,171C81B0,00000000,?,00000000,16FA7FB8,00000000,?,00000000), ref: 171970F7
__vbaVarVargNofree.MSVBVM60(?,?,?,00000008,Function_00001006,?,?,?,1719A7DE,00000008,171C83C8,171C81B0,00000000,?,00000000,16FA7FB8), ref: 17197118
__vbaStrVarVal.MSVBVM60(00000000,00000000,?,?,?,00000008,Function_00001006,?,?,?,1719A7DE,00000008,171C83C8,171C81B0,00000000,?), ref: 17197122
#644.MSVBVM60(00000000,00000000,00000000,?,?,?,00000008,Function_00001006,?,?,?,1719A7DE,00000008,171C83C8,171C81B0,00000000), ref: 17197128
__vbaSetSystemError.MSVBVM60(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,00000000,00000000,?,?,?,00000008,Function_00001006,?), ref: 1719714D
__vbaFreeStr.MSVBVM60(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,00000000,00000000,?,?,?,00000008,Function_00001006,?), ref: 1719715B
__vbaAryLock.MSVBVM60(1719A0EC,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,00000000,00000000), ref: 17197188
__vbaSetSystemError.MSVBVM60(17193DC7,0000A164,?,?,00000000,1719A0EC,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000), ref: 171971AF
__vbaAryUnlock.MSVBVM60(1719A0EC,17193DC7,0000A164,?,?,00000000,1719A0EC,?,?,?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 171971B8
__vbaSetSystemError.MSVBVM60(17193DC7,?,?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,00000000,00000000,?,?,?,00000008), ref: 171971C5

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$ErrorSystem$#644ChkstkFreeLockNofreeUnlockVarg
String ID:
API String ID: 2579818117-0
Opcode ID: 2edc5fbf1d6df60609c6affc9eafff4747e48040afd22fc9461c567db0b86c0d
Instruction ID: c934549a4414bb21b41991f856f9b2308e9c1f92a5943ca0aaefa88fb1ca3da5
Opcode Fuzzy Hash: 2edc5fbf1d6df60609c6affc9eafff4747e48040afd22fc9461c567db0b86c0d
Instruction Fuzzy Hash: EA31EC79900209AFDF15DFA4CD86FAEBBB9EF04741F518015F501BB290DA35B914CB61

Function 17198FD9 Relevance: 13.6, APIs: 9, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006), ref: 17198FF5
__vbaObjSetAddref.MSVBVM60(?,171C8358,?,?,?,00000000,Function_00001006), ref: 1719900E
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 17199040

Part of subcall function 17198F0F: __vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17198F2B
Part of subcall function 17198F0F: __vbaVarDup.MSVBVM60 ref: 17198F51
Part of subcall function 17198F0F: __vbaVarVargNofree.MSVBVM60(?), ref: 17198F60
Part of subcall function 17198F0F: __vbaI4Var.MSVBVM60(00000000,?), ref: 17198F66
Part of subcall function 17198F0F: #606.MSVBVM60(00000000,00000000,?), ref: 17198F6C
Part of subcall function 17198F0F: __vbaVarMove.MSVBVM60(00000000,00000000,?), ref: 17198F81
Part of subcall function 17198F0F: __vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 17198F89

__vbaStrVarMove.MSVBVM60(?,?,00004003), ref: 1719907D
__vbaStrMove.MSVBVM60(?,?,00004003), ref: 17199087
__vbaFreeVar.MSVBVM60(?,?,00004003), ref: 1719908F
#644.MSVBVM60(?,?,?,00004003), ref: 17199097
__vbaHresultCheckObj.MSVBVM60(00000000,?,16FA7B64,0000000C), ref: 171990CF
__vbaFreeObj.MSVBVM60(17199108), ref: 17199102

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$FreeMove$CheckChkstkHresult$#606#644AddrefNofreeVarg
String ID:
API String ID: 1673250073-0
Opcode ID: 336fcb78d4622bf7c04782afed48e484cfaf1dd15d348fe59f64884af5f2a336
Instruction ID: 9910d53aa2eb21936c37aed9a2e4304aecf92ec26650ec494736e58a07754bdf
Opcode Fuzzy Hash: 336fcb78d4622bf7c04782afed48e484cfaf1dd15d348fe59f64884af5f2a336
Instruction Fuzzy Hash: 2631C1B5D0020AEFDB50DBD4DC84FEEBBBABF14351F508026E221A61A4D738A54ACF51

