Windows Analysis Report
LwNdQo4zIk.exe

Overview

General Information

Sample Name:LwNdQo4zIk.exe
Analysis ID:778226
MD5:3ccd6b369eb1dde57d181e7550bd7268
SHA1:aee399e263c838570c00133feab275b81009e12a
SHA256:f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
Tags:32exe

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Drops PE files
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • LwNdQo4zIk.exe (PID: 6072 cmdline: C:\Users\user\Desktop\LwNdQo4zIk.exe MD5: 3CCD6B369EB1DDE57D181E7550BD7268)
    • rundll32.exe (PID: 1568 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: LwNdQo4zIk.exe | Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | Virustotal: Detection: 64%
Source: LwNdQo4zIk.exe | Joe Sandbox ML: detected
Source: 0.2.LwNdQo4zIk.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 CryptAcquireContextA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 CryptDeriveKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B01AF CryptExportKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B035E CryptDestroyKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B056E CryptReleaseContext
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA67F CryptAcquireContextA,CryptAcquireContextA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AF6E3 CryptExportKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA7D8 CryptDestroyKey,CryptDestroyKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA80E CryptReleaseContext,CryptReleaseContext
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA9DE CryptBinaryToStringA,CryptBinaryToStringA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C2A13 CryptBinaryToStringA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AFA91 CryptExportKey,CryptExportKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5B70 CryptBinaryToStringA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AEB1B CryptGenKey
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A8D87 CryptBinaryToStringA,GetTempPathW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D51140C CryptDeriveKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D507CD1 CryptReleaseContext
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500CD9 CryptDestroyKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F9484 CryptHashData
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500486 CryptHashData
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D50AF62 CryptHashData
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F3F01 CryptHashData
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E8F2B CryptDeriveKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F279D HttpSendRequestW,CryptReleaseContext
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4E46B5 CryptEncrypt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4FE812 CryptEncrypt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D509035 CryptReleaseContext
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4EC080 CryptHashData
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4F1A58 CryptEncrypt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D536A70 CryptEncrypt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4ECA64 CryptEncrypt
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D507ADA CryptDeriveKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4EEAE5 CryptGetHashParam
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D500283 CryptReleaseContext,GetProcAddress,GetProcAddress

Compliance

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack
Source: LwNdQo4zIk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B7085 InternetReadFile

System Summary

Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: LwNdQo4zIk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004FA0B0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B4115
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB2C2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C13A5
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DE3A7
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A067F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DD9E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D51213A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D4ECA64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D52822C
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp 20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8
Source: LwNdQo4zIk.exe | Static PE information: Section: .data ZLIB complexity 0.9918356461560528
Source: LwNdQo4zIk.exe | Virustotal: Detection: 49%
Source: LwNdQo4zIk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B1333 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Source: unknown | Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1568
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp
Source: classification engine | Classification label: mal84.evad.winEXE@4/5@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: LwNdQo4zIk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe

Data Obfuscation

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F7054 push 004E123Eh; ret 0_2_004F71C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F0321 push 004ED2FBh; ret 0_2_004F0472
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D6483 push 0046B803h; ret 0_2_004D6561
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D85D5 push 004C899Fh; ret 0_2_004D867A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EB75E push 004D3CB3h; ret 0_2_004EB891
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret 0_2_004A7A9F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EA92F push 004DAC2Fh; ret 0_2_004EAA73
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F59CA push 004B1D5Fh; ret 0_2_004F5B00
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 push 0046C15Ah; ret 0_2_004ABA8F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046FE63 push 00469E02h; ret 0_2_0046FFC0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004ADFCDh; ret 0_2_004C907D
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004B29F4h; ret 0_2_004C947A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00491044 push 0046B803h; ret 0_2_00491087
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F3042 push 004BACA2h; ret 0_2_004F30B2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047E048 push 004F3C92h; ret 0_2_0047E101
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5057 push 004A4A45h; ret 0_2_004A5090
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AC057 push 004A024Ch; ret 0_2_004AC0BA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00494069 push 0046CDFCh; ret 0_2_004941DE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049B068 push 0046CDFCh; ret 0_2_0049B298
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046D063 push 0046AD57h; ret 0_2_0046D29E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049806C push dword ptr [004FC7DBh]; ret 0_2_00498104
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C5069 push 004ADFCDh; ret 0_2_004C50AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046F07F push dword ptr [004FD207h]; ret 0_2_0046F14E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047B07B push 00469E02h; ret 0_2_0047B1AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D300B push dword ptr [004FD567h]; ret 0_2_004D3029
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00480001 push dword ptr [004FC7DBh]; ret 0_2_00480022
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004CD000 push 004A0557h; ret 0_2_004CD295
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B8005 push 004AC2A1h; ret 0_2_004B8038
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00474016 push 0046C15Ah; ret 0_2_004740C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B701A push 004F3C92h; ret 0_2_004B7084
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D1013 push 004B06B3h; ret 0_2_004D110A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 3.5 %
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 136000
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: #NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanWindowMicrosoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllSystem.Collections.dllInkSeg.dll0123456789abcdefCNB_0336.DLLMicrosoft.Windows.Diagnosis.Commands.WriteDiagProgress.dllmsscp.dllOSProvider.dllapi-ms-win-core-localization-l1-1-0.dllmscorier.dll0123456789abcdef
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: SetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004ADA35 GetLocalTime
MITRE ATT&CK Matrix (only techniques with matched signatures are listed; the number of matching signatures is given in parentheses)

  • Privilege Escalation: Process Injection (2)
  • Defense Evasion: Process Injection (2), Virtualization/Sandbox Evasion (11), Obfuscated Files or Information (1), Rundll32 (1), Software Packing (22)
  • Discovery: System Time Discovery (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (11), Process Discovery (2), Remote System Discovery (1), System Information Discovery (3)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (2), Ingress Tool Transfer (1)

Source | Detection | Scanner | Label
LwNdQo4zIk.exe | 49% | Virustotal
LwNdQo4zIk.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | 50% | ReversingLabs | Win32.Trojan.Lazy
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | 64% | Virustotal
Source | Detection | Scanner | Label
0.2.LwNdQo4zIk.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2
0.3.LwNdQo4zIk.exe.2380000.0.unpack | 100% | Avira | HEUR/AGEN.1215478
0.2.LwNdQo4zIk.exe.2260e67.1.unpack | 100% | Avira | HEUR/AGEN.1215478
No Antivirus matches
No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
IP
192.168.2.1
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:778226
Start date and time:2023-01-05 08:42:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 36s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:LwNdQo4zIk.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal84.evad.winEXE@4/5@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.20
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
Time | Type | Description
08:43:03 | API Interceptor | 86x Sleep call for process: rundll32.exe modified
08:43:16 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Context
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp | file.exe | malicious
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9238031503162372
    Encrypted:false
    SSDEEP:96:LPFHcXy6iX0iLoy1j95ax7JRFpXIW/a/z+HbHg/BQAS/YyNl4ttPMLUE+im2kMnj:LNcHiX0oXO5jed+C8/u7sZS274ItWc
    MD5:1BFEB11058C8F0BB373CB6CF153A0778
    SHA1:263132033BE2FBF13326D18014ED6CBA5679F552
    SHA-256:694A8F25313033647A0C215339A032A3940384A34D0E7D447C59E36756EBEEEA
    SHA-512:CDB59ECE2D4485EBD8222FE367BFDD6F1546421A09F44DA4F22E05512417ABF72660048006E577AF13B70A9AA18E176599FD0057E1C925E83B8D253A3441B0BB
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 15 streams, Thu Jan 5 16:43:08 2023, 0x1205a4 type
    Category:dropped
    Size (bytes):99428
    Entropy (8bit):1.6906140255429625
    Encrypted:false
    SSDEEP:384:aoicjB5LbBGIyA59HVt1L62vdK7NUar8N4T43BK2ui:aYVbBGTYtVfLRdK7No3BFu
    MD5:50780291C9621B13A4FF8623A2BBE2BB
    SHA1:5A73D82C6DBF3E863F6AC117D9DE94D8CAAC23A2
    SHA-256:0C7A8AD55D77C57B7A192A76445261FFDDD8DD3896D429D08B878962E3246F2D
    SHA-512:2836EAA3E4558D345BAA04D466A04CA9CC6CEBF35DEA0A513DE9BDEA27ECCA0A346BAD5A0F310C8B67D40A74A11DEFC9D8DAFDBE85279C92E56BD539C228D9C6
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):5888
    Entropy (8bit):3.7191879909123386
    Encrypted:false
    SSDEEP:96:RtIU6o7r3GLt3inf06gY8QuSfGEapBCaM4Ur89bcnsfUN0m:Rrl7r3GLNif06gYTuS6Cprr89bcnsfUb
    MD5:6ADF754C003723A03EE3A377256262C0
    SHA1:10F5D103CACFDC38016B3A8D8CA16BEB0687476E
    SHA-256:CAA6CF56E6C7847994B0CEB900043FEC303314BD9FAACEE1B16464656D5FD1C4
    SHA-512:E620B88362E1B03905FEDF5C8670901D1E3BF2FCF317043BDD7646E7D8DC4E1B368F0E00B058DC71F0F56A33B7184D78D75654BBAF76C1E41F24F75FCC36B283
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4616
    Entropy (8bit):4.436378949362253
    Encrypted:false
    SSDEEP:48:cvIwSD8zsYJgtWI98W4kWgc8sqYjw8fm8M4JCdsTFMFK+q8/4FfySy4SrS6d:uITfeHW49grsqYBJxFbhFryDW6d
    MD5:BD57B1779CA954969A44C07B14C99F29
    SHA1:5EFB3672ACAB54E84E6D9CBFF14EE6F534631DC6
    SHA-256:122D9C4B8656D30AB71091F342FA7A541AFF9B1822D6306404344BCEEEBB4C66
    SHA-512:3726035D23C0F86A97513B3875AEAF9001F85615C85F963EFB2802C6A543EED535BC64E96E1BC374B3FB1486AB71D3AC7CEA2DFCF0D70AC626B0424E1E72BC70
    Malicious:false
    Reputation:low
    Process:C:\Users\user\Desktop\LwNdQo4zIk.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):803328
    Entropy (8bit):6.89627808323015
    Encrypted:false
    SSDEEP:24576:l8Jr+SgWH5UB/VdYQ/N7WqpWaQxYZYBsFn:OJrSBYqLY
    MD5:C50C2F17112B6C6B0892CB2C1F502108
    SHA1:3DD1444384BF790F5AA90AE95EF7745FA4CFAF72
    SHA-256:20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8
    SHA-512:BFBFC3A13816A12E25C373F6739215B9DFF559FECFDF26C3358A452BDC833B6EAA64BBAE316F4B29B9E9CE802E9F50C66B533C8C3C1B372025A7F0B7D8B452F1
    Malicious:true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 50%
    • Antivirus: Virustotal, Detection: 64%, Browse
    Joe Sandbox View:
    • Filename: file.exe, Detection: malicious, Browse
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e:..![.@![.@![.@.,.A&[.@.,.A [.@L..A"[.@![.@5[.@.D.@([.@...A [.@...A [.@...A [.@Rich![.@................PE..L.....c...........!.........................................................p............@.............................@.......<................................{......................................................@............................text...p........................... ..`.rdata..............................@..@.data...01.......2..................@....reloc...{.......|..................@..B........................................................................................................................................................................................................................................................................................................................................................................
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.853487844881012
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:LwNdQo4zIk.exe
    File size:1034752
    MD5:3ccd6b369eb1dde57d181e7550bd7268
    SHA1:aee399e263c838570c00133feab275b81009e12a
    SHA256:f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
    SHA512:00bd3bb981e2a5bd4c30241025f352e9e528d76300e67fcdbe89ee9e12ecbba73b291aebd9b73f73a8aaa32e2a8b2d1b4d49796cdc11a1b891a313cf0a9dcc03
    SSDEEP:24576:RFOWvM7bZBFpXlDpRjJ5JAXVm359Ov9UIrczuX:RguWRNpRjJPgAp9ucz
    TLSH:B7251201329194A7C1CA6A3C4930E7F02D7FBCF29D7CE187EB643A1E9E706B14A55687
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.Y.......Z.......L.......................K.......[.......^.....Rich............................PE..L....7.b...
    Icon Hash:9062e090c6e73144
    Entrypoint:0x40600e
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:TERMINAL_SERVER_AWARE
    Time Stamp:0x620337B3 [Wed Feb 9 03:40:35 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:7bca87c7309353055aed194207c93e99
    Instructions (disassembly at the entrypoint, 0x40600e):
    call 00007FB8E8AE26A9h
    jmp 00007FB8E8ADCFCEh
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    mov edx, dword ptr [esp+0Ch]
    mov ecx, dword ptr [esp+04h]
    test edx, edx
    je 00007FB8E8ADD1BBh
    xor eax, eax
    mov al, byte ptr [esp+08h]
    test al, al
    jne 00007FB8E8ADD168h
    cmp edx, 00000100h
    jc 00007FB8E8ADD160h
    cmp dword ptr [0050CFACh], 00000000h
    je 00007FB8E8ADD157h
    jmp 00007FB8E8AE275Dh
    push edi
    mov edi, ecx
    cmp edx, 04h
    jc 00007FB8E8ADD183h
    neg ecx
    and ecx, 03h
    je 00007FB8E8ADD15Eh
    sub edx, ecx
    mov byte ptr [edi], al
    add edi, 01h
    sub ecx, 01h
    jne 00007FB8E8ADD148h
    mov ecx, eax
    shl eax, 08h
    add eax, ecx
    mov ecx, eax
    shl eax, 10h
    add eax, ecx
    mov ecx, edx
    and edx, 03h
    shr ecx, 02h
    je 00007FB8E8ADD158h
    rep stosd
    test edx, edx
    je 00007FB8E8ADD15Ch
    mov byte ptr [edi], al
    add edi, 01h
    sub edx, 01h
    jne 00007FB8E8ADD148h
    mov eax, dword ptr [esp+08h]
    pop edi
    ret
    mov eax, dword ptr [esp+04h]
    ret
    int3
    int3
    int3
    int3
    int3
    int3
    push ebp
    mov ebp, esp
    push edi
    push esi
    mov esi, dword ptr [ebp+0Ch]
    mov ecx, dword ptr [ebp+10h]
    mov edi, dword ptr [ebp+08h]
    mov eax, ecx
    mov edx, ecx
    add eax, esi
    cmp edi, esi
    jbe 00007FB8E8ADD15Ah
    cmp edi, eax
    jc 00007FB8E8ADD2FAh
    cmp ecx, 00000100h
    jc 00007FB8E8ADD171h
    cmp dword ptr [0050CFACh], 00000000h
    je 00007FB8E8ADD168h
    push edi
    push esi
    and edi, 0Fh
    Programming Language:
    • [ASM] VS2008 build 21022
    • [ C ] VS2008 build 21022
    • [IMP] VS2005 build 50727
    • [C++] VS2008 build 21022
    • [RES] VS2008 build 21022
    • [LNK] VS2008 build 21022
    Name                                  Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT          0x16dec          0x3c          .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10d000         0xbcb0        .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_DEBUG           0x1220           0x1c          .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x43a0           0x40          .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d4         .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
    Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
    .text  0x1000           0x16850       0x16a00   False     0.5431198204419889   data       6.3410785244090935  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data  0x18000          0xf4fb4       0xd9e00   False     0.9918356461560528   data       7.991407419226785   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc  0x10d000         0xbcb0        0xbe00    False     0.38569078947368424  data       4.2370546659086274  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
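    The section table above is the static evidence behind the "Detected unpacking" signatures: a .data section at entropy 7.99 that is readable and writable but not code, an image with RELOCS_STRIPPED (so it cannot be rebased), and a small .text that will later be overwritten. The following is an added example, not Joe Sandbox's analysis code and not the sample: a minimal PE32 section-table parser with per-section Shannon entropy and the three checks a packer typically leaves behind. The PE it parses is constructed in memory to mirror the layout in the table (section names, flags and the 7.0 entropy threshold are assumptions chosen for the demonstration).

```python
import math
import struct

# PE/COFF constants (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed triage threshold (not from the report): 8.0 bits/byte is the maximum
# for byte data; compressed or encrypted blobs normally sit above ~7.0.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the metric the sandbox reports per section."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _rel, _ln, _nrel, _nln, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "flags": flags, "entropy": shannon_entropy(raw),
        })
    return {"file_characteristics": file_chars, "sections": sections}


def triage(pe: bytes) -> list:
    """Return human-readable findings for the traits a packed loader leaves behind."""
    info = parse_pe_sections(pe)
    findings = []
    if info["file_characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("RELOCS_STRIPPED: image must load at its preferred base (ASLR cannot rebase it)")
    for s in info["sections"]:
        f = s["flags"]
        if s["entropy"] >= HIGH_ENTROPY and not f & IMAGE_SCN_CNT_CODE:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted payload")
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable (W+X)")
    return findings


def build_test_pe(sections, file_characteristics) -> bytes:
    """Assemble a minimal PE32 container (headers + section table + raw data).
    Constructed test input for the parser; it is not a runnable program."""
    n = len(sections)
    opt_size = 0xE0                                    # PE32 optional header size
    data_start = (64 + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)              # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    hdr += opt
    body = bytearray()
    raw_ptr, va = data_start, 0x1000
    for name, flags, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF        # 0x200 file alignment
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, raw_size,
                           raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += (len(data) + 0xFFF) & ~0xFFF             # 0x1000 section alignment
    return bytes(hdr.ljust(data_start, b"\0") + body)


# Constructed sample modelled on the table above: low-entropy code, a
# high-entropy read/write data section, and an RWX stub section.
SAMPLE_CODE = b"\x55\x8b\xec" + b"\x90" * 4000 + b"\xc3"
SAMPLE_BLOB = bytes(range(256)) * 16                   # uniform bytes: entropy 8.0
SAMPLE_PE = build_test_pe(
    [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, SAMPLE_CODE),
     (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, SAMPLE_BLOB),
     (".stub", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
      b"\xc3" * 64)],
    IMAGE_FILE_RELOCS_STRIPPED | 0x0002 | 0x0100,      # + EXECUTABLE_IMAGE, 32BIT_MACHINE
)

if __name__ == "__main__":
    for line in triage(SAMPLE_PE):
        print(line)
```

    Running it against a real file is `triage(open(path, "rb").read())`. The entropy check deliberately ignores code sections, since optimised x86 code alone reaches the 6.3 seen for .text above without being packed; it is the non-code section near 8.0 that points at an embedded payload.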
    Name               RVA       Size    Type  Language  Country
    AFX_DIALOG_LAYOUT  0x1160a0  0x2     data
    AFX_DIALOG_LAYOUT  0x116098  0x2     data
    AFX_DIALOG_LAYOUT  0x1160a8  0x2     data
    AFX_DIALOG_LAYOUT  0x1160b0  0x2     data
    AFX_DIALOG_LAYOUT  0x1160b8  0x2     data
    RT_CURSOR          0x1160c0  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
    RT_CURSOR          0x116208  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
    RT_CURSOR          0x116338  0xf0    Device independent bitmap graphic, 24 x 48 x 1, image size 0
    RT_CURSOR          0x116428  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
    RT_CURSOR          0x117500  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0
    RT_ICON            0x10d6e0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0  Serbian  Italy
    RT_ICON            0x10dda8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0  Serbian  Italy
    RT_ICON            0x10e310  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Serbian  Italy
    RT_ICON            0x10f3b8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Serbian  Italy
    RT_ICON            0x10f860  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Serbian  Italy
    RT_ICON            0x110708  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  Serbian  Italy
    RT_ICON            0x110fb0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors  Serbian  Italy
    RT_ICON            0x111678  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  Serbian  Italy
    RT_ICON            0x111be0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600  Serbian  Italy
    RT_ICON            0x114188  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224  Serbian  Italy
    RT_ICON            0x115230  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400  Serbian  Italy
    RT_ICON            0x115bb8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088  Serbian  Italy
    RT_STRING          0x117f18  0xea    data  Serbian  Italy
    RT_STRING          0x118008  0x348   data  Serbian  Italy
    RT_STRING          0x118350  0x682   data  Serbian  Italy
    RT_STRING          0x1189d8  0x2d8   data  Serbian  Italy
    RT_GROUP_CURSOR    0x1161f0  0x14    data
    RT_GROUP_CURSOR    0x117da8  0x14    data
    RT_GROUP_CURSOR    0x1174d0  0x30    data
    RT_GROUP_ICON      0x116020  0x76    data  Serbian  Italy
    RT_GROUP_ICON      0x10f820  0x3e    data  Serbian  Italy
    RT_VERSION         0x117dc0  0x154   Encore not stripped - version 79
    DLL           Imports
    KERNEL32.dll  GetConsoleAliasW, GetModuleHandleW, CreateDirectoryExW, ReadConsoleInputW, GetTempPathW, GetSystemDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeA, SearchPathA, VerifyVersionInfoA, SetProcessPriorityBoost, EndUpdateResourceA, FindNextFileW, FindFirstVolumeA, LocalShrink, GlobalFlags, _llseek, UpdateResourceA, CreateActCtxW, CopyFileW, AddConsoleAliasW, CreateMutexA, GetCurrentActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, SetEvent, MoveFileExA, CreateMailslotA, WriteConsoleInputA, TerminateThread, GetCurrentProcess, RtlCaptureContext, InterlockedCompareExchange, GetFileTime, lstrcatA, FindFirstFileW, FreeEnvironmentStringsA, SetErrorMode, InterlockedExchangeAdd, MoveFileWithProgressA, GetTickCount, SetLastError, GetPrivateProfileStructW, VerSetConditionMask, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA
    GDI32.dll     SetBrushOrgEx
    Language of compilation system: Serbian
    Country where language is spoken: Italy
    No network behavior found


    Target ID:0
    Start time:08:42:57
    Start date:05/01/2023
    Path:C:\Users\user\Desktop\LwNdQo4zIk.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\LwNdQo4zIk.exe
    Imagebase:0x400000
    File size:1034752 bytes
    MD5 hash:3CCD6B369EB1DDE57D181E7550BD7268
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
    Reputation:low

    Target ID:1
    Start time:08:43:03
    Start date:05/01/2023
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
    Imagebase:0x1020000
    File size:61952 bytes
    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:3
    Start time:08:43:07
    Start date:05/01/2023
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
    Imagebase:0xc90000
    File size:434592 bytes
    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
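    The three processes above form the chain an analyst wants to catch on an endpoint, independent of any signature for the payload: an executable on the Desktop spawns rundll32.exe against a .tmp file under AppData\Local\Temp, naming an export (Uprsprhaot), and that rundll32 instance then crashes under WerFault.exe (-p 1568). The following is an added example, not part of the report: detection logic run over process-creation events. The event records and the parent PIDs are constructed to mirror the process tree above (the report does not list parent PIDs explicitly), and a benign rundll32 invocation of shell32.dll is included as the negative case.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories an unprivileged user can write to; a DLL handed to rundll32 from
# one of these, or a parent living there, is the interesting case.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)
# rundll32 syntax: <dll>,<export>, with the DLL path optionally quoted.
RUNDLL_ARGS = re.compile(r'^\s*"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)')
# WerFault names the crashing process with -p <pid>.
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def args_after_image(cmdline: str) -> str:
    """Drop the leading executable token, whether quoted or bare."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.DOTALL)
    return m.group(1) if m else ""


def analyze(events):
    """Flag suspicious rundll32 launches and mark the ones that later crashed."""
    by_pid = {e.pid: e for e in events}
    alerts = {}
    for e in events:
        if not e.image.lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_ARGS.match(args_after_image(e.cmdline))
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export")
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("DLL loaded from a user-writable directory")
        if not dll.lower().endswith(".dll"):
            reasons.append("DLL path has a non-.dll extension")
        parent = by_pid.get(e.ppid)
        if parent and USER_WRITABLE.search(parent.image):
            reasons.append("parent process runs from a user-writable directory")
        if reasons:
            alerts[e.pid] = {"pid": e.pid, "dll": dll, "export": export,
                             "reasons": reasons, "crashed": False}
    # Second pass: a WerFault for a process we already flagged is corroborating
    # evidence (the report's "One or more processes crash"), not noise to drop.
    for e in events:
        if e.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(e.cmdline)
            if m and int(m.group(1)) in alerts:
                alerts[int(m.group(1))]["crashed"] = True
    return list(alerts.values())


# Constructed events mirroring the report's process tree; parent PIDs
# (1234 for explorer.exe) are assumptions, the command lines are the report's.
SAMPLE_EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6072, 1234, r"C:\Users\user\Desktop\LwNdQo4zIk.exe",
              r"C:\Users\user\Desktop\LwNdQo4zIk.exe"),
    ProcEvent(1568, 6072, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot'),
    ProcEvent(5192, 1568, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960"),
    # Negative case: a normal Control Panel launch through rundll32.
    ProcEvent(4444, 1234, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

    The DLL path, not the image path, is what matters: the parent invoked `C:\Windows\system32\rundll32.exe` while the process actually ran from SysWOW64 (WoW64 redirection of a 32-bit parent), so a rule keyed on the image path alone would still fire, but one keyed on the literal command-line prefix would not.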


      Execution Graph

      Execution Coverage:1%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:21.7%
      Total number of Nodes:23
      Total number of Limit Nodes:2
      execution_graph 18752 4c978e FindCloseChangeNotification 18753 4c979c 18752->18753 18764 4ec46c 18766 4ec49e 18764->18766 18765 4ec5ab CreateProcessW 18766->18765 18754 4a7759 CryptAcquireContextA 18755 4a7782 18754->18755 18767 46fe63 18768 46febf LoadLibraryA 18767->18768 18770 46ff5c 18768->18770 18771 4a6d6c 18772 4a6d8c 18771->18772 18773 4a6d9d CharUpperBuffA 18772->18773 18756 4ab9d1 18757 4ab9d5 CryptDeriveKey 18756->18757 18759 4aba16 18757->18759 18759->18759 18760 46f519 18761 46f525 18760->18761 18762 46f55b LoadLibraryA 18760->18762 18761->18762 18763 46f581 18762->18763 18774 4fa970 18775 4fa977 malloc 18774->18775 18776 4fa974 18774->18776
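    The execution graph above shows the unpacker's key handling: CryptAcquireContextA (node 4a7759), then CryptDeriveKey (4ab9d1), with LoadLibraryA and CreateProcessW alongside, and CryptDestroyKey in the function list further down. The report does not reveal which hash algorithm, which key algorithm or which password the sample feeds into that chain. The following is an added example, not code from the sample or from Joe Sandbox: a reimplementation of the key derivation that CryptDeriveKey is documented to perform, so that once an analyst recovers those three inputs from the unpacker the key can be reproduced offline and the encrypted blob decrypted without the CAPI. The password, plaintext and ciphertext are constructed for the demonstration; the 128-bit default for RC4 assumes the Enhanced Provider, and only the hash and cipher identifiers listed are covered.

```python
import hashlib

# CALG identifiers from wincrypt.h (only those handled here).
CALG_MD5, CALG_SHA1, CALG_SHA_256 = 0x8003, 0x8004, 0x800C
CALG_RC4, CALG_3DES, CALG_AES_128, CALG_AES_256 = 0x6801, 0x6603, 0x660E, 0x6610

HASH_FUNCS = {CALG_MD5: hashlib.md5, CALG_SHA1: hashlib.sha1, CALG_SHA_256: hashlib.sha256}
# Assumed default key lengths (Enhanced Provider: 128-bit RC4).
KEY_LENGTHS = {CALG_RC4: 16, CALG_3DES: 24, CALG_AES_128: 16, CALG_AES_256: 32}
# Ciphers whose keys are built with the 0x36/0x5C expansion (unless the hash is SHA-2).
EXPANDED_ALGS = {CALG_3DES, CALG_AES_128, CALG_AES_256}


def crypt_derive_key(hash_alg: int, key_alg: int, password: bytes) -> bytes:
    """Reproduce CryptDeriveKey(hProv, key_alg, hHash, 0, &hKey) where hHash is
    hash_alg over `password`. For 3DES/AES from a non-SHA-2 hash the documented
    derivation is: digest XOR 0x36 and XOR 0x5C, each padded to 64 bytes, hashed
    again, concatenated, truncated; every other case truncates the digest."""
    h = HASH_FUNCS[hash_alg]
    digest = h(password).digest()
    n = KEY_LENGTHS[key_alg]
    if key_alg in EXPANDED_ALGS and hash_alg != CALG_SHA_256:
        k = len(digest)
        inner = bytes(b ^ 0x36 for b in digest) + b"\x36" * (64 - k)
        outer = bytes(b ^ 0x5C for b in digest) + b"\x5C" * (64 - k)
        material = h(inner).digest() + h(outer).digest()
    else:
        material = digest
    if n > len(material):
        raise ValueError("hash output too short for the requested key length")
    return material[:n]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (CALG_RC4); symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover(password: bytes, blob: bytes, hash_alg: int = CALG_MD5, key_alg: int = CALG_RC4) -> bytes:
    """Derive the key the way the unpacker would and decrypt the blob with it."""
    return rc4(crypt_derive_key(hash_alg, key_alg, password), blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a candidate plaintext: an unpacked stage starts with MZ."""
    return data[:2] == b"MZ"


# Constructed demonstration data: a made-up password (not one from the sample)
# and a blob encrypted under the key it derives, standing in for the embedded payload.
DEMO_PASSWORD = b"example-password"
DEMO_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode."
DEMO_BLOB = rc4(crypt_derive_key(CALG_MD5, CALG_RC4, DEMO_PASSWORD), DEMO_PLAINTEXT)

if __name__ == "__main__":
    for candidate in (b"wrong-guess", DEMO_PASSWORD):
        plain = recover(candidate, DEMO_BLOB)
        print(candidate, "->", "PE header" if looks_like_pe(plain) else "garbage")
```

    In practice the three inputs come from the unpacker itself: the ALG_ID passed to CryptCreateHash, the ALG_ID passed to CryptDeriveKey, and whatever bytes went through CryptHashData before it, which is why the strings decoded near those call sites are worth logging. Do not assume a password that happens to look like a DLL name in the string list is the one hashed; this sample's decoded strings are a mix of real import names and decoys.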

      Control-flow Graph

      control_flow_graph 0 4a7759-4a7780 CryptAcquireContextA 1 4a77c2-4a77f5 0->1 2 4a7782-4a77c0 0->2 3 4a77fb-4a780b 1->3 4 4a88c6-4a88d8 1->4 2->1 5 4a781e-4a7872 call 4a73da 3->5 6 4a780d-4a7817 3->6 7 4a88da-4a88f1 4->7 8 4a8909-4a891a 4->8 13 4a7876-4a7942 5->13 14 4a7874 5->14 6->5 10 4a88f3-4a8907 7->10 11 4a8920-4a8929 7->11 8->11 10->8 15 4a7999-4a79aa 13->15 16 4a7944-4a7967 13->16 14->13 17 4a79ec-4a7a1d 15->17 18 4a79ac-4a79cc 15->18 19 4a7969-4a7987 16->19 20 4a798e-4a7992 16->20 23 4a7a1f 17->23 24 4a7a22-4a7a33 17->24 21 4a79ce 18->21 22 4a79d5-4a79ea 18->22 25 4a7989 19->25 26 4a798c 19->26 20->15 21->22 22->17 23->24 27 4a7a60-4a7a9f 24->27 28 4a7a35-4a7a49 24->28 25->26 26->20 27->4 29 4a7a4b 28->29 30 4a7a51-4a7a5b 28->30 29->30 30->27
      APIs
      • CryptAcquireContextA.ADVAPI32 ref: 004A7768
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AcquireContextCrypt
      • String ID: 7~ $CallWindowProcW$GetVolumeNameForVolumeMountPointW$NlsLexicons004a.dll$RasMigPlugin.dll$RtlCreateTimerQueue$apihex86.dll$devrtl.dll$msxml3r.dll
      • API String ID: 3951991833-1759118181
      • Opcode ID: 7358e2a6632d911ebb6615a09c023d6a935bae8a3ef6d7f88b02a29ff95ce42f
      • Instruction ID: 864f73d61dd2754cb24b74166d1be688390b549063db801f3636d54e48d93abe
      • Opcode Fuzzy Hash: 7358e2a6632d911ebb6615a09c023d6a935bae8a3ef6d7f88b02a29ff95ce42f
      • Instruction Fuzzy Hash: 36A16DB5E042099FCB00DFBAE9D41EE7BB0EB2A310F04817AD955E7762E3780955CB58
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 182 4ab9d1-4ab9d3 183 4ab9d9-4ab9fc 182->183 184 4ab9d5-4ab9d7 182->184 185 4aba02-4aba14 CryptDeriveKey 183->185 184->183 184->185 186 4aba58-4aba73 185->186 187 4aba16-4aba25 185->187 189 4aba79-4aba8f 186->189 190 4ac237-4ac27c 186->190 187->186 188 4aba27-4aba48 187->188 191 4aba4a-4aba4d 188->191 192 4aba54 188->192 189->190 193 4ac281 190->193 191->192 192->186 193->193
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CryptDerive
      • String ID: FXSRES.DLL$wbemprox.dll
      • API String ID: 963700953-864472841
      • Opcode ID: 6f48a9e3d8a845fa319f77717fccbb300e8f6d0b3750192ee9f2a256972f91a6
      • Instruction ID: f2ca315b04a59662c88b2711d1709a0820e6a57183890c9017ff3987399593be
      • Opcode Fuzzy Hash: 6f48a9e3d8a845fa319f77717fccbb300e8f6d0b3750192ee9f2a256972f91a6
      • Instruction Fuzzy Hash: B82102B1E003059FCB009FA8D9D53EEBBB1EB2A710F44827B895497752E3B90E54C788
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 66 4ec46c-4ec4b9 call 4b06b3 69 4ec4bb-4ec4c0 66->69 70 4ec4d4-4ec50e call 4c89d8 66->70 71 4ec4c9-4ec4d2 69->71 72 4ec4c2-4ec4c7 69->72 75 4ec537-4ec551 70->75 76 4ec510-4ec530 70->76 71->70 72->71 77 4ec553-4ec56e 75->77 78 4ec571-4ec578 75->78 76->75 77->78 79 4ec57a-4ec57d 78->79 80 4ec582-4ec592 78->80 79->80 81 4ec59b-4ec59e 80->81 82 4ec594 80->82 83 4ec5ab-4ec5ce CreateProcessW 81->83 84 4ec5a0-4ec5a8 81->84 82->81 84->83
      APIs
      • CreateProcessW.KERNELBASE(00000000,?,00000000), ref: 004EC5C7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CreateProcess
      • String ID: FXSRES.DLL$NlsLexicons004a.dll$Wlh$WriteFileEx$r&
      • API String ID: 963392458-2991641650
      • Opcode ID: c589032668075253d4b0997476dec812eb91138371010b571f4f34328cbe6b11
      • Instruction ID: 7c91f1378760e961f50db07e3ce39b7fa1196c614006467c9920f1ac7116d833
      • Opcode Fuzzy Hash: c589032668075253d4b0997476dec812eb91138371010b571f4f34328cbe6b11
      • Instruction Fuzzy Hash: EE31FE75E0021A9BDB00EFAAEAD06FE7BB0FF28304F40453AE505E7352E6394950CB48
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 85 46fe63-46febd 86 46feef-46ff17 85->86 87 46febf-46fee8 85->87 89 46ff32-46ff5a LoadLibraryA 86->89 90 46ff19-46ff2d 86->90 87->86 88 46feea 87->88 88->86 91 46ff64-46ff85 89->91 92 46ff5c-46ff62 89->92 90->89 93 46ff8b-46ffc0 91->93 92->91 92->93
      APIs
      • LoadLibraryA.KERNELBASE(?), ref: 0046FF46
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: EtwpGetCpuSpeed$Wlh$ZwOpenFile$hpfevw73.dll$sbs_diasymreader.dll
      • API String ID: 1029625771-530310043
      • Opcode ID: 84c2ea79aa9ae2472bf0d13afee29d124ec4b34a6d1f35d1e14fc466ec2a4c3b
      • Instruction ID: 5f9cf8e8bc6aefead99389c9af6ac2026223ccff36b1127e3ada00a722c668e2
      • Opcode Fuzzy Hash: 84c2ea79aa9ae2472bf0d13afee29d124ec4b34a6d1f35d1e14fc466ec2a4c3b
      • Instruction Fuzzy Hash: 4F319C75E40359DFD700DFB8FAC52EE7BB1EB2A310B48403A8944A7362E2790969C749
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 171 46f519-46f523 172 46f525-46f54b 171->172 173 46f55b-46f57f LoadLibraryA 171->173 174 46f554 172->174 175 46f54d 172->175 176 46f581-46f583 173->176 177 46f5be-46f651 call 46c3b9 173->177 174->173 175->174 178 46f585-46f595 176->178 179 46f599-46f5b8 176->179 178->179 179->177
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: EtwpGetCpuSpeed$devrtl.dll
      • API String ID: 1029625771-2582432514
      • Opcode ID: a285a531e5daf239845ba61c217765e189ae03a1582bac433da6b99f5ec81368
      • Instruction ID: ef33f599e64732a1e3375540842653c93bdef4a5e839f9d74011e57d83ba48f0
      • Opcode Fuzzy Hash: a285a531e5daf239845ba61c217765e189ae03a1582bac433da6b99f5ec81368
      • Instruction Fuzzy Hash: 5E318F64E44249DFCB00DFB8EAC55ED7BB1FB29320B00407AD45597722E3780A65CB59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • FindCloseChangeNotification.KERNELBASE ref: 004C9796
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ChangeCloseFindNotification
      • String ID:
      • API String ID: 2591292051-0
      • Opcode ID: 3992a863efe16b8f63359b138bfd13186a8977471c0d463d6497a29c7974d3d7
      • Instruction ID: 40f782e186dae421e2e5291fc41b6312c26cd0d01877086a23cfcd62d6540203
      • Opcode Fuzzy Hash: 3992a863efe16b8f63359b138bfd13186a8977471c0d463d6497a29c7974d3d7
      • Instruction Fuzzy Hash: 71A0243D300105C7C3014F30F5CD41C371143D030D710C5315403C404CC434D011D100
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CharUpperBuffA.USER32(00000000,?,?), ref: 004A6DA3
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: BuffCharUpper
      • String ID:
      • API String ID: 3964851224-0
      • Opcode ID: c0d1f12392ce7b553b800283bae38bc47d464258fadfbfb328399a4a17ab7e07
      • Instruction ID: 9fdd92384781316f0075c6a200922c60cf00b03dd3c62785e9577931238c8af9
      • Opcode Fuzzy Hash: c0d1f12392ce7b553b800283bae38bc47d464258fadfbfb328399a4a17ab7e07
      • Instruction Fuzzy Hash: B4F0AE35D00108BFCF01AFE9D845A9DBFB1EF04318F1081A5A924AA2A1D7368A24EF44
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: malloc
      • String ID:
      • API String ID: 2803490479-0
      • Opcode ID: af609ad100646c7060bc4ecb92b57e4e724e07d0b9cf465bc3175297e7bdafd8
      • Instruction ID: 5c81a9e60f535cad76a1d6efa1db0b362f67b2df7e96e182e9237fcea45a1aa5
      • Opcode Fuzzy Hash: af609ad100646c7060bc4ecb92b57e4e724e07d0b9cf465bc3175297e7bdafd8
      • Instruction Fuzzy Hash: 85A012CDD1004000EE0410311801423102221E060BBD5C8B9680440124FA3CC018201E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetLastError.KERNEL32(0000007F), ref: 004DDD9E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: Gs$=kt$GetLocalManagedApplications$NetWkstaSetInfo$NlsLexicons004a.dll$RtlInitializeGenericTable$System.Windows.Controls.Ribbon.dll$V*$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$apihex86.dll$audmigplugin.dll$cngprovider.dll$dxtrans.dll$mfdvdec.dll$wbemprox.dll$wiawow64.exe$2;
      • API String ID: 1452528299-2589147596
      • Opcode ID: 8a7d02bacb0df8d7231105ae6d5741325e06c272fe29310aeabdff8e49e59cca
      • Instruction ID: 05d6b29f830936cf197503655dc14312dda97afb7d531475b55ca1f809a40a4b
      • Opcode Fuzzy Hash: 8a7d02bacb0df8d7231105ae6d5741325e06c272fe29310aeabdff8e49e59cca
      • Instruction Fuzzy Hash: 6642D275E04249CFCB00DFB9EAE12E97BB1EF29314B04817BC94597362E2790965CB5C
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: $-7$=kt$B\5$CallWindowProcW$EtwpGetCpuSpeed$FXSRES.DLL$GetLocalManagedApplications$GetP$PSEvents.dll$RasMigPlugin.dll$System.Windows.Controls.Ribbon.dll$TSpkg.dll$ZwWow64QueryInformationProcess64$api-ms-win-core-io-l1-1-0.dll$ddre$ddrerocA$devrtl.dll$rocA$scksp.dll
      • API String ID: 0-401364481
      • Opcode ID: 7249d203baedaa77c33435596837b91bd44663c268df7ad3f61fe718c367cf2d
      • Instruction ID: b0def301be00dee447dbe5b571d51c378938ae4c4b3a571c5a6394b2bc8ae00e
      • Opcode Fuzzy Hash: 7249d203baedaa77c33435596837b91bd44663c268df7ad3f61fe718c367cf2d
      • Instruction Fuzzy Hash: F432F676E00248DFCB00DFB9EA941EA7BB2EF69724B05807EC85497362E3350965CB5C
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: Gs$=kt$CallWindowProcW$GetAppCompatFlags2$GetVolumeNameForVolumeMountPointW$NetWkstaSetInfo$RtlInitializeGenericTable$Wlh$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$apihex86.dll$dpnathlp.dll$f\r$penusa.dll$qz.$sbs_diasymreader.dll$wiawow64.exe$@/
      • API String ID: 0-3626902700
      • Opcode ID: 73e04fddcb762fd17380410f4abe933b673318dbd42f076f8bd20773ad0de406
      • Instruction ID: 1f16049fa2c29bce1a5847f1875b2538c2141436720408383bd5407f2aa2cf9b
      • Opcode Fuzzy Hash: 73e04fddcb762fd17380410f4abe933b673318dbd42f076f8bd20773ad0de406
      • Instruction Fuzzy Hash: FB32E375E44249CFCB00DFBAEAD52E97BB1EF29324B04817BC85497362E2780965CB5C
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: !O$GetAppCompatFlags2$GetLocalManagedApplications$GetVolumeNameForVolumeMountPointW$HPBPRO.DLL$NetWkstaSetInfo$RtlCreateTimerQueue$Wlh$ZwOpenFile$api-ms-win-core-io-l1-1-0.dll$f\r$hpfevw73.dll$mfdvdec.dll$sbs_diasymreader.dll$wabimp.dll$wmploc.DLL$}hX
      • API String ID: 0-1915777522
      • Opcode ID: f8de094187cb5aaad40c7fd6e50e254cc11a7612ad419f432a1d4f25ded614f1
      • Instruction ID: 328b9ea172c7fe457b9d8e4ebb097c87c45c34e4d7bc6dcb5dff0e99082a7081
      • Opcode Fuzzy Hash: f8de094187cb5aaad40c7fd6e50e254cc11a7612ad419f432a1d4f25ded614f1
      • Instruction Fuzzy Hash: DB62D466A44245CFCB00DFB9FE946EA7BB5EFAA320708417AC94497363D3740929C76C
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: GetLocalManagedApplications$HPBPRO.DLL$RasMigPlugin.dll$VarDateFromUdate$Wlh$api-ms-win-core-interlocked-l1-1-0.dll$hpfevw73.dll$mh-$n:
      • API String ID: 0-260067468
      • Opcode ID: 3c935833391de6bbd7c149d5be8d7fbfe6bdad8b8280ff32742df89f8bf0fbde
      • Instruction ID: e54fa58228523b3247f4f32c2abfc5b05b747a5a7893d848b3390674f79041b2
      • Opcode Fuzzy Hash: 3c935833391de6bbd7c149d5be8d7fbfe6bdad8b8280ff32742df89f8bf0fbde
      • Instruction Fuzzy Hash: BEC1B179E0024A9FCB00EFB9EAD46EE7BB1EB29310B44417ED905E7762E3740954CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: PathTemp
      • String ID: CallWindowProcW$EtwpGetCpuSpeed$GetAppCompatFlags2$RtlCreateTimerQueue$System.Windows.Controls.Ribbon.dll$VarDateFromUdate$api-ms-win-core-interlocked-l1-1-0.dll
      • API String ID: 2920410445-3674538805
      • Opcode ID: bdb5a9dbcb2d227e699cb6bd148ec75ce1ce944acc58910e764e36fd77b0c8f9
      • Instruction ID: ab31c8120063b0c2e11c4b581ae2722b5708b4cd45c7bde5b4b1a71e9c106ab1
      • Opcode Fuzzy Hash: bdb5a9dbcb2d227e699cb6bd148ec75ce1ce944acc58910e764e36fd77b0c8f9
      • Instruction Fuzzy Hash: 8381E366A402498FCB00CF7DEE953E93BB1EB3A320B04417AD959D7363E6780916CB5C
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: =kt$FXSRES.DLL$GetAppCompatFlags2$GetVolumeNameForVolumeMountPointW$RtlInitializeGenericTable$api-ms-win-core-interlocked-l1-1-0.dll$cngprovider.dll$devrtl.dll$hpfevw73.dll$wbemprox.dll
      • API String ID: 0-649141487
      • Opcode ID: 493700602ed97b5d97610bf3e21186bf99b99b127bb852215559cc7559145844
      • Instruction ID: 072a09430c11f9c01987f29cc09220e59e6ff7fea68ac1a75193fe07c1201d7e
      • Opcode Fuzzy Hash: 493700602ed97b5d97610bf3e21186bf99b99b127bb852215559cc7559145844
      • Instruction Fuzzy Hash: AFC1AE75E403099FCB00DFA9EAD56ED7BB1EB29324F00807ED914A7362E3790A55CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptDestroyKey.ADVAPI32(?), ref: 004B0419
      Strings
      • Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004B0396
      • scksp.dll, xrefs: 004B03D7
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CryptDestroy
      • String ID: Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$scksp.dll
      • API String ID: 1712904745-3817965684
      • Opcode ID: 1ba5fc7c3a257f75d131fcd563011a084cbac11a3c79b3a35215e36621b5dd36
      • Instruction ID: 4c5c17772bd7d973cce85e30be1e16e5128337274f85ef7599db5a0952d93290
      • Opcode Fuzzy Hash: 1ba5fc7c3a257f75d131fcd563011a084cbac11a3c79b3a35215e36621b5dd36
      • Instruction Fuzzy Hash: 5511D525744281CFD7018BB9FE863E93FB1EF66220F44027A8954573A3C2A90D2AC72D
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • GetVolumeNameForVolumeMountPointW, xrefs: 004A5CC5
      • wiawow64.exe, xrefs: 004A5BDA
      • Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004A5C1A
      • scksp.dll, xrefs: 004A5D6E
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$scksp.dll$wiawow64.exe
      • API String ID: 0-3473566360
      • Opcode ID: 6e13d59716830d3138c14c915df6980d24302d5b4ac7062b7bf4873156c791c9
      • Instruction ID: 0e9d8c79414aee5ed3024515340c28f1cd824f4c12ada021047b671772e94a30
      • Opcode Fuzzy Hash: 6e13d59716830d3138c14c915df6980d24302d5b4ac7062b7bf4873156c791c9
      • Instruction Fuzzy Hash: 9151BB69A44749CFC7009FA9FF956E93BB0EB3A320708407BC944D7322E2691965CB6D
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: RtlCreateTimerQueue$dbgeng.dll$devrtl.dll
      • API String ID: 0-2281805483
      • Opcode ID: 058cc3f21566c971f2538abf272fc56e589d7fe5510ab598018e46a50b3f2ddd
      • Instruction ID: e24532da6f2a289c23c6f4941ae3d256a9864d5727f3a8b66d1e947845f9ad2f
      • Opcode Fuzzy Hash: 058cc3f21566c971f2538abf272fc56e589d7fe5510ab598018e46a50b3f2ddd
      • Instruction Fuzzy Hash: F0410267A402868FC7018FB5FE947E63FB4EB7A7607084176CD4497723D228091ACBAC
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: ? $GetLocalManagedApplications$Wlh
      • API String ID: 0-2048745350
      • Opcode ID: 509aebd62b0b127d20e357408734fc77926bca3ef38b1c5c4ecf77077112861c
      • Instruction ID: ce70d70ea4648ec9a429ac842834e08205dfe7c7a4c545f87cb37043a012fc17
      • Opcode Fuzzy Hash: 509aebd62b0b127d20e357408734fc77926bca3ef38b1c5c4ecf77077112861c
      • Instruction Fuzzy Hash: D741E375D443598FCB00DBB8EE955EA3BB2EB69310704413AC80097B23D2780D69CBAC
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • GetLocalManagedApplications, xrefs: 004AEB94
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: Crypt
      • String ID: GetLocalManagedApplications
      • API String ID: 993010335-2412223744
      • Opcode ID: 90a7d40cce46aeebd4316900c3109388bdbc03f19d3112e42ff80b423a353ba8
      • Instruction ID: e9d60645f25df3f8ea143010a32424c0cebbac4444ddfb102ce184d604e54b2e
      • Opcode Fuzzy Hash: 90a7d40cce46aeebd4316900c3109388bdbc03f19d3112e42ff80b423a353ba8
      • Instruction Fuzzy Hash: F4317B56A5024A8FCB10DF34FE993E63BA1EB7B3247044177C821977A6D22A0875C76D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptExportKey.ADVAPI32(?), ref: 004B01E1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CryptExport
      • String ID: ZwOpenFile
      • API String ID: 3389274496-3061432694
      • Opcode ID: cebb804deda6a707b31394c2998f1f8d664a7ab440c0c1b0ba3fe20e9c34a550
      • Instruction ID: 81dda3a31a3bbc86c7ccba9f2d4059ce5bca937f6ce77958a7017cd490775c64
      • Opcode Fuzzy Hash: cebb804deda6a707b31394c2998f1f8d664a7ab440c0c1b0ba3fe20e9c34a550
      • Instruction Fuzzy Hash: 47012663950245DBC300CBFCBE427EA7BB8EB653257044176DD04E3262E66A0D56C3A9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 004BAA05
      • CryptBinaryToStringA.CRYPT32(?,?,00000001,?,?), ref: 004BAA35
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: BinaryCryptString
      • String ID:
      • API String ID: 80407269-0
      • Opcode ID: 9148eff3da48344e1d12db2789ff7db2dc651f2a83e9d144aa6a0a8387db3559
      • Instruction ID: cd48c6b3742682db978dee803b04635d8b977bde26e391758810dca5e7dd0092
      • Opcode Fuzzy Hash: 9148eff3da48344e1d12db2789ff7db2dc651f2a83e9d144aa6a0a8387db3559
      • Instruction Fuzzy Hash: A511FB75D00108FBDF019F94CC41BEDBB76FF08300F104266B921A22A0E77A8A60DB66
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID: RtlCreateTimerQueue$dxtrans.dll
      • API String ID: 0-3232145319
      • Opcode ID: 04208931043cb9ff03e743e6ffee993e5cc0e3cdd547e3fbb9fa17e028715fe2
      • Instruction ID: 3c92a60d07b910cd797c9cde1ab3375b2d7d7caab9db6e88fc5699dbf90eb3af
      • Opcode Fuzzy Hash: 04208931043cb9ff03e743e6ffee993e5cc0e3cdd547e3fbb9fa17e028715fe2
      • Instruction Fuzzy Hash: 0501E131A102098BE700AF7AEED5BE633A2EB18300F4000369D00C77A5E2665824C75D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptReleaseContext.ADVAPI32 ref: 004B0571
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ContextCryptRelease
      • String ID:
      • API String ID: 829835001-0
      • Opcode ID: 70aff45a6fd7951611b3732b4208190f89d1dfbd6fa1ea0f08147219fd2359da
      • Instruction ID: b5937936222b717d563e5530a57357b7f1f453a8bb7d3bd6666b10a2515b7fc7
      • Opcode Fuzzy Hash: 70aff45a6fd7951611b3732b4208190f89d1dfbd6fa1ea0f08147219fd2359da
      • Instruction Fuzzy Hash: 9601C066A1120E8FCB11DF38EAC91EA3BA1EB7A714304403BC841A7366E2354874CB5E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CryptExport
      • String ID:
      • API String ID: 3389274496-0
      • Opcode ID: e1d6614823048c371383ea307966132602e77c05c50381d0c28b114809448871
      • Instruction ID: d4221534c5ad4299bc9651078f1103edbe157f8ce2e751151f42fad4eb23ba93
      • Opcode Fuzzy Hash: e1d6614823048c371383ea307966132602e77c05c50381d0c28b114809448871
      • Instruction Fuzzy Hash: C9D05E68185280AAC6008B74FE8AA652F649BA6610B4000B5B400492F3C2500929C369
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: LocalTime
      • String ID:
      • API String ID: 481472006-0
      • Opcode ID: b700193c1c86c19e8c6d22a4e5633e12132d6af535861b2157dbeb9f2d8b37bb
      • Instruction ID: 6feaae2b9bacf522af987e2d2991633f8ff704f18c3771b7b1234a28f54250a2
      • Opcode Fuzzy Hash: b700193c1c86c19e8c6d22a4e5633e12132d6af535861b2157dbeb9f2d8b37bb
      • Instruction Fuzzy Hash: 71C04C7081020D4ACF00EB959D429BEB6BCAA40218B5005659911B5291EB61AB1085A6
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b097b0309f89a1192f476928ba68543a92d2c23d50abe5ed894ff1e227a05ad0
      • Instruction ID: e615807677afee63b5c35191c71010c5a06942e99dc5413fa01f24175c4ad080
      • Opcode Fuzzy Hash: b097b0309f89a1192f476928ba68543a92d2c23d50abe5ed894ff1e227a05ad0
      • Instruction Fuzzy Hash: E102E6B1B082254BDB0CCE18C59023DBBE2FBC9341F15496EE59AD7384C678D995CF8A
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 140ba7c6eeb16db4d3db3bcf8a08cd3e9114ae159abc6f95e2c3d7fa4b8f75a0
      • Instruction ID: 13098da43e41b6a377cc122102e0c61971807471e885c152087d7bc7652aa414
      • Opcode Fuzzy Hash: 140ba7c6eeb16db4d3db3bcf8a08cd3e9114ae159abc6f95e2c3d7fa4b8f75a0
      • Instruction Fuzzy Hash: 9FF0A470A5021CEFDB00CF84DD85BDDB7B1BB08304F100166EA40A7394D3B9A924DBA9
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 83cf7fde548232ddf5e1cdd39e8808ef3593ba8cfcc81401b37a56e8730e95d4
      • Instruction ID: dbb2cebe213b8c7046f91811030d7f2f856ec0e24dc2b9e0c3ef74e2b6c3b591
      • Opcode Fuzzy Hash: 83cf7fde548232ddf5e1cdd39e8808ef3593ba8cfcc81401b37a56e8730e95d4
      • Instruction Fuzzy Hash: 6CE00979A0020DAEDF019FD5CD85DEEBFB6EB88714F100069EA1072160D6725D64DB66
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f1fc9cdc24ae54707d79819bf13c194b06eb89ae4313e78ba5d708260b8d7dd0
      • Instruction ID: 46d84c7a961612567cdf95ea1c411bd4849ccd9e57829e3575dbdf7af3a36cc4
      • Opcode Fuzzy Hash: f1fc9cdc24ae54707d79819bf13c194b06eb89ae4313e78ba5d708260b8d7dd0
      • Instruction Fuzzy Hash: 14E02D79A00219EFDB15DF85E8819AEBBB2FB8D304F1041A4F90067265C7759C62EF64
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4533122f00e3f06e9b506e558a66b98a654bc9eb808e8eae4e1719417f7615b1
      • Instruction ID: c00efbd50bd566755fdbbb76191db873fa22e01bbac1f8a77da95ba4ad2c2029
      • Opcode Fuzzy Hash: 4533122f00e3f06e9b506e558a66b98a654bc9eb808e8eae4e1719417f7615b1
      • Instruction Fuzzy Hash: 7BC0125978024C8F4350CB289D86F6026A0D35531035440369584E3251E6A58518C708
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 776217f08c024aac371037d3aae5d197dc6381f1f09d6c16ce85a6b876d4883d
      • Instruction ID: 03a5d180bc044da452250d385a0ae2c669391eeb9294f807430b15919c97f41c
      • Opcode Fuzzy Hash: 776217f08c024aac371037d3aae5d197dc6381f1f09d6c16ce85a6b876d4883d
      • Instruction Fuzzy Hash: CDB0923164020CFE9B488F80AEC08783A36E3C0B497100074A10011061C6744D20DB1A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateFileW.KERNEL32(?,80000000,00000000), ref: 004ECB42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: 6$=kt$FXSRES.DLL$GJ&$GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NetWkstaSetInfo$Q$L$RtlCreateTimerQueue$System.Windows.Controls.Ribbon.dll$ZwOpenFile$hpfevw73.dll$msxml3r.dll
      • API String ID: 823142352-3613401781
      • Opcode ID: 2b2ba3889522c386f2f1e895cc741aacfb6442b04e81d5ddaaa1edeff21a088b
      • Instruction ID: 509ea8cbe4a3591b9b0481434c525ec50f11f0bb41db308bb747d028baa70665
      • Opcode Fuzzy Hash: 2b2ba3889522c386f2f1e895cc741aacfb6442b04e81d5ddaaa1edeff21a088b
      • Instruction Fuzzy Hash: EB915556B402858FD7009F7AFED63E63BA1EB29325B04427BD944873A3D26D092AC31D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: Ab+$CallWindowProcW$GetLocalManagedApplications$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NlsLexicons004a.dll$Wlh$ZwWow64QueryInformationProcess64$api-ms-win-core-interlocked-l1-1-0.dll$audmigplugin.dll$hpfevw73.dll$i+$sbs_diasymreader.dll
      • API String ID: 190572456-926755863
      • Opcode ID: e77b38a7da15ff53f6bb5755fdc8d6d81103b3f833a85d1c70a62d5a7bad19c8
      • Instruction ID: ea1665178910e91097ae4966b37785557c7ad2aeda5481a66344b7efcfe3a13d
      • Opcode Fuzzy Hash: e77b38a7da15ff53f6bb5755fdc8d6d81103b3f833a85d1c70a62d5a7bad19c8
      • Instruction Fuzzy Hash: 48D1B165E00249DFCB00EFB9EAD45E97FB1FF29310B04817AD944A7322E3780A65CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: $CallWindowProcW$GetAppCompatFlags2$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$System.Windows.Controls.Ribbon.dll$WriteFileEx$ZwOpenFile$api-ms-win-core-interlocked-l1-1-0.dll$f\r$scksp.dll$wabimp.dll$wiawow64.exe
      • API String ID: 1452528299-4186344764
      • Opcode ID: b61d8796a8067f191c03d4fac042a00e920b0d0bde90d28ae46547eb1006d9fe
      • Instruction ID: 420889970987b465808a204f5afa47a40c4ff46ac239ef72e800e05bb5a3cca4
      • Opcode Fuzzy Hash: b61d8796a8067f191c03d4fac042a00e920b0d0bde90d28ae46547eb1006d9fe
      • Instruction Fuzzy Hash: 76712175E5024A9FCB00AFB9D9852ED7BF1EB2A310F44807B9944E7712E3780A51CB59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 0049981A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: .6&$=kt$CallWindowProcW$GetVolumeNameForVolumeMountPointW$Gr$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$ZwOpenFile$ap!$dxtrans.dll$q:6
      • API String ID: 190572456-3556343019
      • Opcode ID: 950b0f4b12323d790cb6bf90020a46fece1815f7b96e198ff706f8a53d15e09b
      • Instruction ID: 263ed57c7c18ffc7593e93c871394e9c08e5bf1ba25744a908626f4c56d39ddc
      • Opcode Fuzzy Hash: 950b0f4b12323d790cb6bf90020a46fece1815f7b96e198ff706f8a53d15e09b
      • Instruction Fuzzy Hash: D2918A75E54209DFCB00EFB9EAD56ED7BB1EB29310F04407ED904A7322E2394A65CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 00487098
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CallWindowProcW$I/$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NlsLexicons004a.dll$RasMigPlugin.dll$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$do?$|6"$<:
      • API String ID: 190572456-209848548
      • Opcode ID: bf27fcd42847fb5197262d75eddf66c7d5f92771749efef7d1e6af921960dbe3
      • Instruction ID: 6cc97ae514f6003da1727f33bd8b9b4488d92d5ffbf81007d42d317c9f806052
      • Opcode Fuzzy Hash: bf27fcd42847fb5197262d75eddf66c7d5f92771749efef7d1e6af921960dbe3
      • Instruction Fuzzy Hash: 9541AD75E54209DFCB00EFB9EAD16ED7BB0EB29310F14807ADA44E7312E2394955CB18
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 004732C5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CallWindowProcW$FXSRES.DLL$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NlsLexicons004a.dll$api-ms-win-core-interlocked-l1-1-0.dll$audmigplugin.dll$jlU$wbemprox.dll
      • API String ID: 190572456-373396638
      • Opcode ID: 138ca5923c9134c11a710964cd61249e36dcacce325fd96a7f04c88d8201ebe3
      • Instruction ID: 3d373285343c952007e9b153005274380f254a2b7baf0154feed43fe944716d1
      • Opcode Fuzzy Hash: 138ca5923c9134c11a710964cd61249e36dcacce325fd96a7f04c88d8201ebe3
      • Instruction Fuzzy Hash: FD719E75E4024ACFCB00DFB9EAC45ED7BB1EB29311B44817BD958A7312E3781A55CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CallWindowProcW$GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$audmigplugin.dll$dxtrans.dll$mfdvdec.dll$scksp.dll$w$
      • API String ID: 190572456-2869733272
      • Opcode ID: 0e0cdbeca731bc113a672962f4016a58f80191c65ce3b9106585f39f14e45c88
      • Instruction ID: f1698880332fac7afd10a60e64ee96bef3fb79fb49aebea202d8aa39a68c1d6a
      • Opcode Fuzzy Hash: 0e0cdbeca731bc113a672962f4016a58f80191c65ce3b9106585f39f14e45c88
      • Instruction Fuzzy Hash: E7715B79A002099FCB00EFA9EAD45EDBFB0FB29314F40407AE644E7356E3785995CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentHwProfileA.ADVAPI32(?), ref: 004ADDA0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CurrentProfile
      • String ID: :$GetAppCompatFlags2$HPBPRO.DLL$RasMigPlugin.dll$ZwOpenFile$api-ms-win-core-io-l1-1-0.dll$apihex86.dll$audmigplugin.dll
      • API String ID: 2104809126-1969880882
      • Opcode ID: 4b702680b03fc234487b07bd8c87f41f47697ba8cff0d6a04ae6b49fc321ce5d
      • Instruction ID: aaf4657ad79cad7b7a84321fb4fc84090805dc9e535b3567000e5a9a2ad8b6c4
      • Opcode Fuzzy Hash: 4b702680b03fc234487b07bd8c87f41f47697ba8cff0d6a04ae6b49fc321ce5d
      • Instruction Fuzzy Hash: DA718E75E1020ADFCB00DFB9D9D46EABBB1FB2A310F00417AD955A7722D3790A55CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: GetAppCompatFlags2$NetWkstaSetInfo$Wlh$WriteFileEx$ZwOpenFile$api-ms-win-core-namedpipe-l1-1-0.dll$apihex86.dll$mfdvdec.dll
      • API String ID: 190572456-3635931473
      • Opcode ID: b43f78d7a9ca0ff4e9a1c68c9bcc8275b987b598861fa8c55ea487eb11309962
      • Instruction ID: d89402bae393aef703c32ad7198458f1212dd78998115b8bfac6aba418e54c21
      • Opcode Fuzzy Hash: b43f78d7a9ca0ff4e9a1c68c9bcc8275b987b598861fa8c55ea487eb11309962
      • Instruction Fuzzy Hash: D2517F71E5020A9FCB00DFA9EAD06EC7BB0EF29314F14407ED944E7352E2395A55CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InternetQueryOptionW.WININET(?), ref: 004CD0F1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: InternetOptionQuery
      • String ID: HPBPRO.DLL$NlsLexicons004a.dll$RtlInitializeGenericTable$Wlh$WriteFileEx$wabimp.dll$~N%
      • API String ID: 2202126096-1700376548
      • Opcode ID: 3be41d65dddcc7a9415b30e8ddcd0fe2837f5f22b7e86ad8b4cebec6cadade39
      • Instruction ID: 1f6483ca92b94503da3dd425239bc6d5f2a6660ff60c625d448469d08e61ab1e
      • Opcode Fuzzy Hash: 3be41d65dddcc7a9415b30e8ddcd0fe2837f5f22b7e86ad8b4cebec6cadade39
      • Instruction Fuzzy Hash: 5671162AE40249DFC7009FB9EED5BE53BB1EB25314B04417AD958D7363D2780A29CB5C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?,?), ref: 004B988B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: P4&$Q&/$RtlInitializeGenericTable$api-ms-win-core-interlocked-l1-1-0.dll$apihex86.dll$dpnathlp.dll$scksp.dll
      • API String ID: 190572456-51915775
      • Opcode ID: e062b7dcc3efcd7fa60f5e3853cab8d5358fdc6befc702fa0fbbfd0189fd394c
      • Instruction ID: be7a2ec22074aa0e5b7b5717d0116898ab41938bb0cae7cc4e3ed169e44f8695
      • Opcode Fuzzy Hash: e062b7dcc3efcd7fa60f5e3853cab8d5358fdc6befc702fa0fbbfd0189fd394c
      • Instruction Fuzzy Hash: 8861E566E102498FC7009F79EEC46EA7BB5EF2A310B44417AD944D7322E2740D69CBAC
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 0049657F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CallWindowProcW$FXSRES.DLL$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NetWkstaSetInfo$api-ms-win-core-io-l1-1-0.dll$audmigplugin.dll$dpnathlp.dll
      • API String ID: 190572456-817319936
      • Opcode ID: 8777019d2191e1aa40bc2a2141ff75f0a0523ad0a775bc6dcb96c41d10bfc21c
      • Instruction ID: 78e2aff218d11bfd34384a78dad3f64bd060e82e0c8a0ef5f0e60ce38db63009
      • Opcode Fuzzy Hash: 8777019d2191e1aa40bc2a2141ff75f0a0523ad0a775bc6dcb96c41d10bfc21c
      • Instruction Fuzzy Hash: 2E717E74E402099FDB00DFB9EAD56ED7BB0EB18324F44817AE544E7312E3795991CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(00000000), ref: 00476466
      Strings
      • RtlCreateTimerQueue, xrefs: 0047643F
      • FXSRES.DLL, xrefs: 004764E5
      • GetVolumeNameForVolumeMountPointW, xrefs: 0047647E
      • dpnathlp.dll, xrefs: 0047653B
      • Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 0047646F
      • api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 0047656F
      • 0K', xrefs: 00476359
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: 0K'$FXSRES.DLL$GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$RtlCreateTimerQueue$api-ms-win-core-interlocked-l1-1-0.dll$dpnathlp.dll
      • API String ID: 190572456-3647061771
      • Opcode ID: 0c5fb8a9b7ff7b2b80b91cf14ac07e4ac3ef1cabe6bd2389533f2cda667ad8ac
      • Instruction ID: 2d7d1640e88f5fae0fa9df824b272f517f4d9c5d8e2a04585298fcae2a55bc90
      • Opcode Fuzzy Hash: 0c5fb8a9b7ff7b2b80b91cf14ac07e4ac3ef1cabe6bd2389533f2cda667ad8ac
      • Instruction Fuzzy Hash: 12510965E406098FDB009F79EBD12E93BB2EF29310F45817AC94897367E3780969C74D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 0046CA7E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: RtlCreateTimerQueue$System.Windows.Controls.Ribbon.dll$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$f\r$wiawow64.exe$ 1.
      • API String ID: 190572456-803831450
      • Opcode ID: 27401d0d2726a9b191bfd9aa9ca358e754fce464cdde78d746d65144ab7bd141
      • Instruction ID: 586f1475809b64e79bf91d7602bd4fb8e1f1a0bca0285b548caa3de515fbf639
      • Opcode Fuzzy Hash: 27401d0d2726a9b191bfd9aa9ca358e754fce464cdde78d746d65144ab7bd141
      • Instruction Fuzzy Hash: 1641165A640244CFC3008FBAFED56F62BA4EF6A714304417BD958D7363E3240929C7AD
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 0049CC9E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: GetAppCompatFlags2$RasMigPlugin.dll$[`-$api-ms-win-core-io-l1-1-0.dll$inetmgr.dll$wabimp.dll$wiawow64.exe
      • API String ID: 190572456-2826785281
      • Opcode ID: 3e5e37e6993037c2112f34d00a5f71534c251473bd5735ab50b9216db42cd6b8
      • Instruction ID: 7f6660039ba0b0a5edd7626fbf2e16e18d4bd122dca507be7c7474acf0f0adbc
      • Opcode Fuzzy Hash: 3e5e37e6993037c2112f34d00a5f71534c251473bd5735ab50b9216db42cd6b8
      • Instruction Fuzzy Hash: B051AF75E9020A8BDF00DFB9DAD51EA7FB1EB29320F44413AD944A7366E3380965CB4D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(00000000,ZwOpenFile), ref: 00488ACF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: ZwOpenFile$dpnathlp.dll$dxtrans.dll$f\r$mfdvdec.dll$wiawow64.exe$<4
      • API String ID: 190572456-4031156889
      • Opcode ID: 87ff3050cb803f3620d154755cad0e1055062b8ab163cf4b5157cd667f825b05
      • Instruction ID: cec6222b5558c424c60c96249a8bee6645661b902af6dedb69316337e7c192ca
      • Opcode Fuzzy Hash: 87ff3050cb803f3620d154755cad0e1055062b8ab163cf4b5157cd667f825b05
      • Instruction Fuzzy Hash: 8E41E176E002099FCB00EFB5EEC06ED7BB1EB28314F84447AE944E3312E6791959CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 00475F10
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: Gs$ l!$CallWindowProcW$GetVolumeNameForVolumeMountPointW$RtlCreateTimerQueue$devrtl.dll$sbs_diasymreader.dll
      • API String ID: 190572456-3749725458
      • Opcode ID: 2a9b2fe46ff11a4cd53c2446707447e11faf562b3c106bb6e0bf6fbf8442fa74
      • Instruction ID: f9b845c565d1d2c4499e68e0035926e7720710a610bae81b9d4e3ae016c8e65f
      • Opcode Fuzzy Hash: 2a9b2fe46ff11a4cd53c2446707447e11faf562b3c106bb6e0bf6fbf8442fa74
      • Instruction Fuzzy Hash: 4541D335E506099BDB00DFB8DA956ED7BB1EF2A320F40817AD948E7362D3790961CB0C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetWindow.USER32(00000000,00000004), ref: 004BF04F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: Window
      • String ID: NlsLexicons004a.dll$RtlInitializeGenericTable$UL1$ZwWow64QueryInformationProcess64$dpnathlp.dll$f\r
      • API String ID: 2353593579-2788026660
      • Opcode ID: 6af17fa88e6043ff0283439b7960aba55dc2125369932a152d192dba6059aa02
      • Instruction ID: d460f44bfef44409b54e61af6e03222fe48379152e8145c738a281468faa2882
      • Opcode Fuzzy Hash: 6af17fa88e6043ff0283439b7960aba55dc2125369932a152d192dba6059aa02
      • Instruction Fuzzy Hash: 7E512976E402098FDB00AFB9EE952F93BB1EB28314F04447AC854D3362E3790A55CB2C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(00301B8D,00301B8D), ref: 00498F2B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CallWindowProcW$RtlInitializeGenericTable$System.Windows.Controls.Ribbon.dll$WriteFileEx$dpnathlp.dll$wiawow64.exe
      • API String ID: 190572456-4191908884
      • Opcode ID: aca0db81d9a70d3fb8df1093616f84d8c4d7683ca1b5475a2f72694482d752b5
      • Instruction ID: 15c9af31283e7c40747ad27240f2f714e7542ab5e215db04892aa4ed3fa2777f
      • Opcode Fuzzy Hash: aca0db81d9a70d3fb8df1093616f84d8c4d7683ca1b5475a2f72694482d752b5
      • Instruction Fuzzy Hash: 27518BB6A403099FCB00DFB9EED56E97BB1FB29310B04413A9945E3362E7390955CB19
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 00483111
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: -'$EtwpGetCpuSpeed$HPBPRO.DLL$NetWkstaSetInfo$ZwOpenFile$api-ms-win-core-io-l1-1-0.dll
      • API String ID: 190572456-180757041
      • Opcode ID: 1e272512aef1d20e31126da55e679eee63f8f352c37fdef70afcbe5e8d61594f
      • Instruction ID: 61fb95de61d2a92b3995c0a4135dd394a1680a36254b9061aee5bfefedabe8c1
      • Opcode Fuzzy Hash: 1e272512aef1d20e31126da55e679eee63f8f352c37fdef70afcbe5e8d61594f
      • Instruction Fuzzy Hash: 2D41A975E503098FCB00DFB8EAC56ED7BB1EB28310F00807A9944EB326D2790A55CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: NetWkstaSetInfo$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$apihex86.dll$sbs_diasymreader.dll$wabimp.dll
      • API String ID: 190572456-3339695696
      • Opcode ID: 0ff09e65453f982ee9059a0c83b7cb51e6290c07356edb876986f0fdf4a4ce43
      • Instruction ID: b1329f570959d4524df39849f4d8f556a4b86455694649fff2845b724b7808d7
      • Opcode Fuzzy Hash: 0ff09e65453f982ee9059a0c83b7cb51e6290c07356edb876986f0fdf4a4ce43
      • Instruction Fuzzy Hash: A5319C75E502499FCB00EFB9EED56EA7BB0EB29700B0480BAD944D3312E3790955CB6D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetLastError.KERNEL32(0000007F), ref: 004DEEF6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: 0a*$1S3$GetVolumeNameForVolumeMountPointW$NetWkstaSetInfo$NlsLexicons004a.dll$Z)
      • API String ID: 1452528299-350945722
      • Opcode ID: 9613c3a11280a06e50fe119deb8698aae6a7e3b3d669415238ac60aea0f0d1c6
      • Instruction ID: 173b5a384bb39133c974b2fcffde1257a0f740c980ea56048616c2a2008e4df3
      • Opcode Fuzzy Hash: 9613c3a11280a06e50fe119deb8698aae6a7e3b3d669415238ac60aea0f0d1c6
      • Instruction Fuzzy Hash: 6A81BF75E002099FCB00DFB9EAE56ED7BB1EF69310F1481BBD91497362D2784A64CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CallWindowProcW$WriteFileEx$devrtl.dll$dpnathlp.dll$inetmgr.dll
      • API String ID: 190572456-2723740466
      • Opcode ID: 72bd815e2ea1c7e7bf4c1e9a11f8aac9f49f2f4fc2fae22ca2ef0b385117ea19
      • Instruction ID: 45c91d88a968084f504f5b40377f5299c8ac4e2c7a555712a9c932f794a3ed46
      • Opcode Fuzzy Hash: 72bd815e2ea1c7e7bf4c1e9a11f8aac9f49f2f4fc2fae22ca2ef0b385117ea19
      • Instruction Fuzzy Hash: EE41A061E40249CFCB00DFB9EA912ED7BB1EF7A310B48417AD949D3362E2780965C74D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CharUpperBuffW.USER32(?,?), ref: 004BFACF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: BuffCharUpper
      • String ID: u5$EtwpGetCpuSpeed$GetAppCompatFlags2$System.Windows.Controls.Ribbon.dll$api-ms-win-core-io-l1-1-0.dll
      • API String ID: 3964851224-751922521
      • Opcode ID: e4a7a080d35a1bda451a368d3a76420545da68d3b0c8d208e7234316bf920882
      • Instruction ID: 71876c9c725b289ee84beb7b770499bf46ca1ddb4dea28d9e5b035f24e8f1ffb
      • Opcode Fuzzy Hash: e4a7a080d35a1bda451a368d3a76420545da68d3b0c8d208e7234316bf920882
      • Instruction Fuzzy Hash: 6C414A75E4020A9BCB00DFB5EAD45ED7FB0EF29310F14857AD945E3322E2385AA5CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • RtlInitializeGenericTable, xrefs: 004951D5
      • dpnathlp.dll, xrefs: 004951EF
      • Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 00495243
      • scksp.dll, xrefs: 0049519A
      • RasMigPlugin.dll, xrefs: 00495264
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$RasMigPlugin.dll$RtlInitializeGenericTable$dpnathlp.dll$scksp.dll
      • API String ID: 190572456-3821942772
      • Opcode ID: c67e63ac1a1bd716244e4eb48e14bec7b5c76f6484eeea1873dd6bf11fc2089b
      • Instruction ID: 0cc622f0d10128cc4ec125b743cd141e5e84cd1b78dacbd23a6895dbffd5522d
      • Opcode Fuzzy Hash: c67e63ac1a1bd716244e4eb48e14bec7b5c76f6484eeea1873dd6bf11fc2089b
      • Instruction Fuzzy Hash: 4141B575E4070A9BCB00AFBAE6D61ED7BB0EB29310F54413BD94497352E3380965CB8D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: IconLoad
      • String ID: !2$$GetAppCompatFlags2$System.Windows.Controls.Ribbon.dll$WriteFileEx$hpfevw73.dll
      • API String ID: 2457776203-3013433113
      • Opcode ID: 4004841eed7d9b324f471ff78b90535ca08352c73641601e7379af7bbb6d2a15
      • Instruction ID: 73ab5866575103e279124b0719fc094a4053c6411aa1317e4e67182a777a25ac
      • Opcode Fuzzy Hash: 4004841eed7d9b324f471ff78b90535ca08352c73641601e7379af7bbb6d2a15
      • Instruction Fuzzy Hash: 8731836AF456459FC740CFBDED90BA83FB1EB2931070880BED954E7362E6780A54CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?,00000001), ref: 00485F43
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: 3I$PSEvents.dll$RasMigPlugin.dll$System.Windows.Controls.Ribbon.dll$mfdvdec.dll
      • API String ID: 190572456-3001546355
      • Opcode ID: ed5efcd7aaaf0b35c6da97be52052f9f0b2f4f16677fd9774e4bbacc18c7affe
      • Instruction ID: 56603f7191920956858d0ed37bef16e06a1ca7594ea4c4e37bb9acbc236e8839
      • Opcode Fuzzy Hash: ed5efcd7aaaf0b35c6da97be52052f9f0b2f4f16677fd9774e4bbacc18c7affe
      • Instruction Fuzzy Hash: 85316D75E406199BCB00AFA9DED06EEBBB1FB18310F00457ADA44A7351E3780A55CB88
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: ZwOpenFile$inetmgr.dll$scksp.dll$yj'
      • API String ID: 190572456-1568361407
      • Opcode ID: d69b150830a1518217a1eae4d561175c49900a846425838c4300dcf47a6d1d00
      • Instruction ID: ef07b13d1d99affa26c6ce296e4d6fa7720a618206067c2f0eacbfd159cdb61b
      • Opcode Fuzzy Hash: d69b150830a1518217a1eae4d561175c49900a846425838c4300dcf47a6d1d00
      • Instruction Fuzzy Hash: 11510465E402098FDB00EFB8EAD05ED7BB0EB3A310F04857BD844E7362E2780965CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 0047D7F9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: WriteFileEx$api-ms-win-core-io-l1-1-0.dll$dxtrans.dll$sbs_diasymreader.dll
      • API String ID: 190572456-1105857565
      • Opcode ID: a05e590cb87d8b219fe9381197e6fab523294f391e83d3708016a1190239def0
      • Instruction ID: d8d6c77eb36d917750cc31694d9e327978bec80bc6780a29df67510d93ccca69
      • Opcode Fuzzy Hash: a05e590cb87d8b219fe9381197e6fab523294f391e83d3708016a1190239def0
      • Instruction Fuzzy Hash: A5514975E502099BCB00EFA9DAD15EDBBB1FF29310F40417AE549E7311E3381A91CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ShellExecuteExW.SHELL32(?), ref: 004DA0AE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ExecuteShell
      • String ID: ZwOpenFile$api-ms-win-core-interlocked-l1-1-0.dll$wmploc.DLL$}%;
      • API String ID: 587946157-3010588181
      • Opcode ID: ada2ede9d9efa5d487685b457b6b3e7b9a82c8ee1fedee9980ff5e225c333848
      • Instruction ID: f3049cc26fdf65618d1996f1d09277dc0458492589d39e311f8c4acd5cbd1bdf
      • Opcode Fuzzy Hash: ada2ede9d9efa5d487685b457b6b3e7b9a82c8ee1fedee9980ff5e225c333848
      • Instruction Fuzzy Hash: 4B41A175E0020A8FDB00DF69EAD06ED7BF1EB2A320F04857BD945A7352D3784964CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStockObject.GDI32(00000000), ref: 004C792A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ObjectStock
      • String ID: CallWindowProcW$RasMigPlugin.dll$ZwWow64QueryInformationProcess64$wbemprox.dll
      • API String ID: 3428563643-1069739028
      • Opcode ID: bcb54660717496e91d53ea9e7964a11ccba8ccdb5d07c82dad5319d3e6af4794
      • Instruction ID: 23306fa00bf0a22dc5f4b0ba74b163c49e1a502d805b9202fc59a27c1aff3a31
      • Opcode Fuzzy Hash: bcb54660717496e91d53ea9e7964a11ccba8ccdb5d07c82dad5319d3e6af4794
      • Instruction Fuzzy Hash: 9431DF6AA44255CFD7408F79FA856E96BA0EB39704B05407ECE64A7323E2240928CB6C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Process32NextW.KERNEL32(?,?), ref: 004B1BB3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: NextProcess32
      • String ID: GetAppCompatFlags2$NlsLexicons004a.dll$jlU
      • API String ID: 1850201408-3509816254
      • Opcode ID: 6b750cf77f285eb5bf2c5ff84f360669ba058dc9b78811f13a22a3bf81d75724
      • Instruction ID: fe7099a753a3362f5ce67a67023cdfa020222f2d062b64511a398e6984fe4e5d
      • Opcode Fuzzy Hash: 6b750cf77f285eb5bf2c5ff84f360669ba058dc9b78811f13a22a3bf81d75724
      • Instruction Fuzzy Hash: 6A7148A7A942458FCB009B78FEA57F92FB5EB26324F08017BD854D7362D2680D58C768
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: Close
      • String ID: NlsLexicons004a.dll$RtlCreateTimerQueue$ws5
      • API String ID: 3535843008-3428923293
      • Opcode ID: 0ba40fdd6aa3c709b10cf640fcd9cd6ee546f59bf0d32b7effd132fad7f4ab21
      • Instruction ID: d1032accd18dd52a62887ea3e630660ca56d9afdd978b34d08ae8e34fcc50012
      • Opcode Fuzzy Hash: 0ba40fdd6aa3c709b10cf640fcd9cd6ee546f59bf0d32b7effd132fad7f4ab21
      • Instruction Fuzzy Hash: CD41D479E40249DFC700CFBDEE84AE97FB5EB69310B1581BAD864D7362D2740915CB18
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualProtect.KERNEL32(?), ref: 004B3FFB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: GetVolumeNameForVolumeMountPointW$hpfevw73.dll$mfdvdec.dll
      • API String ID: 544645111-2174157879
      • Opcode ID: 04b821e8a6eceb53acd325e6cb85a07378f908b2acef7872079e63e31a858ddd
      • Instruction ID: 85e22f7b5fc02527d53eb3966655b2d7f2954aa1a9289e34822caad6122cd53e
      • Opcode Fuzzy Hash: 04b821e8a6eceb53acd325e6cb85a07378f908b2acef7872079e63e31a858ddd
      • Instruction Fuzzy Hash: D2416F66A04249CFC701DFB8FE916F97BB5EF69310B0441BAC954A7363E2744A28C75C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 004941A2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: NetWkstaSetInfo$WriteFileEx$inetmgr.dll
      • API String ID: 190572456-481101705
      • Opcode ID: 0725b60063dc021a5549db0e2d410ccfa316986c7fc66416e13acb27001f1cdd
      • Instruction ID: 3390adc6ac023f0e1fc66dfe149eebb6da0f0a6ef91f876a88f443f5e40ec5e9
      • Opcode Fuzzy Hash: 0725b60063dc021a5549db0e2d410ccfa316986c7fc66416e13acb27001f1cdd
      • Instruction Fuzzy Hash: F441D175E002098FDF00DFA8E9956EEBFB1FB69310F444176D954977A2E3390992CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: FileRead
      • String ID: Gs$RtlInitializeGenericTable$jlU
      • API String ID: 2738559852-981784394
      • Opcode ID: 823e1dcf19d285d4bd569e073d0bd3212d073ac6b7608a317c68722cb841b301
      • Instruction ID: 3bbe37fc7f392fd5ef0392c747824183246433b28416b44ed5c175b6896b828e
      • Opcode Fuzzy Hash: 823e1dcf19d285d4bd569e073d0bd3212d073ac6b7608a317c68722cb841b301
      • Instruction Fuzzy Hash: 3831E16AA002499FD700DFB9EE856E67BB5FF29310B00013AD918D7322E3790866CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: EtwpGetCpuSpeed$GetAppCompatFlags2$Wlh
      • API String ID: 1452528299-2078365344
      • Opcode ID: c8ce28d19551e3fc7d7be65f6f670caa4e7a389136db18d4adc62b6c3410e924
      • Instruction ID: 27f3cc80a7cffb45c2bb46245841d907c204607ec495aba33d5dc80b68facf54
      • Opcode Fuzzy Hash: c8ce28d19551e3fc7d7be65f6f670caa4e7a389136db18d4adc62b6c3410e924
      • Instruction Fuzzy Hash: FD11DF34A402099FCB00DF68DAD42EC3BB1EB29320F80423AD455DB765E37949A6CB49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000002), ref: 004BD968
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: CreateSnapshotToolhelp32
      • String ID: NlsLexicons004a.dll$scksp.dll
      • API String ID: 3332741929-3673066732
      • Opcode ID: 20d0d9d3ff3d912e6c1c85e58b40230c14d0478dfcbb23b20299ff70cfd926a7
      • Instruction ID: ed37f31bb527acc4fa013b0727943f79d6ba0fa87a1477efef9a413ea67b372e
      • Opcode Fuzzy Hash: 20d0d9d3ff3d912e6c1c85e58b40230c14d0478dfcbb23b20299ff70cfd926a7
      • Instruction Fuzzy Hash: 67318975E4020A9FCB00DFB8EAD52ED7BB0EB29710F0440BAD944E7352E2780A56CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 0047A58C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: 0c;$NlsLexicons004a.dll
      • API String ID: 190572456-1864073278
      • Opcode ID: d5b6c9e844a1212bee7a262ec7b619d8934b7a1294a48baf09739441e49dff90
      • Instruction ID: f080d47f1ffe26e6def55263c599a7ac07bf9d01609a1821e5584af28ba73779
      • Opcode Fuzzy Hash: d5b6c9e844a1212bee7a262ec7b619d8934b7a1294a48baf09739441e49dff90
      • Instruction Fuzzy Hash: 34218D65E40349DFC7009FB4EE942EE3BB1EB29314704853AD908A7726E3394924CB4D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.249575251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd
      Similarity
      • API ID: FileSize
      • String ID: Gs$wabimp.dll
      • API String ID: 3433856609-3750025898
      • Opcode ID: f27c3ebde043736ec9d38eee2cba2a2addaec57fb36a783d6e35c399f37c458c
      • Instruction ID: 10265d35c55c96d79d7c00772aa9a04d514fb1581097d47e997d6394d3afa01c
      • Opcode Fuzzy Hash: f27c3ebde043736ec9d38eee2cba2a2addaec57fb36a783d6e35c399f37c458c
      • Instruction Fuzzy Hash: 6111B269A002449FC7009FB9EE907E53BF5EB68710B0041769418D3361D2A60966CB5D
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage: 0.7%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 0%
      Total number of Nodes: 17
      Total number of Limit Nodes: 0
      execution_graph 8637 6d4e89ae 8638 6d4e89b2 8637->8638 8639 6d4e8d19 LoadLibraryA 8638->8639 8640 6d4e8d56 8639->8640 8641 6d52c036 8642 6d52c056 8641->8642 8643 6d52c067 CharUpperBuffA 8642->8643 8644 6d4eb6d8 8646 6d4eb6dc 8644->8646 8645 6d4eb7de LoadLibraryW 8646->8645 8648 6d4eb029 8649 6d4eb03e 8648->8649 8650 6d4eb19d 8649->8650 8651 6d5877b2 LoadLibraryW 8650->8651 8652 6d4ea423 8653 6d4ea42c LoadLibraryA 8652->8653 8655 6d4ea4d6 8653->8655

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: Brmf3wia.dll$DisplayExitWindowsWarnings$ElfDeregisterEventSource$J=y$RtlGetCompressionWorkSpaceSize$System.Data.DataSetExtensions.dll$UnRegisterTypeLibForUser$clrcompression.dll$compstui.dll$vsstrace.dll$xrWPcpst.dll$dO
      • API String ID: 1029625771-1583306414
      • Opcode ID: 052c7a7763f9c3b94600d0ff200ec15bc74ee57157e087971a1abb6b8c4fe20b
      • Instruction ID: c76c36b86c14e08960ac03b94289ae976706789617d4d101a85fbb15fd38066e
      • Opcode Fuzzy Hash: 052c7a7763f9c3b94600d0ff200ec15bc74ee57157e087971a1abb6b8c4fe20b
      • Instruction Fuzzy Hash: D9D1E265A542629FCF00EFB8C890BD97BF4EB6B353B06212BD964CBB06E3340905CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 51 6d4ea423-6d4ea42a 52 6d4ea42c-6d4ea43f 51->52 53 6d4ea442-6d4ea444 51->53 52->53 54 6d4ea479-6d4ea498 53->54 55 6d4ea446-6d4ea472 53->55 56 6d4ea4ad-6d4ea4b7 54->56 57 6d4ea49a-6d4ea49f 54->57 55->54 58 6d4ea4bc-6d4ea4d4 LoadLibraryA 56->58 57->58 59 6d4ea4a1-6d4ea4a7 57->59 60 6d4ea4ff-6d4ea567 call 6d4e48dc 58->60 61 6d4ea4d6-6d4ea4fa 58->61 59->56 64 6d4ea57c-6d4ea5ec 60->64 65 6d4ea569-6d4ea577 60->65 61->60 66 6d4ea5ee-6d4ea608 64->66 67 6d4ea61d-6d4ea669 64->67 65->64 68 6d4ea60a 66->68 69 6d4ea610-6d4ea614 66->69 70 6d4ea66b 67->70 71 6d4ea672-6d4ea6a0 67->71 68->69 69->67 72 6d4ea616 69->72 70->71 72->67
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: >lj$Brmf3wia.dll$System.Data.DataSetExtensions.dll$UnRegisterTypeLibForUser$ZwSetInformationEnlistment$setup16.exe
      • API String ID: 1029625771-1428736741
      • Opcode ID: 2b6699046e915bd36d3e8bb905b24b2fca89290735ddc678873a4546a2898418
      • Instruction ID: 872791e93d87d54aa8c7461dcaa72c1c3a08611384ef7bb8450cf3239d52553c
      • Opcode Fuzzy Hash: 2b6699046e915bd36d3e8bb905b24b2fca89290735ddc678873a4546a2898418
      • Instruction Fuzzy Hash: 395120256552A1CFCF05EFB8C894BC93BF0EBAB342F0A212BD994ABB42E3740405C705
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 104 6d52c036-6d52c077 call 6d524a0d call 6d52bfc6 CharUpperBuffA
      APIs
      • CharUpperBuffA.USER32(00000000,?,?), ref: 6D52C06D
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: BuffCharUpper
      • String ID:
      • API String ID: 3964851224-0
      • Opcode ID: c45f78681354ea7836e43fe77bf858aa840022954f70e1fc9146de38d4e93e47
      • Instruction ID: 83fcdec609486315b8a860b199017b461f5e237466b32586eac1a7abf8da3344
      • Opcode Fuzzy Hash: c45f78681354ea7836e43fe77bf858aa840022954f70e1fc9146de38d4e93e47
      • Instruction Fuzzy Hash: DAF0AE31C04108BFCF01DFA8C840A9CBBB1AF04318F1081A0E924A62A0D7328A24EF40
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 267 6d4e658e-6d4e6597 268 6d4e65b9-6d4e65d2 267->268 269 6d4e6599-6d4e65b3 267->269 270 6d4e65fc-6d4e66fd LoadLibraryA call 6d4e3373 268->270 271 6d4e65d4-6d4e65f2 268->271 269->268 276 6d4e66ff-6d4e6716 270->276 277 6d4e671d-6d4e6735 270->277 272 6d4e65fa 271->272 273 6d4e65f4 271->273 272->270 273->272 276->277 278 6d4e6766-6d4e6790 277->278 279 6d4e6737-6d4e673a 277->279 282 6d4e679c-6d4e67e0 278->282 283 6d4e6792-6d4e6799 278->283 280 6d4e673c-6d4e674f 279->280 281 6d4e6755-6d4e6761 279->281 280->281 281->278 284 6d4e683b-6d4e684c 282->284 285 6d4e67e2-6d4e67ef 282->285 283->282 286 6d4e684e-6d4e686c 284->286 287 6d4e6888-6d4e688b 284->287 288 6d4e6834 285->288 289 6d4e67f1-6d4e67f4 285->289 292 6d4e686e-6d4e6873 286->292 293 6d4e688d-6d4e6890 286->293 287->293 288->284 290 6d4e6819-6d4e6820 289->290 291 6d4e67f6-6d4e6814 289->291 294 6d4e682b-6d4e682d 290->294 295 6d4e6822-6d4e6828 290->295 291->290 296 6d4e6875-6d4e687c 292->296 297 6d4e6881-6d4e6883 292->297 298 6d4e6895-6d4e68bd 293->298 299 6d4e6892 293->299 294->288 295->294 296->297 297->287 300 6d4e68ff 298->300 301 6d4e68bf-6d4e68c7 298->301 299->298 302 6d4e6901-6d4e6938 call 6d4e1aa8 300->302 303 6d4e68cf-6d4e68e2 301->303 304 6d4e68c9-6d4e68cd 301->304 308 6d4e699e-6d4e6a09 302->308 309 6d4e693a-6d4e6940 302->309 303->302 305 6d4e68e4-6d4e68f9 303->305 304->300 304->303 305->300 312 6d4e6a0b 308->312 313 6d4e6a12-6d4e6a8e call 6d4e3373 308->313 310 6d4e6979-6d4e697d 309->310 311 6d4e6942-6d4e6974 309->311 314 6d4e697f-6d4e6984 310->314 315 6d4e6986-6d4e699a 310->315 311->310 312->313 318 6d4e6ae2-6d4e6b2e call 6d57d83a 313->318 319 6d4e6a90-6d4e6adf 313->319 314->315 315->308 319->318
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: &"B$BRURD23A.DLL$Brmf3wia.dll$J=y$M!"$correngine.dll$metadata.dll$qEv$xrWPcpst.dll
      • API String ID: 1029625771-1892311120
      • Opcode ID: 5e441e757512a5d79b43df7fcfcd9a5b3a9aec0e4f23f3fe8f36707440bd1840
      • Instruction ID: af2e3af7721c72ac54191a730253d93839f975d5eacd67fd0f9b1e38ebed0fd8
      • Opcode Fuzzy Hash: 5e441e757512a5d79b43df7fcfcd9a5b3a9aec0e4f23f3fe8f36707440bd1840
      • Instruction Fuzzy Hash: 43D10F66A55262DFCF00EF79C8947C93BB4EB6B363F0A612BD95497B42E3740801CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 364 6d4f0621-6d4f06c9 GetProcAddress 365 6d4f06cb-6d4f06ce 364->365 366 6d4f06f4-6d4f06f9 364->366 367 6d4f0748-6d4f079a 365->367 368 6d4f06d0-6d4f06ee 365->368 366->367 369 6d4f06fb-6d4f0709 366->369 372 6d4f079c-6d4f07a0 367->372 373 6d4f07a7-6d4f07aa 367->373 368->366 370 6d4f070b-6d4f0733 369->370 371 6d4f0735-6d4f0741 369->371 370->371 371->367 372->373 374 6d4f07ac 373->374 375 6d4f07b1-6d4f0853 call 6d4e1aa8 373->375 374->375 378 6d4f087f-6d4f0925 375->378 379 6d4f0855-6d4f0878 375->379 380 6d4f094c-6d4f0951 378->380 381 6d4f0927-6d4f0947 378->381 379->378 382 6d4f0969-6d4f0a20 380->382 383 6d4f0953-6d4f0964 380->383 381->380 384 6d4f0a2d-6d4f0a51 382->384 385 6d4f0a22-6d4f0a24 382->385 383->382 386 6d4f0966 383->386 389 6d4f0a5e-6d4f0a8b 384->389 390 6d4f0a53-6d4f0a59 384->390 387 6d4f0a28 385->387 388 6d4f0a26 385->388 386->382 387->384 388->387 390->389
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: @BW$Brmf3wia.dll$ElfDeregisterEventSource$GetSidSubAuthorityCount$J=y$Microsoft.Office.Tools.Common.ni.dll$RaiseException$api-ms-win-core-synch-l1-1-0.dll$setup16.exe
      • API String ID: 190572456-1228767480
      • Opcode ID: b201d49f0db0126f404476429a8a79c67dbb461cdd49ee783e9505d40d242ae3
      • Instruction ID: 272d99a5782185f9f7f0819d452ff0cb23e634bf8d7859c75e1638bfcc23b930
      • Opcode Fuzzy Hash: b201d49f0db0126f404476429a8a79c67dbb461cdd49ee783e9505d40d242ae3
      • Instruction Fuzzy Hash: 97B1BF66E10266CFCF00EFB9C8847D97BF4EBAB312B06616BD9649BB15E3340905CB50
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 418 6d4f656e-6d4f6675 GetProcAddress 419 6d4f6677-6d4f66b4 418->419 420 6d4f66b6-6d4f6715 418->420 419->420 421 6d4f6717-6d4f6719 420->421 422 6d4f6744-6d4f6762 420->422 423 6d4f671b-6d4f672e 421->423 424 6d4f6733-6d4f6740 421->424 425 6d4f6775-6d4f67d7 422->425 426 6d4f6764-6d4f676f 422->426 423->424 424->422 427 6d4f67d9 425->427 428 6d4f67e0-6d4f67f1 425->428 426->425 427->428 429 6d4f680d 428->429 430 6d4f67f3-6d4f67fe 428->430 431 6d4f680f-6d4f68a7 429->431 430->431 432 6d4f6800-6d4f6807 430->432 432->429
      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D4F6663
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: B]-$Brmf3wia.dll$CDQ$RtlTimeToTimeFields$X&G$m@P$qEv$xrWPcpst.dll
      • API String ID: 190572456-2119477608
      • Opcode ID: 81dd9881b5c50ef3f1b910db5bb01c2ad6da3855862ae4efd987f89cabb44702
      • Instruction ID: 89036cda5fab36ac45be3be9949ec9e90d9d4bfe014db76b776e7bc730aa9fe2
      • Opcode Fuzzy Hash: 81dd9881b5c50ef3f1b910db5bb01c2ad6da3855862ae4efd987f89cabb44702
      • Instruction Fuzzy Hash: 5D81DE65A15262DFCF00EFB8D8507D97BF5EBAF322B06612AD864DBB46E3340901CB51
      Uniqueness

      Uniqueness Score: -1.00%
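
      The flattened Control-flow Graph entry above (for the function at 6d4f656e) is the text form of the report's rendered graph. As an added example that is not part of the Joe Sandbox report, the Python below parses that text into blocks and edges and runs the sanity checks worth applying when lifting such graphs from reports in bulk: entry and exit blocks, blocks carrying an API call, reachability from the entry, and overlapping address ranges. The token grammar (decimal node id, hex address or first-last range, optional API name, src->dst edges) is inferred from this one entry and is an assumption, as is reading a block's range as its first and last instruction address; the sample text is copied from the report entry above.

```python
"""Parse Joe Sandbox's flattened control_flow_graph text into blocks and edges."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: the flattened Control-flow Graph entry the report shows for the
# rundll32 function at 6d4f656e, copied verbatim. The token grammar assumed below
# (decimal node id, hex address or first-last range, optional API name, "src->dst"
# edges) is inferred from that single entry and is not a documented Joe Sandbox format.
CFG_TEXT = (
    "control_flow_graph 418 6d4f656e-6d4f6675 GetProcAddress 419 6d4f6677-6d4f66b4 "
    "418->419 420 6d4f66b6-6d4f6715 418->420 419->420 421 6d4f6717-6d4f6719 420->421 "
    "422 6d4f6744-6d4f6762 420->422 423 6d4f671b-6d4f672e 421->423 424 6d4f6733-6d4f6740 "
    "421->424 425 6d4f6775-6d4f67d7 422->425 426 6d4f6764-6d4f676f 422->426 423->424 "
    "424->422 427 6d4f67d9 425->427 428 6d4f67e0-6d4f67f1 425->428 426->425 427->428 "
    "429 6d4f680d 428->429 430 6d4f67f3-6d4f67fe 428->430 431 6d4f680f-6d4f68a7 429->431 "
    "430->431 432 6d4f6800-6d4f6807 430->432 432->429"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]{6,})(?:-([0-9a-fA-F]{6,}))?$")

@dataclass
class Block:
    node_id: int
    start: int  # address of the first instruction
    last: int   # address of the last instruction (== start for single-instruction blocks)
    apis: List[str] = field(default_factory=list)  # API names the report attached to the block

@dataclass
class Cfg:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]

    def successors(self, n: int) -> Set[int]:
        return {d for s, d in self.edges if s == n}

    def predecessors(self, n: int) -> Set[int]:
        return {s for s, d in self.edges if d == n}

def parse_cfg(text: str) -> Cfg:
    """A decimal token followed by a hex address (range) opens a block, 'a->b' is an
    edge, and any other token is an API name belonging to the most recent block."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        if (m := EDGE_RE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and (m := RANGE_RE.match(tokens[i + 1])):
            start = int(m.group(1), 16)
            last = int(m.group(2), 16) if m.group(2) else start
            current = blocks[int(tok)] = Block(int(tok), start, last)
            i += 2
        elif current is None:
            raise ValueError(f"unexpected token before the first block: {tok!r}")
        else:
            current.apis.append(tok)
            i += 1
    for s, d in edges:  # reject edges that point at blocks the text never defined
        if s not in blocks or d not in blocks:
            raise ValueError(f"edge {s}->{d} references an undefined block")
    return Cfg(blocks, edges)

def entry_blocks(cfg: Cfg) -> Set[int]:
    """Blocks with no predecessors: the function entry (normally exactly one)."""
    return {n for n in cfg.blocks if not cfg.predecessors(n)}

def exit_blocks(cfg: Cfg) -> Set[int]:
    """Blocks with no successors: returns or tail jumps out of the function."""
    return {n for n in cfg.blocks if not cfg.successors(n)}

def api_blocks(cfg: Cfg) -> Dict[int, List[str]]:
    """Which blocks carry an API call, e.g. the GetProcAddress site in the sample."""
    return {n: b.apis for n, b in cfg.blocks.items() if b.apis}

def reachable_from(cfg: Cfg, n: int) -> Set[int]:
    """Blocks reachable from n; anything the entry cannot reach is dead or mis-split."""
    seen, todo = set(), [n]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo.extend(cfg.successors(x))
    return seen

def overlapping_blocks(cfg: Cfg) -> List[Tuple[int, int]]:
    """Block pairs whose address ranges overlap; a clean disassembly has none, so a hit
    deserves a manual look (bad split or overlapping-instruction obfuscation)."""
    ordered = sorted(cfg.blocks.values(), key=lambda b: b.start)
    return [(a.node_id, b.node_id) for a, b in zip(ordered, ordered[1:]) if b.start <= a.last]

if __name__ == "__main__":
    cfg = parse_cfg(CFG_TEXT)
    print(f"{len(cfg.blocks)} blocks, {len(cfg.edges)} edges; entry {entry_blocks(cfg)}, "
          f"exit {exit_blocks(cfg)}, API calls {api_blocks(cfg)}, reachable from entry "
          f"{len(reachable_from(cfg, 418))}, overlapping ranges {overlapping_blocks(cfg)}")
```

      For the sample the script reports 15 blocks and 21 edges, a single entry block 418 (the one holding the GetProcAddress call), a single exit block 431, every block reachable from the entry, and no overlapping ranges. Graphs that fail these checks (several entries, unreachable blocks, overlapping ranges) are the ones to open in the disassembler rather than trust from the report.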

      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D4FBE38
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: MessageBoxA$PhotoBase.dll$RtlTimeToTimeFields$clrcompression.dll$compstui.dll$niw$setup16.exe
      • API String ID: 190572456-3935080779
      • Opcode ID: 8ead38dd1164c7d6d79342ec879f98cb57c3e288f7c7e4c58245b69479e75cac
      • Instruction ID: 86ff5bceea573482e9056bc4d44240736259725156661b33ec81dc434d7a4af6
      • Opcode Fuzzy Hash: 8ead38dd1164c7d6d79342ec879f98cb57c3e288f7c7e4c58245b69479e75cac
      • Instruction Fuzzy Hash: 73E1CD25E10662DFCF00EFB9C8907DD7BF5EBAB312B06A16AD9249BB45E3340541CB41
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D4F25DD
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: ElfDeregisterEventSource$MessageBoxA$PhotoBase.dll$RW5$System.Data.DataSetExtensions.dll$kE3$niw
      • API String ID: 190572456-2893548518
      • Opcode ID: eb93d98bcbe16ab5131855988aefeb3f00ae8e3fa6f0d7e289c514c784d9a0d1
      • Instruction ID: 8f9050bb06c495d84b748bc2288703a23cdc939cd83af0aaf066e5ceeacfe84d
      • Opcode Fuzzy Hash: eb93d98bcbe16ab5131855988aefeb3f00ae8e3fa6f0d7e289c514c784d9a0d1
      • Instruction Fuzzy Hash: 4351D3799542A69FCF01EFB8C490BDD7BF5EBAB312B06616BC854DBB15E33009028B11
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D501025
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: Brmf3wia.dll$KBDTH1.DLL$Microsoft.Office.Tools.Common.ni.dll$PhotoBase.dll$f[T$vsstrace.dll
      • API String ID: 190572456-185306474
      • Opcode ID: 9730b8fc54590a386bcad98b098ee150c5a336744612aaba3c235abc6d2ede18
      • Instruction ID: 4664bfe7244922fa83005b5c29e8f31682f7100ec1913f2321d8a52328102e04
      • Opcode Fuzzy Hash: 9730b8fc54590a386bcad98b098ee150c5a336744612aaba3c235abc6d2ede18
      • Instruction Fuzzy Hash: 0B712666A642A1CFCF04AF79C8907D93BF5EBBB326B0A116BDC549BB46E3250405C711
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: &J7$*7I$HL?$ieframe.dll$qEv$setup16.exe
      • API String ID: 190572456-1028871580
      • Opcode ID: 02934c0eb4b031ef45a3fd34880cbc0cbb0736fe233bd53666ca5d6abff2310f
      • Instruction ID: 5dbf3478851a93f669b9a20b548d0ef8b4e6ed3dd6cf7351b7cd53acd52022a7
      • Opcode Fuzzy Hash: 02934c0eb4b031ef45a3fd34880cbc0cbb0736fe233bd53666ca5d6abff2310f
      • Instruction Fuzzy Hash: 0331FD55A54363CFDF04AB69C4567E93BB5EBAB363F0A611BCC468BF4AE3290401CB05
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D4ED794
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: -/:$DisplayExitWindowsWarnings$PhotoBase.dll$clrcompression.dll$vsstrace.dll
      • API String ID: 190572456-12260534
      • Opcode ID: f3d511b55728b6f26644480c54b2afb88839dbeff869f719ef52d6d979a7cf3c
      • Instruction ID: f4b04a18b76bab241b35de4f5097300fac483c52dd833443bda87f64174554fe
      • Opcode Fuzzy Hash: f3d511b55728b6f26644480c54b2afb88839dbeff869f719ef52d6d979a7cf3c
      • Instruction Fuzzy Hash: 8C819C65A503669FCF00EFB8D8847D97BF5EBAB312B06616BD924DBB02E3740941CB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: 7$7$8y8$F?#$KBDTH1.DLL$MessageBoxA
      • API String ID: 190572456-3014115243
      • Opcode ID: d416635b984f4d77d7298053e0a82861b5589a0b921b878b756ea586865c1da8
      • Instruction ID: 6d231c7e01b78dc6b7852e54a6c35ce028495f891cc8bb9d2704c9b15c27b8ba
      • Opcode Fuzzy Hash: d416635b984f4d77d7298053e0a82861b5589a0b921b878b756ea586865c1da8
      • Instruction Fuzzy Hash: 767147269553A1CFCF00EFB8D890BC97BF5EBAB312B16215BD8249BB01E3740906CB11
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: >lj$ElfDeregisterEventSource$OEMHelpIns.dll$RaiseException$RtlQueryRegistryValues
      • API String ID: 190572456-1529482600
      • Opcode ID: 718b3bd43bdbab78ea27754dc0073cd36a2e5c38e761a1e0102de170fd4a5104
      • Instruction ID: 17b9939cf9cb58d0c1ae4b9e271be8b5e6fede81c92a1ccb5e736d110aec7c40
      • Opcode Fuzzy Hash: 718b3bd43bdbab78ea27754dc0073cd36a2e5c38e761a1e0102de170fd4a5104
      • Instruction Fuzzy Hash: C771DD62A54261CFCF00EF78D455BD93BB9EBAB323B06612BC9519BF56E3380905CB05
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CancelTimerQueueTimer$api-ms-win-core-synch-l1-1-0.dll$ieframe.dll$x!,$xrWPcpst.dll
      • API String ID: 190572456-2125260341
      • Opcode ID: 7fcac2c844e7255b3556785f83555eed830336de19cf45473ba7461cddb47e17
      • Instruction ID: a66f7aeb9a32991ac2cdd4da6129e597caa63eb0f09b9c5321c09eaa72f8d312
      • Opcode Fuzzy Hash: 7fcac2c844e7255b3556785f83555eed830336de19cf45473ba7461cddb47e17
      • Instruction Fuzzy Hash: 2D51FF65E143629FCF04EF78C8A4BD97BF4EB6B326F02626AD91597B56E33405008B42
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: BRURD23A.DLL$ElfDeregisterEventSource$OEMHelpIns.dll$ieframe.dll
      • API String ID: 1029625771-3421191910
      • Opcode ID: 0c1703c32a61b249423745c2eb43f178837ea3ea4a696536f5e96425166f85c2
      • Instruction ID: c1a28c71d7fe8606b0ae48f38ab649af9f51308d2e076546de4ab9fb6d78ef6c
      • Opcode Fuzzy Hash: 0c1703c32a61b249423745c2eb43f178837ea3ea4a696536f5e96425166f85c2
      • Instruction Fuzzy Hash: FEB1CC21A142A29FCF01EFB8C8947DD7BF5EBAB312F0A616BC9549BB46E3340941C751
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D4E45D7
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: CoGetInterceptorFromTypeInfo$g"$wf9$g<
      • API String ID: 190572456-4209002683
      • Opcode ID: da9628e505e2e063d4122af5427f47375679811bf1232a86e13bd3e87a386ef5
      • Instruction ID: 37eee2dc7e41dd354f43bbb2d40b899f574b42c4a7c760109d6dd1dcb27d9dd2
      • Opcode Fuzzy Hash: da9628e505e2e063d4122af5427f47375679811bf1232a86e13bd3e87a386ef5
      • Instruction Fuzzy Hash: BA7138276152609FDF019F7CD8847C93BF8DFAB662B0B116BD898D7B42E3640805CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?,00000001), ref: 6D4E95C0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: Brmf3wia.dll$Microsoft.Office.Tools.Common.ni.dll$PATHPING.EXE$sgp
      • API String ID: 190572456-3456285607
      • Opcode ID: e67f01f5b18cc8abdf8c945e5ace8647664647ee20bd2793dd66aa8553be143d
      • Instruction ID: b2d4baaa177cbb088f78f3fabd1d714fd0dfacd02e8b2fa47180c0adb44b8149
      • Opcode Fuzzy Hash: e67f01f5b18cc8abdf8c945e5ace8647664647ee20bd2793dd66aa8553be143d
      • Instruction Fuzzy Hash: 2D51D062A152A19FCF01EF79C4447893BF5EBAB352B0A617FD959D7B46F37108018780
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcAddress.KERNEL32(?), ref: 6D4F466E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: 'UN$T9J=y$correngine.dll
      • API String ID: 190572456-3051324083
      • Opcode ID: 578b732515fabd629b04ddbe94910fc3171f49def8fb4a3261197643df508199
      • Instruction ID: b20c63ee13e308f27685eddd74fbff7abd018514e0bdf55fc1c47988c0914179
      • Opcode Fuzzy Hash: 578b732515fabd629b04ddbe94910fc3171f49def8fb4a3261197643df508199
      • Instruction Fuzzy Hash: 07218B34A102629FCF01EFB8C481BDDBBB5EF6F222F06556AC8259BB16E3750481CB55
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: o ep$T9J=y
      • API String ID: 190572456-3186055922
      • Opcode ID: 7865fde4ad7ca7c91762730bcd806679c3996a76f1623fb07f3c60678e9b0524
      • Instruction ID: 17530cd5af2d4ad9b1969ca27e623c5064708839903ce4231f57fbb838a090dc
      • Opcode Fuzzy Hash: 7865fde4ad7ca7c91762730bcd806679c3996a76f1623fb07f3c60678e9b0524
      • Instruction Fuzzy Hash: 9A519B35A146669FCF00EFB9C884BCD7BB5EB6B312F06616AC9649BB51E3390941CB10
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: RaiseException$correngine.dll
      • API String ID: 190572456-270107267
      • Opcode ID: 5f13eaeff498a12c87c37ac220f76efbb9ecefbf36aed24376513d1873b41bd3
      • Instruction ID: 0156209c5f90bf6a62b832cdcce8a433f4d7d0cb9b2076ea145e7d01a0b53879
      • Opcode Fuzzy Hash: 5f13eaeff498a12c87c37ac220f76efbb9ecefbf36aed24376513d1873b41bd3
      • Instruction Fuzzy Hash: 6421DE75A503619FCF00EBB9D894B8DBBF4EB9B322B56502BD514EBB02E3380944CB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.760115390.000000006D4E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D4E0000, based on PE: true
      • Associated: 00000001.00000002.760104839.000000006D4E0000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760361026.000000006D58A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760376524.000000006D58E000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.760382995.000000006D58F000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6d4e0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: Eg5$^ !
      • API String ID: 190572456-1743815323
      • Opcode ID: 9c03512fba2e52a62185a250338516c09997fe54889207e770fb7d46ce9277cf
      • Instruction ID: 4f15c71e637dfa6de974c6720a92f577e6e68bc3668f45251a6657ab38295eb0
      • Opcode Fuzzy Hash: 9c03512fba2e52a62185a250338516c09997fe54889207e770fb7d46ce9277cf
      • Instruction Fuzzy Hash: C421B0A5E543609FCF00DF79C890BE87BF4EBAB312F06605BD85497B42E37409068B15
      Uniqueness

      Uniqueness Score: -1.00%