Edit tour

Windows Analysis Report
LwNdQo4zIk.exe

Overview

General Information

Sample Name:	LwNdQo4zIk.exe
Analysis ID:	778226
MD5:	3ccd6b369eb1dde57d181e7550bd7268
SHA1:	aee399e263c838570c00133feab275b81009e12a
SHA256:	f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
Tags:	32exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

LwNdQo4zIk.exe (PID: 1792 cmdline: C:\Users\user\Desktop\LwNdQo4zIk.exe MD5: 3CCD6B369EB1DDE57D181E7550BD7268)

rundll32.exe (PID: 5472 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.309288628.0000000002330000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.309087545.0000000002254000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: LwNdQo4zIk.exe

Virustotal: Detection: 49%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp	Virustotal: Detection: 64%			Perma Link

Machine Learning detection for sample

Source: LwNdQo4zIk.exe

Joe Sandbox ML: detected

Source: 0.2.LwNdQo4zIk.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen2

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004A7759 CryptAcquireContextA,	0_2_004A7759
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AB9D1 CryptDeriveKey,	0_2_004AB9D1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004B01AF CryptExportKey,	0_2_004B01AF
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004B035E CryptDestroyKey,	0_2_004B035E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004B056E CryptReleaseContext,	0_2_004B056E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004BA67F CryptAcquireContextA,CryptAcquireContextA,	0_2_004BA67F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AF6E3 CryptExportKey,	0_2_004AF6E3
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt,	0_2_004BA75C
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004BA7D8 CryptDestroyKey,CryptDestroyKey,	0_2_004BA7D8
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004BA80E CryptReleaseContext,CryptReleaseContext,	0_2_004BA80E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004BA9DE CryptBinaryToStringA,CryptBinaryToStringA,	0_2_004BA9DE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004C2A13 CryptBinaryToStringA,	0_2_004C2A13
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AFA91 CryptExportKey,CryptExportKey,	0_2_004AFA91
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004A5B70 CryptBinaryToStringA,	0_2_004A5B70
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AEB1B CryptGenKey,	0_2_004AEB1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D96B6D8 CryptHashData,LoadLibraryW,	1_2_6D96B6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D979484 CryptHashData,	1_2_6D979484
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D980486 CryptHashData,	1_2_6D980486
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D980CD9 CryptDestroyKey,	1_2_6D980CD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D987CD1 CryptReleaseContext,	1_2_6D987CD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D99140C CryptDeriveKey,	1_2_6D99140C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D97279D HttpSendRequestW,CryptReleaseContext,	1_2_6D97279D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D973F01 CryptHashData,	1_2_6D973F01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D968F2B CryptDeriveKey,	1_2_6D968F2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D9D9750 CryptHashData,	1_2_6D9D9750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D98AF62 CryptHashData,	1_2_6D98AF62
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D9646B5 CryptEncrypt,	1_2_6D9646B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D972EF8 GetProcAddress,CryptHashData,	1_2_6D972EF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D9EC13D CryptHashData,	1_2_6D9EC13D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D96C080 CryptHashData,	1_2_6D96C080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D97E812 CryptEncrypt,	1_2_6D97E812
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D989035 CryptReleaseContext,	1_2_6D989035
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D980283 CryptReleaseContext,GetProcAddress,GetProcAddress,	1_2_6D980283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D987ADA CryptDeriveKey,	1_2_6D987ADA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D96EAE5 CryptGetHashParam,	1_2_6D96EAE5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D98321F CryptHashData,	1_2_6D98321F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D971A58 CryptEncrypt,	1_2_6D971A58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D9B6A70 CryptEncrypt,	1_2_6D9B6A70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D96CA64 CryptEncrypt,	1_2_6D96CA64

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack

Source: LwNdQo4zIk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source:	Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Code function: 0_2_004B7085 InternetReadFile,

0_2_004B7085

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.309288628.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.309087545.0000000002254000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: LwNdQo4zIk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.309288628.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.309087545.0000000002254000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004FA0B0	0_2_004FA0B0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004B4115	0_2_004B4115
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AB2C2	0_2_004AB2C2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004C13A5	0_2_004C13A5
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004DE3A7	0_2_004DE3A7
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004A067F	0_2_004A067F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004DD9E8	0_2_004DD9E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D99213A	1_2_6D99213A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D9A822C	1_2_6D9A822C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_6D96CA64	1_2_6D96CA64

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp 20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8

Source: LwNdQo4zIk.exe

Static PE information: Section: .data ZLIB complexity 0.9918356461560528

Source: LwNdQo4zIk.exe

Virustotal: Detection: 49%

Source: LwNdQo4zIk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Code function: 0_2_004B1333 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,

0_2_004B1333

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot

Source: unknown	Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot	Jump to behavior

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: LwNdQo4zIk.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source:	Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004F7054 push 004E123Eh; ret	0_2_004F71C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004F0321 push 004ED2FBh; ret	0_2_004F0472
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004D6483 push 0046B803h; ret	0_2_004D6561
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004D85D5 push 004C899Fh; ret	0_2_004D867A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004EB75E push 004D3CB3h; ret	0_2_004EB891
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret	0_2_004A7A9F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004EA92F push 004DAC2Fh; ret	0_2_004EAA73
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004F59CA push 004B1D5Fh; ret	0_2_004F5B00
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AB9D1 push 0046C15Ah; ret	0_2_004ABA8F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0046FE63 push 00469E02h; ret	0_2_0046FFC0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004C8FA2 push 004ADFCDh; ret	0_2_004C907D
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004C8FA2 push 004B29F4h; ret	0_2_004C947A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_00491044 push 0046B803h; ret	0_2_00491087
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004F3042 push 004BACA2h; ret	0_2_004F30B2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0047E048 push 004F3C92h; ret	0_2_0047E101
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004A5057 push 004A4A45h; ret	0_2_004A5090
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004AC057 push 004A024Ch; ret	0_2_004AC0BA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_00494069 push 0046CDFCh; ret	0_2_004941DE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0049B068 push 0046CDFCh; ret	0_2_0049B298
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0046D063 push 0046AD57h; ret	0_2_0046D29E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0049806C push dword ptr [004FC7DBh]; ret	0_2_00498104
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004C5069 push 004ADFCDh; ret	0_2_004C50AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0046F07F push dword ptr [004FD207h]; ret	0_2_0046F14E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_0047B07B push 00469E02h; ret	0_2_0047B1AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004D300B push dword ptr [004FD567h]; ret	0_2_004D3029
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_00480001 push dword ptr [004FC7DBh]; ret	0_2_00480022
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004CD000 push 004A0557h; ret	0_2_004CD295
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004B8005 push 004AC2A1h; ret	0_2_004B8038
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_00474016 push 0046C15Ah; ret	0_2_004740C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004B701A push 004F3C92h; ret	0_2_004B7084
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	Code function: 0_2_004D1013 push 004B06B3h; ret	0_2_004D110A

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe	API coverage: 9.2 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.4 %

Source: rundll32.exe, 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.309915707.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr	Binary or memory string: #NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanWindowMicrosoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllSystem.Collections.dllInkSeg.dll0123456789abcdefCNB_0336.DLLMicrosoft.Windows.Diagnosis.Commands.WriteDiagProgress.dllmsscp.dllOSProvider.dllapi-ms-win-core-localization-l1-1-0.dllmscorier.dll0123456789abcdef
Source: rundll32.exe, 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: SetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.309915707.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\LwNdQo4zIk.exe

Code function: 0_2_004ADA35 GetLocalTime,

0_2_004ADA35

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	2 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	22 Software Packing	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LwNdQo4zIk.exe	49%	Virustotal		Browse
LwNdQo4zIk.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp	50%	ReversingLabs	Win32.Trojan.Lazy
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp	64%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.LwNdQo4zIk.exe.2330e67.1.unpack	100%	Avira	HEUR/AGEN.1215478	Download File
0.2.LwNdQo4zIk.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File
0.3.LwNdQo4zIk.exe.2450000.0.unpack	100%	Avira	HEUR/AGEN.1215478	Download File

Domains and IPs

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	778226
Start date and time:	2023-01-05 08:51:27 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LwNdQo4zIk.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information

Joe Sandbox View / Context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp

Download File

Process:	C:\Users\user\Desktop\LwNdQo4zIk.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	803328
Entropy (8bit):	6.89627808323015
Encrypted:	false
SSDEEP:	24576:l8Jr+SgWH5UB/VdYQ/N7WqpWaQxYZYBsFn:OJrSBYqLY
MD5:	C50C2F17112B6C6B0892CB2C1F502108
SHA1:	3DD1444384BF790F5AA90AE95EF7745FA4CFAF72
SHA-256:	20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8
SHA-512:	BFBFC3A13816A12E25C373F6739215B9DFF559FECFDF26C3358A452BDC833B6EAA64BBAE316F4B29B9E9CE802E9F50C66B533C8C3C1B372025A7F0B7D8B452F1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 64%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e:..![.@![.@![.@.,.A&[.@.,.A [.@L..A"[.@![.@5[.@.D.@([.@...A [.@...A [.@...A [.@Rich![.@................PE..L.....c...........!.........................................................p............@.............................@.......<................................{......................................................@............................text...p........................... ..`.rdata..............................@..@.data...01.......2..................@....reloc...{.......\|..................@..B........................................................................................................................................................................................................................................................................................................................................................................

GetConsoleAliasW, GetModuleHandleW, CreateDirectoryExW, ReadConsoleInputW, GetTempPathW, GetSystemDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeA, SearchPathA, VerifyVersionInfoA, SetProcessPriorityBoost, EndUpdateResourceA, FindNextFileW, FindFirstVolumeA, LocalShrink, GlobalFlags, _llseek, UpdateResourceA, CreateActCtxW, CopyFileW, AddConsoleAliasW, CreateMutexA, GetCurrentActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, SetEvent, MoveFileExA, CreateMailslotA, WriteConsoleInputA, TerminateThread, GetCurrentProcess, RtlCaptureContext, InterlockedCompareExchange, GetFileTime, lstrcatA, FindFirstFileW, FreeEnvironmentStringsA, SetErrorMode, InterlockedExchangeAdd, MoveFileWithProgressA, GetTickCount, SetLastError, GetPrivateProfileStructW, VerSetConditionMask, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA

GDI32.dll

SetBrushOrgEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
Serbian	Italy

Target ID:	0
Start time:	08:52:18
Start date:	05/01/2023
Path:	C:\Users\user\Desktop\LwNdQo4zIk.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\LwNdQo4zIk.exe
Imagebase:	0x400000
File size:	1034752 bytes
MD5 hash:	3CCD6B369EB1DDE57D181E7550BD7268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.309288628.0000000002330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.309087545.0000000002254000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	08:52:23
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Imagebase:	0xa0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25%
Total number of Nodes:	20
Total number of Limit Nodes:	2

Executed Functions

Function 004A7759 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 259
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 004A7768

Strings

GetVolumeNameForVolumeMountPointW, xrefs: 004A7785
apihex86.dll, xrefs: 004A7899
CallWindowProcW, xrefs: 004A7A67
7~ , xrefs: 004A79F8
RtlCreateTimerQueue, xrefs: 004A7977, 004A8920
RasMigPlugin.dll, xrefs: 004A78DC, 004A79FD
NlsLexicons004a.dll, xrefs: 004A77D2, 004A7A79
msxml3r.dll, xrefs: 004A77C5
devrtl.dll, xrefs: 004A788C, 004A7A8C

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AcquireContextCrypt
String ID: 7~ $CallWindowProcW$GetVolumeNameForVolumeMountPointW$NlsLexicons004a.dll$RasMigPlugin.dll$RtlCreateTimerQueue$apihex86.dll$devrtl.dll$msxml3r.dll
API String ID: 3951991833-1759118181
Opcode ID: 7358e2a6632d911ebb6615a09c023d6a935bae8a3ef6d7f88b02a29ff95ce42f
Instruction ID: 864f73d61dd2754cb24b74166d1be688390b549063db801f3636d54e48d93abe
Opcode Fuzzy Hash: 7358e2a6632d911ebb6615a09c023d6a935bae8a3ef6d7f88b02a29ff95ce42f
Instruction Fuzzy Hash: 36A16DB5E042099FCB00DFBAE9D41EE7BB0EB2A310F04817AD955E7762E3780955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AB9D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptDeriveKey.ADVAPI32 ref: 004ABA09