Function 17199324 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006), ref: 17199340
#698.MSVBVM60(?,?), ref: 171993C9
__vbaVarCat.MSVBVM60(?,?,00000008,?,?), ref: 171993DA
__vbaStrVarMove.MSVBVM60(00000000,?,?,00000008,?,?), ref: 171993E0
__vbaStrMove.MSVBVM60(00000000,?,?,00000008,?,?), ref: 171993EA
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,00000008,?,?), ref: 171993F9

Strings

@, xrefs: 17199370

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$Move$#698ChkstkFreeList
String ID: @
API String ID: 2118762426-2766056989
Opcode ID: 818568e46a51220863f274f91ccb83e2665b9891240dd249de07dcbdd87f5d26
Instruction ID: 4381788544769475434dada1147c6649bbdd5ff73714481c5c45037660334b30
Opcode Fuzzy Hash: 818568e46a51220863f274f91ccb83e2665b9891240dd249de07dcbdd87f5d26
Instruction Fuzzy Hash: 6631E5B5D00258AFDB01DFE4C980EEEBBB9FB49341F11812AE505EB244D734A94ACF91

Function 171937C4 Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 171937E0

Part of subcall function 171938F2: __vbaChkstk.MSVBVM60(?,Function_00001006,?,?,Function_00001006), ref: 1719390E
Part of subcall function 171938F2: __vbaRedim.MSVBVM60(00000080,00000001,00000011,00000001,00004000,00000000,?,?,?,?,Function_00001006), ref: 17193947
Part of subcall function 171938F2: __vbaVarVargNofree.MSVBVM60(00000003), ref: 17193979
Part of subcall function 171938F2: __vbaVarAdd.MSVBVM60(?,00000000,00000003), ref: 17193983
Part of subcall function 171938F2: __vbaVarSub.MSVBVM60(?,00000002,00000000,?,00000000,00000003), ref: 17193991
Part of subcall function 171938F2: __vbaI4Var.MSVBVM60(00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193997
Part of subcall function 171938F2: __vbaFreeVar.MSVBVM60(00000000,?,00000002,00000000,?,00000000,00000003), ref: 171939BA
Part of subcall function 171938F2: __vbaAryLock.MSVBVM60(?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A01
Part of subcall function 171938F2: #644.MSVBVM60(?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A1D
Part of subcall function 171938F2: __vbaAryUnlock.MSVBVM60(?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A29
Part of subcall function 171938F2: __vbaVarMove.MSVBVM60(?,?,?,171C9344,00000000,?,00000002,00000000,?,00000000,00000003), ref: 17193A41

__vbaI4Var.MSVBVM60(?,?,00000002), ref: 17193811
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002), ref: 17193823
#644.MSVBVM60(?), ref: 17193844
#644.MSVBVM60(171C8170,?,?,?), ref: 1719385E
#644.MSVBVM60(17191CA3,?,?,171C8170,?,?,?), ref: 17193880
#644.MSVBVM60(?,?,?,17191CA3,?,?,171C8170,?,?,?), ref: 17193897
#644.MSVBVM60(?,?,?,?,17191CA3,?,?,171C8170,?,?,?), ref: 171938A3

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$#644$ChkstkFree$ListLockMoveNofreeRedimUnlockVarg
String ID:
API String ID: 3502731674-0
Opcode ID: 85f91cff89cf540e93122d6d5ad8be78acd39e64ae7663d38d600759f3e9501b
Instruction ID: de2e1a0a022e2721cfe5aaff1adf8d2e18546322417531a5c2030a898ee5f83b
Opcode Fuzzy Hash: 85f91cff89cf540e93122d6d5ad8be78acd39e64ae7663d38d600759f3e9501b
Instruction Fuzzy Hash: 5131F0B9D0024CAFCF01DFE4CC46AEEBBBDEF04740F014126E515AA264DB34AA09CB91

Function 17198F0F Relevance: 10.5, APIs: 7, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17198F2B
__vbaVarDup.MSVBVM60 ref: 17198F51
__vbaVarVargNofree.MSVBVM60(?), ref: 17198F60
__vbaI4Var.MSVBVM60(00000000,?), ref: 17198F66
#606.MSVBVM60(00000000,00000000,?), ref: 17198F6C
__vbaVarMove.MSVBVM60(00000000,00000000,?), ref: 17198F81
__vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 17198F89

