Edit tour

Windows Analysis Report
mwxZCB2H4p.exe

Overview

General Information

Sample name:	mwxZCB2H4p.exe renamed because original name is a hash value
Original sample name:	0--caa9e43f3ef3c754ca7097afdc8e58b7ec5a7ad5.exe
Analysis ID:	1546795
MD5:	4177c8eec4bc090b5d40d78cb9b2997c
SHA1:	caa9e43f3ef3c754ca7097afdc8e58b7ec5a7ad5
SHA256:	23d262493fcf4d1c896754ba8748ca6b1186db3f17304bcfa28b0b737917f771
Tags:	exeReversingLabsuser-NDA0E
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mwxZCB2H4p.exe (PID: 5416 cmdline: "C:\Users\user\Desktop\mwxZCB2H4p.exe" MD5: 4177C8EEC4BC090B5D40D78CB9B2997C)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T15:55:35.388913+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.7	49763	TCP
2024-11-01T15:56:14.806860+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.7	49972	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mwxZCB2H4p.exe

ReversingLabs: Detection: 52%

Machine Learning detection for sample

Source: mwxZCB2H4p.exe

Joe Sandbox ML: detected

Source: mwxZCB2H4p.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: PerformanceCounterInstaller.pdb source: mwxZCB2H4p.exe
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: mwxZCB2H4p.exe
Source:	Binary string: mshta.pdb\/ source: mwxZCB2H4p.exe
Source:	Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe, 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, mwxZCB2H4p.exe, 00000003.00000000.1276930809.0000000030001000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: g:\Acro_root_at\Acrobat\Viewer\Win\output\acrobat\AcroRd32Exe.pdb source: mwxZCB2H4p.exe
Source:	Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdbpe0Xe0 source: mwxZCB2H4p.exe
Source:	Binary string: g:\acro_root_at\acrobat\systemsynchronizer\synchronizerapp\build\win\release\AdobeCollabSync.pdb source: mwxZCB2H4p.exe
Source:	Binary string: dwtrig20.pdb source: mwxZCB2H4p.exe
Source:	Binary string: dw20.pdb\devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe
Source:	Binary string: g:\acro_root_at\acrobat\installers\bootstrapexe_small\release\Setup.pdb source: mwxZCB2H4p.exe
Source:	Binary string: PerformanceCounterInstaller.pdbx2 source: mwxZCB2H4p.exe
Source:	Binary string: dw20.pdb source: mwxZCB2H4p.exe
Source:	Binary string: splab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe
Source:	Binary string: mshta.pdb source: mwxZCB2H4p.exe
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: mwxZCB2H4p.exe
Source:	Binary string: \devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49763
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49972

Source: mwxZCB2H4p.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mwxZCB2H4p.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mwxZCB2H4p.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mwxZCB2H4p.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: mwxZCB2H4p.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: mwxZCB2H4p.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: mwxZCB2H4p.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: mwxZCB2H4p.exe	String found in binary or memory: http://www.7-zip.org/8
Source: mwxZCB2H4p.exe	String found in binary or memory: http://www.digicert.com/CPS0

Source: mwxZCB2H4p.exe, 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedwtrig20.exe vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenamedwtrig20.exe vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameFirewall.exe vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenamePerformanceCounterInstaller.exeX vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameMSHTA.EXEj% vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameSetup.exeF vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameAcroRd32.exeB vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameDW20.Exel& vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameAdobeCollabSync.exeb! vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilenameWCChromeNativeMessagingHost.exeB vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilename7zFM.exe, vs mwxZCB2H4p.exe
Source: mwxZCB2H4p.exe	Binary or memory string: OriginalFilename7z.exe, vs mwxZCB2H4p.exe

Source: mwxZCB2H4p.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: mwxZCB2H4p.exe	Binary or memory string: @p@*\AC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: mwxZCB2H4p.exe	Binary or memory string: B*\AC:\virus\ash\ash.vbp\|$@"

Source: classification engine

Classification label: mal52.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Code function: 3_2_300026B1 CoCreateInstance,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,CoCreateInstance,SysAllocString,SysFreeString,

3_2_300026B1

Source: mwxZCB2H4p.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: mwxZCB2H4p.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mwxZCB2H4p.exe

ReversingLabs: Detection: 52%

Source: mwxZCB2H4p.exe	String found in binary or memory: -help
Source: mwxZCB2H4p.exe	String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-SeLockMemoryPrivilegeSeCreateSymbolicLinkPrivilegeSeRestorePrivilege

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Section loaded: apphelp.dll

Jump to behavior

Source: mwxZCB2H4p.exe

Static file information: File size 6839806 > 1048576

Source: mwxZCB2H4p.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: PerformanceCounterInstaller.pdb source: mwxZCB2H4p.exe
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: mwxZCB2H4p.exe
Source:	Binary string: mshta.pdb\/ source: mwxZCB2H4p.exe
Source:	Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe, 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, mwxZCB2H4p.exe, 00000003.00000000.1276930809.0000000030001000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: g:\Acro_root_at\Acrobat\Viewer\Win\output\acrobat\AcroRd32Exe.pdb source: mwxZCB2H4p.exe
Source:	Binary string: dwtrig20.pdbsplab1\otools\BBT_TEMP\DWTRIG20O.pdbpe0Xe0 source: mwxZCB2H4p.exe
Source:	Binary string: g:\acro_root_at\acrobat\systemsynchronizer\synchronizerapp\build\win\release\AdobeCollabSync.pdb source: mwxZCB2H4p.exe
Source:	Binary string: dwtrig20.pdb source: mwxZCB2H4p.exe
Source:	Binary string: dw20.pdb\devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe
Source:	Binary string: g:\acro_root_at\acrobat\installers\bootstrapexe_small\release\Setup.pdb source: mwxZCB2H4p.exe
Source:	Binary string: PerformanceCounterInstaller.pdbx2 source: mwxZCB2H4p.exe
Source:	Binary string: dw20.pdb source: mwxZCB2H4p.exe
Source:	Binary string: splab1\otools\BBT_TEMP\DWTRIG20O.pdb source: mwxZCB2H4p.exe
Source:	Binary string: mshta.pdb source: mwxZCB2H4p.exe
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: mwxZCB2H4p.exe
Source:	Binary string: \devsplab1\otools\BBT_TEMP\DW20O.pdb source: mwxZCB2H4p.exe

Source: mwxZCB2H4p.exe

Static PE information: real checksum: 0x11e87 should be: 0x694dde

Source: mwxZCB2H4p.exe

Static PE information: section name: .cdata

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Code function: 3_2_30006501 push ecx; ret

3_2_30006511

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-2699

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

API coverage: 8.0 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Code function: 3_2_300063F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_300063F9

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Code function: 3_2_30005916 LocalAlloc,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,LocalFree,LocalFree,

3_2_30005916

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Code function: 3_2_30002406 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_30002406

Source: C:\Users\user\Desktop\mwxZCB2H4p.exe

Code function: 3_2_30006380 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect,