Strings

wbemprox.dll, xrefs: 004AC259
FXSRES.DLL, xrefs: 004ABA80

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CryptDerive
String ID: FXSRES.DLL$wbemprox.dll
API String ID: 963700953-864472841
Opcode ID: 6f48a9e3d8a845fa319f77717fccbb300e8f6d0b3750192ee9f2a256972f91a6
Instruction ID: f2ca315b04a59662c88b2711d1709a0820e6a57183890c9017ff3987399593be
Opcode Fuzzy Hash: 6f48a9e3d8a845fa319f77717fccbb300e8f6d0b3750192ee9f2a256972f91a6
Instruction Fuzzy Hash: B82102B1E003059FCB009FA8D9D53EEBBB1EB2A710F44827B895497752E3B90E54C788

Uniqueness

Uniqueness Score: -1.00%

Function 004EC46C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 98
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000), ref: 004EC5C7

Strings

Wlh, xrefs: 004EC525
r&, xrefs: 004EC4BB
@Cqt, xrefs: 004EC5C7
NlsLexicons004a.dll, xrefs: 004EC4A7
FXSRES.DLL, xrefs: 004EC515
WriteFileEx, xrefs: 004EC4EB

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CreateProcess
String ID: @Cqt$FXSRES.DLL$NlsLexicons004a.dll$Wlh$WriteFileEx$r&
API String ID: 963392458-1840894579
Opcode ID: c589032668075253d4b0997476dec812eb91138371010b571f4f34328cbe6b11
Instruction ID: 7c91f1378760e961f50db07e3ce39b7fa1196c614006467c9920f1ac7116d833
Opcode Fuzzy Hash: c589032668075253d4b0997476dec812eb91138371010b571f4f34328cbe6b11
Instruction Fuzzy Hash: EE31FE75E0021A9BDB00EFAAEAD06FE7BB0FF28304F40453AE505E7352E6394950CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0046FE63 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 90
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0046FF46

Strings

Wlh, xrefs: 0046FF23
sbs_diasymreader.dll, xrefs: 0046FE8B
EtwpGetCpuSpeed, xrefs: 0046FE9D
hpfevw73.dll, xrefs: 0046FF90
ZwOpenFile, xrefs: 0046FFB1

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: LibraryLoad
String ID: EtwpGetCpuSpeed$Wlh$ZwOpenFile$hpfevw73.dll$sbs_diasymreader.dll
API String ID: 1029625771-530310043
Opcode ID: 84c2ea79aa9ae2472bf0d13afee29d124ec4b34a6d1f35d1e14fc466ec2a4c3b
Instruction ID: 5f9cf8e8bc6aefead99389c9af6ac2026223ccff36b1127e3ada00a722c668e2
Opcode Fuzzy Hash: 84c2ea79aa9ae2472bf0d13afee29d124ec4b34a6d1f35d1e14fc466ec2a4c3b
Instruction Fuzzy Hash: 4F319C75E40359DFD700DFB8FAC52EE7BB1EB2A310B48403A8944A7362E2790969C749

Uniqueness

Uniqueness Score: -1.00%

Function 0046F519 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0046F570

Strings

EtwpGetCpuSpeed, xrefs: 0046F588
devrtl.dll, xrefs: 0046F63E

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: LibraryLoad
String ID: EtwpGetCpuSpeed$devrtl.dll
API String ID: 1029625771-2582432514
Opcode ID: a285a531e5daf239845ba61c217765e189ae03a1582bac433da6b99f5ec81368
Instruction ID: ef33f599e64732a1e3375540842653c93bdef4a5e839f9d74011e57d83ba48f0
Opcode Fuzzy Hash: a285a531e5daf239845ba61c217765e189ae03a1582bac433da6b99f5ec81368
Instruction Fuzzy Hash: 5E318F64E44249DFCB00DFB8EAC55ED7BB1FB29320B00407AD45597722E3780A65CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004C978E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 004C9796

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3992a863efe16b8f63359b138bfd13186a8977471c0d463d6497a29c7974d3d7
Instruction ID: 40f782e186dae421e2e5291fc41b6312c26cd0d01877086a23cfcd62d6540203
Opcode Fuzzy Hash: 3992a863efe16b8f63359b138bfd13186a8977471c0d463d6497a29c7974d3d7
Instruction Fuzzy Hash: 71A0243D300105C7C3014F30F5CD41C371143D030D710C5315403C404CC434D011D100

Uniqueness

Uniqueness Score: -1.00%

Function 004A6D6C Relevance: 1.3, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CharUpperBuffA.USER32(00000000,?,?), ref: 004A6DA3

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: c0d1f12392ce7b553b800283bae38bc47d464258fadfbfb328399a4a17ab7e07
Instruction ID: 9fdd92384781316f0075c6a200922c60cf00b03dd3c62785e9577931238c8af9
Opcode Fuzzy Hash: c0d1f12392ce7b553b800283bae38bc47d464258fadfbfb328399a4a17ab7e07
Instruction Fuzzy Hash: B4F0AE35D00108BFCF01AFE9D845A9DBFB1EF04318F1081A5A924AA2A1D7368A24EF44

Uniqueness

Uniqueness Score: -1.00%

Function 004FA970 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004FA978

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: af609ad100646c7060bc4ecb92b57e4e724e07d0b9cf465bc3175297e7bdafd8
Instruction ID: 5c81a9e60f535cad76a1d6efa1db0b362f67b2df7e96e182e9237fcea45a1aa5
Opcode Fuzzy Hash: af609ad100646c7060bc4ecb92b57e4e724e07d0b9cf465bc3175297e7bdafd8
Instruction Fuzzy Hash: 85A012CDD1004000EE0410311801423102221E060BBD5C8B9680440124FA3CC018201E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004DD9E8 Relevance: 29.2, APIs: 1, Strings: 18, Instructions: 656COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 004DDD9E

Strings

audmigplugin.dll, xrefs: 004DE33E
apihex86.dll, xrefs: 004DDD7D, 004DE0B6
2;, xrefs: 004DDD78
cngprovider.dll, xrefs: 004DE2FF
NlsLexicons004a.dll, xrefs: 004DDD28
api-ms-win-core-io-l1-1-0.dll, xrefs: 004DDE6A
NetWkstaSetInfo, xrefs: 004DDAC8
System.Windows.Controls.Ribbon.dll, xrefs: 004DE187
Gs, xrefs: 004DDF6C
V*, xrefs: 004DE1AA
=kt, xrefs: 004DDCC0
wiawow64.exe, xrefs: 004DDBE1
dxtrans.dll, xrefs: 004DDF89
wbemprox.dll, xrefs: 004DDB11
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004DDC4C, 004DE2F2
GetLocalManagedApplications, xrefs: 004DDC73
RtlInitializeGenericTable, xrefs: 004DDDFB
mfdvdec.dll, xrefs: 004DE37A

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ErrorLast
String ID: Gs$=kt$GetLocalManagedApplications$NetWkstaSetInfo$NlsLexicons004a.dll$RtlInitializeGenericTable$System.Windows.Controls.Ribbon.dll$V*$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$apihex86.dll$audmigplugin.dll$cngprovider.dll$dxtrans.dll$mfdvdec.dll$wbemprox.dll$wiawow64.exe$2;
API String ID: 1452528299-2589147596
Opcode ID: 8a7d02bacb0df8d7231105ae6d5741325e06c272fe29310aeabdff8e49e59cca
Instruction ID: 05d6b29f830936cf197503655dc14312dda97afb7d531475b55ca1f809a40a4b
Opcode Fuzzy Hash: 8a7d02bacb0df8d7231105ae6d5741325e06c272fe29310aeabdff8e49e59cca
Instruction Fuzzy Hash: 6642D275E04249CFCB00DFB9EAE12E97BB1EF29314B04817BC94597362E2790965CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004A067F Relevance: 25.7, Strings: 20, Instructions: 654COMMON

Download Yara Rule

Strings

CallWindowProcW, xrefs: 004A08BD
Nqt, xrefs: 004A0FA6
TSpkg.dll, xrefs: 004A0B88
PSEvents.dll, xrefs: 004A0991, 004A0C12
EtwpGetCpuSpeed, xrefs: 004A0924, 004A0B4E
api-ms-win-core-io-l1-1-0.dll, xrefs: 004A0A63
scksp.dll, xrefs: 004A0B92
devrtl.dll, xrefs: 004A06AB, 004A06CB
System.Windows.Controls.Ribbon.dll, xrefs: 004A0A79
B\5, xrefs: 004A0847
ZwWow64QueryInformationProcess64, xrefs: 004A08C8, 004A098C, 004A0F1E
=kt, xrefs: 004A0E74
ddrerocA, xrefs: 004A0D1F, 004A0DEC, 004A0E47, 004A0E7B, 004A0EB5, 004A0F0A, 004A0FA3, 004A0DF2, 004A0EBD
ddre, xrefs: 004A0CDA
GetLocalManagedApplications, xrefs: 004A08FB
RasMigPlugin.dll, xrefs: 004A0AD6
GetP, xrefs: 004A0B98
rocA, xrefs: 004A0C38
FXSRES.DLL, xrefs: 004A0732, 004A0D1A, 004A0D30
$-7, xrefs: 004A0F05

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: $-7$=kt$B\5$CallWindowProcW$EtwpGetCpuSpeed$FXSRES.DLL$GetLocalManagedApplications$GetP$PSEvents.dll$RasMigPlugin.dll$System.Windows.Controls.Ribbon.dll$TSpkg.dll$ZwWow64QueryInformationProcess64$api-ms-win-core-io-l1-1-0.dll$ddre$ddrerocA$devrtl.dll$rocA$scksp.dll$Nqt
API String ID: 0-2063702746
Opcode ID: 7249d203baedaa77c33435596837b91bd44663c268df7ad3f61fe718c367cf2d
Instruction ID: b0def301be00dee447dbe5b571d51c378938ae4c4b3a571c5a6394b2bc8ae00e
Opcode Fuzzy Hash: 7249d203baedaa77c33435596837b91bd44663c268df7ad3f61fe718c367cf2d
Instruction Fuzzy Hash: F432F676E00248DFCB00DFB9EA941EA7BB2EF69724B05807EC85497362E3350965CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004DE3A7 Relevance: 23.1, Strings: 18, Instructions: 612COMMON

Download Yara Rule

Strings

Wlh, xrefs: 004DE732
GetVolumeNameForVolumeMountPointW, xrefs: 004DEA43
apihex86.dll, xrefs: 004DE7D1
CallWindowProcW, xrefs: 004DE65F
GetAppCompatFlags2, xrefs: 004DE952
dpnathlp.dll, xrefs: 004DED84
api-ms-win-core-io-l1-1-0.dll, xrefs: 004DE756
NetWkstaSetInfo, xrefs: 004DE58D
penusa.dll, xrefs: 004DE815
f\r, xrefs: 004DE3CF
Gs, xrefs: 004DE8CE
=kt, xrefs: 004DE766
wiawow64.exe, xrefs: 004DEB6E, 004DEB73
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004DE569, 004DEC9D
sbs_diasymreader.dll, xrefs: 004DE851
@/, xrefs: 004DE85C
qz., xrefs: 004DEBA8
RtlInitializeGenericTable, xrefs: 004DE4AE

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: Gs$=kt$CallWindowProcW$GetAppCompatFlags2$GetVolumeNameForVolumeMountPointW$NetWkstaSetInfo$RtlInitializeGenericTable$Wlh$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$apihex86.dll$dpnathlp.dll$f\r$penusa.dll$qz.$sbs_diasymreader.dll$wiawow64.exe$@/
API String ID: 0-3626902700
Opcode ID: 73e04fddcb762fd17380410f4abe933b673318dbd42f076f8bd20773ad0de406
Instruction ID: 1f16049fa2c29bce1a5847f1875b2538c2141436720408383bd5407f2aa2cf9b
Opcode Fuzzy Hash: 73e04fddcb762fd17380410f4abe933b673318dbd42f076f8bd20773ad0de406
Instruction Fuzzy Hash: FB32E375E44249CFCB00DFBAEAD52E97BB1EF29324B04817BC85497362E2780965CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004B4115 Relevance: 22.1, Strings: 17, Instructions: 851COMMON

Download Yara Rule

Strings

Wlh, xrefs: 004B4A14
GetVolumeNameForVolumeMountPointW, xrefs: 004B4066
wmploc.DLL, xrefs: 004B495B
GetAppCompatFlags2, xrefs: 004B4A53
RtlCreateTimerQueue, xrefs: 004B42B8
!O, xrefs: 004B44A9
api-ms-win-core-io-l1-1-0.dll, xrefs: 004B43E9
wabimp.dll, xrefs: 004B43E0
NetWkstaSetInfo, xrefs: 004B41B7
ZwOpenFile, xrefs: 004B41FE
f\r, xrefs: 004B4B96
sbs_diasymreader.dll, xrefs: 004B4451
HPBPRO.DLL, xrefs: 004B4739, 004B4A43
GetLocalManagedApplications, xrefs: 004B491A
mfdvdec.dll, xrefs: 004B4265
hpfevw73.dll, xrefs: 004B40E4, 004B490A
}hX, xrefs: 004B41C4