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$#606ChkstkFreeMoveNofreeVarg
String ID:
API String ID: 892074751-0
Opcode ID: f51742f32ca7d73c334945cbc99caecbfcf2ca31e693eca3327f540d84baf5d9
Instruction ID: 74712322ea11974bf14931e2b99eb4ae4db78d6c4998bdae3fec71c52b0ebcd5
Opcode Fuzzy Hash: f51742f32ca7d73c334945cbc99caecbfcf2ca31e693eca3327f540d84baf5d9
Instruction Fuzzy Hash: 4601DA7890134CAACB00DBE5DE45EEEBBBEAF14785F518425E409A7184DB746A0DCB50

Function 171972F9 Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006,00000000,16FA72D8,16FA72D0,16FA72A8,00000000,16FA7294,00000000,16FA727C,16FA7270), ref: 17197315
__vbaVarVargNofree.MSVBVM60(?,00000008,?,?,Function_00001006,00000000), ref: 1719732D
__vbaStrVarVal.MSVBVM60(?,00000000,?,00000008,?,?,Function_00001006,00000000), ref: 17197337
#644.MSVBVM60(00000000,?,00000000,?,00000008,?,?,Function_00001006,00000000), ref: 1719733D
__vbaVarMove.MSVBVM60 ref: 17197352
__vbaFreeStr.MSVBVM60 ref: 1719735A

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$#644ChkstkFreeMoveNofreeVarg
String ID:
API String ID: 2413382268-0
Opcode ID: 720de130fc8bf2c767d50a2ebad3745f3b632382cccf20ef4a16386e59e318cc
Instruction ID: 239509aa06582f314886da1ce7c268191b8b3ed03ca76dc65789a8ccbe718ea3
Opcode Fuzzy Hash: 720de130fc8bf2c767d50a2ebad3745f3b632382cccf20ef4a16386e59e318cc
Instruction Fuzzy Hash: 58F04979C00308AACB10DBA0CC80FEEBB7DAF14691F418529E001B6284DA346A0ACBA1

Function 17196AF4 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,Function_00001006,?,?,?,17196809,00000000,-00000004,00000000,00000000,00000000,0000E0FF,16FA7294,171C92CC,00000000), ref: 17196B0F

Part of subcall function 171972E1: __vbaChkstk.MSVBVM60(?,17196B2B,171968AD,?,00000008,?,00000000,Function_00001006,?,?,?,17196809,00000000,-00000004,00000000,00000000), ref: 171972E7

#644.MSVBVM60(?,171968AD,?,00000008,?,00000000,Function_00001006,?,?,?,17196809,00000000,-00000004,00000000,00000000,00000000), ref: 17196B3B
#644.MSVBVM60(00000001,?,171968AD,?,00000008,?,00000000,Function_00001006,?,?,?,17196809,00000000,-00000004,00000000,00000000), ref: 17196B4A
#644.MSVBVM60(?,00000000,00000001,?,171968AD,?,00000008,?,00000000,Function_00001006,?,?,?,17196809,00000000,-00000004), ref: 17196B66
#644.MSVBVM60(00000000,?,00000004,?,00000000,00000001,?,171968AD,?,00000008,?,00000000,Function_00001006), ref: 17196B8D

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: #644$Chkstk__vba
String ID:
API String ID: 1305800526-0
Opcode ID: eb1d0733d04137dfd517f3d15ee17f3b0a9edf601ef26b63d72791f788e9ba9c
Instruction ID: 0f626f6a01fc4a3be45d2b3cc760d527317fb6a4cd78405c7f504ced9ab94c9b
Opcode Fuzzy Hash: eb1d0733d04137dfd517f3d15ee17f3b0a9edf601ef26b63d72791f788e9ba9c
Instruction Fuzzy Hash: B4115EB5900204AFDB10CFE4CE86FAEBFBEEB047A0F514565F001BA254D635AE01CB24

Function 1719AB52 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB6D
__vbaVarVargNofree.MSVBVM60(?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB85
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB8F
#644.MSVBVM60(00000000,?,00000000,?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719AB95
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,?,?,00004008,Function_00001006,?,?,?,171977D0,00004008,00000104,?), ref: 1719ABA0