3_2_30006380

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mwxZCB2H4p.exe	53%	ReversingLabs	Win32.Trojan.Generic
mwxZCB2H4p.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.7-zip.org/8	mwxZCB2H4p.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546795
Start date and time:	2024-11-01 15:54:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mwxZCB2H4p.exe renamed because original name is a hash value
Original Sample Name:	0--caa9e43f3ef3c754ca7097afdc8e58b7ec5a7ad5.exe
Detection:	MAL
Classification:	mal52.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: mwxZCB2H4p.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.190037533947677
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.72% Win32 Executable (generic) a (10002005/4) 49.68% Windows ActiveX control (116523/4) 0.58% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	mwxZCB2H4p.exe
File size:	6'839'806 bytes
MD5:	4177c8eec4bc090b5d40d78cb9b2997c
SHA1:	caa9e43f3ef3c754ca7097afdc8e58b7ec5a7ad5
SHA256:	23d262493fcf4d1c896754ba8748ca6b1186db3f17304bcfa28b0b737917f771
SHA512:	aef89a7419bd2ee0a77f3b048e47d92a7bcf0fd73afb3018115a672fc91add7e621bf6df1993ff8c3910affa94abe04a9f17774393b5701bd8829e9955b039f9
SSDEEP:	98304:CZiwIDQcgYOXwnS4rVk7r7fkZc86Z6srX:SuQYIdzP86Z6IX
TLSH:	CB664B02A3658673D06790B1C4966749A6327FB01F32C7DB6E447A19BE337C2993237B
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........\|.............k.........M.....K.........7.....B.O.....Y.......2.......Y.........r...............M.....u.M.......O............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x30006139
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x30000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x45F723E6 [Tue Mar 13 22:21:26 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	590291a24e818bb78c2fe32d715f214a

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push 00000028h
push 300017B0h
call 00007FDE151F60E6h
xor edi, edi
push edi
call dword ptr [300010CCh]
cmp word ptr [eax], 5A4Dh
jne 00007FDE151F5D81h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FDE151F5D74h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FDE151F5D81h
cmp eax, 0000020Bh
je 00007FDE151F5D67h
mov dword ptr [ebp-1Ch], edi
jmp 00007FDE151F5D89h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FDE151F5D54h
xor eax, eax
cmp dword ptr [ecx+000000F8h], edi
jmp 00007FDE151F5D70h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FDE151F5D44h
xor eax, eax
cmp dword ptr [ecx+000000E8h], edi
setne al
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-04h], edi
push 00000001h
call dword ptr [30001190h]
pop ecx
or dword ptr [300201E4h], FFFFFFFFh
or dword ptr [300201E8h], FFFFFFFFh
call dword ptr [3000118Ch]
mov ecx, dword ptr [300201CCh]
mov dword ptr [eax], ecx
call dword ptr [30001188h]
mov ecx, dword ptr [300201C8h]
mov dword ptr [eax], ecx
mov eax, dword ptr [30001184h]
mov eax, dword ptr [eax]
mov dword ptr [300201E0h], eax
call 00007FDE151F5FBCh
call 00007FDE151F60C4h
cmp dword ptr [300080C0h], edi
jne 00007FDE151F5D6Eh
push 30006548h
call dword ptr [30001180h]
pop ecx

Rich Headers

Programming Language:

[LNK] VS98 (6.0) imp/exp build 8168
[ C ] VS98 (6.0) build 8168
[C++] VS2003 (.NET) build 3077
[ASM] VS2003 (.NET) build 3077
[ C ] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6864	0xa0	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7400	0x2560
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x737c	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x67ec	0x40	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6402	0x6600	273f7f15956851f838164d5df593f6d7	False	0.5850949754901961	data	6.426240935560888	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x181ec	0x200	cc485967ab028b459b4881bca5c07be6	False	0.177734375	data	1.1612375377911652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cdata	0x21000	0x4	0x200	1fd62ec5648b0294c196045987fa1c25	False	0.033203125	ISO-8859 text, with no line terminators	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22000	0x580	0x600	8c6a160cff0e06a0654fd8276419303b	False	0.3287760416666667	data	3.129925877837548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x22060	0x51c	data	English	United States	0.35932721712538224

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegDeleteKeyW, RegEnumKeyExW, RegOpenKeyExW, RegQueryValueExA, RegOpenKeyExA, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, RegEnumValueW, RegQueryInfoKeyW, RegQueryValueExW, ConvertSidToStringSidA, AddAce, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, OpenThreadToken, OpenProcessToken, GetTokenInformation, CopySid, IsValidSid, InitializeAcl, AddAccessDeniedAce, AddAccessAllowedAce, GetLengthSid
KERNEL32.dll	EnterCriticalSection, LoadLibraryA, InterlockedExchange, FreeLibrary, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, VirtualProtect, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetCurrentThread, LocalAlloc, LocalFree, GetModuleFileNameA, GetShortPathNameA, OpenMutexA, CreateMutexA, GetCurrentProcess, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, Sleep, GlobalAlloc, GlobalFree, CreateProcessW, CloseHandle, GetShortPathNameW, GetLongPathNameW, lstrcmpiW, GetSystemWindowsDirectoryW, GetLastError, GetFileAttributesW, WaitForSingleObject, GetModuleFileNameW, CreateEventW, lstrlenW, InterlockedDecrement, SetEvent, InterlockedIncrement, RaiseException, LeaveCriticalSection, SetLastError, VirtualFree, VirtualAlloc, InitializeCriticalSectionAndSpinCount, TlsAlloc, GetSystemDefaultLCID, TlsFree, DeleteCriticalSection, TlsSetValue, TlsGetValue
MSVCRT.dll	_wtol, _except_handler3, memmove, _c_exit, _XcptFilter, _cexit, exit, __p___winitenv, _amsg_exit, __wgetmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __dllonexit, _onexit, _controlfp, _exit
ole32.dll	StringFromCLSID, CoUninitialize, CoInitializeEx, CoRegisterClassObject, StringFromIID, CoCreateInstance, CoRevokeClassObject, CoTaskMemFree
OLEAUT32.dll	SysAllocString, SysFreeString, LoadRegTypeLib, LoadTypeLib
SHELL32.dll	SHGetSpecialFolderPathW
USER32.dll	SystemParametersInfoW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	3
Start time:	10:55:16
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\mwxZCB2H4p.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mwxZCB2H4p.exe"
Imagebase:	0x30000000
File size:	6'839'806 bytes
MD5 hash:	4177C8EEC4BC090B5D40D78CB9B2997C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	61.3%
Signature Coverage:	5.5%
Total number of Nodes:	762
Total number of Limit Nodes:	3

Executed Functions

Function 30006380 Relevance: 9.0, APIs: 6, Instructions: 38
memorytimethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 3000639B
GetCurrentProcessId.KERNEL32 ref: 300063A7
GetCurrentThreadId.KERNEL32 ref: 300063AF
GetTickCount.KERNEL32 ref: 300063B7
QueryPerformanceCounter.KERNEL32(?), ref: 300063C3
VirtualProtect.KERNELBASE(30021000,00000004,00000002,?), ref: 300063F0

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessProtectQuerySystemThreadTickVirtual
String ID:
API String ID: 3578144274-0
Opcode ID: 8fac02294d54af2d6f7fee8b6c82b2f61af91592e7622bcf66e16aa843629162
Instruction ID: 11df260ceae8b29d6280bedb760e1141b5dfc48cdb500731cde6777480af3357
Opcode Fuzzy Hash: 8fac02294d54af2d6f7fee8b6c82b2f61af91592e7622bcf66e16aa843629162
Instruction Fuzzy Hash: F1014F75C101549BFB109BB8DD48BDEB7F8BB0C381F814561E541F7110DBB0DA418BA0

