
Windows Analysis Report
k4r0jp3daA.exe

Overview

General Information

Sample name:k4r0jp3daA.exe
renamed because original name is a hash value
Original sample name:dd1be96e0ffa6d6edb22f3c8eab32a9b.exe
Analysis ID:1436921
MD5:dd1be96e0ffa6d6edb22f3c8eab32a9b
SHA1:6b3b9ce7c5098a432cd13f81b69d34485d9781e6
SHA256:d6512c7074736218fdcc7f19d797d34a85267e188bdac0fc2a1ad0393e8c0881
Tags:32exe
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • k4r0jp3daA.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\k4r0jp3daA.exe" MD5: DD1BE96E0FFA6D6EDB22F3C8EAB32A9B)
    • conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: k4r0jp3daA.exe | Virustotal: Detection: 19%
Source: k4r0jp3daA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: k4r0jp3daA.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: BthUdTask.pdbGCTL source: k4r0jp3daA.exe
Source: Binary string: BthUdTask.pdb source: k4r0jp3daA.exe
Source: k4r0jp3daA.exe, 00000000.00000002.1969078808.0000000000556000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBthUdTask.exej% vs k4r0jp3daA.exe
Source: k4r0jp3daA.exe | Binary or memory string: OriginalFilenameBthUdTask.exej% vs k4r0jp3daA.exe
Source: classification engine | Classification label: mal48.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
Source: k4r0jp3daA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\k4r0jp3daA.exe "C:\Users\user\Desktop\k4r0jp3daA.exe"
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | Section loaded: devobj.dll
Source: k4r0jp3daA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: k4r0jp3daA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: k4r0jp3daA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: k4r0jp3daA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: k4r0jp3daA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: k4r0jp3daA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: k4r0jp3daA.exe | Static PE information: 0x8262E41A [Wed Apr 27 12:10:02 2039 UTC]
Source: k4r0jp3daA.exe | Static PE information: real checksum: 0x167ce should be: 0x4063d
Source: k4r0jp3daA.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | Code function: 0_2_00551FCD push ecx; ret 0_2_00551FE0
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | API coverage: 7.6 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | Code function: 0_2_00551FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00551FF9
Source: C:\Users\user\Desktop\k4r0jp3daA.exe | Code function: 0_2_00551ED5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00551ED5
MITRE ATT&CK Matrix (matched techniques per tactic, with match counts; tactics without a match are omitted)

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Process Injection (1), Timestomp (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), System Information Discovery (2)
Behavior Graph

  • Behavior Graph ID: 1436921
  • Sample: k4r0jp3daA.exe
  • Startdate: 06/05/2024
  • Architecture: WINDOWS
  • Score: 48
  • Signature shown on graph: Multi AV Scanner detection for submitted file
  • Processes shown on graph: k4r0jp3daA.exe (started) -> conhost.exe (started)