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$#644ChkstkFreeNofreeVarg
String ID:
API String ID: 1831340853-0
Opcode ID: 489c18ccc671fca6acc20d7362923864f8296d025c86dbefb69793828b58324c
Instruction ID: 5bd1f858acf45bf8796b1ffcff248a6682d3f4114e99a48704add8b6b7d1e1a5
Opcode Fuzzy Hash: 489c18ccc671fca6acc20d7362923864f8296d025c86dbefb69793828b58324c
Instruction Fuzzy Hash: A0F082B5800348BACB10DB90CD81EEFBB7EEB10691F414519F102A7184DA34BA09C6A0

Function 1719847C Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006,?,?,?,17198558,?,00006011,?,?,?,?,Function_00001006), ref: 17198497
__vbaRefVarAry.MSVBVM60(?,?,?,?,?,Function_00001006,?,?,?,17198558,?,00006011,?,?,?,?), ref: 171984AC
__vbaUbound.MSVBVM60(00000001,00000000,?,?,?,?,?,Function_00001006,?,?,?,17198558,?,00006011), ref: 171984B5
__vbaVarMove.MSVBVM60(00000001,00000000,?,?,?,?,?,Function_00001006,?,?,?,17198558,?,00006011), ref: 171984CA

Memory Dump Source

Source File: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$ChkstkMoveUbound
String ID:
API String ID: 2614284155-0
Opcode ID: 4ef72a9ac3e5adfe2f7deeadf6a45ec7f668060420f1e6786ae12d953e03ebc2
Instruction ID: 21f18408836a8b6dac7d626c0dcae752b48950f0cc296069febac1264d02b304
Opcode Fuzzy Hash: 4ef72a9ac3e5adfe2f7deeadf6a45ec7f668060420f1e6786ae12d953e03ebc2
Instruction Fuzzy Hash: C7F05874890348BEDB20CF81CC41F8EBBB9FB14692F409129F400A7190D7B56904CA60

Function 16FA57B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17193E90
__vbaStrCopy.MSVBVM60(?,?,?,?,Function_00001006), ref: 17193EC2

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 17193EBA

Memory Dump Source

Source File: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$ChkstkCopy
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 4177765151-63410773
Opcode ID: 972c47899b109f3b3e0380e0df78953c3676f9bfa8957202362d632691d50783
Instruction ID: 7fe30b07628489fb5f7d42ceafce9c3056c00e20ef9b406c9f9e262caa408b8e
Opcode Fuzzy Hash: 972c47899b109f3b3e0380e0df78953c3676f9bfa8957202362d632691d50783
Instruction Fuzzy Hash: 96018639509384BFC712CF64CC55B9A7FB5EF42640F058196F4409B1A1C7389D19CB51

Function 16FA57D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,Function_00001006), ref: 17193F1B
__vbaStrCopy.MSVBVM60(?,?,?,?,Function_00001006), ref: 17193F4D

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), xrefs: 17193F45

Memory Dump Source

Source File: 00000000.00000002.2073480716.0000000016FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 16FA0000, based on PE: true

Associated: 00000000.00000002.2073459973.0000000016FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073506583.0000000016FA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073522819.0000000016FA8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073688996.00000000171C8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073705566.00000000171C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.00000000171CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2073720013.0000000017210000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fa0000_rordendecompra_.jbxd

Similarity

API ID: __vba$ChkstkCopy
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
API String ID: 4177765151-1112895469
Opcode ID: e21ef735cc25e5b13d53a4a9d4ee8e197001a62aab00d067be0cc7e80368440a
Instruction ID: 2dceb5d3d59f90bbbc2898a5e340148dda0b0584e03b6f8ffa3429c56f8d4bc7
Opcode Fuzzy Hash: e21ef735cc25e5b13d53a4a9d4ee8e197001a62aab00d067be0cc7e80368440a
Instruction Fuzzy Hash: BAF03438500348FFCB10DF58CD85B9ABBB8EF40795F418469F405AB294C778A919CB92

Analysis Process: RegAsm.exePID: 7392, Parent PID: 7332COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	60.9%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	3

Executed Functions

Function 06831140 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06831816
$]q, xrefs: 06831863
$]q, xrefs: 0683184B
$]q, xrefs: 0683186F
$]q, xrefs: 06831822
$]q, xrefs: 0683183F

