
Windows Analysis Report
UIWrwFGMZ3.exe

Overview

General Information

Sample name: UIWrwFGMZ3.exe (renamed because original name is a hash value)
Original sample name: a136aa371eb80d61a757fa41be426770.exe
Analysis ID: 1393375
MD5: a136aa371eb80d61a757fa41be426770
SHA1: ff150eca8f4f5c34d73824b622089f32f5c39857
SHA256: d8674a668cb51fe0d8dc89740c03e95d1f659fb6cb66ec8c896e3b1af748662f
Tags: 64, CobaltStrike, exe

Detection

CobaltStrike
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Tries to load missing DLLs

Classification

  • System is w10x64
  • UIWrwFGMZ3.exe (PID: 5196 cmdline: C:\Users\user\Desktop\UIWrwFGMZ3.exe MD5: A136AA371EB80D61A757FA41BE426770)
  • cleanup
Malware family (Name / Description / Attribution / Link):
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
No configs have been found
Yara matches (Source | Rule | Description | Author):
UIWrwFGMZ3.exe | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
0.2.UIWrwFGMZ3.exe.400000.0.unpack | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
0.0.UIWrwFGMZ3.exe.400000.0.unpack | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
No Sigma rule has matched
No Snort rule has matched


        AV Detection

Source: UIWrwFGMZ3.exe, Avira: detected
Source: UIWrwFGMZ3.exe, ReversingLabs: Detection: 95%
Source: UIWrwFGMZ3.exe, Virustotal: Detection: 80%
Source: UIWrwFGMZ3.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Section loaded: apphelp.dll
Source: classification engine, Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_00403340 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_0044B2D0 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_004031D9 StartServiceCtrlDispatcherA
Source: UIWrwFGMZ3.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (read by the Software Restriction Policies check during process creation; expected whenever a process is spawned)
Source: UIWrwFGMZ3.exe, Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, API coverage: 6.9%
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

        Anti Debugging

Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_0-969)
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_0044B3D8 SetUnhandledExceptionFilter,VirtualAllocEx
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_004031F1 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_00402D80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_00401740 CreateNamedPipeA,ConnectNamedPipe,WriteFile,WriteFile,CloseHandle
Source: C:\Users\user\Desktop\UIWrwFGMZ3.exe, Code function: 0_2_00402CB0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Note on the anti-debugging signature: the API sequence at 0_2_00402CB0 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the one the MSVC and mingw-w64 C runtimes use in __security_init_cookie to seed the stack cookie, and 0_2_00401180 (Sleep loop, SetUnhandledExceptionFilter, _acmdln, __initenv, _initterm, GetStartupInfoA, _cexit, _amsg_exit, exit, with GetProcAddress resolving _set_invalid_parameter_handler) is the mingw-w64 C-runtime startup. The entrypoint 0x4014B0 calls exactly these two functions in that order. On its own, therefore, this match is compiler-runtime code rather than evidence of deliberate debugger detection; the sample's actual evasion value lies in the idle behaviour and the service-only execution path, not in timing checks.

        Remote Access Functionality

Source: Yara match, File source: UIWrwFGMZ3.exe, type: SAMPLE
Source: Yara match, File source: 0.2.UIWrwFGMZ3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.UIWrwFGMZ3.exe.400000.0.unpack, type: UNPACKEDPE

MITRE ATT&CK matrix (techniques with matching signatures; the number in parentheses is the signature count, all other cells of the original matrix are unmatched placeholders):
  • Execution: Service Execution (2)
  • Persistence: Windows Service (3), DLL Side-Loading (1)
  • Privilege Escalation: Windows Service (3), Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (2)
  • No matches in Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact
Antivirus, machine learning and genetic malware detection, initial sample (Source | Detection | Scanner | Label):
UIWrwFGMZ3.exe | 96% | ReversingLabs | Win64.Backdoor.CobaltStrike
UIWrwFGMZ3.exe | 80% | Virustotal | (see VirusTotal)
UIWrwFGMZ3.exe | 100% | Avira | HEUR/AGEN.1343470
UIWrwFGMZ3.exe | 100% | Joe Sandbox ML |
No Antivirus matches for dropped files, unpacked PE files, domains or URLs
        No contacted domains info
        No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1393375
Start date and time: 2024-02-16 11:16:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: UIWrwFGMZ3.exe (renamed because original name is a hash value)
Original Sample Name: a136aa371eb80d61a757fa41be426770.exe
Detection: MAL
Classification: mal72.troj.evad.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 2
• Number of non-executed functions: 25
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com
No simulations
No context
        No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.171559512178074
TrID:
• Win64 Executable (generic) (12005/4) 74.80%
• Generic Win/DOS Executable (2004/3) 12.49%
• DOS Executable Generic (2002/1) 12.47%
• VXD Driver (31/22) 0.19%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: UIWrwFGMZ3.exe
File size: 289'280 bytes
MD5: a136aa371eb80d61a757fa41be426770
SHA1: ff150eca8f4f5c34d73824b622089f32f5c39857
SHA256: d8674a668cb51fe0d8dc89740c03e95d1f659fb6cb66ec8c896e3b1af748662f
SHA512: f711012a5900a7beb963e213ce55cc2621f9c3c2b998ab0b950389ecfd1fa2d9839fcba23511e1567fadaf347ce3b2668d2eaf724f6e180e5ba3101ae8ca89ff
SSDEEP: 6144:fK/br6Yfiu1RHz6Pt9MhykrjE3nb0l0fZNocDsCRLNY/kgY4:faKIXVz6Pt9MhykknRRmcQCRLNykE
TLSH: D454BF19B8DB740DD9225B7ED1E16C33E2B67C6FB827E5040A2FDEA35A601440909BFD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....u.Z........../......$...B................@.....................................6M........ ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4014b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: (none set)
Time Stamp: 0x5AC5758D [Thu Apr 5 01:02:05 2018 UTC]
TLS Callbacks: 0x401aa0
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: bed5688a4a2b5ea6984115b458755e90
Instruction (entrypoint disassembly; the listing is decoded as 32-bit code although the image is x86-64, so each "dec eax", "dec esp", "dec ebp" or "inc ecx" below is really the REX prefix byte of the following 64-bit instruction: "dec eax / sub esp, 28h" is "sub rsp, 28h", "dec esp / mov dword ptr [esp+28h], eax" is "mov [rsp+28h], r8", "dec ebp / mov esp, eax" is "mov r12, r8", "inc ecx / push esp" is "push r12", and the absolute "mov dword ptr [00048BB2h], 1" is RIP-relative)
        dec eax
        sub esp, 28h
        mov dword ptr [00048BB2h], 00000001h
        call 00007FBF3D4DEE72h
        call 00007FBF3D4DD33Dh
        nop
        nop
        dec eax
        add esp, 28h
        ret
        nop
        dec eax
        sub esp, 28h
        mov dword ptr [00048B92h], 00000000h
        call 00007FBF3D4DEE52h
        call 00007FBF3D4DD31Dh
        nop
        nop
        dec eax
        add esp, 28h
        ret
        nop
        push ebx
        dec eax
        sub esp, 00000500h
        dec eax
        mov ebx, dword ptr [edx+08h]
        mov dword ptr [esp+60h], 00100002h
        dec esp
        mov dword ptr [esp+28h], eax
        dec eax
        lea edx, dword ptr [esp+30h]
        dec eax
        mov ecx, ebx
        call dword ptr [00049E59h]
        test eax, eax
        dec esp
        mov eax, dword ptr [esp+28h]
        je 00007FBF3D4DD6A6h
        dec esp
        mov dword ptr [esp+000000B0h], eax
        dec eax
        lea edx, dword ptr [esp+30h]
        dec eax
        mov ecx, ebx
        call dword ptr [00049E9Ah]
        test eax, eax
        je 00007FBF3D4DD68Ch
        dec eax
        mov ecx, ebx
        call dword ptr [00049E65h]
        nop
        dec eax
        add esp, 00000500h
        pop ebx
        ret
        inc ecx
        push esp
        push ebp
        push edi
        push esi
        push ebx
        dec eax
        sub esp, 60h
        dec esp
        mov edi, ecx
        dec eax
        mov ebx, ecx
        dec ebp
        mov esp, eax
        inc ecx
        mov ecx, 00001000h
        dec esp
        lea eax, dword ptr [edi+00000080h]
        dec eax
        mov esi, edx
        mov dword ptr [esp+20h], 00000004h
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b000 | 0xb74 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x48000 | 0x2a0 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4d000 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4b2c0 | 0x270 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0x23b0 | 0x2400 | 9594d91e07d0d4236369d83675c4197f | False | 0.5887586805555556 | data | 6.095576315109702 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x42490 | 0x42600 | 41abbafe4c1f721904e00b305836c663 | False | 0.595820827448211 | data | 7.1738190773346835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x47000 | 0x310 | 0x400 | daf06c9d85ff7170d7e776400fd8fce1 | False | 0.455078125 | data | 4.209428955788983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x48000 | 0x2a0 | 0x400 | d65d8a0c7dfbe03b367bf5bc1e2dd11c | False | 0.3740234375 | data | 3.136253727491666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x49000 | 0x25c | 0x400 | 9695f74ddc6088e0acfe95bca2d506f7 | False | 0.2529296875 | data | 2.7859170736949133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x4a000 | 0xa60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4b000 | 0xb74 | 0xc00 | ecf9e9379c6d6992b581387a062f8230 | False | 0.3372395833333333 | data | 4.3479190304641575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x4c000 | 0x68 | 0x200 | ee595f3f4ad20a27916e0a529ce45fc5 | False | 0.0703125 | data | 0.2694448386073115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x4d000 | 0x48 | 0x200 | f95635aa2e8c9e0199150cdce2e9e9ac | False | 0.052734375 | data | 0.21776995545804623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL | Import):
ADVAPI32.dll | RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA
KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateProcessA, CreateThread, DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableA, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, ReadFile, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetThreadContext, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAllocEx, VirtualProtect, VirtualProtectEx, VirtualQuery, WriteFile, WriteProcessMemory
msvcrt.dll | __C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _lock, _onexit, _snprintf, _unlock, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
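As an added example that is not part of the Joe Sandbox report, the following Python reproduces the static checks behind the signatures above (per-section entropy and ZLIB complexity, non-standard section names, and the capability implied by the import table) over the section table and import list printed in this report. The sample's bytes are not on this page, so the byte-level metrics are demonstrated on constructed inputs (a zero-filled blob and a deterministic pseudo-random blob); on a real file you would feed each section's raw bytes, for example pefile's section.get_data(), to the same two functions. The STANDARD_SECTIONS set, the CAPABILITY_GROUPS grouping and the 7.0-bit entropy threshold are my assumptions for this illustration, not Joe Sandbox's rules.

```python
"""Static PE triage over the section table and import list of the report above.
Added example, not Joe Sandbox code; section data and imports are copied from
the report, the byte blobs used for the entropy/ZLIB demo are constructed."""
import hashlib
import math
import zlib

# Section table as printed in the report: name -> (virtual size, raw size, entropy)
REPORT_SECTIONS = {
    ".text":  (0x23B0,  0x2400,  6.0956),
    ".data":  (0x42490, 0x42600, 7.1738),
    ".rdata": (0x310,   0x400,   4.2094),
    ".pdata": (0x2A0,   0x400,   3.1363),
    ".xdata": (0x25C,   0x400,   2.7859),
    ".bss":   (0xA60,   0x0,     0.0),
    ".idata": (0xB74,   0xC00,   4.3479),
    ".CRT":   (0x68,    0x200,   0.2694),
    ".tls":   (0x48,    0x200,   0.2178),
}

# Import table as printed in the report (msvcrt.dll omitted: plain CRT imports).
REPORT_IMPORTS = {
    "ADVAPI32.dll": ["RegisterServiceCtrlHandlerA", "SetServiceStatus",
                     "StartServiceCtrlDispatcherA"],
    "KERNEL32.dll": ["CloseHandle", "ConnectNamedPipe", "CreateFileA", "CreateNamedPipeA",
                     "CreateProcessA", "CreateThread", "DeleteCriticalSection",
                     "EnterCriticalSection", "ExitProcess", "GetCurrentProcess",
                     "GetCurrentProcessId", "GetCurrentThreadId", "GetEnvironmentVariableA",
                     "GetLastError", "GetModuleHandleA", "GetProcAddress", "GetStartupInfoA",
                     "GetSystemTimeAsFileTime", "GetThreadContext", "GetTickCount",
                     "InitializeCriticalSection", "LeaveCriticalSection", "LoadLibraryW",
                     "QueryPerformanceCounter", "ReadFile", "ResumeThread",
                     "RtlAddFunctionTable", "RtlCaptureContext", "RtlLookupFunctionEntry",
                     "RtlVirtualUnwind", "SetThreadContext", "SetUnhandledExceptionFilter",
                     "Sleep", "TerminateProcess", "TlsGetValue", "UnhandledExceptionFilter",
                     "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx", "VirtualQuery",
                     "WriteFile", "WriteProcessMemory"],
}

# Assumption: section names a Windows linker normally emits; anything else is flagged.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls"}

# Assumption: API groups whose joint presence indicates a capability (all members required).
CAPABILITY_GROUPS = {
    "service_host":     {"StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA",
                         "SetServiceStatus"},
    "spawn_process":    {"CreateProcessA"},
    "remote_injection": {"VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx"},
    "thread_hijack":    {"GetThreadContext", "SetThreadContext", "ResumeThread"},
    "named_pipe":       {"CreateNamedPipeA", "ConnectNamedPipe", "WriteFile", "ReadFile"},
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)' column (0.0..8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size, the 'ZLIB Complexity' column (~1.0 = incompressible)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def nonstandard_sections(sections) -> list:
    """Section names outside STANDARD_SECTIONS (the report itself flags .xdata)."""
    return sorted(name for name in sections if name not in STANDARD_SECTIONS)


def high_entropy_sections(sections, threshold=7.0) -> list:
    """Sections with bytes on disk whose entropy suggests packed or encrypted content."""
    return [n for n, (_vsize, rsize, ent) in sections.items() if rsize and ent >= threshold]


def capabilities(imports) -> dict:
    """Map each capability group to whether every API in it is imported."""
    imported = {func for funcs in imports.values() for func in funcs}
    return {name: group <= imported for name, group in CAPABILITY_GROUPS.items()}


def triage(sections, imports) -> dict:
    caps = capabilities(imports)
    return {
        "nonstandard_sections": nonstandard_sections(sections),
        "high_entropy_sections": high_entropy_sections(sections),
        "capabilities": sorted(name for name, present in caps.items() if present),
        # Service host + spawn + remote write + thread-context hijack is the loader
        # shape the report's execution graph shows at 0x4015ED.
        "service_injector": all(caps[k] for k in ("service_host", "spawn_process",
                                                  "remote_injection", "thread_hijack")),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"report-1393375") -> bytes:
    """Deterministic incompressible test data (constructed stand-in for a packed section)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    print(triage(REPORT_SECTIONS, REPORT_IMPORTS))
    for label, blob in (("zero-filled", b"\x00" * 4096),
                        ("pseudo-random", pseudo_random_bytes(4096))):
        print(f"{label}: entropy={shannon_entropy(blob):.3f} zlib={zlib_complexity(blob):.3f}")
```

Run against the report's own numbers, the script flags .CRT and .xdata as non-standard names, .data (0x42490 bytes at 7.17 bits, most of the 289 KB file) as the only high-entropy section, and every capability group as present. That combination, a service-control entry point plus CreateProcessA, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, GetThreadContext, SetThreadContext and ResumeThread, is consistent with a service executable that carries an embedded payload in .data and injects it into a freshly spawned process by thread-context hijacking, which is the sequence the execution graph below records at 0x4015ED. The .xdata and .CRT names are what GCC/MinGW emits, so on their own they say "MinGW-built", not "malicious".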
        No network behavior found


Target ID: 0
Start time: 11:16:54
Start date: 16/02/2024
Path: C:\Users\user\Desktop\UIWrwFGMZ3.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\UIWrwFGMZ3.exe
Imagebase: 0x400000
File size: 289'280 bytes
MD5 hash: A136AA371EB80D61A757FA41BE426770
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

          Execution Graph

          Execution Coverage:6.6%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:17.9%
          Total number of Nodes:263
          Total number of Limit Nodes:4
Execution graph (rendered figure; the function-to-API call chains recoverable from it, addresses as in the report):
  • 4014B0 (entrypoint) and 4014D0 → 402CB0: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter → 401180: Sleep, SetUnhandledExceptionFilter, GetProcAddress (via 402B10: GetModuleHandleA, LoadLibraryW), _acmdln, malloc, strlen, memcpy, __initenv, _initterm, GetStartupInfoA, _cexit, _amsg_exit, exit
  • 401180 → 401DC0 (→ 402870: strncmp; 401EA5: RtlAddFunctionTable) and → 4024E0 / 402290 / 402220 (VirtualQuery, VirtualProtect, memcpy, GetLastError, __iob_func, fprintf)
  • 401180 → 403340 → 402C90 → 402C30: StartServiceCtrlDispatcherA
  • 4019E7: RegisterServiceCtrlHandlerA → 401905: GetTickCount → 403148 → 401973: CreateThread
  • 4015ED: GetCurrentProcess; 40161A: GetEnvironmentVariableA, _snprintf, CreateProcessA → 40154D: VirtualAllocEx, WriteProcessMemory → 4015A9: VirtualProtectEx → 4014F0: GetThreadContext → 401520: SetThreadContext → 40153A: ResumeThread
  • 4017F5 → 401740: CreateNamedPipeA → 40179E: ConnectNamedPipe → 4017B6: WriteFile → 4017E2: CloseHandle
  • 4018B2: malloc → 4018CE: Sleep → 401812: CreateFileA → 40186F: ReadFile → 40189B: CloseHandle
  • 402D80: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
  • 401ED0 and 401C20: signal (several paths); 401C00 → 401B50 → 401BE5: _onexit; 401060 → 4010A9: __set_app_type; 402130 → 40213F and 4021B2 → 402150: __iob_func, fprintf
  • 401A70 and 401AA0 (TLS callback) → 403010: InitializeCriticalSection, DeleteCriticalSection, 402E80: EnterCriticalSection, TlsGetValue, GetLastError; 402F70: EnterCriticalSection, free, LeaveCriticalSection; 402EF0: EnterCriticalSection, LeaveCriticalSection
  • Isolated API nodes: 4031D9 StartServiceCtrlDispatcherA; 403299 RtlAddFunctionTable; 40331A/403321 LeaveCriticalSection; 403221 VirtualAllocEx; 4032A9 VirtualProtect; 403271 CreateFileA; 4031F1 SetUnhandledExceptionFilter; 4032F9 RtlVirtualUnwind; 403239 GetCurrentProcess; 403108 memcpy → 44B4F8
The 4015ED chain (CreateProcessA, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, GetThreadContext, SetThreadContext, ResumeThread) is a spawn-and-inject sequence with thread-context hijacking; the 4017F5 and 4018B2 chains pass data through a local named pipe (one side CreateNamedPipeA/ConnectNamedPipe/WriteFile, the other CreateFileA/ReadFile). Only two of the 27 functions were executed during the run, so the injection path was not observed dynamically.

Callgraph (rendered figure; executed/not-executed colouring is not recoverable)
Function nodes (90): Function_00401010, 00401060, 00401180, 004014B0, 004014D0, 004014F0, 0040154D, 004015ED, 0040170F, 00401740, 004017F5, 00401812, 004018B2, 00401905, 004019B0, 004019E7, 00401A70, 00401AA0, 00401B10, 00401B20, 00401B30, 00401B40, 00401B50, 00401C00, 00401C20, 00401DC0, 00401ED0, 004020E0, 00402130, 004021B2, 004021C0, 004021D0, 004021E0, 004021F0, 00402200, 00402210, 00402220, 00402290, 004024E0, 004027F0, 00402820, 00402870, 00402910, 00402950, 00402980, 00402A00, 00402A30, 00402A80, 00402B10, 00402BE0, 00402BF0, 00402C90, 00402CB0, 00402D80, 00402E80, 00402EF0, 00402F70, 00403010, 004030B0, 004030F1, 00403108, 00403141, 00403159, 00403181, 004031D9, 004031F1, 00403221, 00403239, 00403271, 00403299, 004032A9, 004032F9, 0040331A, 00403339, 00403340, 0044B2D0, 0044B2F0, 0044B328, 0044B348, 0044B350, 0044B358, 0044B388, 0044B390, 0044B3B0, 0044B3C8, 0044B3D8, 0044B3F8, 0044B400, 0044B408, 004471D8
Call edges: 004014B0 → 00401180, 00402CB0; 004014D0 → 00401180, 00402CB0; 00401180 → 00403340, 00401DC0, 004024E0, 00402BE0, 00402B10, 00402C90; 00403340 → 00402C90; 00401DC0 → 00402870, 00402A00, 00402980; 004015ED → 0040154D → 004014F0; 004019E7 → 00401905; 004017F5 → 00401740; 004018B2 → 0040170F, 00401812; 00401A70 → 00403010 → 00402E80; 00401AA0 → 00403010; 00401060 → 00401B40, 00402210; 00401C00 → 00401B50 → 00401B40, 00401B30; 00401C20 → 00402BE0; 00401ED0 → 00402BE0; 004024E0 → 00402950, 00402290, 00402220, 004030B0; 00402290 and 00402220 → 00402950, 00402A00, 00402910, 00402290, 00402220, 004030B0; 00402B10 → 00402A80 → 004027F0, 00402820; 00402A30 → 004027F0, 00402820; 00402870, 00402910, 00402950, 00402980, 00402A00 → 004027F0

          Control-flow Graph

          APIs
          Strings
          • _set_invalid_parameter_handler, xrefs: 00401283
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: malloc$AddressExceptionFilterInfoProcSleepStartupUnhandled_cexitmemcpystrlen
          • String ID: _set_invalid_parameter_handler
          • API String ID: 2757201259-2374863361
          • Opcode ID: b0a372eb5ca4ac5610d3cb0de3d76f7cfea6dfbf92ed50a95879fcaba9b905f0
          • Instruction ID: 318037ee67398d73b2b83a8d2a7792fd270537a9d239fd3b287c9e99641f0da3
          • Opcode Fuzzy Hash: b0a372eb5ca4ac5610d3cb0de3d76f7cfea6dfbf92ed50a95879fcaba9b905f0
          • Instruction Fuzzy Hash: 0171BEB121164086FB24DF66E98036A37A1FB48789F84443ADE0AA77B1DF3DC854C74D
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 57 403340-403382 call 402c90 StartServiceCtrlDispatcherA
          APIs
          • StartServiceCtrlDispatcherA.ADVAPI32 ref: 00403375
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: CtrlDispatcherServiceStart
          • String ID: DceRpcSs
          • API String ID: 3789849863-292928688
          • Opcode ID: 7527f7f2403d99493e83a4aae31d37810d550e6e768f7178e42d0afe6e4b45c6
          • Instruction ID: 7a50f038d2bc12e3f4ade54b03f2f8eb6a66f5bf58781bd5b287879f0e18af1f
          • Opcode Fuzzy Hash: 7527f7f2403d99493e83a4aae31d37810d550e6e768f7178e42d0afe6e4b45c6
          • Instruction Fuzzy Hash: 30E08C62218F8492EB208B20F95934A73E4F788348F800232D38D923B4EF3CC259CB08
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • RtlCaptureContext.KERNEL32 ref: 00402D94
          • RtlLookupFunctionEntry.KERNEL32 ref: 00402DAB
          • RtlVirtualUnwind.KERNEL32 ref: 00402DED
          • SetUnhandledExceptionFilter.KERNEL32 ref: 00402E34
          • UnhandledExceptionFilter.KERNEL32 ref: 00402E41
          • GetCurrentProcess.KERNEL32 ref: 00402E47
          • TerminateProcess.KERNEL32 ref: 00402E55
          • abort.MSVCRT ref: 00402E5B
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
          • String ID:
          • API String ID: 4278921479-0
          • Opcode ID: bdc1670d61f3f05c46f661bd94edbceeca63a1545043c242b804e35035198d0a
          • Instruction ID: 9a84a3771183eb17e65e98b07f6ea2ba199639b94eb08401d2b209372502052d
          • Opcode Fuzzy Hash: bdc1670d61f3f05c46f661bd94edbceeca63a1545043c242b804e35035198d0a
          • Instruction Fuzzy Hash: 5321EDB1211F0099FB009F62F88838937B8FB09BA8F44012AEE4E17764EF78C565C749
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • GetSystemTimeAsFileTime.KERNEL32 ref: 00402CF5
          • GetCurrentProcessId.KERNEL32 ref: 00402D00
          • GetCurrentThreadId.KERNEL32 ref: 00402D08
          • GetTickCount.KERNEL32 ref: 00402D10
          • QueryPerformanceCounter.KERNEL32 ref: 00402D1D
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
          • String ID:
          • API String ID: 1445889803-0
          • Opcode ID: 48be2ab4c5675e879db3ed44584dbd5bc5692dedd5c3ee4df6a0a1b236680c94
          • Instruction ID: 3ad8e247dc9e9afe33551a7432814553c7a1696eb4dda08c4a0d7d3eb78b6156
          • Opcode Fuzzy Hash: 48be2ab4c5675e879db3ed44584dbd5bc5692dedd5c3ee4df6a0a1b236680c94
          • Instruction Fuzzy Hash: 30118EA6226B0082FB515F66F9087592260F74ABB5F081635EE9D067E0DF3CC885D308
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: NamedPipe$CloseConnectCreateHandle
          • String ID:
          • API String ID: 2614152119-0
          • Opcode ID: 5f2f5ab67ed47607b1e843feeba0e9a015e7d73eccdb9879b182398683444c08
          • Instruction ID: 4fa88da8361408ed63a749f6da1738ffd2df2849330db10deb59b862f14e0642
          • Opcode Fuzzy Hash: 5f2f5ab67ed47607b1e843feeba0e9a015e7d73eccdb9879b182398683444c08
          • Instruction Fuzzy Hash: 3F118E76314A4086E7218B26E84874BB7A4F789BA4F184331AE5947BE4DF7DC4498B88
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAllocEx.KERNEL32 ref: 0040157A
          • WriteProcessMemory.KERNEL32 ref: 00401599
          • VirtualProtectEx.KERNEL32 ref: 004015C4
            • Part of subcall function 004014F0: GetThreadContext.KERNEL32 ref: 00401511
            • Part of subcall function 004014F0: SetThreadContext.KERNEL32 ref: 00401530
            • Part of subcall function 004014F0: ResumeThread.KERNEL32 ref: 0040153D
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: Thread$ContextVirtual$AllocMemoryProcessProtectResumeWrite
          • String ID:
          • API String ID: 2510746765-0
          • Opcode ID: ae08c347102d7d5dfe10a070809236c2d388cf82ffa6d06d58b3c81388422a18
          • Instruction ID: 9414fb0839375826d5528c20e6650ecd3a6b9920907ab9f45a809ffbb564a9b6
          • Opcode Fuzzy Hash: ae08c347102d7d5dfe10a070809236c2d388cf82ffa6d06d58b3c81388422a18
          • Instruction Fuzzy Hash: 2901BCA2305B8495DA10CB52F804B9AA325F799FD4F888131EF8D17B59DF7CC249C704
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1e0358c3b0f62cfa1a40915f44721d3dfc4067871239ec3bca112f089a7434d2
          • Instruction ID: d01c4f3e8c9588702077c94b865a7f0a613ccd00b06854df6e8cab16fce9630e
          • Opcode Fuzzy Hash: 1e0358c3b0f62cfa1a40915f44721d3dfc4067871239ec3bca112f089a7434d2
          • Instruction Fuzzy Hash: C8D0128754D6C04AF2620F6A0CB60892F96E5B351430D804BAF4487383DA4DDC099346
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d98b28c2f7e1bac19cc36f8749e92c86bc2dcd4290ea3ce1904bf926163b9d17
          • Instruction ID: f782c4ef333fcd33edfa380da5978249da2a52e4c40075ef181b421d947972cd
          • Opcode Fuzzy Hash: d98b28c2f7e1bac19cc36f8749e92c86bc2dcd4290ea3ce1904bf926163b9d17
          • Instruction Fuzzy Hash: E9D09E8350E7C10BE7570E14087518C3F75E7A3910B8E41E78780C3393D54D5C0E836A
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2496287fbafa299db9c9d67c72dedb28f4cb8c00e808b10feb3c2f3a2ccc1f02
          • Instruction ID: 4e9ee0b5d030f14338f7aede54da990fe338611e35e2db0cf9badc0c60f2daf0
          • Opcode Fuzzy Hash: 2496287fbafa299db9c9d67c72dedb28f4cb8c00e808b10feb3c2f3a2ccc1f02
          • Instruction Fuzzy Hash: 14A00293469C0480D2400B10E81537A512CF306300F14E870511451061CA6CC004424C
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a9b04620502fd0f51ffa892521524f1d97e8283cbbfbbacd0dd507db9cc177d5
          • Instruction ID: 946225d72c42167e57798b92370e1de663047c170142aa134749488d3958ed64
          • Opcode Fuzzy Hash: a9b04620502fd0f51ffa892521524f1d97e8283cbbfbbacd0dd507db9cc177d5
          • Instruction Fuzzy Hash: CBA00293449D00C0D2000F01E811374512CD316640F44A432891491031CB6CD181424C
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph: graph rendering not reproduced in text
          APIs
          • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040236C
          • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00402395
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: QueryVirtual
          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
          • API String ID: 1804819252-2123141913
          • Opcode ID: 97f26b1402937554779867b219853c55e0c900d5b410e1d66ce3602d51d3e7b0
          • Instruction ID: 6b27b0b72396b4d8dbd1d603326d304d7e0961a0150d632aa749f5195bc7e613
          • Opcode Fuzzy Hash: 97f26b1402937554779867b219853c55e0c900d5b410e1d66ce3602d51d3e7b0
          • Instruction Fuzzy Hash: A751DDB230064096EB219F56F9047AA6720F785BD8F488437EF0957790EB7CC989C708
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 167 401905-40199a GetTickCount call 403148 CreateThread
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: CountCreateThreadTick
          • String ID: %c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
          • API String ID: 515558314-592031345
          • Opcode ID: 64fe618ce4dd9ba912bb33909fd03aed9b13325c3914286c0c92c2d1e9950f48
          • Instruction ID: 6120f76ce27bf93f8e03b3705ee541387970c104b5e0bc3059510fa2f0e87fda
          • Opcode Fuzzy Hash: 64fe618ce4dd9ba912bb33909fd03aed9b13325c3914286c0c92c2d1e9950f48
          • Instruction Fuzzy Hash: E40136B1608740C6F3248F11F85974B7BA1F3C4759F50411AD74906AA8CBBEC149CF48
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph: graph rendering not reproduced in text
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: signal
          • String ID: CCG
          • API String ID: 1946981877-1584390748
          • Opcode ID: 24ce4fa498ee314677384d647fe7db41d206477dfe8cc1bf00b5f5a1e8966524
          • Instruction ID: db69408671f36d8f3fd6657219cd9bd840f4a52729d0f1b63c4ef04d01393e85
          • Opcode Fuzzy Hash: 24ce4fa498ee314677384d647fe7db41d206477dfe8cc1bf00b5f5a1e8966524
          • Instruction Fuzzy Hash: 0D31C732B041054AEA292638985937A11015B8D3B8F5D873BFE29E73F5CF7CCCC1924A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 214 4015ed-401607 215 401609-40160d 214->215 216 40160f-401615 GetCurrentProcess 214->216 215->216 217 40161a-4016c8 GetEnvironmentVariableA _snprintf CreateProcessA 215->217 218 4016d2-4016d5 216->218 219 4016ca 217->219 220 4016ff-40170e 217->220 218->220 221 4016d7-4016fe call 40154d 218->221 219->218 221->220
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: Process$CreateCurrentEnvironmentVariable_snprintf
          • String ID: %s\System32\%s$h$windir
          • API String ID: 3047511472-1023121253
          • Opcode ID: c0ad191fb36521e5689878f1154f04104308760e91afde34a6aa7bdbb750ce90
          • Instruction ID: b0790a8a8fae0320f71c26f4d2eada2cb5ab52d8da2da71e6c87533e1a2a29b8
          • Opcode Fuzzy Hash: c0ad191fb36521e5689878f1154f04104308760e91afde34a6aa7bdbb750ce90
          • Instruction Fuzzy Hash: CE217F72208AC4D2E7209F65F84079BB3A1F789798F944126AF8917B98CF7DC54ACB44
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph: graph rendering not reproduced in text
          APIs
          • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00401265), ref: 00402611
          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00401265), ref: 00402634
          Strings
          • Unknown pseudo relocation bit size %d., xrefs: 004026B9
          • VirtualQuery failed for %d bytes at address %p, xrefs: 004024B9, 004024CA, 004027C0
          • Unknown pseudo relocation protocol version %d., xrefs: 004027D7
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: Virtual$ProtectQuery
          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
          • API String ID: 1027372294-974437099
          • Opcode ID: b1c6513d31bef49b90232bc7519321856cafb76f5d924fc51e488fe78390e61b
          • Instruction ID: ac751373bb6016ae1c0c1b14da338d16a11fc8c5c8dbf2c4df87221a09125f5c
          • Opcode Fuzzy Hash: b1c6513d31bef49b90232bc7519321856cafb76f5d924fc51e488fe78390e61b
          • Instruction Fuzzy Hash: 3971D0B2B1066486EB20CF65EA4879D3320B705BA4F58462BDE1827BD4DBBDC942D709
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph: graph rendering not reproduced in text
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: signal
          • String ID:
          • API String ID: 1946981877-0
          • Opcode ID: 1dc70c61ad4406744572be8a8bcc7dc9339d554f7800b83e7f8eb4deaa115525
          • Instruction ID: c2db7b0a0c15ea86410ce5c669bf1f3cfa8bd7397b57d7f0b0744f5874c12759
          • Opcode Fuzzy Hash: 1dc70c61ad4406744572be8a8bcc7dc9339d554f7800b83e7f8eb4deaa115525
          • Instruction Fuzzy Hash: 9821A1A07581110BFF385179859D33B51528B8D399F29883B9A0AEA3F5E83CDEC1021E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          Basic block 402130-40213d branches either to 4021a0-4021ad or to 40213f-402196, which calls __iob_func and fprintf.
          APIs
          Strings
          • Unknown error, xrefs: 0040213F
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-3474627141
          • Opcode ID: 996bdd8a5a1e2895ba4269387ef838eeb6378477693cc57770bb9de35255ed2a
          • Instruction ID: 9b0c4986f61a261a0429ca0893e1d4a2002861317688d8b97b9ee0410bb34c9e
          • Opcode Fuzzy Hash: 996bdd8a5a1e2895ba4269387ef838eeb6378477693cc57770bb9de35255ed2a
          • Instruction Fuzzy Hash: 23F08CB2615B44A5DA109F16E940B983B75F349BDAFA84126EF4C13354DB38C543C708
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          Single basic block 4021c0-4021c7, reaching __iob_func and fprintf.
          APIs
          Strings
          • Argument domain error (DOMAIN), xrefs: 004021C0
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-2713391170
          • Opcode ID: d034213095adc8b4bb58d4a15a71db9e24f69ae3d05f595f7e7fec88e0236dde
          • Instruction ID: c23ab854dbc7de984e070a6e11cd726992515df3062f89a75d417ee89949bdde
          • Opcode Fuzzy Hash: d034213095adc8b4bb58d4a15a71db9e24f69ae3d05f595f7e7fec88e0236dde
          • Instruction Fuzzy Hash: 12E039B7214B44D5D610AF06E8403983364F348BE9FA8016AEF8C177A4DB38C683C708
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          Single basic block 4021d0-4021d7, reaching __iob_func and fprintf.
          APIs
          Strings
          • Argument singularity (SIGN), xrefs: 004021D0
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-2468659920
          • Opcode ID: c799ec1a3e1338c3d31c393597856a99d6980e4374ba0598a10507cfafa0ae40
          • Instruction ID: 11aa6dba8e6b54cc3571cb3d7b53d0e79da72fdf4a2a28f1a26e18beb7ba021a
          • Opcode Fuzzy Hash: c799ec1a3e1338c3d31c393597856a99d6980e4374ba0598a10507cfafa0ae40
          • Instruction Fuzzy Hash: B4E039B7214B4095D610AF46E8403983364F348BE9FA8016BDF8C577A5CB38C687C708
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          • Overflow range error (OVERFLOW), xrefs: 004021E0
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-4064033741
          • Opcode ID: de0d9c3187d6ea9a4917212241895e43ea117ce9ee5fc97370b3f36df3c325bd
          • Instruction ID: 2d0c1f638fb5d7e96108bc8b5f6782aabc3d7318b283c414e336eb59d3fd173a
          • Opcode Fuzzy Hash: de0d9c3187d6ea9a4917212241895e43ea117ce9ee5fc97370b3f36df3c325bd
          • Instruction Fuzzy Hash: F8E039B7214B40D5D610AF06E8403983364F348BE9FA8016AEF8C177A4CB38C683C708
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          • The result is too small to be represented (UNDERFLOW), xrefs: 004021F0
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-2187435201
          • Opcode ID: 8ccabfdba6191da19fce9cd45b659bad605eeb5bf4fea05bcad9d5b60f5af25a
          • Instruction ID: 19c09f7b7dd4036bc136c3ae6bb8412c36ab44d4891dc6b44e64e51e102cd2a1
          • Opcode Fuzzy Hash: 8ccabfdba6191da19fce9cd45b659bad605eeb5bf4fea05bcad9d5b60f5af25a
          • Instruction Fuzzy Hash: 93E039B7214B40D5D610AF46E8403987364F348BE9FA8016AEF8C177A4CB38C683C708
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          • Total loss of significance (TLOSS), xrefs: 00402200
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-4273532761
          • Opcode ID: 4e3734c96b1cc1be9d79af8ebe5d8e3055b1b7bce16b64c98255b0a85d8c754e
          • Instruction ID: ca3823a317c9d599b5bb82d166aab22c58fac28646045c75376859ce293798c5
          • Opcode Fuzzy Hash: 4e3734c96b1cc1be9d79af8ebe5d8e3055b1b7bce16b64c98255b0a85d8c754e
          • Instruction Fuzzy Hash: EDE039B7214B4095D610AF06E8403987364F348BE9FA8016ADF8C277A4CB38C683C708
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          Single basic block 4021b2-4021b9, reaching __iob_func and fprintf.
          APIs
          Strings
          • Partial loss of significance (PLOSS), xrefs: 004021B2
          • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402165
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: __iob_funcfprintf
          • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
          • API String ID: 620453056-4283191376
          • Opcode ID: 78fe60d56ecc694f7f3fa112dee7f5359788333258c7ab2f1b519b6ce5e3c634
          • Instruction ID: 58f7718fcec5e559fe8a66bc38a8870f7a031c4cdcbca339665b880eaf407f95
          • Opcode Fuzzy Hash: 78fe60d56ecc694f7f3fa112dee7f5359788333258c7ab2f1b519b6ce5e3c634
          • Instruction Fuzzy Hash: 41E039B7214B40D5D611AF06E8403983364F348BE9FA8016AEF8C177A4CB38C683C708
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: HandleLibraryLoadModule
          • String ID: msvcrt.dll
          • API String ID: 4133054770-370904613
          • Opcode ID: ed6b392c1aebea3e3af8ac6eb70e1acb8ae40ff84d12263b33d1fa2ce8dbabee
          • Instruction ID: 4bf9c93d904c3b74598b1f3552f6534f0f2a578839ee00deb276795eeb159ce1
          • Opcode Fuzzy Hash: ed6b392c1aebea3e3af8ac6eb70e1acb8ae40ff84d12263b33d1fa2ce8dbabee
          • Instruction Fuzzy Hash: DB11DD515095A849EF281F20C6AE3773BB75781701FCCC433CA48223E2DBBE6A88C60D
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • __iob_func.MSVCRT ref: 00402267
          • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040236C
          • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00402395
          Strings
          • Address %p has no image-section, xrefs: 00402297
          • Mingw-w64 runtime failure:, xrefs: 00402247
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: QueryVirtual$__iob_func
          • String ID: Address %p has no image-section$Mingw-w64 runtime failure:
          • API String ID: 830446740-3215938747
          • Opcode ID: f2cdc05be243ce17f847bec74f6d441ce72e8309ab02f6f257d4b7568c9a77d1
          • Instruction ID: 06040a0908b4341de05184119e5940d5cbd5e502a546f0ffef2bc623b9acb848
          • Opcode Fuzzy Hash: f2cdc05be243ce17f847bec74f6d441ce72e8309ab02f6f257d4b7568c9a77d1
          • Instruction Fuzzy Hash: B601A232604B4860E620AB52B84079AAF28A79E7D9F98413AEE4817B95DA3CC246C704
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00401A3F
            • Part of subcall function 00401905: GetTickCount.KERNEL32 ref: 00401909
            • Part of subcall function 00401905: CreateThread.KERNEL32 ref: 00401992
          • ExitProcess.KERNEL32 ref: 00401A5A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: CountCreateCtrlExitHandlerProcessRegisterServiceThreadTick
          • String ID: DceRpcSs
          • API String ID: 1761743205-292928688
          • Opcode ID: 89942db9bcf78920eb13ebd79d10b620e6dc0a0b9e9d360eb8d54a144b26e412
          • Instruction ID: 8e33c2ed1b275edfab18a91a64b060908cbf26f084f4d0da67490182a45befc5
          • Opcode Fuzzy Hash: 89942db9bcf78920eb13ebd79d10b620e6dc0a0b9e9d360eb8d54a144b26e412
          • Instruction Fuzzy Hash: 51F0ACF01467409AF704DF21FE5D31637A0B708306F818519C20A667A0DBBD8169CB9A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2079272928.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2079193707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079311289.0000000000404000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079395869.0000000000447000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2079417226.000000000044B000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_UIWrwFGMZ3.jbxd
          Similarity
          • API ID: CriticalSection$EnterLeavefree
          • String ID:
          • API String ID: 4020351045-0
          • Opcode ID: a1c66e5ed66bbf265f5e92b6afb1d2da43240c1463eb880eb35f05d680710a77
          • Instruction ID: bc4115a160f2f5e2bb9b390c3d50c264a5e579d65519aedf21714552345b4fd6
          • Opcode Fuzzy Hash: a1c66e5ed66bbf265f5e92b6afb1d2da43240c1463eb880eb35f05d680710a77
          • Instruction Fuzzy Hash: 89017CE1311B0282EF08CB55E98432A23B1F798BD4F554836CA09973E0DFBCC895E349
          Uniqueness

          Uniqueness Score: -1.00%
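Of the twelve function records above, most are compiler runtime rather than the sample's own logic: the seven __iob_func/fprintf records are the branches of the MinGW-w64 CRT's default _matherr() handler (one message per error class, all sharing the format string at 00402165), and the VirtualQuery/__iob_func record is the runtime's "Mingw-w64 runtime failure: Address %p has no image-section" error path. The records worth an analyst's time are the one that calls RegisterServiceCtrlHandlerA, CreateThread (through a subcall that also reads GetTickCount) and ExitProcess and references the string DceRpcSs, presumably the service name it registers, and the one that resolves msvcrt.dll with LoadLibrary/GetModuleHandle. The script below is an added example, not Joe Sandbox code or code from the sample: it parses the API ID, String ID and API String ID lines copied from the records above, tags the CRT boilerplate so it can be skipped, and checks a structure visible in the data, namely that records sharing an API ID share the first number of their API String ID and that an empty String ID gives 0 as the second number. The marker strings, the category names and that reading of the ID format are the example's assumptions, not documented Joe Sandbox behaviour.

```python
"""Triage of the Joe Sandbox 'Similarity' records above (added example, not Joe Sandbox code).

Parses the API ID / String ID / API String ID lines of each function record, tags
MinGW-w64 CRT boilerplate so it can be skipped, and checks an ID structure observed
in the data. Marker strings, labels and that structure are assumptions of the example.
"""
import re
from collections import defaultdict, namedtuple

# Records copied verbatim from the report section above (input constructed for this example).
REPORT_TEXT = """
API ID: signal
String ID:
API String ID: 1946981877-0
API ID: __iob_funcfprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-3474627141
API ID: __iob_funcfprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2713391170
API ID: __iob_funcfprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2468659920
API ID: __iob_funcfprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4064033741
API ID: __iob_funcfprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2187435201
API ID: __iob_funcfprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4273532761
API ID: __iob_funcfprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4283191376
API ID: HandleLibraryLoadModule
String ID: msvcrt.dll
API String ID: 4133054770-370904613
API ID: QueryVirtual$__iob_func
String ID: Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 830446740-3215938747
API ID: CountCreateCtrlExitHandlerProcessRegisterServiceThreadTick
String ID: DceRpcSs
API String ID: 1761743205-292928688
API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
"""

# Strings that mark MinGW-w64 CRT code rather than the sample's own logic (assumption).
MINGW_CRT_MARKERS = ("_matherr():", "Mingw-w64 runtime failure:",
                     "Address %p has no image-section")

# strings: the String ID split on '$'; api_hash / string_hash: the two halves of API String ID.
FunctionRecord = namedtuple("FunctionRecord", "api_id strings api_hash string_hash")


def parse_records(text):
    """Group consecutive API ID / String ID / API String ID lines into records."""
    records, fields = [], {}
    for line in text.splitlines():
        m = re.match(r"^(API ID|String ID|API String ID):\s*(.*)$", line.strip())
        if not m:
            continue
        fields[m.group(1)] = m.group(2)
        if m.group(1) == "API String ID":  # last line of a record
            api_hash, string_hash = (int(x) for x in fields["API String ID"].split("-"))
            strings = tuple(s for s in fields.get("String ID", "").split("$") if s)
            records.append(FunctionRecord(fields["API ID"], strings, api_hash, string_hash))
            fields = {}
    return records


def classify(rec):
    """Coarse triage label for one record; the categories are this example's own."""
    if any(marker in s for s in rec.strings for marker in MINGW_CRT_MARKERS):
        return "mingw-crt"  # compiler runtime, not worth reversing
    if "RegisterService" in rec.api_id:
        return "service-entry"  # ServiceMain-style function
    if "LibraryLoad" in rec.api_id:
        return "dynamic-import"  # resolves a DLL at run time
    return "other"


def triage(text):
    """Map each label to the (api_id, strings) pairs of the records it covers."""
    out = defaultdict(list)
    for rec in parse_records(text):
        out[classify(rec)].append((rec.api_id, rec.strings))
    return dict(out)


def check_api_string_ids(records):
    """Records that break the observed structure (same API ID -> same first number,
    empty String ID <-> second number 0). Expected to be empty for the data above."""
    first_by_api = defaultdict(set)
    for rec in records:
        first_by_api[rec.api_id].add(rec.api_hash)
    bad = [r for r in records if len(first_by_api[r.api_id]) != 1]
    bad += [r for r in records if (r.string_hash == 0) != (not r.strings)]
    return bad
```

For the records above, triage(REPORT_TEXT) puts eight records under mingw-crt, one under service-entry (the DceRpcSs function), one under dynamic-import (the msvcrt.dll loader) and two under other (the signal and EnterCriticalSection/LeaveCriticalSection helpers), and check_api_string_ids(parse_records(REPORT_TEXT)) returns an empty list. To apply it to another report, paste that report's API ID / String ID / API String ID lines into REPORT_TEXT; the triage labels are a starting point for deciding which functions to open in the disassembler, not a verdict.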