Source | Detection | Scanner | Label
k4r0jp3daA.exe | 12% | ReversingLabs | Win32.Trojan.Strictor
k4r0jp3daA.exe | 19% | Virustotal |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1436921
Start date and time:2024-05-06 18:56:05 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:k4r0jp3daA.exe
renamed because original name is a hash value
Original Sample Name:dd1be96e0ffa6d6edb22f3c8eab32a9b.exe
Detection:MAL
Classification:mal48.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 6
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):4.7922053168971095
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:k4r0jp3daA.exe
File size:200'300 bytes
MD5:dd1be96e0ffa6d6edb22f3c8eab32a9b
SHA1:6b3b9ce7c5098a432cd13f81b69d34485d9781e6
SHA256:d6512c7074736218fdcc7f19d797d34a85267e188bdac0fc2a1ad0393e8c0881
SHA512:07da091bde8a1e7e207a86afdb8b14c30bc91fa420f63130dfa6f91edb6554fcb60e9e8669a44452c42f5a4a37465920a1d6125b4bcd79eb21c0e30da3e3ce50
SSDEEP:1536:S0AC/O580AC/O5o4RPNvKu0AC/O5V0AC/O5:b/OT/OtS/Ow/O
TLSH:0714E92965272922F28302F4FDBAF5701423AE650A36665F2D7C3B2BB53F152ECD1235
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .P.A...A...A...'...A...'...A...'...A...'...A...A...A...'...A...',..A...'...A..Rich.A..........................PE..L.....b....
Icon Hash:1b73e4b9f0f2512f
Entrypoint:0x401c20
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x8262E41A [Wed Apr 27 12:10:02 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:ab106f86dfb187b013004b44c843d3e8
Instruction
call 00007F695948F325h
jmp 00007F695948EE5Eh
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
push 00401C60h
push 00403004h
call 00007F695948F418h
add esp, 18h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp ecx, dword ptr [00403004h]
jne 00007F695948F075h
retn 0000h
jmp 00007F695948F428h
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F695948F09Dh
cmp dword ptr [eax+10h], 03h
jne 00007F695948F097h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F695948F087h
cmp eax, 19930521h
je 00007F695948F080h
cmp eax, 19930522h
je 00007F695948F079h
cmp eax, 01994000h
jne 00007F695948F078h
call dword ptr [0040407Ch]
xor eax, eax
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00401C70h
call dword ptr [0040406Ch]
xor eax, eax
ret
jmp dword ptr [004040ACh]
push 0000000Ch
push 00402230h
call 00007F695948F31Dh
xor ecx, ecx
mov eax, dword ptr [ebp+08h]
test eax, eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40c0 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x6f68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd000 | 0x1a0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1008 | 0xa4 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0xbc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x226c | 0x80 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1390 | 0x1400 | c70598a3fa13fa9167cb258044a7bda8 | False | 0.5673828125 | data | 5.714004541895369 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x37c | 0x200 | bcb053506e7c83e9b9455a0b5f85fd94 | False | 0.048828125 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4000 | 0x544 | 0x600 | 8ab1f8ef3d5c1bb2806710ab2909c76f | False | 0.4713541666666667 | data | 4.617165196695111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x5000 | 0x1c | 0x200 | 7e607e17746d317a6263a4e7308c1a98 | False | 0.048828125 | data | 0.21310128450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x6f68 | 0x7000 | c9f51835ecbab625124c5aef60ebccd2 | False | 0.27926199776785715 | data | 3.836637267055723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd000 | 0x1a0 | 0x200 | f3867169cf0a9df2cc72b9eeb74ffa01 | False | 0.822265625 | data | 5.428434944274974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MUI | 0xce90 | 0xd8 | data | English | United States | 0.5324074074074074
RT_ICON | 0x6b18 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5675675675675675
RT_ICON | 0x6c40 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.23699421965317918
RT_ICON | 0x71a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.49193548387096775
RT_ICON | 0x7490 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.4174187725631769
RT_ICON | 0x7d38 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.375
RT_ICON | 0x83a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.32116204690831557
RT_ICON | 0x9248 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2712765957446808
RT_ICON | 0x96b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3013602251407129
RT_ICON | 0xa758 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1808091286307054
RT_STRING | 0xcd88 | 0x108 | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.5037878787878788
RT_GROUP_ICON | 0xcd00 | 0x84 | data | English | United States | 0.6439393939393939
RT_VERSION | 0x6768 | 0x3ac | data | English | United States | 0.45851063829787236
RT_MANIFEST | 0x6370 | 0x3f6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.47830374753451677
DLL | Import
KERNEL32.dll | CloseHandle, SetEvent, ResolveDelayLoadedAPI, CompareStringOrdinal, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetLastError, OpenEventW, DelayLoadFailureHook, Sleep, SetUnhandledExceptionFilter, GetModuleHandleW
msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _except_handler4_common, _initterm, __setusermatherr, __p__fmode, memset, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _vsnwprintf, _cexit
ADVAPI32.dll | RegQueryValueExW, RegCloseKey
DEVOBJ.dll | DevObjGetClassDevs, DevObjUninstallDevice, DevObjOpenDevRegKey, DevObjCreateDeviceInfoList, DevObjEnumDeviceInfo, DevObjGetDeviceInstanceId, DevObjDestroyDeviceInfoList
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID:0
Start time:18:56:48
Start date:06/05/2024
Path:C:\Users\user\Desktop\k4r0jp3daA.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\k4r0jp3daA.exe"
Imagebase:0x550000
File size:200'300 bytes
MD5 hash:DD1BE96E0FFA6D6EDB22F3C8EAB32A9B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:18:56:48
Start date:06/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:8.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.1%
    Total number of Nodes:121
    Total number of Limit Nodes:2