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: db9fa9d9020ae35a89ad855674e6aa44657015e1030d8d0af5392c8985826b40
Instruction ID: d8e7d7ff7ac358d85364e859bdeeb3e7b5dd1a83b1ee9748ff4ca9d0c74a128f
Opcode Fuzzy Hash: db9fa9d9020ae35a89ad855674e6aa44657015e1030d8d0af5392c8985826b40
Instruction Fuzzy Hash: 79324E31E106198FDB14DF78D89499DB7B2FF89300F20D6AAD449A7224EF30AD85CB91

Function 06833A88 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06833DF3
$]q, xrefs: 06833DFF

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 10c75406eb95d83ef30157c9956f4a80a549b08c21f918185386002b3f9c143a
Instruction ID: fa1bb7e36f40f951da2d8608a026b383f32f89f5d45c0d67fb9dbebde51f97e5
Opcode Fuzzy Hash: 10c75406eb95d83ef30157c9956f4a80a549b08c21f918185386002b3f9c143a
Instruction Fuzzy Hash: 50029A30B002699FDB98DF68D490AAEB7E2EF84304F148569D505EB395DB39EC46CBC1

Function 02D5A638 Relevance: 2.8, Instructions: 2802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8415c45c58ef48a51dccb9e9a7ed3ebfc26f0abd38dced36909dd3cf509cb838
Instruction ID: cc4cadab3f544ba3ed1f52b1ff219c11c3f585eb1dceccb7bfd6db967271c267
Opcode Fuzzy Hash: 8415c45c58ef48a51dccb9e9a7ed3ebfc26f0abd38dced36909dd3cf509cb838
Instruction Fuzzy Hash: 5F53EA31D10B1A8ACB51EF68C8406A9F7B1FF99300F15D79AE45877221EF70AAD5CB81

Function 02D5D8B0 Relevance: 2.3, Instructions: 2306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c5b487ed30076b880deae86b3ac65ce9597dab17582f2e1efc129707817c9d
Instruction ID: f6b3334f4c1e82ab2207b0fd8f90c2ea755f22bbe2851507136af81b721c5fa7
Opcode Fuzzy Hash: 32c5b487ed30076b880deae86b3ac65ce9597dab17582f2e1efc129707817c9d
Instruction Fuzzy Hash: 2C332031D107598EDB11EF68C8806ADF7B1FF99300F15C79AD459AB221EB70AAC5CB81

Function 02D57068 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02D570DF

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: cf1bf19ce47cc00a21b47471b86509dbb886d6dde47db9f1bb139338a096de9d
Instruction ID: 3836bed5779b358d7886054620d26be8dd32a0c53eee19d0f52b29c4cef1aca3
Opcode Fuzzy Hash: cf1bf19ce47cc00a21b47471b86509dbb886d6dde47db9f1bb139338a096de9d
Instruction Fuzzy Hash: 032148B18002598FDB10CF9AC584BEEFBF4AF49310F24845AE859A3350D778A944CFA1

Function 00445FC8 Relevance: 1.5, APIs: 1, Instructions: 15memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF), ref: 00445FD0

Memory Dump Source

Source File: 00000002.00000002.4494463965.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b351929d1fa472c679804f86bae459197247e42cd6acfc9b4eea4f151430fdae
Instruction ID: e50c2ac94710a6cf04eacaf9c5dc19499d7648d2dcc9f26762587f4de926560b
Opcode Fuzzy Hash: b351929d1fa472c679804f86bae459197247e42cd6acfc9b4eea4f151430fdae
Instruction Fuzzy Hash: 8CD0A771408447DBFF11C7848458DE837A06B11328B6501829023C20E2D528D64F971B

Function 02D53E68 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V6m, xrefs: 02D540B3

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID:
String ID: \V6m
API String ID: 0-1924247956
Opcode ID: 93b3647daaaffcc1f99131ceed690a5dd32e4cfd0accfb77157d04efd65c44d0
Instruction ID: 2c3e2b3c8c41c58153e3b2f52d1fa5856b6b350ff801adc6da4e59e20276e046
Opcode Fuzzy Hash: 93b3647daaaffcc1f99131ceed690a5dd32e4cfd0accfb77157d04efd65c44d0
Instruction Fuzzy Hash: C6915E70E00219DFDF50CFA9D98579DBBF2AF88314F248129E815A7394DBB49C85CB92