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: !O$GetAppCompatFlags2$GetLocalManagedApplications$GetVolumeNameForVolumeMountPointW$HPBPRO.DLL$NetWkstaSetInfo$RtlCreateTimerQueue$Wlh$ZwOpenFile$api-ms-win-core-io-l1-1-0.dll$f\r$hpfevw73.dll$mfdvdec.dll$sbs_diasymreader.dll$wabimp.dll$wmploc.DLL$}hX
API String ID: 0-1915777522
Opcode ID: f8de094187cb5aaad40c7fd6e50e254cc11a7612ad419f432a1d4f25ded614f1
Instruction ID: 328b9ea172c7fe457b9d8e4ebb097c87c45c34e4d7bc6dcb5dff0e99082a7081
Opcode Fuzzy Hash: f8de094187cb5aaad40c7fd6e50e254cc11a7612ad419f432a1d4f25ded614f1
Instruction Fuzzy Hash: DB62D466A44245CFCB00DFB9FE946EA7BB5EFAA320708417AC94497363D3740929C76C

Uniqueness

Uniqueness Score: -1.00%

Function 004C13A5 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 313COMMON

Download Yara Rule

Strings

VarDateFromUdate, xrefs: 004C13CC
Wlh, xrefs: 004C14CD
mh-, xrefs: 004C1B5F
n:, xrefs: 004C13C5
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004C148E
RasMigPlugin.dll, xrefs: 004C1AAB, 004C1B6C
HPBPRO.DLL, xrefs: 004C1431, 004C14FA
GetLocalManagedApplications, xrefs: 004C19EB
hpfevw73.dll, xrefs: 004C18E3

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: GetLocalManagedApplications$HPBPRO.DLL$RasMigPlugin.dll$VarDateFromUdate$Wlh$api-ms-win-core-interlocked-l1-1-0.dll$hpfevw73.dll$mh-$n:
API String ID: 0-260067468
Opcode ID: 3c935833391de6bbd7c149d5be8d7fbfe6bdad8b8280ff32742df89f8bf0fbde
Instruction ID: e54fa58228523b3247f4f32c2abfc5b05b747a5a7893d848b3390674f79041b2
Opcode Fuzzy Hash: 3c935833391de6bbd7c149d5be8d7fbfe6bdad8b8280ff32742df89f8bf0fbde
Instruction Fuzzy Hash: BEC1B179E0024A9FCB00EFB9EAD46EE7BB1EB29310B44417ED905E7762E3740954CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AB2C2 Relevance: 12.8, Strings: 10, Instructions: 320COMMON

Download Yara Rule

Strings

GetVolumeNameForVolumeMountPointW, xrefs: 004AB66C
GetAppCompatFlags2, xrefs: 004AB5CD
=kt, xrefs: 004AB654
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004AB543
cngprovider.dll, xrefs: 004AB43E
wbemprox.dll, xrefs: 004AC259
FXSRES.DLL, xrefs: 004AB516, 004AB625
devrtl.dll, xrefs: 004AB42F
RtlInitializeGenericTable, xrefs: 004AB2FC
hpfevw73.dll, xrefs: 004AB38C

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: =kt$FXSRES.DLL$GetAppCompatFlags2$GetVolumeNameForVolumeMountPointW$RtlInitializeGenericTable$api-ms-win-core-interlocked-l1-1-0.dll$cngprovider.dll$devrtl.dll$hpfevw73.dll$wbemprox.dll
API String ID: 0-649141487
Opcode ID: 493700602ed97b5d97610bf3e21186bf99b99b127bb852215559cc7559145844
Instruction ID: 072a09430c11f9c01987f29cc09220e59e6ff7fea68ac1a75193fe07c1201d7e
Opcode Fuzzy Hash: 493700602ed97b5d97610bf3e21186bf99b99b127bb852215559cc7559145844
Instruction Fuzzy Hash: AFC1AE75E403099FCB00DFA9EAD56ED7BB1EB29324F00807ED914A7362E3790A55CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004B035E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?), ref: 004B0419

Strings

Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004B0396
scksp.dll, xrefs: 004B03D7

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CryptDestroy
String ID: Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$scksp.dll
API String ID: 1712904745-3817965684
Opcode ID: 1ba5fc7c3a257f75d131fcd563011a084cbac11a3c79b3a35215e36621b5dd36
Instruction ID: 4c5c17772bd7d973cce85e30be1e16e5128337274f85ef7599db5a0952d93290
Opcode Fuzzy Hash: 1ba5fc7c3a257f75d131fcd563011a084cbac11a3c79b3a35215e36621b5dd36
Instruction Fuzzy Hash: 5511D525744281CFD7018BB9FE863E93FB1EF66220F44027A8954573A3C2A90D2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 004A5B70 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

GetVolumeNameForVolumeMountPointW, xrefs: 004A5CC5
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004A5C1A
wiawow64.exe, xrefs: 004A5BDA
scksp.dll, xrefs: 004A5D6E

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$scksp.dll$wiawow64.exe
API String ID: 0-3473566360
Opcode ID: 6e13d59716830d3138c14c915df6980d24302d5b4ac7062b7bf4873156c791c9
Instruction ID: 0e9d8c79414aee5ed3024515340c28f1cd824f4c12ada021047b671772e94a30
Opcode Fuzzy Hash: 6e13d59716830d3138c14c915df6980d24302d5b4ac7062b7bf4873156c791c9
Instruction Fuzzy Hash: 9151BB69A44749CFC7009FA9FF956E93BB0EB3A320708407BC944D7322E2691965CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA91 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

RtlCreateTimerQueue, xrefs: 004AFB12
dbgeng.dll, xrefs: 004AFBBC
devrtl.dll, xrefs: 004AFBB1

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: RtlCreateTimerQueue$dbgeng.dll$devrtl.dll
API String ID: 0-2281805483
Opcode ID: 058cc3f21566c971f2538abf272fc56e589d7fe5510ab598018e46a50b3f2ddd
Instruction ID: e24532da6f2a289c23c6f4941ae3d256a9864d5727f3a8b66d1e947845f9ad2f
Opcode Fuzzy Hash: 058cc3f21566c971f2538abf272fc56e589d7fe5510ab598018e46a50b3f2ddd
Instruction Fuzzy Hash: F0410267A402868FC7018FB5FE947E63FB4EB7A7607084176CD4497723D228091ACBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004B7085 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Wlh, xrefs: 004B7124
GetLocalManagedApplications, xrefs: 004B70D3
? , xrefs: 004B71D2

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: ? $GetLocalManagedApplications$Wlh
API String ID: 0-2048745350
Opcode ID: 509aebd62b0b127d20e357408734fc77926bca3ef38b1c5c4ecf77077112861c
Instruction ID: ce70d70ea4648ec9a429ac842834e08205dfe7c7a4c545f87cb37043a012fc17
Opcode Fuzzy Hash: 509aebd62b0b127d20e357408734fc77926bca3ef38b1c5c4ecf77077112861c
Instruction Fuzzy Hash: D741E375D443598FCB00DBB8EE955EA3BB2EB69310704413AC80097B23D2780D69CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004AEB1B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110encryptionCOMMON

Download Yara Rule

APIs

CryptGenKey.ADVAPI32(?), ref: 004AEB44

Strings

GetLocalManagedApplications, xrefs: 004AEB94

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: Crypt
String ID: GetLocalManagedApplications
API String ID: 993010335-2412223744
Opcode ID: 90a7d40cce46aeebd4316900c3109388bdbc03f19d3112e42ff80b423a353ba8
Instruction ID: e9d60645f25df3f8ea143010a32424c0cebbac4444ddfb102ce184d604e54b2e
Opcode Fuzzy Hash: 90a7d40cce46aeebd4316900c3109388bdbc03f19d3112e42ff80b423a353ba8
Instruction Fuzzy Hash: F4317B56A5024A8FCB10DF34FE993E63BA1EB7B3247044177C821977A6D22A0875C76D

Uniqueness

Uniqueness Score: -1.00%

Function 004B01AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32(?), ref: 004B01E1

Strings

ZwOpenFile, xrefs: 004B0237

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CryptExport
String ID: ZwOpenFile
API String ID: 3389274496-3061432694
Opcode ID: cebb804deda6a707b31394c2998f1f8d664a7ab440c0c1b0ba3fe20e9c34a550
Instruction ID: 81dda3a31a3bbc86c7ccba9f2d4059ce5bca937f6ce77958a7017cd490775c64
Opcode Fuzzy Hash: cebb804deda6a707b31394c2998f1f8d664a7ab440c0c1b0ba3fe20e9c34a550
Instruction Fuzzy Hash: 47012663950245DBC300CBFCBE427EA7BB8EB653257044176DD04E3262E66A0D56C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 004BA9DE Relevance: 3.1, APIs: 2, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 004BAA05
CryptBinaryToStringA.CRYPT32(?,?,00000001,?,?), ref: 004BAA35

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 9148eff3da48344e1d12db2789ff7db2dc651f2a83e9d144aa6a0a8387db3559
Instruction ID: cd48c6b3742682db978dee803b04635d8b977bde26e391758810dca5e7dd0092
Opcode Fuzzy Hash: 9148eff3da48344e1d12db2789ff7db2dc651f2a83e9d144aa6a0a8387db3559
Instruction Fuzzy Hash: A511FB75D00108FBDF019F94CC41BEDBB76FF08300F104266B921A22A0E77A8A60DB66

Uniqueness

Uniqueness Score: -1.00%

Function 004B1333 Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

dxtrans.dll, xrefs: 004B13DC
RtlCreateTimerQueue, xrefs: 004B1373

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID: RtlCreateTimerQueue$dxtrans.dll
API String ID: 0-3232145319
Opcode ID: 04208931043cb9ff03e743e6ffee993e5cc0e3cdd547e3fbb9fa17e028715fe2
Instruction ID: 3c92a60d07b910cd797c9cde1ab3375b2d7d7caab9db6e88fc5699dbf90eb3af
Opcode Fuzzy Hash: 04208931043cb9ff03e743e6ffee993e5cc0e3cdd547e3fbb9fa17e028715fe2
Instruction Fuzzy Hash: 0501E131A102098BE700AF7AEED5BE633A2EB18300F4000369D00C77A5E2665824C75D

Uniqueness

Uniqueness Score: -1.00%

Function 004B056E Relevance: 1.5, APIs: 1, Instructions: 48encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32 ref: 004B0571

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 70aff45a6fd7951611b3732b4208190f89d1dfbd6fa1ea0f08147219fd2359da
Instruction ID: b5937936222b717d563e5530a57357b7f1f453a8bb7d3bd6666b10a2515b7fc7
Opcode Fuzzy Hash: 70aff45a6fd7951611b3732b4208190f89d1dfbd6fa1ea0f08147219fd2359da
Instruction Fuzzy Hash: 9601C066A1120E8FCB11DF38EAC91EA3BA1EB7A714304403BC841A7366E2354874CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 004AF6E3 Relevance: 1.5, APIs: 1, Instructions: 14encryptionCOMMON

Download Yara Rule

APIs

CryptExportKey.ADVAPI32 ref: 004AF6F2

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CryptExport
String ID:
API String ID: 3389274496-0
Opcode ID: e1d6614823048c371383ea307966132602e77c05c50381d0c28b114809448871
Instruction ID: d4221534c5ad4299bc9651078f1103edbe157f8ce2e751151f42fad4eb23ba93
Opcode Fuzzy Hash: e1d6614823048c371383ea307966132602e77c05c50381d0c28b114809448871
Instruction Fuzzy Hash: C9D05E68185280AAC6008B74FE8AA652F649BA6610B4000B5B400492F3C2500929C369

Uniqueness

Uniqueness Score: -1.00%

Function 004ADA35 Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004ADA44

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: b700193c1c86c19e8c6d22a4e5633e12132d6af535861b2157dbeb9f2d8b37bb
Instruction ID: 6feaae2b9bacf522af987e2d2991633f8ff704f18c3771b7b1234a28f54250a2
Opcode Fuzzy Hash: b700193c1c86c19e8c6d22a4e5633e12132d6af535861b2157dbeb9f2d8b37bb
Instruction Fuzzy Hash: 71C04C7081020D4ACF00EB959D429BEB6BCAA40218B5005659911B5291EB61AB1085A6