Function 30006139 Relevance: 16.6, APIs: 11, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,300017B0,00000028), ref: 30006148
__set_app_type.MSVCRT ref: 300061A5
__p__fmode.MSVCRT ref: 300061BA
__p__commode.MSVCRT ref: 300061C8
__setusermatherr.MSVCRT ref: 300061F9
_initterm.MSVCRT ref: 3000620F
__wgetmainargs.MSVCRT ref: 3000623C
_amsg_exit.MSVCRT ref: 3000624E
_initterm.MSVCRT ref: 3000625E
exit.KERNELBASE ref: 3000628A
_cexit.MSVCRT ref: 30006290

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: _initterm$HandleModule__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_amsg_exit_cexitexit
String ID:
API String ID: 1764406085-0
Opcode ID: bade154c849e238a6eab98550b20835f2f85d151cc917bf1df54a5e3934e8471
Instruction ID: bf6d202744bdbe36a2cf98fbac99a3166b0b65f14fa59b0b048f0dbf8e54f7d3
Opcode Fuzzy Hash: bade154c849e238a6eab98550b20835f2f85d151cc917bf1df54a5e3934e8471
Instruction Fuzzy Hash: 9741AF78800604DFFB159FA4CD489DD3BB2FB48312F2441EAE111B72A2DB318A86CF21

Function 30002221 Relevance: 4.5, APIs: 3, Instructions: 35
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?,?,?,30001E69,80000001,Software\Microsoft\PCHealth\ErrorReporting\DW\Debug,DWSensDebugBreak,?,?,?,3000210F), ref: 30002241
RegQueryValueExA.ADVAPI32(?,3000627C,00000000,00000000,?,00000004,?,?,?,30001E69,80000001,Software\Microsoft\PCHealth\ErrorReporting\DW\Debug,DWSensDebugBreak,?,?), ref: 30002260
RegCloseKey.ADVAPI32(?,?,?,?,30001E69,80000001,Software\Microsoft\PCHealth\ErrorReporting\DW\Debug,DWSensDebugBreak,?,?,?,3000210F,00000000,?,?), ref: 3000226F

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 98c5e58a032f2d10550f57ea51bbc8b568a3ed8696bcb13358c3998ac9c2ea1c
Instruction ID: e72310d2c5e027731adb2fe810c3166e07e7f25ed01ed102e14c04f490b609a7
Opcode Fuzzy Hash: 98c5e58a032f2d10550f57ea51bbc8b568a3ed8696bcb13358c3998ac9c2ea1c
Instruction Fuzzy Hash: AAF05475200218BFFF219FA5DC09FDA7BA8EF04791F108011BE05E50A0D7B1DA10EBA0

Function 30002101 Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159a93b04ac6c9aba3a3ed6f4735b27782104efed9755a7ebdcefb46e9b5410c
Instruction ID: 44a0a38db409ce3025e8bfd26ec9bd1331b2172f26250e15b5dee6f97fd0f933
Opcode Fuzzy Hash: 159a93b04ac6c9aba3a3ed6f4735b27782104efed9755a7ebdcefb46e9b5410c
Instruction Fuzzy Hash: DE21277D200205B5FA245738CF46DEF26A9EBE2782FA080E5FF04C5496DA30CD82DE21

Function 3000496F Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteCriticalSection.KERNEL32(300200F8,300021D9,00000000,00000000,?,?,?,3000627C,?,?,?), ref: 30004974
TlsFree.KERNELBASE(?,?,?,?,3000627C,?,?,?), ref: 30004985

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CriticalDeleteFreeSection
String ID:
API String ID: 3112490556-0
Opcode ID: 6dc21dcaa5d283431ffb9faf0a306f403c0327d64e99780780a8aa4b7ec5096c
Instruction ID: 56ce12f3485064a29cf6532e5026a44930fe97a4008e76d8c96593b9546f4703
Opcode Fuzzy Hash: 6dc21dcaa5d283431ffb9faf0a306f403c0327d64e99780780a8aa4b7ec5096c
Instruction Fuzzy Hash: 01C012744716044FF244573CCC8D5C53694B7013327500790F2B2F14F0D72048278B04

Non-executed Functions

Function 300026B1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 229
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(3000184C,00000000,00000015,3000186C,?,00000000), ref: 300026EC
SysAllocString.OLEAUT32(EventSystem.EventSubscription), ref: 3000272A
SysAllocString.OLEAUT32(?), ref: 30002740
SysFreeString.OLEAUT32(00000000), ref: 30002760
SysFreeString.OLEAUT32(00000000), ref: 30002763
CoCreateInstance.OLE32(3000183C,00000000,00000015,3000185C,?), ref: 3000277B

Strings

EventSystem.EventSubscription, xrefs: 30002725, 300028B7
SubscriptionID=%s, xrefs: 3000270B

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: String$AllocCreateFreeInstance
String ID: EventSystem.EventSubscription$SubscriptionID=%s
API String ID: 391255401-1836528183
Opcode ID: 3d83a76a255706bcf4abe030a4f0e3d6d2d9a5bd4cd4973a09a8126a1786b128
Instruction ID: 41227285faa855c304defb8b0a60703584d52200c6c4e97aef916ce77eb8d749
Opcode Fuzzy Hash: 3d83a76a255706bcf4abe030a4f0e3d6d2d9a5bd4cd4973a09a8126a1786b128
Instruction Fuzzy Hash: E281307ED002159FEB24EFB4C88899DB7B9BF48350B6546A8E915EB211DB31AC41CF90

Function 30005916 Relevance: 10.6, APIs: 7, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000000C,00000400,00000010,00001000,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000), ref: 30005939
LocalAlloc.KERNEL32(00000040,00000014,00000001,0012FFFF,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000), ref: 30005961
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000,?,30004CD2,00000010), ref: 3000596E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000001,00000000,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000), ref: 3000597F
LocalFree.KERNEL32(00000000,00000001,0012FFFF,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000,?,30004CD2), ref: 300059A4
LocalFree.KERNEL32(00000000,00000001,0012FFFF,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000,?,30004CD2), ref: 300059AF
LocalFree.KERNEL32(00000000,00000001,0012FFFF,?,?,00002000,30005E09,00000001,30006098,00000010,00000010,?,00000000,00000000,?,30004CD2), ref: 300059B6

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: Local$Free$AllocDescriptorSecurity$DaclInitialize
String ID:
API String ID: 3712409113-0
Opcode ID: c9b30897d8f73feb94afa50b6bcbe7dce1d5b194bd30bbd92d12ba6daf4119d9
Instruction ID: 6d4717670917b20b00d179ea403995bc306a8d0698cdd6a4691411a470fbc4be
Opcode Fuzzy Hash: c9b30897d8f73feb94afa50b6bcbe7dce1d5b194bd30bbd92d12ba6daf4119d9
Instruction Fuzzy Hash: 59218EF9600305EBFB109FEACD85B9BBBF8AF44753F5040A9F605A6190D7B48A41CE60

Function 300063F9 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00000000), ref: 3000634A
UnhandledExceptionFilter.KERNEL32(?), ref: 30006354
GetCurrentProcess.KERNEL32(00000502), ref: 3000635F
TerminateProcess.KERNEL32(00000000), ref: 30006366