Function 068322E8 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d305e2a0d16f5fefcf730eb4d2beb1da9f3d38240bec819a27d35d08cca0a9d0
Instruction ID: b24fd4f58d9f6e11c430de9a9820374b9a9ba592408136fd13dcbb8fcf1ca0c2
Opcode Fuzzy Hash: d305e2a0d16f5fefcf730eb4d2beb1da9f3d38240bec819a27d35d08cca0a9d0
Instruction Fuzzy Hash: 1F629D34A002189FDB54DF68D5A4BADB7F2EF88314F148469D906EB364DB35ED46CB80

Function 02D59E80 Relevance: .6, Instructions: 622COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c1c4bcfe4e290a618bb6b5ad3bd172f65e47f4df23de76e6c2c051dbd7f54e
Instruction ID: 7a0d25ec603663c7837bc8e1b1e596555d0b2491b2ecbf2ecd01cca127dec26b
Opcode Fuzzy Hash: 41c1c4bcfe4e290a618bb6b5ad3bd172f65e47f4df23de76e6c2c051dbd7f54e
Instruction Fuzzy Hash: 82325D31A002299FDF14DFA8D984BADBBB2EF88310F248565E809DB395DB75DC41CB91

Function 02D54A80 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc20edf82b0bd52c18024208a1000744dbb5f8c7f666d14af65774f0a037f3df
Instruction ID: b81aaf0a6d2114d0ca2fbad08da34d5572f0631372f100fe5618ea8a247c184f
Opcode Fuzzy Hash: bc20edf82b0bd52c18024208a1000744dbb5f8c7f666d14af65774f0a037f3df
Instruction Fuzzy Hash: FCB16F74E00619CFDF10CFA9D9817ADBBF2AF88318F148529D815E7354EBB49885CB92

Function 0683A94B Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0683A9CE
GetCurrentThread.KERNEL32 ref: 0683AA0B
GetCurrentProcess.KERNEL32 ref: 0683AA48
GetCurrentThreadId.KERNEL32 ref: 0683AAA1

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6cd7f43a37694174e883e5762e6287fd5c3725ec521efaf46b94c5c08203d5f8
Instruction ID: 14f0862dbc79ba173038da79a7a63b164d15154f8bb303a710935a28b30ebbf7
Opcode Fuzzy Hash: 6cd7f43a37694174e883e5762e6287fd5c3725ec521efaf46b94c5c08203d5f8
Instruction Fuzzy Hash: 2C5157B0D002498FDB58DFA9D948BAEBBF5EF48304F208459D119B7350D7389988CFA5

Function 0683A950 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0683A9CE
GetCurrentThread.KERNEL32 ref: 0683AA0B
GetCurrentProcess.KERNEL32 ref: 0683AA48
GetCurrentThreadId.KERNEL32 ref: 0683AAA1

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0f8d0327a33b2fa65f0ba4a8ba2967623df21e532acfe963dcee274aea40024c
Instruction ID: c58070394030ed245813dedfb952d3f46fdf81f260de2c4c9385d8958bcf95fc
Opcode Fuzzy Hash: 0f8d0327a33b2fa65f0ba4a8ba2967623df21e532acfe963dcee274aea40024c
Instruction Fuzzy Hash: B15156B0D002498FDB58DFA9D948BAEBBF5EF48304F208459D519B7360D7389988CFA5

Function 02D57060 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02D570DF

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 6ec6813ecce97b8c5f8ee7286da0a406d2e520b2b9e2182cb652e457f991f352
Instruction ID: d081c38a7a121be57462d8c59f6112fa9b13798503a9cd2a776993dce1fde2f3
Opcode Fuzzy Hash: 6ec6813ecce97b8c5f8ee7286da0a406d2e520b2b9e2182cb652e457f991f352
Instruction Fuzzy Hash: 5D2139B18002598FDB10DF9AD984BEEFBF4AF49320F24845AE859B3350D778A944CF61

Function 0683AB90 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0683AC1F

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5867e5d96b3278545af5e69eb99f18e6a5deaf67b18b7c365c5491650677aa89
Instruction ID: 98fa8115163e6f4f76ddb89487a39e353a54b78b8fc3f37b1b9ed7469a0ff8a5
Opcode Fuzzy Hash: 5867e5d96b3278545af5e69eb99f18e6a5deaf67b18b7c365c5491650677aa89
Instruction Fuzzy Hash: 5721E2B5D002589FDB10CFAAD984AEEBBF5EF48310F14841AE958A3350D378A955CFA1