Uniqueness

Uniqueness Score: -1.00%

Function 004FA0B0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b097b0309f89a1192f476928ba68543a92d2c23d50abe5ed894ff1e227a05ad0
Instruction ID: e615807677afee63b5c35191c71010c5a06942e99dc5413fa01f24175c4ad080
Opcode Fuzzy Hash: b097b0309f89a1192f476928ba68543a92d2c23d50abe5ed894ff1e227a05ad0
Instruction Fuzzy Hash: E102E6B1B082254BDB0CCE18C59023DBBE2FBC9341F15496EE59AD7384C678D995CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 004BA67F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140ba7c6eeb16db4d3db3bcf8a08cd3e9114ae159abc6f95e2c3d7fa4b8f75a0
Instruction ID: 13098da43e41b6a377cc122102e0c61971807471e885c152087d7bc7652aa414
Opcode Fuzzy Hash: 140ba7c6eeb16db4d3db3bcf8a08cd3e9114ae159abc6f95e2c3d7fa4b8f75a0
Instruction Fuzzy Hash: 9FF0A470A5021CEFDB00CF84DD85BDDB7B1BB08304F100166EA40A7394D3B9A924DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004BA75C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cf7fde548232ddf5e1cdd39e8808ef3593ba8cfcc81401b37a56e8730e95d4
Instruction ID: dbb2cebe213b8c7046f91811030d7f2f856ec0e24dc2b9e0c3ef74e2b6c3b591
Opcode Fuzzy Hash: 83cf7fde548232ddf5e1cdd39e8808ef3593ba8cfcc81401b37a56e8730e95d4
Instruction Fuzzy Hash: 6CE00979A0020DAEDF019FD5CD85DEEBFB6EB88714F100069EA1072160D6725D64DB66

Uniqueness

Uniqueness Score: -1.00%

Function 004BA7D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fc9cdc24ae54707d79819bf13c194b06eb89ae4313e78ba5d708260b8d7dd0
Instruction ID: 46d84c7a961612567cdf95ea1c411bd4849ccd9e57829e3575dbdf7af3a36cc4
Opcode Fuzzy Hash: f1fc9cdc24ae54707d79819bf13c194b06eb89ae4313e78ba5d708260b8d7dd0
Instruction Fuzzy Hash: 14E02D79A00219EFDB15DF85E8819AEBBB2FB8D304F1041A4F90067265C7759C62EF64

Uniqueness

Uniqueness Score: -1.00%

Function 004C2A13 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4533122f00e3f06e9b506e558a66b98a654bc9eb808e8eae4e1719417f7615b1
Instruction ID: c00efbd50bd566755fdbbb76191db873fa22e01bbac1f8a77da95ba4ad2c2029
Opcode Fuzzy Hash: 4533122f00e3f06e9b506e558a66b98a654bc9eb808e8eae4e1719417f7615b1
Instruction Fuzzy Hash: 7BC0125978024C8F4350CB289D86F6026A0D35531035440369584E3251E6A58518C708

Uniqueness

Uniqueness Score: -1.00%

Function 004BA80E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776217f08c024aac371037d3aae5d197dc6381f1f09d6c16ce85a6b876d4883d
Instruction ID: 03a5d180bc044da452250d385a0ae2c669391eeb9294f807430b15919c97f41c
Opcode Fuzzy Hash: 776217f08c024aac371037d3aae5d197dc6381f1f09d6c16ce85a6b876d4883d
Instruction Fuzzy Hash: CDB0923164020CFE9B488F80AEC08783A36E3C0B497100074A10011061C6744D20DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 004EC93E Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 265fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000), ref: 004ECB42

Strings

GetVolumeNameForVolumeMountPointW, xrefs: 004ECA80
Q$L, xrefs: 004ECB12
RtlCreateTimerQueue, xrefs: 004ECC40
msxml3r.dll, xrefs: 004ECC03
NetWkstaSetInfo, xrefs: 004ECC11
ZwOpenFile, xrefs: 004ECC6E
System.Windows.Controls.Ribbon.dll, xrefs: 004ECB6D
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004ED1B3
OO, xrefs: 004EC9D3
=kt, xrefs: 004ECB9E
FXSRES.DLL, xrefs: 004ECB77
6, xrefs: 004EC9D8
hpfevw73.dll, xrefs: 004ECA70
GJ&, xrefs: 004EC94E

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CreateFile
String ID: 6$=kt$FXSRES.DLL$GJ&$GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NetWkstaSetInfo$OO$Q$L$RtlCreateTimerQueue$System.Windows.Controls.Ribbon.dll$ZwOpenFile$hpfevw73.dll$msxml3r.dll
API String ID: 823142352-508587202
Opcode ID: 2b2ba3889522c386f2f1e895cc741aacfb6442b04e81d5ddaaa1edeff21a088b
Instruction ID: 509ea8cbe4a3591b9b0481434c525ec50f11f0bb41db308bb747d028baa70665
Opcode Fuzzy Hash: 2b2ba3889522c386f2f1e895cc741aacfb6442b04e81d5ddaaa1edeff21a088b
Instruction Fuzzy Hash: EB915556B402858FD7009F7AFED63E63BA1EB29325B04427BD944873A3D26D092AC31D

Uniqueness

Uniqueness Score: -1.00%

Function 0049974A Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 234libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0049981A

Strings

GetVolumeNameForVolumeMountPointW, xrefs: 0049974A
CallWindowProcW, xrefs: 004998AE, 004999D9
Nqt, xrefs: 0049981A
Gr, xrefs: 00499814
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 00499A01
=kt, xrefs: 00499AB2
dxtrans.dll, xrefs: 00499A85
q:6, xrefs: 00499990
ap!, xrefs: 00499A7D
.6&, xrefs: 00499924
ZwOpenFile, xrefs: 0049991C

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: .6&$=kt$CallWindowProcW$GetVolumeNameForVolumeMountPointW$Gr$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$ZwOpenFile$ap!$dxtrans.dll$q:6$Nqt
API String ID: 190572456-734602352
Opcode ID: 950b0f4b12323d790cb6bf90020a46fece1815f7b96e198ff706f8a53d15e09b
Instruction ID: 263ed57c7c18ffc7593e93c871394e9c08e5bf1ba25744a908626f4c56d39ddc
Opcode Fuzzy Hash: 950b0f4b12323d790cb6bf90020a46fece1815f7b96e198ff706f8a53d15e09b
Instruction Fuzzy Hash: D2918A75E54209DFCB00EFB9EAD56ED7BB1EB29310F04407ED904A7322E2394A65CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AA0DE Relevance: 21.2, APIs: 1, Strings: 13, Instructions: 199COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004AA114

Strings

CallWindowProcW, xrefs: 004AA137
GetAppCompatFlags2, xrefs: 004AA3A9
scksp.dll, xrefs: 004AA373
wabimp.dll, xrefs: 004AA0E5
ZwOpenFile, xrefs: 004AA291
f\r, xrefs: 004AA11A
System.Windows.Controls.Ribbon.dll, xrefs: 004AA203
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004AA175
wiawow64.exe, xrefs: 004AA141
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004AA259
, xrefs: 004AA3C0
WriteFileEx, xrefs: 004AA2F1
@Mqt, xrefs: 004AA114

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ErrorLast
String ID: $@Mqt$CallWindowProcW$GetAppCompatFlags2$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$System.Windows.Controls.Ribbon.dll$WriteFileEx$ZwOpenFile$api-ms-win-core-interlocked-l1-1-0.dll$f\r$scksp.dll$wabimp.dll$wiawow64.exe
API String ID: 1452528299-2799414311
Opcode ID: b61d8796a8067f191c03d4fac042a00e920b0d0bde90d28ae46547eb1006d9fe
Instruction ID: 420889970987b465808a204f5afa47a40c4ff46ac239ef72e800e05bb5a3cca4
Opcode Fuzzy Hash: b61d8796a8067f191c03d4fac042a00e920b0d0bde90d28ae46547eb1006d9fe
Instruction Fuzzy Hash: 76712175E5024A9FCB00AFB9D9852ED7BF1EB2A310F44807B9944E7712E3780A51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00473115 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 200libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 004732C5

Strings

audmigplugin.dll, xrefs: 00473218
jlU, xrefs: 00473350
CallWindowProcW, xrefs: 00473287, 004733CF
Nqt, xrefs: 004732C5
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 004732DD
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004731BC
wbemprox.dll, xrefs: 00473363
NlsLexicons004a.dll, xrefs: 00473200
FXSRES.DLL, xrefs: 00473149, 00473291

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: CallWindowProcW$FXSRES.DLL$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NlsLexicons004a.dll$api-ms-win-core-interlocked-l1-1-0.dll$audmigplugin.dll$jlU$wbemprox.dll$Nqt
API String ID: 190572456-246030322
Opcode ID: 138ca5923c9134c11a710964cd61249e36dcacce325fd96a7f04c88d8201ebe3
Instruction ID: 3d373285343c952007e9b153005274380f254a2b7baf0154feed43fe944716d1
Opcode Fuzzy Hash: 138ca5923c9134c11a710964cd61249e36dcacce325fd96a7f04c88d8201ebe3
Instruction Fuzzy Hash: FD719E75E4024ACFCB00DFB9EAC45ED7BB1EB29311B44817BD958A7312E3781A55CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004903D6 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 197libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 004903DD

Strings

audmigplugin.dll, xrefs: 004905E8
GetVolumeNameForVolumeMountPointW, xrefs: 004904C9
CallWindowProcW, xrefs: 00490534, 00490667
Nqt, xrefs: 004903DD
w$, xrefs: 004905E0
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 00490562
dxtrans.dll, xrefs: 0049065D
scksp.dll, xrefs: 004904F6, 00490610
mfdvdec.dll, xrefs: 004905A2

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: CallWindowProcW$GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$audmigplugin.dll$dxtrans.dll$mfdvdec.dll$scksp.dll$Nqt$w$
API String ID: 190572456-2145969444
Opcode ID: 0e0cdbeca731bc113a672962f4016a58f80191c65ce3b9106585f39f14e45c88
Instruction ID: f1698880332fac7afd10a60e64ee96bef3fb79fb49aebea202d8aa39a68c1d6a
Opcode Fuzzy Hash: 0e0cdbeca731bc113a672962f4016a58f80191c65ce3b9106585f39f14e45c88
Instruction Fuzzy Hash: E7715B79A002099FCB00EFA9EAD45EDBFB0FB29314F40407AE644E7356E3785995CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0049867D Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0049870B

Strings

Wlh, xrefs: 004987B4
apihex86.dll, xrefs: 0049876B
Nqt, xrefs: 0049870B
api-ms-win-core-namedpipe-l1-1-0.dll, xrefs: 00498770
GetAppCompatFlags2, xrefs: 004987A5
NetWkstaSetInfo, xrefs: 0049884F
mfdvdec.dll, xrefs: 00498878
ZwOpenFile, xrefs: 004986AE
WriteFileEx, xrefs: 00498793

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: GetAppCompatFlags2$NetWkstaSetInfo$Wlh$WriteFileEx$ZwOpenFile$api-ms-win-core-namedpipe-l1-1-0.dll$apihex86.dll$mfdvdec.dll$Nqt
API String ID: 190572456-3534082631
Opcode ID: b43f78d7a9ca0ff4e9a1c68c9bcc8275b987b598861fa8c55ea487eb11309962
Instruction ID: d89402bae393aef703c32ad7198458f1212dd78998115b8bfac6aba418e54c21
Opcode Fuzzy Hash: b43f78d7a9ca0ff4e9a1c68c9bcc8275b987b598861fa8c55ea487eb11309962
Instruction Fuzzy Hash: D2517F71E5020A9FCB00DFA9EAD06EC7BB0EF29314F14407ED944E7352E2395A55CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004B972C Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 200libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 004B988B

Strings

P4&, xrefs: 004B9843
Q&/, xrefs: 004B98A7
apihex86.dll, xrefs: 004B97FD
Nqt, xrefs: 004B988B
dpnathlp.dll, xrefs: 004B98FE
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004B993A
scksp.dll, xrefs: 004B976E, 004B9848
RtlInitializeGenericTable, xrefs: 004B98AC

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: P4&$Q&/$RtlInitializeGenericTable$api-ms-win-core-interlocked-l1-1-0.dll$apihex86.dll$dpnathlp.dll$scksp.dll$Nqt
API String ID: 190572456-2587095828
Opcode ID: e062b7dcc3efcd7fa60f5e3853cab8d5358fdc6befc702fa0fbbfd0189fd394c
Instruction ID: be7a2ec22074aa0e5b7b5717d0116898ab41938bb0cae7cc4e3ed169e44f8695
Opcode Fuzzy Hash: e062b7dcc3efcd7fa60f5e3853cab8d5358fdc6befc702fa0fbbfd0189fd394c
Instruction Fuzzy Hash: 8861E566E102498FC7009F79EEC46EA7BB5EF2A310B44417AD944D7322E2740D69CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 00496469 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 196libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0049657F