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 354abe4cd6caa003a76a7c6f5ba21e04975700cd376a9c4fd06629e8243cf827
Instruction ID: 126451782bbc3afa6ae03666b403dad4e627d47f2bead6f40a3433848d8bdfe1
Opcode Fuzzy Hash: 354abe4cd6caa003a76a7c6f5ba21e04975700cd376a9c4fd06629e8243cf827
Instruction Fuzzy Hash: 88111C75A1024C9FEB20DFA4CC49BDCBBB8FF09305F50442AE945AB250EBB49689CF51

Function 30002406 Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,3000627C,?,?), ref: 30002441
CheckTokenMembership.ADVAPI32(00000000,?,3000627C,?,?,3000627C,?,?,?), ref: 30002456
FreeSid.ADVAPI32(?,00000000,?,3000627C,?,?,3000627C,?,?,?), ref: 30002465

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ea2cfc3c73d68b84c06b954f5b3b13817875cf840121ff583ff09447ae00360f
Instruction ID: 922f03299b2fbd1e9620aff8536e5e6cf7a744abbef11a0a434deb26c152cfa3
Opcode Fuzzy Hash: ea2cfc3c73d68b84c06b954f5b3b13817875cf840121ff583ff09447ae00360f
Instruction Fuzzy Hash: E9012175D0028DFEEB01DBE8CD85AEEBBB9BB18244F5440A9E551B3242D2709A04CB65

Function 30001E79 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StringFromCLSID.OLE32(?,?,00000000), ref: 30001EEF
StringFromCLSID.OLE32(3000180C,?), ref: 30001F12
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 30001F2C
RegCloseKey.ADVAPI32(?,?,LocalServer32,?,?,?,AppID,?,80000000,?,?,?), ref: 30002026
RegCloseKey.ADVAPI32(?,?,TypeLib,?,?), ref: 30002051
RegCloseKey.ADVAPI32(?), ref: 30002059
RegCloseKey.ADVAPI32(?,?,RunAs,Interactive User,80000000,?,?,?), ref: 30002096
CoTaskMemFree.OLE32(?), ref: 300020A4
CoTaskMemFree.OLE32(?), ref: 300020AC

Strings

AppID\%s, xrefs: 30001F7B
AppID, xrefs: 30001FDC
"%s" -%c, xrefs: 30001F49
Interactive User, xrefs: 30002075
LocalServer32, xrefs: 30002004
RunAs, xrefs: 3000207A
CLSID\%s, xrefs: 30001F68
TypeLib, xrefs: 30002035

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: Close$FreeFromStringTask$FileModuleName
String ID: "%s" -%c$AppID$AppID\%s$CLSID\%s$Interactive User$LocalServer32$RunAs$TypeLib
API String ID: 1964612919-1905851544
Opcode ID: 73fb0a845f269581708e1bdb3888685a042ec97372d097ec8d42131a2a167bb2
Instruction ID: b300817e288bff7ed11fea64dd388b2d1021db49372a0b9b3e5193d1c86140d8
Opcode Fuzzy Hash: 73fb0a845f269581708e1bdb3888685a042ec97372d097ec8d42131a2a167bb2
Instruction Fuzzy Hash: 9451407980061DAAFB219F78CC40EDA77BAAB88254F5045E5E51CE3212DB32DEA5CF50

Function 30002991 Relevance: 25.6, APIs: 17, Instructions: 139
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StringFromIID.OLE32(00000000,00000000,00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 300029B1
SysAllocString.OLEAUT32(00000000), ref: 300029CB
SysAllocString.OLEAUT32(?), ref: 300029DA
CoTaskMemFree.OLE32(00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 300029F6
StringFromIID.OLE32(?,300014DC,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002A07
CoTaskMemFree.OLE32(00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002A21
StringFromIID.OLE32(?,00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002A32
SysAllocString.OLEAUT32(00000000), ref: 30002A46
SysAllocString.OLEAUT32(?), ref: 30002A52
CoTaskMemFree.OLE32(00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002A64
StringFromIID.OLE32(?,00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002A75
SysAllocString.OLEAUT32(00000000), ref: 30002A89
SysAllocString.OLEAUT32(?), ref: 30002AA6
SysAllocString.OLEAUT32(?), ref: 30002ABD
CoTaskMemFree.OLE32(00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002ADE
StringFromIID.OLE32(?,00000000,?,?,0000000C,?,30002B48,00000000,300014D4), ref: 30002AEF
SysAllocString.OLEAUT32(00000000), ref: 30002AFF

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: String$Alloc$From$FreeTask
String ID:
API String ID: 3125492871-0
Opcode ID: 021122a8d56543e6e2df7d89bcae87e04d228ca40fa73a6b8810de708ac65a38
Instruction ID: c67b52a70400e4d944c63056fdd597d3a4f8cc821544d1cc9237e83584b3cf1f
Opcode Fuzzy Hash: 021122a8d56543e6e2df7d89bcae87e04d228ca40fa73a6b8810de708ac65a38
Instruction Fuzzy Hash: D9513DB9600209EFEB21DF64C984BDA7BF8FF44781F6081A9E804E6160DB31DA50DF61

Function 3000547B Relevance: 22.6, APIs: 15, Instructions: 124
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 300054DF
OpenThreadToken.ADVAPI32(00000000), ref: 300054E6
GetLastError.KERNEL32 ref: 300054F0
GetCurrentProcess.KERNEL32(00000008,?,?,?,00000000), ref: 3000550D
OpenProcessToken.ADVAPI32(00000000), ref: 30005514
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 30005534
GetLastError.KERNEL32 ref: 30005536
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 3000556E
GetLengthSid.ADVAPI32(00000000), ref: 30005576
GlobalAlloc.KERNEL32(00000000,00000000), ref: 30005582
CopySid.ADVAPI32(?,00000000,00000000), ref: 30005596
IsValidSid.ADVAPI32(?), ref: 300055A2
CloseHandle.KERNEL32(?), ref: 300055BD
GlobalFree.KERNEL32(?), ref: 300055CC

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: Token$CurrentErrorGlobalInformationLastOpenProcessThread$AllocCloseCopyFreeHandleLengthValid
String ID:
API String ID: 1685494056-0
Opcode ID: bbacf4f8acd7ce60d5bd72377cc8d1dd0b7b52da9aaada4d9a0b4e366bafaa94
Instruction ID: 8038317eac703001a456c8241b2f5e933bba7c6799a77b8165797cddf32350fe
Opcode Fuzzy Hash: bbacf4f8acd7ce60d5bd72377cc8d1dd0b7b52da9aaada4d9a0b4e366bafaa94
Instruction Fuzzy Hash: B3413CB9A006489FFF208FE9CD54BDE7BBAAB04343F610469E545E3151DB719985CF10

Function 30006577 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 210
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 300065EE
LoadLibraryA.KERNEL32(?), ref: 30006673
GetLastError.KERNEL32 ref: 3000667F
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 300066B2