    Callgraph

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1969028390.0000000000551000.00000020.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
    • Associated: 00000000.00000002.1969007534.0000000000550000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1969078808.0000000000554000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1969078808.0000000000556000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_550000_k4r0jp3daA.jbxd
    Similarity
    • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
    • String ID: p3U$p3U
    • API String ID: 796493780-2547165855
    • Opcode ID: dd3a9485d190cc7b3a6efb61a561e6e756e3b48709e5c236d56603ecc7a6132f
    • Instruction ID: 5db6792bfb4c34d5e2080a690734a21ab2dbed5c6f1928073c76f646435dfb95
    • Opcode Fuzzy Hash: dd3a9485d190cc7b3a6efb61a561e6e756e3b48709e5c236d56603ecc7a6132f
    • Instruction Fuzzy Hash: 6331C130941B11DFCB229B64DC39B197FA0B754767F20052BED09862F0DA305B8CEB98
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0055212F,@0U), ref: 00552000
    • UnhandledExceptionFilter.KERNEL32(/!U,?,0055212F,@0U), ref: 00552009
    • GetCurrentProcess.KERNEL32(C0000409,?,0055212F,@0U), ref: 00552014
    • TerminateProcess.KERNEL32(00000000,?,0055212F,@0U), ref: 0055201B
    Strings
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID: /!U
    • API String ID: 3231755760-1540253783
    • Opcode ID: 0903301b26d5697a2741533ba79fa4431ce99ace1bd19de1f6a958716a823908
    • Instruction ID: 4ecbe6875dd6c5b3dd05d948044040919a715719882cd465bfeca535b41400a5
    • Opcode Fuzzy Hash: 0903301b26d5697a2741533ba79fa4431ce99ace1bd19de1f6a958716a823908
    • Instruction Fuzzy Hash: 42D0C932004304EBC7002BE1EC1CA093E38EB9426BF244000F30A8A0B1DA354485AF61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00551F02
    • GetCurrentProcessId.KERNEL32 ref: 00551F11
    • GetCurrentThreadId.KERNEL32 ref: 00551F1A
    • GetTickCount.KERNEL32 ref: 00551F23
    • QueryPerformanceCounter.KERNEL32(?), ref: 00551F38
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 54e7998a2086661876650a21882f3791dd8b2ad0415e850aba3feb26107eed57
    • Instruction ID: 93c3d6aff24aead6ad547ec1214baf9c5f42716caeb905065ec3a09ca19c7300
    • Opcode Fuzzy Hash: 54e7998a2086661876650a21882f3791dd8b2ad0415e850aba3feb26107eed57
    • Instruction Fuzzy Hash: 8E113D71D01308EBCB10DBB8D95C69EBBF4FF18316F614896E905D7260E7349A489F54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • DevObjCreateDeviceInfoList.DEVOBJ(00000000,00000000,00000000,00000000,00000000), ref: 0055178F
    • GetLastError.KERNEL32 ref: 0055179C
    • DevObjGetClassDevs.DEVOBJ(00000000,00000000,?,00000004,00000000,00000000), ref: 005517C3
    • DevObjEnumDeviceInfo.DEVOBJ(00000000,00000000,?,?,00000004,00000000,00000000), ref: 005517FF
    • DevObjOpenDevRegKey.DEVOBJ(00000000,00000024,00000001,00000000,00000001,00020019,?,00000004,00000000,00000000), ref: 0055182B
    • GetLastError.KERNEL32(?,00000004,00000000,00000000), ref: 0055183E
    • memset.MSVCRT ref: 00551870
    • RegQueryValueExW.ADVAPI32(00000000,Bluetooth_UniqueID,00000000,00000000,?,?), ref: 00551898
    • RegCloseKey.ADVAPI32(?), ref: 005518B3
    • CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001), ref: 005518E2
    • DevObjDestroyDeviceInfoList.DEVOBJ(00000000), ref: 00551923
    Strings
    Similarity
    • API ID: DeviceInfo$ErrorLastList$ClassCloseCompareCreateDestroyDevsEnumOpenOrdinalQueryStringValuememset
    • String ID: $$0foo$Bluetooth_UniqueID
    • API String ID: 304487998-4127586434
    • Opcode ID: 5b852294db4d1d618d1cf424743715939a660c10e31d7fc7852614f1d9e3f793