Strings

audmigplugin.dll, xrefs: 00496597
CallWindowProcW, xrefs: 0049660B, 004966FA
Nqt, xrefs: 0049657F
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 00496479, 00496548
dpnathlp.dll, xrefs: 004966D0
api-ms-win-core-io-l1-1-0.dll, xrefs: 0049651F
FXSRES.DLL, xrefs: 004966B3
NetWkstaSetInfo, xrefs: 00496495

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: CallWindowProcW$FXSRES.DLL$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$NetWkstaSetInfo$api-ms-win-core-io-l1-1-0.dll$audmigplugin.dll$dpnathlp.dll$Nqt
API String ID: 190572456-2030639918
Opcode ID: 8777019d2191e1aa40bc2a2141ff75f0a0523ad0a775bc6dcb96c41d10bfc21c
Instruction ID: 78e2aff218d11bfd34384a78dad3f64bd060e82e0c8a0ef5f0e60ce38db63009
Opcode Fuzzy Hash: 8777019d2191e1aa40bc2a2141ff75f0a0523ad0a775bc6dcb96c41d10bfc21c
Instruction Fuzzy Hash: 2E717E74E402099FDB00DFB9EAD56ED7BB0EB18324F44817AE544E7312E3795991CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00476352 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 165libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000), ref: 00476466

Strings

GetVolumeNameForVolumeMountPointW, xrefs: 0047647E
Nqt, xrefs: 00476466
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 0047646F
dpnathlp.dll, xrefs: 0047653B
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 0047656F
RtlCreateTimerQueue, xrefs: 0047643F
0K', xrefs: 00476359
FXSRES.DLL, xrefs: 004764E5

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: 0K'$FXSRES.DLL$GetVolumeNameForVolumeMountPointW$Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$RtlCreateTimerQueue$api-ms-win-core-interlocked-l1-1-0.dll$dpnathlp.dll$Nqt
API String ID: 190572456-836657864
Opcode ID: 0c5fb8a9b7ff7b2b80b91cf14ac07e4ac3ef1cabe6bd2389533f2cda667ad8ac
Instruction ID: 2d7d1640e88f5fae0fa9df824b272f517f4d9c5d8e2a04585298fcae2a55bc90
Opcode Fuzzy Hash: 0c5fb8a9b7ff7b2b80b91cf14ac07e4ac3ef1cabe6bd2389533f2cda667ad8ac
Instruction Fuzzy Hash: 12510965E406098FDB009F79EBD12E93BB2EF29310F45817AC94897367E3780969C74D

Uniqueness

Uniqueness Score: -1.00%

Function 0046C96E Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0046CA7E

Strings

Nqt, xrefs: 0046CA7E
wiawow64.exe, xrefs: 0046CADA
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 0046CA47
RtlCreateTimerQueue, xrefs: 0046CACA, 0046CACF, 0046CAD2
1., xrefs: 0046C9B6
api-ms-win-core-io-l1-1-0.dll, xrefs: 0046CB12
f\r, xrefs: 0046CA1A, 0046CB2E
System.Windows.Controls.Ribbon.dll, xrefs: 0046C996

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: RtlCreateTimerQueue$System.Windows.Controls.Ribbon.dll$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-io-l1-1-0.dll$f\r$wiawow64.exe$ 1.$Nqt
API String ID: 190572456-2152620153
Opcode ID: 27401d0d2726a9b191bfd9aa9ca358e754fce464cdde78d746d65144ab7bd141
Instruction ID: 586f1475809b64e79bf91d7602bd4fb8e1f1a0bca0285b548caa3de515fbf639
Opcode Fuzzy Hash: 27401d0d2726a9b191bfd9aa9ca358e754fce464cdde78d746d65144ab7bd141
Instruction Fuzzy Hash: 1641165A640244CFC3008FBAFED56F62BA4EF6A714304417BD958D7363E3240929C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0049CB8D Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 142libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0049CC9E

Strings

Nqt, xrefs: 0049CC9E
inetmgr.dll, xrefs: 0049CBE2
GetAppCompatFlags2, xrefs: 0049CC38
wiawow64.exe, xrefs: 0049CB95
[`-, xrefs: 0049CBD3
RasMigPlugin.dll, xrefs: 0049CD2F
api-ms-win-core-io-l1-1-0.dll, xrefs: 0049CC7F
wabimp.dll, xrefs: 0049CC71

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: GetAppCompatFlags2$RasMigPlugin.dll$[`-$api-ms-win-core-io-l1-1-0.dll$inetmgr.dll$wabimp.dll$wiawow64.exe$Nqt
API String ID: 190572456-1239910560
Opcode ID: 3e5e37e6993037c2112f34d00a5f71534c251473bd5735ab50b9216db42cd6b8
Instruction ID: 7f6660039ba0b0a5edd7626fbf2e16e18d4bd122dca507be7c7474acf0f0adbc
Opcode Fuzzy Hash: 3e5e37e6993037c2112f34d00a5f71534c251473bd5735ab50b9216db42cd6b8
Instruction Fuzzy Hash: B051AF75E9020A8BDF00DFB9DAD51EA7FB1EB29320F44413AD944A7366E3380965CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00488A4B Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ZwOpenFile), ref: 00488ACF

Strings

Nqt, xrefs: 00488ACF
<4, xrefs: 00488B30
wiawow64.exe, xrefs: 00488A4C
dxtrans.dll, xrefs: 00488BD7
dpnathlp.dll, xrefs: 00488BEC
mfdvdec.dll, xrefs: 00488B7F
ZwOpenFile, xrefs: 00488A5A, 00488A5F, 00488B25
f\r, xrefs: 00488AE7

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: ZwOpenFile$dpnathlp.dll$dxtrans.dll$f\r$mfdvdec.dll$wiawow64.exe$<4$Nqt
API String ID: 190572456-1549795477
Opcode ID: 87ff3050cb803f3620d154755cad0e1055062b8ab163cf4b5157cd667f825b05
Instruction ID: cec6222b5558c424c60c96249a8bee6645661b902af6dedb69316337e7c192ca
Opcode Fuzzy Hash: 87ff3050cb803f3620d154755cad0e1055062b8ab163cf4b5157cd667f825b05
Instruction Fuzzy Hash: 8E41E176E002099FCB00EFB5EEC06ED7BB1EB28314F84447AE944E3312E6791959CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004CD000 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 202networkCOMMON

Download Yara Rule

APIs

InternetQueryOptionW.WININET(?), ref: 004CD0F1

Strings

Wlh, xrefs: 004CD0AA
NlsLexicons004a.dll, xrefs: 004CD1D2
HPBPRO.DLL, xrefs: 004CD192
~N%, xrefs: 004CD1CD
wabimp.dll, xrefs: 004CD083
RtlInitializeGenericTable, xrefs: 004CD01A, 004CD096
WriteFileEx, xrefs: 004CD00A

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: InternetOptionQuery
String ID: HPBPRO.DLL$NlsLexicons004a.dll$RtlInitializeGenericTable$Wlh$WriteFileEx$wabimp.dll$~N%
API String ID: 2202126096-1700376548
Opcode ID: 3be41d65dddcc7a9415b30e8ddcd0fe2837f5f22b7e86ad8b4cebec6cadade39
Instruction ID: 1f6483ca92b94503da3dd425239bc6d5f2a6660ff60c625d448469d08e61ab1e
Opcode Fuzzy Hash: 3be41d65dddcc7a9415b30e8ddcd0fe2837f5f22b7e86ad8b4cebec6cadade39
Instruction Fuzzy Hash: 5671162AE40249DFC7009FB9EED5BE53BB1EB25314B04417AD958D7363D2780A29CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0048A63F Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 165libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0048A664

Strings

Nqt, xrefs: 0048A664
yj', xrefs: 0048A7B7
inetmgr.dll, xrefs: 0048A7CD
scksp.dll, xrefs: 0048A7BF
`gqt, xrefs: 0048A6D0
ZwOpenFile, xrefs: 0048A79C

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: ZwOpenFile$`gqt$inetmgr.dll$scksp.dll$yj'$Nqt
API String ID: 190572456-634381080
Opcode ID: d69b150830a1518217a1eae4d561175c49900a846425838c4300dcf47a6d1d00
Instruction ID: ef07b13d1d99affa26c6ce296e4d6fa7720a618206067c2f0eacbfd159cdb61b
Opcode Fuzzy Hash: d69b150830a1518217a1eae4d561175c49900a846425838c4300dcf47a6d1d00
Instruction Fuzzy Hash: 11510465E402098FDB00EFB8EAD05ED7BB0EB3A310F04857BD844E7362E2780965CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0047D746 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0047D7F9

Strings

Nqt, xrefs: 0047D7F9
dxtrans.dll, xrefs: 0047D87E
@Cqt, xrefs: 0047D84C
sbs_diasymreader.dll, xrefs: 0047D8EB
api-ms-win-core-io-l1-1-0.dll, xrefs: 0047D824
WriteFileEx, xrefs: 0047D7B1

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: @Cqt$WriteFileEx$api-ms-win-core-io-l1-1-0.dll$dxtrans.dll$sbs_diasymreader.dll$Nqt
API String ID: 190572456-3126933523
Opcode ID: a05e590cb87d8b219fe9381197e6fab523294f391e83d3708016a1190239def0
Instruction ID: d8d6c77eb36d917750cc31694d9e327978bec80bc6780a29df67510d93ccca69
Opcode Fuzzy Hash: a05e590cb87d8b219fe9381197e6fab523294f391e83d3708016a1190239def0
Instruction Fuzzy Hash: A5514975E502099BCB00EFA9DAD15EDBBB1FF29310F40417AE549E7311E3381A91CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004950EA Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00495168

Strings

Nqt, xrefs: 00495168
Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll, xrefs: 00495243
dpnathlp.dll, xrefs: 004951EF
RasMigPlugin.dll, xrefs: 00495264
scksp.dll, xrefs: 0049519A
RtlInitializeGenericTable, xrefs: 004951D5

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll$RasMigPlugin.dll$RtlInitializeGenericTable$dpnathlp.dll$scksp.dll$Nqt
API String ID: 190572456-1022013135
Opcode ID: c67e63ac1a1bd716244e4eb48e14bec7b5c76f6484eeea1873dd6bf11fc2089b
Instruction ID: 0cc622f0d10128cc4ec125b743cd141e5e84cd1b78dacbd23a6895dbffd5522d
Opcode Fuzzy Hash: c67e63ac1a1bd716244e4eb48e14bec7b5c76f6484eeea1873dd6bf11fc2089b
Instruction Fuzzy Hash: 4141B575E4070A9BCB00AFBAE6D61ED7BB0EB29310F54413BD94497352E3380965CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 004BF9B4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004BFACF

Strings

GetAppCompatFlags2, xrefs: 004BF9B4
EtwpGetCpuSpeed, xrefs: 004BFB0F
api-ms-win-core-io-l1-1-0.dll, xrefs: 004BF9CD
u5, xrefs: 004BFB53
System.Windows.Controls.Ribbon.dll, xrefs: 004BFB79

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: BuffCharUpper
String ID: u5$EtwpGetCpuSpeed$GetAppCompatFlags2$System.Windows.Controls.Ribbon.dll$api-ms-win-core-io-l1-1-0.dll
API String ID: 3964851224-751922521
Opcode ID: e4a7a080d35a1bda451a368d3a76420545da68d3b0c8d208e7234316bf920882
Instruction ID: 71876c9c725b289ee84beb7b770499bf46ca1ddb4dea28d9e5b035f24e8f1ffb
Opcode Fuzzy Hash: e4a7a080d35a1bda451a368d3a76420545da68d3b0c8d208e7234316bf920882
Instruction Fuzzy Hash: 6C414A75E4020A9BCB00DFB5EAD45ED7FB0EF29310F14857AD945E3322E2385AA5CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004C7683 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 93windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 004C7714

Strings

GetAppCompatFlags2, xrefs: 004C7696
!2$, xrefs: 004C779C
hpfevw73.dll, xrefs: 004C76B3
System.Windows.Controls.Ribbon.dll, xrefs: 004C768C
WriteFileEx, xrefs: 004C7792

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: IconLoad
String ID: !2$$GetAppCompatFlags2$System.Windows.Controls.Ribbon.dll$WriteFileEx$hpfevw73.dll
API String ID: 2457776203-3013433113
Opcode ID: 4004841eed7d9b324f471ff78b90535ca08352c73641601e7379af7bbb6d2a15
Instruction ID: 73ab5866575103e279124b0719fc094a4053c6411aa1317e4e67182a777a25ac
Opcode Fuzzy Hash: 4004841eed7d9b324f471ff78b90535ca08352c73641601e7379af7bbb6d2a15
Instruction Fuzzy Hash: 8731836AF456459FC740CFBDED90BA83FB1EB2931070880BED954E7362E6780A54CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004DA02A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 004DA0AE