Strings

$, xrefs: 300065C3

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: e7b789e35a34ee0a92999283306c252fc26b4138143675a569f446f0ab1bf1a6
Instruction ID: 53b0dd82f978d45a4b28bee5d92a36e5cbf81014aa6f1ff23b0c3757a4ab81ce
Opcode Fuzzy Hash: e7b789e35a34ee0a92999283306c252fc26b4138143675a569f446f0ab1bf1a6
Instruction Fuzzy Hash: DC8139B8A10706AFEB10CFA8C984A9DB7F6AF48345F108069E945E7250EB70E945CF60

Function 30005C8E Relevance: 18.1, APIs: 12, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00020008,3002019C,3002019C,00000000,?,00000010,3002019C,00001000,00000010,?,00000400,00000000,00000010,?,?), ref: 30005CAC
OpenProcessToken.ADVAPI32(00000000), ref: 30005CB3
GetLastError.KERNEL32 ref: 30005CBD
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?,00000400), ref: 30005CDD
CloseHandle.KERNEL32(?), ref: 30005DDA

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
String ID:
API String ID: 2078281146-0
Opcode ID: 8e0ceb67c9a3d0f612141c2c8957e0c46e9518817d706d51946e9e830ab5325c
Instruction ID: 688bee735191ca4cf46520ddbc36f584c11d40eca48ab4514dacb7e9af604686
Opcode Fuzzy Hash: 8e0ceb67c9a3d0f612141c2c8957e0c46e9518817d706d51946e9e830ab5325c
Instruction Fuzzy Hash: 00411AB990030AEFFB219BE4CD49B9F7BB9EF44392F5080A6E501A6150DB709A41DF64

Function 30002CE3 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 193
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,?,?,00000000), ref: 30002D65
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 30002D8A
GlobalAlloc.KERNEL32(00000040,?), ref: 30002DA6
GlobalAlloc.KERNEL32(00000040,?), ref: 30002DBB
RegEnumValueW.ADVAPI32(?,?,00000000,?,00000000,?,?,?), ref: 30002DF6
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 30002ED8
RegCloseKey.ADVAPI32(?), ref: 30002F02
GlobalFree.KERNEL32(?), ref: 30002F16
GlobalFree.KERNEL32(00000000), ref: 30002F1D

Strings

Software\Microsoft\PCHealth\ErrorReporting\DW\Installed, xrefs: 30002D3B

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: Global$AllocFree$CloseEnumFileInfoModuleNameOpenQueryValue
String ID: Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
API String ID: 1931873285-2133074477
Opcode ID: f662a505219e7f4d2a257bcecd217b9e473783f98f83704c02b632d910dddbed
Instruction ID: 3507eca0f8456b23bc5a46b6c30e138068266594023367426bc09d4a0f2510e4
Opcode Fuzzy Hash: f662a505219e7f4d2a257bcecd217b9e473783f98f83704c02b632d910dddbed
Instruction Fuzzy Hash: 14615779D002689BEB11DFA8CD81AEEBBF9FF48741F10406AE909EB241D7708941CF50

Function 30002916 Relevance: 15.1, APIs: 10, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 3000292A
SysFreeString.OLEAUT32(?), ref: 30002934
SysFreeString.OLEAUT32(?), ref: 3000293E
SysFreeString.OLEAUT32(?), ref: 30002948
SysFreeString.OLEAUT32(?), ref: 30002952
SysFreeString.OLEAUT32(?), ref: 3000295C
SysFreeString.OLEAUT32(?), ref: 30002966
SysFreeString.OLEAUT32(?), ref: 30002970
SysFreeString.OLEAUT32(?), ref: 30002979
SysFreeString.OLEAUT32(?), ref: 30002983

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: c00f409bc2b23f6e3adb3d0b6cc0e7478bed45dd5d19d85d8190bca927cda8dc
Instruction ID: d221ab350e67c414e6d36e4c5208e979429c06a0f8ed8f4d733d77d93c573bf7
Opcode Fuzzy Hash: c00f409bc2b23f6e3adb3d0b6cc0e7478bed45dd5d19d85d8190bca927cda8dc
Instruction Fuzzy Hash: 8701A5B9B2062667EA04DE7ACC44E17A7ECBF18691F404967A904E3640DB74E851CEB0

Function 30005B7C Relevance: 13.6, APIs: 9, Instructions: 105COMMON

Download Yara Rule

APIs

GetLengthSid.ADVAPI32(3002019C,00000400,3002019C,00000000), ref: 30005B97
CopySid.ADVAPI32(0000000C,?,30001780), ref: 30005BED
AddAce.ADVAPI32(00000000,00000002,00000000,00000000,00000014), ref: 30005C03
CopySid.ADVAPI32(?,?,3002019C), ref: 30005C19
AddAce.ADVAPI32(00000000,00000002,00000001,00000000,00000014), ref: 30005C29
CopySid.ADVAPI32(00000014,?,00000000), ref: 30005C40
AddAce.ADVAPI32(00000000,00000002,00000002,00000000,0000001C), ref: 30005C50
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 30005C5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 30005C67

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: Copy$DescriptorSecurity$DaclInitializeLength
String ID:
API String ID: 2245498950-0
Opcode ID: 639bbe6597734c5f74fbb1456c11c0a5bcc8447c3d67d951aac975840b28cc5a
Instruction ID: 67b798cd6c03a02faf8c424ad62b1f5c0467c3b13d8f09795df420a43be88894
Opcode Fuzzy Hash: 639bbe6597734c5f74fbb1456c11c0a5bcc8447c3d67d951aac975840b28cc5a
Instruction Fuzzy Hash: F1313976900258AEEB10DBE8CC85FEEB7B9FF08704F004019F644AB294D7B4A945CBA4

Function 30002F3A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99sleepprocessCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,WatsonLaunchQueuedReportingInstanceVerification,00000000,?,00000000), ref: 30002FA1
SystemParametersInfoW.USER32(00000072,00000000,?,00000000), ref: 30002FEF
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000020,00000000,00000000,?,?), ref: 30003029
CloseHandle.KERNEL32(?), ref: 3000303C
CloseHandle.KERNEL32(?), ref: 30003041

Strings

"%s" -%c %u, xrefs: 30002FD0
WatsonLaunchQueuedReportingInstanceVerification, xrefs: 30002F7B

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CloseHandle$CreateInfoParametersProcessSleepSystem
String ID: "%s" -%c %u$WatsonLaunchQueuedReportingInstanceVerification
API String ID: 814004605-2471467298
Opcode ID: 07d88c0d3db1c50fefa6e5078cac2ef5d0e52874d3c0daa446c7954740091923
Instruction ID: e4668d9b24eb9e519d74748c4eb0d9f513fc3556074953cb048c2130cceabf1e
Opcode Fuzzy Hash: 07d88c0d3db1c50fefa6e5078cac2ef5d0e52874d3c0daa446c7954740091923
Instruction Fuzzy Hash: 253181B6900249ABFB219FA8CC80FEEB7BCFB44785F004076FA14E6050D7749A458F61

Function 30002322 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 30002349
GetLastError.KERNEL32 ref: 30002357
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000001,00000000,00000000), ref: 30002365

Strings

QRegular, xrefs: 3000238A
QSignoff, xrefs: 300023A2
\PCHealth\ErrorRep\, xrefs: 3000237B
QHeadles, xrefs: 300023BA

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: DirectoryErrorFolderLastPathSpecialSystemWindows
String ID: QHeadles$QRegular$QSignoff$\PCHealth\ErrorRep\
API String ID: 1271361848-655368766
Opcode ID: 536bd71dacbe62af0b2105a362e94b31f11d990e2154188139f3f6b363005a17
Instruction ID: 89d0300be4e9681b0d304a197570d96af9c4878eaa698e89a0132c3bfcb723bb
Opcode Fuzzy Hash: 536bd71dacbe62af0b2105a362e94b31f11d990e2154188139f3f6b363005a17
Instruction Fuzzy Hash: 941191BDA00214AAFB20DBA5CD49EDF77ADAB80381F5440F1FA54E2051D778CB828E61

Function 30003653 Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,00000400,%s\%s,300030D6,?,?,?,?,?,?,300034EA,?,?,00000007), ref: 30003682
VirtualAlloc.KERNEL32(00000000,00010000,00002000,00000001,?,?,?,00000400,%s\%s,300030D6,?,?,?), ref: 300036A1
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004,?,00000400,%s\%s,300030D6,?,?,?,?,?,?,300034EA,?), ref: 300036B6
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000400,%s\%s,300030D6,?,?,?,?,?,?,300034EA,?,?), ref: 300036C3
SetLastError.KERNEL32(E004000E,?,?,?,00000400,%s\%s,300030D6,?,?,?,?,?,?,300034EA,?,?), ref: 300036CE

Strings

%s\%s, xrefs: 30003657

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: Virtual$Alloc$ErrorFreeLastValue
String ID: %s\%s
API String ID: 4245389849-4073750446
Opcode ID: 9524400c63249e0ee33b440f964f39d0508656bb1c4c019a257f82fcc06b6753
Instruction ID: b9f88ce34c395662b239ff648255eb491fb56056d1d5681c363ea2ccccd03411
Opcode Fuzzy Hash: 9524400c63249e0ee33b440f964f39d0508656bb1c4c019a257f82fcc06b6753
Instruction Fuzzy Hash: 1F21B67A3517016BE3218F78CC45B96B7D8FF887A1F108429F685E7384D7B1E8518B58

Function 300030BF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(300034EA,?,00000000,00020019,?,00000400,%s\%s,?,?,?,?,?,?,300034EA,?,?), ref: 30003140
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,00000001,?,?), ref: 300031CC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000001,00000106,?,?,?,300034EA,?,?,00000007), ref: 300031F4
RegCloseKey.ADVAPI32(300034EA,?,?,?,300034EA,?,?,00000007), ref: 30003238
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?), ref: 3000328E

Strings

%s\%s, xrefs: 300030E2

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: ByteCharMultiWide$CloseOpenQueryValue
String ID: %s\%s
API String ID: 2332129513-4073750446
Opcode ID: 150e814412e7ab463edfcb51dfc0dd6e459caf32c0aab5c59e2d8622d6e7dfe8
Instruction ID: 255e06dd66fd44ab97a1a15d1bdc8021275e37874a56ea5387ae4d6888743505
Opcode Fuzzy Hash: 150e814412e7ab463edfcb51dfc0dd6e459caf32c0aab5c59e2d8622d6e7dfe8
Instruction Fuzzy Hash: 4D514DB9900209AFFB12DFA4CD80AAEBBBDFF44381F5045A9E911A7241D7709A41CF94

Function 30005E72 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00000010,?,?,Global\,?,?,00000010,00000000,00000000,00000010,00000010,?,30004C89,?,00000400), ref: 30005FAB

Strings

Global\, xrefs: 30005F31
Local\, xrefs: 30005F38, 30005F3F
1108160, xrefs: 30005F56

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: FreeLocal
String ID: 1108160$Global\$Local\
API String ID: 2826327444-498314252
Opcode ID: 01c80c257b6c1ffe170beffa19e21cced68ca84e4a3cd4397e78a4506520511a
Instruction ID: eda10ca7200ed2fa86937721c4ebc3f2d022d212f419d58223fac26495087823
Opcode Fuzzy Hash: 01c80c257b6c1ffe170beffa19e21cced68ca84e4a3cd4397e78a4506520511a
Instruction Fuzzy Hash: 5C3191FC50520AEAFB108B95CE45FEF7BAC9F81393F5040E5B84596191D7788E40CE60

Function 30001D53 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,?,3000218E,?,00000000,00000000,?,?,?,3000627C,?,?,?), ref: 30001D59
LoadRegTypeLib.OLEAUT32(3000180C,00000001,00000000,00000000,300080D8), ref: 30001D78
LoadTypeLib.OLEAUT32(SENS.DLL,300080D8), ref: 30001D88
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,3000218E,?,00000000,00000000,?,?,?,3000627C,?,?,?), ref: 30001DB3
CoRegisterClassObject.OLE32(300014B4,00000000,00000004,00000001,?,?,3000218E,?,00000000,00000000,?,?,?,3000627C,?,?), ref: 30001DF0

Strings

SENS.DLL, xrefs: 30001D83

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: LoadType$ClassCreateEventInitializeObjectRegister
String ID: SENS.DLL
API String ID: 3188726877-4135673654
Opcode ID: 8b01ec1562faf7c9d63de80ac13c8446097a3c8949171a2ecb4b21d5e5c7b226
Instruction ID: 1556beaa34c13070fd5aba915cdacb4635af489b079b3a71bc8aa5fdbdc433ac
Opcode Fuzzy Hash: 8b01ec1562faf7c9d63de80ac13c8446097a3c8949171a2ecb4b21d5e5c7b226
Instruction Fuzzy Hash: 3811C83D6002516BF320276ECC8CEDB6AA8FBC5752B1005EAF616F3151DA304C42CF61

Function 30001C68 Relevance: 7.6, APIs: 5, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,0002000E,?,77331A70), ref: 30001C9A
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,80000000), ref: 30001CEF
RegCloseKey.ADVAPI32(?), ref: 30001CF8
RegDeleteKeyW.ADVAPI32(?,?), ref: 30001D0A

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CloseDeleteEnumOpen
String ID:
API String ID: 4142876296-0
Opcode ID: 28eb97eb10d64a9cf1504055db17c6f866e193078e21b00a78a699924d4b62f2
Instruction ID: eb9f555dfa9584b00647773d30ffff7018d7e5b68c84de5dd35ab6f47b657501
Opcode Fuzzy Hash: 28eb97eb10d64a9cf1504055db17c6f866e193078e21b00a78a699924d4b62f2
Instruction Fuzzy Hash: E621BE3A550018ABFB328B99CC44EEE7BBAFB45381F20013AF144E2050C6758A448FA1

Function 30005380 Relevance: 7.6, APIs: 5, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 3000532C: GetLengthSid.ADVAPI32(00000010,00000400,00000000,?,?,30005397,?,00000000,00000400,?,00000000,00000000,00000000,?,3000562A,00000000), ref: 3000534D
Part of subcall function 3000532C: GetLengthSid.ADVAPI32(00000000,00000400,00000000,?,?,30005397,?,00000000,00000400,?,00000000,00000000,00000000,?,3000562A,00000000), ref: 3000536B

LocalAlloc.KERNEL32(00000040,00000000,?,?,00000000), ref: 3000539F
InitializeAcl.ADVAPI32(00000000,00000000,00000002), ref: 300053B0
AddAccessDeniedAce.ADVAPI32(?,00000002,?,00000400), ref: 300053D1
AddAccessAllowedAce.ADVAPI32(?,00000002,?,00000000), ref: 30005400
LocalFree.KERNEL32(?), ref: 3000541B

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: AccessLengthLocal$AllocAllowedDeniedFreeInitialize
String ID:
API String ID: 3760554596-0
Opcode ID: c3788279623d67b87988b983ba2f9ba8256efb3afb3f68182881f4a39f09d575
Instruction ID: 200db9d3af4f875376c74cd1e556da70e245ef8de6150f9a68792405cccb7285
Opcode Fuzzy Hash: c3788279623d67b87988b983ba2f9ba8256efb3afb3f68182881f4a39f09d575
Instruction Fuzzy Hash: 79216D7A600209EBEB108F99DD45ECF3BA5FF44396F508064FA05A6051D771DE90DFA0

Function 300024DA Relevance: 7.6, APIs: 5, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000104), ref: 30002534
GetShortPathNameW.KERNEL32(30002EF1,00000000,00000104), ref: 30002545
GetLongPathNameW.KERNEL32(?,00000000,00000104), ref: 3000255C
GetLongPathNameW.KERNEL32(30002EF1,00000000,00000104), ref: 3000256D
lstrcmpiW.KERNEL32(?,30002EF1), ref: 30002589

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: NamePath$LongShort$lstrcmpi
String ID:
API String ID: 246120216-0
Opcode ID: 681f5e6c64611c32aba7e03da15d2b8581963916148ab956dcdf59028344d6a9
Instruction ID: 0ef3a4fea0816cdb84ab855972c836ae1f07a1650c2eb8ea0b92b99d898f47c9
Opcode Fuzzy Hash: 681f5e6c64611c32aba7e03da15d2b8581963916148ab956dcdf59028344d6a9
Instruction Fuzzy Hash: 67211AB690011DBAEF10DB68CC00EDA77BDAB84791F1081B1AA09E2151D7719F968FA4

Function 30001B8D Relevance: 7.6, APIs: 5, Instructions: 60registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000,00000000,?,?,30001FCC,80000000,?,?), ref: 30001BAB
lstrlenW.KERNEL32(80000000,77331A70,?,?,30001FCC,80000000,?,?,?), ref: 30001BCC
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,80000000,?,?,?,30001FCC,80000000,?,?,?), ref: 30001BE1
RegCloseKey.ADVAPI32(?,?,?,30001FCC,80000000,?,?,?), ref: 30001BF0

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 7d46ea247ac5aee40a05e76a2a2bea65ee6952422e1f9ada60124291dfa35c86
Instruction ID: 916e8b37f432a8e7600be89b34e6340481100b41d0f624dbd16db17707b5ec0a
Opcode Fuzzy Hash: 7d46ea247ac5aee40a05e76a2a2bea65ee6952422e1f9ada60124291dfa35c86
Instruction Fuzzy Hash: 3A118C7A890245FFFB229F49CD49EDF7ABAFB85742F2005A4F901A2060D371CE50EA50

Function 300025FB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000020,00000000,00000000,?,?), ref: 30002680
CloseHandle.KERNEL32(?), ref: 30002693
CloseHandle.KERNEL32(?), ref: 30002698

Strings

"%s" -%c %u, xrefs: 30002655

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: "%s" -%c %u
API String ID: 2922976086-3398570252
Opcode ID: b8046e4fc200d74aa5204b274180d38b6f27edaa3ac3e17843fbbde8a947b1bd
Instruction ID: 87cb4e9514ecaa785e5d434f5ef3247a1c3dfa5b67e6179cf5ee4315f3ccb75c
Opcode Fuzzy Hash: b8046e4fc200d74aa5204b274180d38b6f27edaa3ac3e17843fbbde8a947b1bd
Instruction Fuzzy Hash: 24118E72D40158BBEB219F98DC44BDEBBBCEF08310F00042AFA09B2090DA715649CF95

Function 300033DA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,300035A0,?,?,?), ref: 30003405
RegQueryValueExW.ADVAPI32(?,DWReporteeName,00000000,?,?,?,?), ref: 3000342E
RegCloseKey.ADVAPI32(?), ref: 30003444

Strings

DWReporteeName, xrefs: 30003426

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: DWReporteeName
API String ID: 3677997916-1508577061
Opcode ID: d977a4c8ee013e26ca43423e26bfa5e68c1eeef2e4ee7c73f1beebc4b1840256
Instruction ID: a984096e3261fa005aa707964966b4786dee8c5b9d15361142fa8b44361b1762
Opcode Fuzzy Hash: d977a4c8ee013e26ca43423e26bfa5e68c1eeef2e4ee7c73f1beebc4b1840256
Instruction Fuzzy Hash: 2301047A900118BBEB02DFA4CC44BEEBBBCFF04681F0040A6FA05E9050E370EA559F95

Function 30003DA4 Relevance: 6.3, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(300200F8,?,0000FFFF,?,?,?,00000000), ref: 30003DC7
VirtualFree.KERNEL32(?,?,00004000,?,?,?,300037C6), ref: 30003E33

Part of subcall function 30003B96: EnterCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,0000FFFF,?,?,00000000), ref: 30003BB5
Part of subcall function 30003B96: LeaveCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,?,0000FFFF,?,?,00000000), ref: 30003BCF

LeaveCriticalSection.KERNEL32(300200F8,?,?,?,300037C6), ref: 30003E5D
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,300037C6), ref: 30003E85
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,?,?,300037C6), ref: 30003E9F

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtual
String ID:
API String ID: 2516882-0
Opcode ID: 0c052424f8d9f771545d40fe34cc270a0bd482952c98fb90f340fc28b759a1e0
Instruction ID: f2db9b200dcc5711f0ea08f19900ffda23a02e18175b4ef754c55ceae3e05013
Opcode Fuzzy Hash: 0c052424f8d9f771545d40fe34cc270a0bd482952c98fb90f340fc28b759a1e0
Instruction Fuzzy Hash: BA21D57A6106018FE310CB2CDD84ADA73A8FBC4721F5446AEE99593691DB30E90ECF95

Function 30003A99 Relevance: 6.3, APIs: 5, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(300200F8,?,00000000,?,30003EF9,00000000,?,?,?,00000000,?,300044C0,?,?,00000000), ref: 30003AA1
VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 30003B0D
VirtualAlloc.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 30003B58
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,?,?,?,?,00000000), ref: 30003B77
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,?,?,?,?,00000000), ref: 30003B8A

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CriticalSection$LeaveVirtual$AllocEnterFree
String ID:
API String ID: 863552159-0
Opcode ID: fca38df62bfb575a71c16dd66f06b67a695b7b4d00753fc22c4ab5b9f5456a2a
Instruction ID: e00e603d9185e8abf18b530c6392621ff5f1d3204beb55f3e7e74f52507c0826
Opcode Fuzzy Hash: fca38df62bfb575a71c16dd66f06b67a695b7b4d00753fc22c4ab5b9f5456a2a
Instruction Fuzzy Hash: 0321257A71021247F7124B38CD88BE9328DFF84685F1080B9F641DA686CB28C8448B98

Function 300059CA Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSecurityDescriptorDacl.ADVAPI32(?,00000010,00000010,30004D02,00000000,00000000,00000010,30004D02,00000010,00000010), ref: 300059FA
LocalFree.KERNEL32(00000000), ref: 30005A13
LocalFree.KERNEL32(?), ref: 30005A16
LocalFree.KERNEL32(00000010,00000000,00000000,00000010,30004D02,00000010,00000010), ref: 30005A19

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: FreeLocal$DaclDescriptorSecurity
String ID:
API String ID: 3714201794-0
Opcode ID: e0306ccd0b35fc2a301d882c1de5dbd9e6b4d16a5a20948f9d55c1e3b7a5d8b1
Instruction ID: e40335537097e2948b3b2103fdde71d335907b32a0e4c0076524392238cf5652
Opcode Fuzzy Hash: e0306ccd0b35fc2a301d882c1de5dbd9e6b4d16a5a20948f9d55c1e3b7a5d8b1
Instruction Fuzzy Hash: 81F062B9A10108ABEB01CB98CCC0BDBBBFCAB49252F5001A6A504A2050D774DA40CEA1

Function 300020C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,300021AF,00000000,00000000,00000000,?,?,?,3000627C,?,?,?), ref: 300020C6

Part of subcall function 30001E79: StringFromCLSID.OLE32(?,?,00000000), ref: 30001EEF
Part of subcall function 30001E79: StringFromCLSID.OLE32(3000180C,?), ref: 30001F12
Part of subcall function 30001E79: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 30001F2C
Part of subcall function 30001E79: CoTaskMemFree.OLE32(?), ref: 300020A4
Part of subcall function 30001E79: CoTaskMemFree.OLE32(?), ref: 300020AC

CoUninitialize.OLE32(300014B4,Watson subscriber for SENS Network Events,?,?,?,?,3000627C,?,?,?), ref: 300020F8

Strings

Watson subscriber for SENS Network Events, xrefs: 300020D4

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: FreeFromStringTask$FileInitializeModuleNameUninitialize
String ID: Watson subscriber for SENS Network Events
API String ID: 1584965148-3738983962
Opcode ID: e2c056d69706eed87d56bfe5b39b6b2400910484a65b79807fd0323d1efeebec
Instruction ID: af8331119152a650146a984f67a689676209e4a95b598227ff06697a7a212e6c
Opcode Fuzzy Hash: e2c056d69706eed87d56bfe5b39b6b2400910484a65b79807fd0323d1efeebec
Instruction Fuzzy Hash: D1D0173D698381AAF6545BB8CF09BDA39986F84B81F4084A47B01E51A2DA60C100EE22

Function 30003B96 Relevance: 5.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,0000FFFF,?,?,00000000), ref: 30003BB5
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,?,0000FFFF,?,?,00000000), ref: 30003BCF
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000001,?,?,?,300037BA,?,?), ref: 30003C4B
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,?,?,?,?,?,?,0000FFFF,?,?,00000000), ref: 30003D49

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CriticalSection$Leave$EnterFreeVirtual
String ID:
API String ID: 2267935342-0
Opcode ID: 728efe143e63cd5dfd6e68cbe10b2b6f022ad2a7308aaab29b8a7bf41c000f84
Instruction ID: bd478a78a7565fdd4c45ed8706c6630f9bb78b3eb0a33067e612b5ce2d464e0f
Opcode Fuzzy Hash: 728efe143e63cd5dfd6e68cbe10b2b6f022ad2a7308aaab29b8a7bf41c000f84
Instruction Fuzzy Hash: 375137B98043019BF3018F24DC84F6EB3E8BF84342F1485AEF995A7190E735A959CF69

Function 30004858 Relevance: 5.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(300200F8,00007FFF,30004FB9,?,?,?,?,00000000,?,771AF3C0,300051C2,?,00002002,?,30004055,300080DC), ref: 30004866
SetLastError.KERNEL32(E004000E,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,30004821), ref: 3000488D
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,30004821), ref: 30004898
LeaveCriticalSection.KERNEL32(300200F8,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,30004821), ref: 300048A9

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CriticalSection$Leave$EnterErrorLast
String ID:
API String ID: 3832147951-0
Opcode ID: a547c38d3e82fc0d5d929008011d36a543578d0ac5cd688d511cab043366c5d6
Instruction ID: 50d2b7a500fdcc1b773caceb70cb364f6da780d052c4965e054e9844c57b8fb4
Opcode Fuzzy Hash: a547c38d3e82fc0d5d929008011d36a543578d0ac5cd688d511cab043366c5d6
Instruction Fuzzy Hash: BBF0A7791143116FF3109B68DD4CBDB37D8EF88210F008C85F955A6A01EA709C918F66

Function 300047FD Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(300200F8,?,3000491D,?,?,00000002,7686E690,30005CE7,?), ref: 3000480B

Part of subcall function 30003F7D: VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,00000400,?,?,00000000), ref: 30003FFA
Part of subcall function 30003F7D: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,00000000), ref: 3000400F

SetLastError.KERNEL32(E004000E), ref: 3000482D
LeaveCriticalSection.KERNEL32(300200F8), ref: 30004838
LeaveCriticalSection.KERNEL32(300200F8), ref: 30004849

Memory Dump Source

Source File: 00000003.00000002.1277743125.0000000030001000.00000020.00000001.01000000.00000003.sdmp, Offset: 30000000, based on PE: true

Associated: 00000003.00000002.1277729671.0000000030000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1277761355.0000000030022000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30000000_mwxZCB2H4p.jbxd

Similarity

API ID: CriticalSection$AllocLeaveVirtual$EnterErrorLast
String ID:
API String ID: 2428549816-0
Opcode ID: 138df1b8d120d82784380a66f96753ddfc1e43fd5c63ff8117a9bd88dce38967
Instruction ID: e7934647f06a53e503a8da4eda335cd5142fcf1bed391f07ad14e7b5b9de489f
Opcode Fuzzy Hash: 138df1b8d120d82784380a66f96753ddfc1e43fd5c63ff8117a9bd88dce38967
Instruction Fuzzy Hash: 45E06D7A514311ABF2149B68EE48FCB37D8AF98211F014895FA54A6A01DA309895CF65

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mwxZCB2H4p.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: mwxZCB2H4p.exePID: 5416, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: mwxZCB2H4p.exePID: 5416, Parent PID: 4056COMMON

Execution Graph

Graph

Executed Functions

Function 30006380 Relevance: 9.0, APIs: 6, Instructions: 38memorytimethreadCOMMON

Windows Analysis Report
mwxZCB2H4p.exe

Function 30006380 Relevance: 9.0, APIs: 6, Instructions: 38
memorytimethreadCOMMON

Function 30006139 Relevance: 16.6, APIs: 11, Instructions: 100
COMMON

Function 30002221 Relevance: 4.5, APIs: 3, Instructions: 35
registryCOMMON

Function 30002101 Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Function 3000496F Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Function 300026B1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 229
commemoryCOMMON

Function 30001E79 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 167
registryCOMMON

Function 30002991 Relevance: 25.6, APIs: 17, Instructions: 139
memoryCOMMON

Function 3000547B Relevance: 22.6, APIs: 15, Instructions: 124
threadmemoryCOMMON

Function 30006577 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 210
libraryCOMMON

Function 30005C8E Relevance: 18.1, APIs: 12, Instructions: 140
COMMON

Function 30002CE3 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 193
registrymemoryCOMMON

Function 30002916 Relevance: 15.1, APIs: 10, Instructions: 61
COMMON