    • Instruction ID: 9a7b82bc0a13548db6fe9aa51ae4ee859bcf9cfe7b96f4367ab254f71c5b45ad
    • Opcode Fuzzy Hash: 5b852294db4d1d618d1cf424743715939a660c10e31d7fc7852614f1d9e3f793
    • Instruction Fuzzy Hash: 76413C36A007249BDB3087288C54F9A7EB9FFC4722F210256FE18AB1D1DB709D4C9B94
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: _vsnwprintf
    • String ID: @$BTHLE$BTHLEDevice$Global\BTH_UNINSTALL_DEVICE_%s$bthenum
    • API String ID: 1036211903-1254234343
    • Opcode ID: 4f306057160719493ed7ba798ba3e0f3adfe0a9938640cdee5b8d6c1610460cf
    • Instruction ID: c01cbe93224db287168d6c2f1359c674f237f261be1820d8f833c33b6829de54
    • Opcode Fuzzy Hash: 4f306057160719493ed7ba798ba3e0f3adfe0a9938640cdee5b8d6c1610460cf
    • Instruction Fuzzy Hash: 77E154A280E7C01FD71387745D7A6917FB9AA53215B1E09DBC8C1CF4A3E2289C1EC366
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • memset.MSVCRT ref: 005515C8
    • OpenEventW.KERNEL32(00000002,?,03FFFDD8), ref: 005515FD
    • GetLastError.KERNEL32 ref: 0055160F
      • Part of subcall function 00551768: DevObjCreateDeviceInfoList.DEVOBJ(00000000,00000000,00000000,00000000,00000000), ref: 0055178F
      • Part of subcall function 00551768: GetLastError.KERNEL32 ref: 0055179C
      • Part of subcall function 00551768: DevObjGetClassDevs.DEVOBJ(00000000,00000000,?,00000004,00000000,00000000), ref: 005517C3
      • Part of subcall function 00551768: DevObjDestroyDeviceInfoList.DEVOBJ(00000000), ref: 00551923
      • Part of subcall function 00551768: DevObjEnumDeviceInfo.DEVOBJ(00000000,00000000,?,?,00000004,00000000,00000000), ref: 005517FF
      • Part of subcall function 00551768: DevObjOpenDevRegKey.DEVOBJ(00000000,00000024,00000001,00000000,00000001,00020019,?,00000004,00000000,00000000), ref: 0055182B
      • Part of subcall function 00551768: GetLastError.KERNEL32(?,00000004,00000000,00000000), ref: 0055183E
      • Part of subcall function 00551768: memset.MSVCRT ref: 00551870
      • Part of subcall function 00551768: RegQueryValueExW.ADVAPI32(00000000,Bluetooth_UniqueID,00000000,00000000,?,?), ref: 00551898
      • Part of subcall function 00551768: RegCloseKey.ADVAPI32(?), ref: 005518B3
      • Part of subcall function 00551768: CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001), ref: 005518E2
    Strings
    Similarity
    • API ID: DeviceErrorInfoLast$ListOpenmemset$ClassCloseCompareCreateDestroyDevsEnumEventOrdinalQueryStringValue
    • String ID: BTHLE$BTHLEDevice$Global\BTH_UNINSTALL_DEVICE_%s$bthenum
    • API String ID: 670512523-2565694137
    • Opcode ID: 01d6db1d75bd8489109428e2ea081e80395bd5f8106c384d1600c62a4146c73c
    • Instruction ID: afd3ce987c8811816e2b1697ed204b04ca57f2077a9b704f43986be09034f366
    • Opcode Fuzzy Hash: 01d6db1d75bd8489109428e2ea081e80395bd5f8106c384d1600c62a4146c73c
    • Instruction Fuzzy Hash: D411E331A40F15A7CB20ABA4492DB9ABEA9FFC5713F144197AE0597241ED30CD48CB64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 00551D3E: GetModuleHandleW.KERNEL32(00000000), ref: 00551D45
    • __set_app_type.MSVCRT ref: 00551982
    • __p__fmode.MSVCRT ref: 00551998
    • __p__commode.MSVCRT ref: 005519A6
    • __setusermatherr.MSVCRT ref: 005519C7
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: 8106a8696cec44d4e85ae4485e4086d21520da862b3f61f6fc4d481d05649ea0
    • Instruction ID: e6012de3ceb73c991a2535e357e6fcfec1bb2c277a55c86f90d9b6d076a9da52
    • Opcode Fuzzy Hash: 8106a8696cec44d4e85ae4485e4086d21520da862b3f61f6fc4d481d05649ea0
    • Instruction Fuzzy Hash: D3F0DA30501701DFC714AB70AD3D6043F70BB643B7B21461AE825862F0DF35918CEE14
    Uniqueness

    Uniqueness Score: -1.00%