Strings

}%;, xrefs: 004DA1B8
wmploc.DLL, xrefs: 004DA13A
api-ms-win-core-interlocked-l1-1-0.dll, xrefs: 004DA0CF
ZwOpenFile, xrefs: 004DA1A8

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ExecuteShell
String ID: ZwOpenFile$api-ms-win-core-interlocked-l1-1-0.dll$wmploc.DLL$}%;
API String ID: 587946157-3010588181
Opcode ID: ada2ede9d9efa5d487685b457b6b3e7b9a82c8ee1fedee9980ff5e225c333848
Instruction ID: f3049cc26fdf65618d1996f1d09277dc0458492589d39e311f8c4acd5cbd1bdf
Opcode Fuzzy Hash: ada2ede9d9efa5d487685b457b6b3e7b9a82c8ee1fedee9980ff5e225c333848
Instruction Fuzzy Hash: 4B41A175E0020A8FDB00DF69EAD06ED7BF1EB2A320F04857BD945A7352D3784964CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00494069 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 004941A2

Strings

Nqt, xrefs: 004941A2
inetmgr.dll, xrefs: 0049415D
NetWkstaSetInfo, xrefs: 0049414C
WriteFileEx, xrefs: 00494088

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: NetWkstaSetInfo$WriteFileEx$inetmgr.dll$Nqt
API String ID: 190572456-3048739813
Opcode ID: 0725b60063dc021a5549db0e2d410ccfa316986c7fc66416e13acb27001f1cdd
Instruction ID: 3390adc6ac023f0e1fc66dfe149eebb6da0f0a6ef91f876a88f443f5e40ec5e9
Opcode Fuzzy Hash: 0725b60063dc021a5549db0e2d410ccfa316986c7fc66416e13acb27001f1cdd
Instruction Fuzzy Hash: F441D175E002098FDF00DFA8E9956EEBFB1FB69310F444176D954977A2E3390992CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004C786D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 004C792A

Strings

ZwWow64QueryInformationProcess64, xrefs: 004C78EE
CallWindowProcW, xrefs: 004C78E4, 004C7998
wbemprox.dll, xrefs: 004C7955
RasMigPlugin.dll, xrefs: 004C7896

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ObjectStock
String ID: CallWindowProcW$RasMigPlugin.dll$ZwWow64QueryInformationProcess64$wbemprox.dll
API String ID: 3428563643-1069739028
Opcode ID: bcb54660717496e91d53ea9e7964a11ccba8ccdb5d07c82dad5319d3e6af4794
Instruction ID: 23306fa00bf0a22dc5f4b0ba74b163c49e1a502d805b9202fc59a27c1aff3a31
Opcode Fuzzy Hash: bcb54660717496e91d53ea9e7964a11ccba8ccdb5d07c82dad5319d3e6af4794
Instruction Fuzzy Hash: 9431DF6AA44255CFD7408F79FA856E96BA0EB39704B05407ECE64A7323E2240928CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004AA5BC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004AA5BF

Strings

Wlh, xrefs: 004AA651
GetAppCompatFlags2, xrefs: 004AA66A
EtwpGetCpuSpeed, xrefs: 004AA5DF
@Mqt, xrefs: 004AA5BF

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: ErrorLast
String ID: @Mqt$EtwpGetCpuSpeed$GetAppCompatFlags2$Wlh
API String ID: 1452528299-2437382692
Opcode ID: c8ce28d19551e3fc7d7be65f6f670caa4e7a389136db18d4adc62b6c3410e924
Instruction ID: 27f3cc80a7cffb45c2bb46245841d907c204607ec495aba33d5dc80b68facf54
Opcode Fuzzy Hash: c8ce28d19551e3fc7d7be65f6f670caa4e7a389136db18d4adc62b6c3410e924
Instruction Fuzzy Hash: FD11DF34A402099FCB00DF68DAD42EC3BB1EB29320F80423AD455DB765E37949A6CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004B1A9A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

Process32NextW.KERNEL32(?,?), ref: 004B1BB3

Strings

jlU, xrefs: 004B1C2C
GetAppCompatFlags2, xrefs: 004B18D7
NlsLexicons004a.dll, xrefs: 004B1B89

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: NextProcess32
String ID: GetAppCompatFlags2$NlsLexicons004a.dll$jlU
API String ID: 1850201408-3509816254
Opcode ID: 6b750cf77f285eb5bf2c5ff84f360669ba058dc9b78811f13a22a3bf81d75724
Instruction ID: fe7099a753a3362f5ce67a67023cdfa020222f2d062b64511a398e6984fe4e5d
Opcode Fuzzy Hash: 6b750cf77f285eb5bf2c5ff84f360669ba058dc9b78811f13a22a3bf81d75724
Instruction Fuzzy Hash: 6A7148A7A942458FCB009B78FEA57F92FB5EB26324F08017BD854D7362D2680D58C768

Uniqueness

Uniqueness Score: -1.00%

Function 004C45D3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 127registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 004C4629

Strings

ws5, xrefs: 004C47CC
RtlCreateTimerQueue, xrefs: 004C468C
NlsLexicons004a.dll, xrefs: 004C47F3

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: Close
String ID: NlsLexicons004a.dll$RtlCreateTimerQueue$ws5
API String ID: 3535843008-3428923293
Opcode ID: 0ba40fdd6aa3c709b10cf640fcd9cd6ee546f59bf0d32b7effd132fad7f4ab21
Instruction ID: d1032accd18dd52a62887ea3e630660ca56d9afdd978b34d08ae8e34fcc50012
Opcode Fuzzy Hash: 0ba40fdd6aa3c709b10cf640fcd9cd6ee546f59bf0d32b7effd132fad7f4ab21
Instruction Fuzzy Hash: CD41D479E40249DFC700CFBDEE84AE97FB5EB69310B1581BAD864D7362D2740915CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004ED00E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?), ref: 004ED07B

Strings

Gs, xrefs: 004ED024
jlU, xrefs: 004ED0E7
RtlInitializeGenericTable, xrefs: 004ED042

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: FileRead
String ID: Gs$RtlInitializeGenericTable$jlU
API String ID: 2738559852-981784394
Opcode ID: 823e1dcf19d285d4bd569e073d0bd3212d073ac6b7608a317c68722cb841b301
Instruction ID: 3bbe37fc7f392fd5ef0392c747824183246433b28416b44ed5c175b6896b828e
Opcode Fuzzy Hash: 823e1dcf19d285d4bd569e073d0bd3212d073ac6b7608a317c68722cb841b301
Instruction Fuzzy Hash: 3831E16AA002499FD700DFB9EE856E67BB5FF29310B00013AD918D7322E3790866CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047A4F6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 0047A58C

Strings

Nqt, xrefs: 0047A58C
0c;, xrefs: 0047A5B2
NlsLexicons004a.dll, xrefs: 0047A57F

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: AddressProc
String ID: 0c;$NlsLexicons004a.dll$Nqt
API String ID: 190572456-3050484845
Opcode ID: d5b6c9e844a1212bee7a262ec7b619d8934b7a1294a48baf09739441e49dff90
Instruction ID: f080d47f1ffe26e6def55263c599a7ac07bf9d01609a1821e5584af28ba73779
Opcode Fuzzy Hash: d5b6c9e844a1212bee7a262ec7b619d8934b7a1294a48baf09739441e49dff90
Instruction Fuzzy Hash: 34218D65E40349DFC7009FB4EE942EE3BB1EB29314704853AD908A7726E3394924CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004BD943 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002), ref: 004BD968

Strings

NlsLexicons004a.dll, xrefs: 004BDA32
scksp.dll, xrefs: 004BD9C0

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: NlsLexicons004a.dll$scksp.dll
API String ID: 3332741929-3673066732
Opcode ID: 20d0d9d3ff3d912e6c1c85e58b40230c14d0478dfcbb23b20299ff70cfd926a7
Instruction ID: ed37f31bb527acc4fa013b0727943f79d6ba0fa87a1477efef9a413ea67b372e
Opcode Fuzzy Hash: 20d0d9d3ff3d912e6c1c85e58b40230c14d0478dfcbb23b20299ff70cfd926a7
Instruction Fuzzy Hash: 67318975E4020A9FCB00DFB8EAD52ED7BB0EB29710F0440BAD944E7352E2780A56CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004BA64E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004BA65D
GetTickCount.KERNEL32 ref: 004BA672

Strings

0vt, xrefs: 004BA672

Memory Dump Source

Source File: 00000000.00000002.308636603.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LwNdQo4zIk.jbxd

Similarity

API ID: CountCounterPerformanceQueryTick
String ID: 0vt
API String ID: 3881823799-3114708698
Opcode ID: 6d3a1a6efbe516c650128eb2034792e7b45b2cf039f25268abe0ca7f5dd13f93
Instruction ID: 041fac8532e129302a055075b57edf370340bab4589eba28654d4201e989bfa7
Opcode Fuzzy Hash: 6d3a1a6efbe516c650128eb2034792e7b45b2cf039f25268abe0ca7f5dd13f93
Instruction Fuzzy Hash: F7E0ECB0C15208DBCB00DF60D9895ADB7B4E604311B104173D852D2260EB319A20DE59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5472, Parent PID: 1792COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	0

Executed Functions

Function 6D9689AE Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 361
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 6D968D2C

Strings

dO, xrefs: 6D968E5C
0hlN, xrefs: 6D968C0D
vsstrace.dll, xrefs: 6D968A80, 6D968BD7
bhlag, xrefs: 6D968E65
clrcompression.dll, xrefs: 6D968A7B, 6D968DC1
UnRegisterTypeLibForUser, xrefs: 6D968E04
DisplayExitWindowsWarnings, xrefs: 6D968AB3
p?o, xrefs: 6D968D9C
xrWPcpst.dll, xrefs: 6D968BE1
ElfDeregisterEventSource, xrefs: 6D9689BC
compstui.dll, xrefs: 6D968C36
RtlGetCompressionWorkSpaceSize, xrefs: 6D968A93
Brmf3wia.dll, xrefs: 6D968ADE
System.Data.DataSetExtensions.dll, xrefs: 6D968C77

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: 0hlN$Brmf3wia.dll$DisplayExitWindowsWarnings$ElfDeregisterEventSource$RtlGetCompressionWorkSpaceSize$System.Data.DataSetExtensions.dll$UnRegisterTypeLibForUser$bhlag$clrcompression.dll$compstui.dll$p?o$vsstrace.dll$xrWPcpst.dll$dO
API String ID: 1029625771-63786393
Opcode ID: 4af1f2d58ca49fce96b394ae24799fc4f4f679a50f925c15ec974a47f680adad
Instruction ID: 0b46041870c8912e9e63673fe9a26ce488359d16701f3837f49ba7fabccc0f72
Opcode Fuzzy Hash: 4af1f2d58ca49fce96b394ae24799fc4f4f679a50f925c15ec974a47f680adad
Instruction Fuzzy Hash: 52D1AC66A5A3828FDF04DFB8D9907D93BB0EB6F318B04C22E991487786E3640507CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D96A423 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 172
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 6D96A4C1

Strings

>lj, xrefs: 6D96A672
setup16.exe, xrefs: 6D96A43A
ZwSetInformationEnlistment, xrefs: 6D96A50D
UnRegisterTypeLibForUser, xrefs: 6D96A5FF
lag, xrefs: 6D96A449
Brmf3wia.dll, xrefs: 6D96A58F
System.Data.DataSetExtensions.dll, xrefs: 6D96A556

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: >lj$Brmf3wia.dll$System.Data.DataSetExtensions.dll$UnRegisterTypeLibForUser$ZwSetInformationEnlistment$lag$setup16.exe
API String ID: 1029625771-3660322804
Opcode ID: 2666618648ebff708d50c729eb54ff28726354351d8dbbd0be87d60bc713db8b
Instruction ID: b9fc5f410048864ec00616c529bfd68b69b13161c621e70ee9a35bad31f1ae84
Opcode Fuzzy Hash: 2666618648ebff708d50c729eb54ff28726354351d8dbbd0be87d60bc713db8b
Instruction Fuzzy Hash: 1451CD26A5E3818FDF018FB8D9947C93BB1EBAE308F05C16ED655AB782E3640447C721

Uniqueness

Uniqueness Score: -1.00%

Function 6D9AC036 Relevance: 1.3, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharUpperBuffA.USER32(00000000,?,?), ref: 6D9AC06D

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: c2f963b714e7d77b31bac4ed5a5013999aad52d8b75af7b9bab3e6addd6e8797
Instruction ID: 9cb1a922730d3c80d7d65d6f6d840cc3a9a40fd58a40f5d9cf6103951d3af578
Opcode Fuzzy Hash: c2f963b714e7d77b31bac4ed5a5013999aad52d8b75af7b9bab3e6addd6e8797
Instruction Fuzzy Hash: E0F0AE32D0410CBFCF019FA8C840A8CBBB1AF04318F14C1A4A928A6260D7328A20EF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D972EF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D972F0B

Strings

correngine.dll, xrefs: 6D972F73
RaiseException, xrefs: 6D972EFF

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: RaiseException$correngine.dll
API String ID: 190572456-270107267
Opcode ID: 4bb3f6d51d1abe4bdeb7ebd8d8d332ae930514dd76603a215a5240e0f300feb0
Instruction ID: a9fe1d3c58c99efbecde3c3e72d81a8be980704cac4f78de76ca2286985220b0
Opcode Fuzzy Hash: 4bb3f6d51d1abe4bdeb7ebd8d8d332ae930514dd76603a215a5240e0f300feb0
Instruction Fuzzy Hash: AE21FE36A593419FCF00CBB9D984B99BBB0EB9E328B54C22EE500E7742E3340943CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D96658E Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 372
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 6D96660A

Strings

A"B, xrefs: 6D966857
xrWPcpst.dll, xrefs: 6D96667D
0hlN, xrefs: 6D966A85
M!", xrefs: 6D966A60
BRURD23A.DLL, xrefs: 6D96697F
correngine.dll, xrefs: 6D966819
4b', xrefs: 6D966779
qEv, xrefs: 6D96684E
Brmf3wia.dll, xrefs: 6D966AB2
metadata.dll, xrefs: 6D966A65

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: 0hlN$4b'$A"B$BRURD23A.DLL$Brmf3wia.dll$M!"$correngine.dll$metadata.dll$qEv$xrWPcpst.dll
API String ID: 1029625771-3674605508
Opcode ID: 75bafdd2451f32f7bd3d36b97f0012972d449503bb6d9c0ea1f21d92b8189f55
Instruction ID: 53161fb48d59c70141ef67f7ad07219bd0883cb66939bc60570ed90be1addbd1
Opcode Fuzzy Hash: 75bafdd2451f32f7bd3d36b97f0012972d449503bb6d9c0ea1f21d92b8189f55
Instruction Fuzzy Hash: 99D1DF66A5E3828FCF009FB999947D93BB0EB6B328B08C26ED85497781E3740507CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D970621 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 291
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 6D970648

Strings

@BW, xrefs: 6D970701
ElfDeregisterEventSource, xrefs: 6D97091C
bhlag, xrefs: 6D970878
setup16.exe, xrefs: 6D970A37
api-ms-win-core-synch-l1-1-0.dll, xrefs: 6D970866
RaiseException, xrefs: 6D970754
Microsoft.Office.Tools.Common.ni.dll, xrefs: 6D970947
GetSidSubAuthorityCount, xrefs: 6D9709B7
lN, xrefs: 6D970860
Brmf3wia.dll, xrefs: 6D970632

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: @BW$Brmf3wia.dll$ElfDeregisterEventSource$GetSidSubAuthorityCount$Microsoft.Office.Tools.Common.ni.dll$RaiseException$api-ms-win-core-synch-l1-1-0.dll$bhlag$lN$setup16.exe
API String ID: 190572456-3866897338
Opcode ID: dc125b66c5a6dad7c997aac72fb227319fef7050d0c2c4d5964e17b336fe6ccb
Instruction ID: 92e7eed8400139e1767605d3ba52d6e1148eebbf79fb64182f530c987939936e
Opcode Fuzzy Hash: dc125b66c5a6dad7c997aac72fb227319fef7050d0c2c4d5964e17b336fe6ccb
Instruction Fuzzy Hash: 7FB1BA6AA593468FCF00CFB9D9847D97BB0EB6E318B04C26ED9289B745E3350907CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D976574 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 223
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?), ref: 6D976663

Strings

m@P, xrefs: 6D976636
RtlTimeToTimeFields, xrefs: 6D976871
lN, xrefs: 6D97669A
B]-, xrefs: 6D976729
CDQ, xrefs: 6D976802
qEv, xrefs: 6D976744
X&G, xrefs: 6D976791
&!`, xrefs: 6D9766A2
xrWPcpst.dll, xrefs: 6D976814
Brmf3wia.dll, xrefs: 6D976652

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: &!`$B]-$Brmf3wia.dll$CDQ$RtlTimeToTimeFields$X&G$m@P$qEv$xrWPcpst.dll$lN
API String ID: 190572456-4068470198
Opcode ID: dc706024609b38d6df31855b9a7f2508e39c233c20b8335d659e1cccd421f9c9
Instruction ID: 151b6590fa4b4b09a60417fa70443999803da64bfb6e8f7df7d09b82e6f8b6d3
Opcode Fuzzy Hash: dc706024609b38d6df31855b9a7f2508e39c233c20b8335d659e1cccd421f9c9
Instruction Fuzzy Hash: 1581AD66A1A3429FCF009FB8DA547D93BB1EB6E328B04C66ED864D7786E3340503CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6D97BD3A Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 365libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D97BE38

Strings

setup16.exe, xrefs: 6D97C11A
PhotoBase.dll, xrefs: 6D97BEE3
clrcompression.dll, xrefs: 6D97C165
RtlTimeToTimeFields, xrefs: 6D97C1DE
compstui.dll, xrefs: 6D97C193
MessageBoxA, xrefs: 6D97C148
lag, xrefs: 6D97C2AB
lN, xrefs: 6D97C20A

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: MessageBoxA$PhotoBase.dll$RtlTimeToTimeFields$clrcompression.dll$compstui.dll$lN$lag$setup16.exe
API String ID: 190572456-3070735637
Opcode ID: 673977db5249738788952c49549bcaf0aae0d80f1c6c8133703780aedd53cb30
Instruction ID: e7ccbf5e9aae3f439fad47704fecc75ffd9b332ebf6834258ca10f810f4404a3
Opcode Fuzzy Hash: 673977db5249738788952c49549bcaf0aae0d80f1c6c8133703780aedd53cb30
Instruction Fuzzy Hash: 53E1B766A197469BCF00DFB8CA907D93BB1EFAB328B04C26DD9249B781E3744543CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6D980E0F Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 224libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D981025

Strings

FHn, xrefs: 6D980E84
vsstrace.dll, xrefs: 6D980E47
PhotoBase.dll, xrefs: 6D980EC4
lN, xrefs: 6D9810F9
Microsoft.Office.Tools.Common.ni.dll, xrefs: 6D980EB7
f[T, xrefs: 6D980F56
KBDTH1.DLL, xrefs: 6D980F4B
Brmf3wia.dll, xrefs: 6D981008

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: Brmf3wia.dll$FHn$KBDTH1.DLL$Microsoft.Office.Tools.Common.ni.dll$PhotoBase.dll$f[T$vsstrace.dll$lN
API String ID: 190572456-4117702296
Opcode ID: 5b7799951d83a136172537e123edfd0b6f2fbbca7544d2025da8ff034eb25321
Instruction ID: 245fbff8f93b8b2c73b0cc94d31693574005f989f2ed292bfb90ef3c0abe3155
Opcode Fuzzy Hash: 5b7799951d83a136172537e123edfd0b6f2fbbca7544d2025da8ff034eb25321
Instruction Fuzzy Hash: 4371E067A6E3818FCF018E74D9807D93BB1EBBB728B09C66DD858A7786E3250407C711

Uniqueness

Uniqueness Score: -1.00%

Function 6D977A96 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 183libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D977B10

Strings

ElfDeregisterEventSource, xrefs: 6D977A99
j4b', xrefs: 6D977AEF
>lj, xrefs: 6D977CE1
OEMHelpIns.dll, xrefs: 6D977B00
bhlag, xrefs: 6D977C96
RaiseException, xrefs: 6D977B4B
lN, xrefs: 6D977B75
RtlQueryRegistryValues, xrefs: 6D977C82

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: j4b'$>lj$ElfDeregisterEventSource$OEMHelpIns.dll$RaiseException$RtlQueryRegistryValues$bhlag$lN
API String ID: 190572456-497976401
Opcode ID: 88c0aa325397d3dffc7a42321fe2f236d9aaa251aaeafe9d4ddafdc7be6bc2a7
Instruction ID: d3a4608f0fcc58b73732710eb1bb5df9ec92ac6fe794b36a37c20d0b041b9b35
Opcode Fuzzy Hash: 88c0aa325397d3dffc7a42321fe2f236d9aaa251aaeafe9d4ddafdc7be6bc2a7
Instruction Fuzzy Hash: 2D717466A59302DBCF00DF78D6957D93BB1EBAB328B04C22EC95497B85E3384507C715

Uniqueness

Uniqueness Score: -1.00%

Function 6D9724D5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D9725DD

Strings

ElfDeregisterEventSource, xrefs: 6D972559
hlN, xrefs: 6D972566
kE3, xrefs: 6D9724EF
PhotoBase.dll, xrefs: 6D9724DA
4b', xrefs: 6D97263B
MessageBoxA, xrefs: 6D9726AB
RW5, xrefs: 6D972630
System.Data.DataSetExtensions.dll, xrefs: 6D972620, 6D97269E

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: 4b'$ElfDeregisterEventSource$MessageBoxA$PhotoBase.dll$RW5$System.Data.DataSetExtensions.dll$hlN$kE3
API String ID: 190572456-225836787
Opcode ID: 6e9696b2264ef535d1d3d762024afd46d07bfed8e7cb5867fa2dfd957622a998
Instruction ID: 7e66daaaef427ba50bc62ef9361a65874bb1d270535e985f60a64649bb8f074a
Opcode Fuzzy Hash: 6e9696b2264ef535d1d3d762024afd46d07bfed8e7cb5867fa2dfd957622a998
Instruction Fuzzy Hash: 7051AA6A9693468FCF11DFA8C5A07D97BB1EBAE328B00C16EC954DB745E3304543CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6D9815DF Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 174libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D9816E2

Strings

FHn, xrefs: 6D981684
ieframe.dll, xrefs: 6D981806
x!,, xrefs: 6D981756
api-ms-win-core-synch-l1-1-0.dll, xrefs: 6D981616
CancelTimerQueueTimer, xrefs: 6D98166A
lag, xrefs: 6D9817B8
xrWPcpst.dll, xrefs: 6D981734

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: CancelTimerQueueTimer$FHn$api-ms-win-core-synch-l1-1-0.dll$ieframe.dll$lag$x!,$xrWPcpst.dll
API String ID: 190572456-19324304
Opcode ID: e9eecd787e21da3dbca6e647737f316a4d8022afe793cceb7767af00028ddb6f
Instruction ID: 56d061a68ce3e8643e9121fa34fd6973c368dc0f8d11c37aed272215e53eece7
Opcode Fuzzy Hash: e9eecd787e21da3dbca6e647737f316a4d8022afe793cceb7767af00028ddb6f
Instruction Fuzzy Hash: A4519766E283469BCF00DF78CA94BD93BB0EB6B328B04C26DD955A3786E3344543CB45

Uniqueness

Uniqueness Score: -1.00%

Function 6D965760 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D96586A

Strings

ElfDeregisterEventSource, xrefs: 6D96592E
I:B, xrefs: 6D96584D
RtlTimeToTimeFields, xrefs: 6D965767
lN, xrefs: 6D9658AB
api-ms-win-core-synch-l1-1-0.dll, xrefs: 6D965945
DisplayExitWindowsWarnings, xrefs: 6D965893
RtlQueryRegistryValues, xrefs: 6D96583D

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: DisplayExitWindowsWarnings$ElfDeregisterEventSource$I:B$RtlQueryRegistryValues$RtlTimeToTimeFields$api-ms-win-core-synch-l1-1-0.dll$lN
API String ID: 190572456-3450814590
Opcode ID: 9e3c35d6e05c494ae07e2e67b2f909b62b2e3bcda95ec19c52ee05a769ebfc32
Instruction ID: 3599d67ea31229c11aa2d614dc830c16046153d5d6c8a5fd982118c28175157a
Opcode Fuzzy Hash: 9e3c35d6e05c494ae07e2e67b2f909b62b2e3bcda95ec19c52ee05a769ebfc32
Instruction Fuzzy Hash: A551DF62E5A3428FDF048F75C9903E97BB1FB6A318B48C22DC81597B46E3350507CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6D96D63A Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 226libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D96D794

Strings

hlN, xrefs: 6D96D65E
vsstrace.dll, xrefs: 6D96D750
-/:, xrefs: 6D96D7FA
PhotoBase.dll, xrefs: 6D96D860
clrcompression.dll, xrefs: 6D96D7E2
DisplayExitWindowsWarnings, xrefs: 6D96D7B1

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: -/:$DisplayExitWindowsWarnings$PhotoBase.dll$clrcompression.dll$hlN$vsstrace.dll
API String ID: 190572456-3767241438
Opcode ID: 58d1b0d44d102e6878c48b684ea7dd2c50492cb86519a509f7ebf9fde856cb1c
Instruction ID: a817e7ef3ce25c5dc0657c102f84a2f5fb80701e7b6f9a4aa3837346683cffec
Opcode Fuzzy Hash: 58d1b0d44d102e6878c48b684ea7dd2c50492cb86519a509f7ebf9fde856cb1c
Instruction Fuzzy Hash: F7819E66A593469FCF00DFB8D9847D97BB0EBAE318B04826ED924DB702E3740543CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D97CABA Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 199libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D97CAC7

Strings

F?#, xrefs: 6D97CBBE
0hlN, xrefs: 6D97CC0E
7$7, xrefs: 6D97CC14
MessageBoxA, xrefs: 6D97CCC5
KBDTH1.DLL, xrefs: 6D97CD35
8y8, xrefs: 6D97CBC3

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: 0hlN$7$7$8y8$F?#$KBDTH1.DLL$MessageBoxA
API String ID: 190572456-1703494151
Opcode ID: e54f82e7f74b9a871a257243acf98be97b31bcffe8435eb88158ec7d936eb0e9
Instruction ID: f3a2e83eb6adda28e4f23f882ec0ce5c0d81f79abb87acc4d855215986987170
Opcode Fuzzy Hash: e54f82e7f74b9a871a257243acf98be97b31bcffe8435eb88158ec7d936eb0e9
Instruction Fuzzy Hash: 7471BC6795E3418FCF01DFB8C9947C93BB1EBAB228B04C25EE8249B741E3640643CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D97C337 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D97C456

Strings

>lj, xrefs: 6D97C578
OEMHelpIns.dll, xrefs: 6D97C3B0
@x%, xrefs: 6D97C423
lN, xrefs: 6D97C566
System.Web.DynamicData.Design.dll, xrefs: 6D97C349
GetSidSubAuthorityCount, xrefs: 6D97C50A

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: >lj$@x%$GetSidSubAuthorityCount$OEMHelpIns.dll$System.Web.DynamicData.Design.dll$lN
API String ID: 190572456-4072339296
Opcode ID: 087cac2b92d95b5cf2ea7e90a5d82637454ac1399d97f9420c5bdbb5ad72b903
Instruction ID: d76cc8825a379b9fd00b44dc3a8ca28082f37658ab07cf4089992f949efdb5b5
Opcode Fuzzy Hash: 087cac2b92d95b5cf2ea7e90a5d82637454ac1399d97f9420c5bdbb5ad72b903
Instruction Fuzzy Hash: 24517666A5E3818FCF01CFB8D5947D93BB1EB6F218B04C26E995497B82E3304543CB12

Uniqueness

Uniqueness Score: -1.00%

Function 6D98928C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D9892DC

Strings

ieframe.dll, xrefs: 6D9892F2
setup16.exe, xrefs: 6D989393
qEv, xrefs: 6D989313
HL?, xrefs: 6D98939A
*7I, xrefs: 6D989299
&J7, xrefs: 6D989343

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: &J7$*7I$HL?$ieframe.dll$qEv$setup16.exe
API String ID: 190572456-1028871580
Opcode ID: 49bbc44a965baa2b2c14bba27beafbc4c3663b0d2927fee4198c447967f16263
Instruction ID: 918e42d973a5f46467f090395c57a4f246b4de082f69043958459a479524582f
Opcode Fuzzy Hash: 49bbc44a965baa2b2c14bba27beafbc4c3663b0d2927fee4198c447967f16263
Instruction Fuzzy Hash: A231C366A5D342DFDF019B68D5623E93B71EBAF72CB08C61E884587B87E3690403C705

Uniqueness

Uniqueness Score: -1.00%

Function 6D9683ED Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 299libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 6D96855D

Strings

ElfDeregisterEventSource, xrefs: 6D968460
OEMHelpIns.dll, xrefs: 6D9686AD
BRURD23A.DLL, xrefs: 6D9686F5
ieframe.dll, xrefs: 6D968508
lN, xrefs: 6D96863D

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: BRURD23A.DLL$ElfDeregisterEventSource$OEMHelpIns.dll$ieframe.dll$lN
API String ID: 1029625771-1011742970
Opcode ID: f299b51f0f78d16eb56148553f78e70fac80c2b4ed3be049958111a7bb92e0f5
Instruction ID: 0396cb8aacc5321659c7a9975e1f646896c0de3be91568575d5734d6ae09cf0e
Opcode Fuzzy Hash: f299b51f0f78d16eb56148553f78e70fac80c2b4ed3be049958111a7bb92e0f5
Instruction Fuzzy Hash: 85B1A926A6A3828FCF059FB8C9947D97BB1EB6F318B08C26EC94497786E3350543C711

Uniqueness

Uniqueness Score: -1.00%

Function 6D96437D Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D9645D7

Strings

g", xrefs: 6D96443E
CoGetInterceptorFromTypeInfo, xrefs: 6D964514
wf9, xrefs: 6D964504
g<, xrefs: 6D964415

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: CoGetInterceptorFromTypeInfo$g"$wf9$g<
API String ID: 190572456-4209002683
Opcode ID: 6ac25ad9cb4c8ada80554f05f46443c76dd9ca14df1b54bfec4c784f15f99e06
Instruction ID: 3efd60557acc6742583dd5cd65a80da70597bb200a11134434b47c033ce412ca
Opcode Fuzzy Hash: 6ac25ad9cb4c8ada80554f05f46443c76dd9ca14df1b54bfec4c784f15f99e06
Instruction Fuzzy Hash: FA71F62B61E3908FDB018A7CD8947D93BF8DBAF618B05C26ED854D7742E3650407CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D9694ED Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000001), ref: 6D9695C0

Strings

PATHPING.EXE, xrefs: 6D969596
Microsoft.Office.Tools.Common.ni.dll, xrefs: 6D96964A
Brmf3wia.dll, xrefs: 6D96969B

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: Brmf3wia.dll$Microsoft.Office.Tools.Common.ni.dll$PATHPING.EXE
API String ID: 190572456-915997367
Opcode ID: 6468b4177abfc66c3ba5904422cf6290b9a11c0707fb98f22000a60b66015a7e
Instruction ID: 43394338dd7d68aaf1f4f537f3ca74288b036c7f690fca495eeb00fe639edd3b
Opcode Fuzzy Hash: 6468b4177abfc66c3ba5904422cf6290b9a11c0707fb98f22000a60b66015a7e
Instruction Fuzzy Hash: 2151BE62A2E3819FCF018F7985947893BB1EBAF318B09C27DD95897B46E3710843C791

Uniqueness

Uniqueness Score: -1.00%

Function 6D979B93 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D979BFF

Strings

FHn, xrefs: 6D979D0C
lN, xrefs: 6D979CDD

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: FHn$lN
API String ID: 190572456-2710608911
Opcode ID: 9fd157ec86c26ef0f4c63501a5a258019b5df9e1da640f6e98e4ba86e57b572c
Instruction ID: a54af28f5e7906821c79b0eedd40241cb512fc799c74d90437aa417f0bac07a9
Opcode Fuzzy Hash: 9fd157ec86c26ef0f4c63501a5a258019b5df9e1da640f6e98e4ba86e57b572c
Instruction Fuzzy Hash: 0F519926A197069FCF00DFB9C9807C97BB1EB6E328B04C26ED564AB392E3350543CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6D974563 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?), ref: 6D97466E

Strings

'UN, xrefs: 6D974604
correngine.dll, xrefs: 6D9745A0

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: 'UN$correngine.dll
API String ID: 190572456-1488156376
Opcode ID: fdd64613e09e3c4ba326c214a4bb9867594ed6c03a5618c98eb303b615039a17
Instruction ID: 305407285b153240281096881bb59fb8894533f7ca1f06368952d80c3eafc645
Opcode Fuzzy Hash: fdd64613e09e3c4ba326c214a4bb9867594ed6c03a5618c98eb303b615039a17
Instruction Fuzzy Hash: ED218975A19381CBCF01DFB8C580BDC7BB1EB6E218B05826EC8209BB46E3714083CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6D971889 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6D9718E6

Strings

Eg5, xrefs: 6D971963
^ !, xrefs: 6D97196F

Memory Dump Source

Source File: 00000001.00000002.689640906.000000006D961000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D960000, based on PE: true

Associated: 00000001.00000002.689637078.000000006D960000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689773460.000000006DA0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689810579.000000006DA0E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.689826505.000000006DA0F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d960000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: Eg5$^ !
API String ID: 190572456-1743815323
Opcode ID: e584dcef19a3c8321ee41feefdb5219ab120011cbf563e1bff2a24192f9ee4dd
Instruction ID: 9cc3199e9cec92b0f9ea260046fc7dda3f4cbb8532388d54e77e806a3e3cd6b6
Opcode Fuzzy Hash: e584dcef19a3c8321ee41feefdb5219ab120011cbf563e1bff2a24192f9ee4dd
Instruction Fuzzy Hash: 6D219A66A5A3409FDF10CF79C8907E87BB4EBAB308F04C15EA814A3642E3784907CB25

Uniqueness

Uniqueness Score: -1.00%

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.853487844881012
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LwNdQo4zIk.exe
File size:	1034752
MD5:	3ccd6b369eb1dde57d181e7550bd7268
SHA1:	aee399e263c838570c00133feab275b81009e12a
SHA256:	f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
SHA512:	00bd3bb981e2a5bd4c30241025f352e9e528d76300e67fcdbe89ee9e12ecbba73b291aebd9b73f73a8aaa32e2a8b2d1b4d49796cdc11a1b891a313cf0a9dcc03
SSDEEP:	24576:RFOWvM7bZBFpXlDpRjJ5JAXVm359Ov9UIrczuX:RguWRNpRjJPgAp9ucz
TLSH:	B7251201329194A7C1CA6A3C4930E7F02D7FBCF29D7CE187EB643A1E9E706B14A55687
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.Y.......Z.......L.......................K.......[.......^.....Rich............................PE..L....7.b...

Entrypoint:	0x40600e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x620337B3 [Wed Feb 9 03:40:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7bca87c7309353055aed194207c93e99

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16dec	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10d000	0xbcb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x43a0	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16850	0x16a00	False	0.5431198204419889	data	6.3410785244090935	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x18000	0xf4fb4	0xd9e00	False	0.9918356461560528	data	7.991407419226785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10d000	0xbcb0	0xbe00	False	0.38569078947368424	data	4.2370546659086274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x1160a0	0x2	data
AFX_DIALOG_LAYOUT	0x116098	0x2	data
AFX_DIALOG_LAYOUT	0x1160a8	0x2	data
AFX_DIALOG_LAYOUT	0x1160b0	0x2	data
AFX_DIALOG_LAYOUT	0x1160b8	0x2	data
RT_CURSOR	0x1160c0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x116208	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR	0x116338	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0
RT_CURSOR	0x116428	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_CURSOR	0x117500	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x10d6e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Serbian	Italy
RT_ICON	0x10dda8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Serbian	Italy
RT_ICON	0x10e310	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Serbian	Italy
RT_ICON	0x10f3b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Serbian	Italy
RT_ICON	0x10f860	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Serbian	Italy
RT_ICON	0x110708	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Serbian	Italy
RT_ICON	0x110fb0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Serbian	Italy
RT_ICON	0x111678	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Serbian	Italy
RT_ICON	0x111be0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Serbian	Italy
RT_ICON	0x114188	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Serbian	Italy
RT_ICON	0x115230	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Serbian	Italy
RT_ICON	0x115bb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Serbian	Italy
RT_STRING	0x117f18	0xea	data	Serbian	Italy
RT_STRING	0x118008	0x348	data	Serbian	Italy
RT_STRING	0x118350	0x682	data	Serbian	Italy
RT_STRING	0x1189d8	0x2d8	data	Serbian	Italy
RT_GROUP_CURSOR	0x1161f0	0x14	data
RT_GROUP_CURSOR	0x117da8	0x14	data
RT_GROUP_CURSOR	0x1174d0	0x30	data
RT_GROUP_ICON	0x116020	0x76	data	Serbian	Italy
RT_GROUP_ICON	0x10f820	0x3e	data	Serbian	Italy
RT_VERSION	0x117dc0	0x154	Encore not stripped - version 79

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LwNdQo4zIk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: LwNdQo4zIk.exePID: 1792, Parent PID: 3528

General

Chronological Activities

Analysis Process: rundll32.exePID: 5472, Parent PID: 1792

General

Chronological Activities

Windows Analysis Report
LwNdQo4zIk.exe

Function 004A7759 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 259
encryptionCOMMON

Function 004AB9D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79
encryptionCOMMON

Function 004EC46C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 98
processCOMMON

Function 0046FE63 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 90
libraryCOMMON

Function 0046F519 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81
libraryCOMMON