Function 0683AB98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0683AC1F

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 43eaf35cbb3248559dc0b62a94de8ed4d05059b0f40655c262b9f8fae6b546a7
Instruction ID: 45b53c3a0887d3fbf218926b38ae2117dcccfb20a1f08200c7e5fca5adcce799
Opcode Fuzzy Hash: 43eaf35cbb3248559dc0b62a94de8ed4d05059b0f40655c262b9f8fae6b546a7
Instruction Fuzzy Hash: F021E4B59002489FDB10CF9AD984ADEBBF4EB48310F14841AE918A3310D378A944CFA1

Function 02D0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4495307090.0000000002D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f226aab7161dd2bf5a8903652870f512660c293af9f4447da6923eeacf52acb
Instruction ID: 3c66b007fdd6e99f030b69e60baf7f0bbb5f447c2357f5a7c5a8565aef15e43f
Opcode Fuzzy Hash: 2f226aab7161dd2bf5a8903652870f512660c293af9f4447da6923eeacf52acb
Instruction Fuzzy Hash: F1210071604200DFDB14CF64D9C0F26BB66EB84314F30C56AD84E4B3A6C33AD806CA62

Function 02D0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4495307090.0000000002D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d0d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5701a9043aa553e81718a3cb2b46362aa74ba59eb49cd1fa4414ef9d42198f1
Instruction ID: aa202c94f4ebd09e44280704353b773a1a3dee707163bf84e74ff8e0f49f7a4b
Opcode Fuzzy Hash: f5701a9043aa553e81718a3cb2b46362aa74ba59eb49cd1fa4414ef9d42198f1
Instruction Fuzzy Hash: 232180755093C08FCB12CF24D9D4B15BF71EB46214F28C5DBD8898B6A7C33A984ACB62

Non-executed Functions

Function 068333A0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 0683393C
$]q, xrefs: 06833505
$]q, xrefs: 06833952
$]q, xrefs: 06833930
$]q, xrefs: 0683389D
$]q, xrefs: 06833511
$]q, xrefs: 06833891
$]q, xrefs: 06833946
$]q, xrefs: 068334D4
$]q, xrefs: 068334E0

Memory Dump Source

Source File: 00000002.00000002.4497525280.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6830000_RegAsm.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 164e575eef77031537f276d312c104dc587a90e5709e7f827a9cac8b3d66d8a4
Instruction ID: 4c75361e203a155a5ac29199699e94030bd3aa6d35692aa432b37d5bedb91ab3
Opcode Fuzzy Hash: 164e575eef77031537f276d312c104dc587a90e5709e7f827a9cac8b3d66d8a4
Instruction Fuzzy Hash: B7122A30A00269CFDB68DF69C894AADB7B2FF89304F208569D509EB364DB349D45CF91

Function 02D541B0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V6m, xrefs: 02D54467

Memory Dump Source

Source File: 00000002.00000002.4495596329.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d50000_RegAsm.jbxd

Similarity

API ID:
String ID: \V6m
API String ID: 0-1924247956
Opcode ID: 388b363d915903ace2656a854c423c05faa95164dabd25d067a8657e4348d3ba
Instruction ID: 23a32c37a951aa49f5a1eff1be87630665cc404c0b796262eeb06f3609160e9b
Opcode Fuzzy Hash: 388b363d915903ace2656a854c423c05faa95164dabd25d067a8657e4348d3ba
Instruction Fuzzy Hash: 79B16E70E00229CFDF10CFA9D98579DBBF2AF88318F148129D855A7354EBB49C85CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rordendecompra_.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
rordendecompra_.exe

Function 02162BF2 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Function 02162BDE Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 356
nativeCOMMON

Function 17192F9B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Function 17195E3A Relevance: 221.2, APIs: 120, Strings: 6, Instructions: 739
librarymemoryloaderCOMMON

Function 17197886 Relevance: 154.0, APIs: 102, Instructions: 964
COMMON

Function 171987CD Relevance: 55.9, APIs: 37, Instructions: 361
COMMON

Function 171984FE Relevance: 39.2, APIs: 26, Instructions: 206
COMMON

Function 171973A0 Relevance: 27.1, APIs: 18, Instructions: 144
COMMON

Function 171971FE Relevance: 9.1, APIs: 6, Instructions: 67
COMMON

Function 1719A06D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
COMMON

Function 16FA1218 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Function 06831140 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON