
Windows Analysis Report
3gp.exe

Overview

General Information

Sample name: 3gp.exe
Analysis ID: 1667864
MD5: 8c008e5354f8bbcb45525b242360a590
SHA1: 188294fa1d6b7652f887ec0542b406bf24da8391
SHA256: 5fb6629ea119fd2f4237bbf45121c24e7532bb56432f3e8fab744e655533e631
Tags: exe, user-FelloBoiYuuka

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Disable Task Manager(disabletaskmgr)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Found API chain indicative of debugger detection
Performs an instant shutdown (NtRaiseHardError)
Writes directly to the primary disk partition (DR0)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (rendered as an image in the original; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • 3gp.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\3gp.exe" MD5: 8C008E5354F8BBCB45525B242360A590)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 3gp.exe Avira: detected
Source: 3gp.exe Virustotal: Detection: 66%
Source: 3gp.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\3gp.exe File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00402698 GetDC,CreateCompatibleDC,GetSystemMetrics,GetSystemMetrics,CreateDIBSection,SelectObject,GetDC,BitBlt,BitBlt,ReleaseDC,DeleteDC 0_2_00402698

Operating System Destruction

Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00401B60 CreateFileW on filename \\.\PhysicalDrive0 0_2_00401B60

System Summary

Source: C:\Users\user\Desktop\3gp.exe Hard error raised: shutdown
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00403CDD MessageBoxW,MessageBoxW,ExitProcess,MessageBoxW,MessageBoxW,ExitProcess,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,Sleep,SleepEx,CreateThread,CreateThread,Sleep,SleepEx,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,DeleteVolumeMountPointA,DeleteVolumeMountPointA,Sleep,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,RtlAdjustPrivilege,NtRaiseHardError,Sleep 0_2_00403CDD
Source: 3gp.exe Static PE information: Number of sections : 18 > 10
Source: 3gp.exe, 00000000.00000000.1144442333.000000000040F000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename 3gp( vs 3gp.exe
Source: 3gp.exe Binary or memory string: OriginalFilename 3gp( vs 3gp.exe
Source: classification engine Classification label: mal88.rans.evad.winEXE@1/1@0/0
Source: 3gp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3gp.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3gp.exe Virustotal: Detection: 66%
Source: 3gp.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\3gp.exe Section loaded: apphelp.dll, msimg32.dll, winmm.dll, textshaping.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, winmmbase.dll, mmdevapi.dll, devobj.dll, ksuser.dll, avrt.dll, audioses.dll, powrprof.dll, umpdc.dll, msacm32.dll, midimap.dll
Source: C:\Users\user\Desktop\3gp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: 3gp.exe Static PE information: section names: .xdata, /4, /19, /31, /45, /57, /70, /81, /92
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00414C51 pushfq ; ret 0_2_00414C52
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00408516 push qword ptr [rbx+rbp-0Ah]; ret 0_2_00408529

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\3gp.exe Code function: CreateFileW,CreateFileW,WriteFile,WriteFile, \\.\PhysicalDrive0 0_2_00401B60
Source: C:\Users\user\Desktop\3gp.exe File written: \Device\Harddisk0\DR0 offset: 32768 length: 32768

Boot Survival

Source: C:\Users\user\Desktop\3gp.exe Code function: CreateFileW,CreateFileW,WriteFile,WriteFile, \\.\PhysicalDrive0 0_2_00401B60
Source: C:\Users\user\Desktop\3gp.exe Window / User API: foregroundWindowGot 1773
Source: C:\Users\user\Desktop\3gp.exe TID: 7792 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\3gp.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\3gp.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\3gp.exe Thread delayed: delay time: 30000

Anti Debugging

Source: C:\Users\user\Desktop\3gp.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_0-1390
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00403CDD (the same API chain listed in full under System Summary; it ends LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,RtlAdjustPrivilege,NtRaiseHardError,Sleep) 0_2_00403CDD
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA 0_2_004011B0
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_00406241 SetUnhandledExceptionFilter 0_2_00406241
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_0040C548 SetUnhandledExceptionFilter,VirtualAlloc 0_2_0040C548
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_004051B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort 0_2_004051B0
Source: C:\Users\user\Desktop\3gp.exe Code function: 0_2_004050D0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter 0_2_004050D0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\3gp.exe Registry value created: DisableTaskMgr 1
Source: C:\Users\user\Desktop\3gp.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools
Source: C:\Users\user\Desktop\3gp.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
MITRE ATT&CK Matrix (techniques followed by a count in parentheses are the matched entries of the matrix; the others are the matrix's unmatched placeholder cells)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: Bootkit (3), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Disable or Modify Tools (3), Virtualization/Sandbox Evasion (121), Obfuscated Files or Information (1), Bootkit (3), DLL Side-Loading (1), Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (121), Application Window Discovery (1), Peripheral Device Discovery (11), System Information Discovery (12)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Screen Capture (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (rendered as an image in the original). Behavior Graph ID: 1667864, Sample: 3gp.exe, Startdate: 17/04/2025, Architecture: WINDOWS, Score: 88. Nodes: start -> 3gp.exe (started); 3gp.exe -> \Device\Harddisk0\DR0, DOS/MBR (dropped). Signatures shown on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Writes directly to the primary disk partition (DR0); Contains functionality to access PhysicalDrive, possible boot sector overwrite; Found API chain indicative of debugger detection; 5 other signatures.

Source | Detection | Scanner | Label
3gp.exe | 67% | Virustotal |
3gp.exe | 58% | ReversingLabs | Win64.Trojan.Nekark
3gp.exe | 100% | Avira | TR/AD.Nekark.onzgh
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1667864
Start date and time: 2025-04-17 21:12:27 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason:
Sample name: 3gp.exe
Detection: MAL
Classification: mal88.rans.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 13
  • Number of non-executed functions: 20
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Connection to analysis system has been lost, crash info: Unknown
  • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.79.17.61, 23.4.43.62
  • Excluded domains from analysis (whitelisted): cac-ocsp.digicert.com.edgekey.net, fs.microsoft.com, ocsp.digicert.com, e3913.cd.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net
Time | Type | Description
15:13:34 | API Interceptor | 6x Sleep call for process: 3gp.exe modified
No context
Process: C:\Users\user\Desktop\3gp.exe
File Type: DOS/MBR boot sector
Category: dropped
Size (bytes): 32768
Entropy (8bit): 2.6140688932684544
Encrypted: false
SSDEEP: 192:ZA9KensrHQum8AzN57idpL0aqF/gxyrqVg+oJ/7YL/oIoIn0un:W9KKslqidpL0amsqqVbbWEDn
MD5: BB4B2512514FA052B80C1EE618BD14D4
SHA1: 01D445199F453DDB8DD51235E46D907D88733409
SHA-256: 36C04C2BAA97CACDF0BCEC39CA2036D9F62FD849EDAE617BCE03FC967A3EF966
SHA-512: AE7E4F836894F36FFA3885B5D3DDE8F06D09D570E91F7D427C953440DCBA5115108BB3E98E9D52D59268A957C53A611FB145FE81FC85785AD86CA66938CAE5C4
Malicious: true
Reputation: low
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.296758362030382
TrID:
  • Win64 Executable GUI (202006/5) 92.64%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • VXD Driver (31/22) 0.01%
File name: 3gp.exe
File size: 189'056 bytes
MD5: 8c008e5354f8bbcb45525b242360a590
SHA1: 188294fa1d6b7652f887ec0542b406bf24da8391
SHA256: 5fb6629ea119fd2f4237bbf45121c24e7532bb56432f3e8fab744e655533e631
SHA512: d4ea624a1e520edf20b4e349a32c31b49857f73cccf6824c0ef599ddb4c4c44397726dc8c44cb783fbc32fb5b7c57c664b6c5fc3b6e40270b777c79642079e80
SSDEEP: 1536:BOKohcywXeCVnhtd+wDnhd1kRfWKqs5ypmaClXRDageWfBfj5WdvkvcUvMFM7iNl:Hpnh71W+KYoDRBfj5WdccBRU1gemktyP
TLSH: D90407E776969C9BE911433805D6C335273EFB908BC34B072E2069361E13BD0BED665A
Icon Hash: d117324c74253aca
Entrypoint: 0x4014d0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp: 0x67A97BCF [Mon Feb 10 04:08:47 2025 UTC]
TLS Callbacks: 0x4052e0
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b5c90181d89f90dda2d6f2b29bf1618f
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00007625h]
mov dword ptr [eax], 00000001h
call 00007F51F8B8722Fh
call 00007F51F8B8330Ah
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000075F5h]
mov dword ptr [eax], 00000000h
call 00007F51F8B871FFh
call 00007F51F8B832DAh
nop
nop
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
movaps ebp-10h, dqword ptr [xmm6]
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
movzx eax, byte ptr [ebp+1Ah]
mov byte ptr [ebp-19h], al
movzx eax, byte ptr [ebp+19h]
mov byte ptr [ebp-1Ah], al
movzx eax, byte ptr [ebp+18h]
mov byte ptr [ebp-1Bh], al
movzx eax, byte ptr [ebp-19h]
pxor xmm0, xmm0
cvtsi2ss xmm0, eax
movss xmm1, dword ptr [00007094h]
divss xmm0, xmm1
movd eax, xmm0
mov dword ptr [ebp-20h], eax
movzx eax, byte ptr [ebp-1Ah]
pxor xmm0, xmm0
cvtsi2ss xmm0, eax
movss xmm1, dword ptr [00007075h]
divss xmm0, xmm1
movd eax, xmm0
mov dword ptr [ebp-24h], eax
movzx eax, byte ptr [eax]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0xf5c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1478 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9000 | 0x390 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe020 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc3f8 | 0x358 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x53b0 | 0x5400 | a38abbf0d707b8ab4094a65a33acd09e | False | 0.44884672619047616 | data | 5.990094457258481 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x90 | 0x200 | 800afdffff2b0727d5877de48d355e4e | False | 0.11328125 | data | 0.6379346993823642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x8000 | 0xfb0 | 0x1000 | 27ee02e11092adaf46f55cc6d53ab6ae | False | 0.409912109375 | COM executable for DOS | 4.670165023914094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x9000 | 0x390 | 0x400 | d5ea913a7a3c76c1e404fedd4dde6b26 | False | 0.4951171875 | data | 3.847732580028875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0xa000 | 0x374 | 0x400 | 91bc88e7e63bb3a6c03660e214574a57 | False | 0.3623046875 | data | 3.9443421496510696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0xb000 | 0xa60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc000 | 0xf5c | 0x1000 | bf91e9d0789d830dab059589ceadc27e | False | 0.33203125 | data | 4.069800559994343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xd000 | 0x68 | 0x200 | 088f8de9c7bfc11829d3ed60b187856b | False | 0.072265625 | data | 0.2748254782599745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x68 | 0x200 | 3d9f6d41d3fc682200d345ba64a9d400 | False | 0.060546875 | data | 0.19743807838821048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf000 | 0x1478 | 0x1600 | e009b57fdc546568472586457512dc6a | False | 0.2853338068181818 | data | 3.6598208571764954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0x11000 | 0x600 | 0x600 | 0e78de464c68fa0acdd948f628d31a51 | False | 0.22786458333333334 | data | 1.6710394076117343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x12000 | 0xdce6 | 0xde00 | 81f8875f55347e5b738af306cde8c5e3 | False | 0.3779560810810811 | data | 5.951578477311184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31 | 0x20000 | 0x23c8 | 0x2400 | f668052ed1ec57583e4eff853b15bfc4 | False | 0.2138671875 | data | 4.605200814310725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45 | 0x23000 | 0x21a4 | 0x2200 | f666b4ece5949545a64815350fa43e5d | False | 0.3050321691176471 | data | 5.610135942574295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57 | 0x26000 | 0xcc8 | 0xe00 | ed498850cf239b23ca9c13d992e40156 | False | 0.3099888392857143 | data | 3.991934598130095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70 | 0x27000 | 0x4ce | 0x600 | 6327078cd03de34e4da5925489a3fce4 | False | 0.2649739583333333 | data | 4.316064494959888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81 | 0x28000 | 0x37db | 0x3800 | b57acacb9539f6beb40d0e3e968eeeab | False | 0.20375279017857142 | data | 2.3647523633362253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/920x2c0000x5d00x60049fd23ba829765ce1a4cf16722003a1fFalse0.22721354166666666data1.5077615221213083IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf0f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.2781425891181989
RT_GROUP_ICON | 0x10198 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0x101b0 | 0x2c8 | data | English | United States | 0.46207865168539325
DLL | Import
ADVAPI32.dll | RegCloseKey, RegCreateKeyExW, RegSetValueExW
GDI32.dll | BitBlt, CreateBitmap, CreateCompatibleDC, CreateDIBSection, CreatePen, CreateSolidBrush, DeleteDC, DeleteObject, GetBitmapBits, Polygon, SelectObject, SetBitmapBits, StretchBlt, TextOutA
KERNEL32.dll | CloseHandle, CreateFileW, CreateThread, DeleteCriticalSection, DeleteVolumeMountPointA, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TerminateThread, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
MSIMG32.dll | AlphaBlend
msvcrt.dll | __C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _lock, _onexit, _unlock, _time64, abort, calloc, exit, fprintf, free, frexp, fwrite, malloc, memcpy, memset, rand, signal, srand, strlen, strncmp, vfprintf
USER32.dll | DrawIcon, GetCursorInfo, GetDC, GetForegroundWindow, GetSystemMetrics, GetWindowRect, InvalidateRect, MessageBoxW, ReleaseDC, SetWindowPos
WINMM.dll | waveOutClose, waveOutOpen, waveOutPrepareHeader, waveOutUnprepareHeader, waveOutWrite
Description | Data
CompanyName | Ryan
FileVersion | 6.6.6.6
FileDescription | Buy Ryans World Eggs from Dark Web 2025
InternalName | 3gp
LegalCopyright | Ryan
LegalTrademarks | Ryan
OriginalFilename | 3gp
ProductName | 3gp
ProductVersion | 6.6.6.6
Translation | 0x0409 0x04e4
Language of compilation system | Country where language is spoken
English | United States
No network behavior found
051015s020406080100

Click to jump to process

051015s0.002040MB

Click to jump to process

  • File
  • Registry

Click to dive into process behavior distribution

Target ID: 0
Start time: 15:13:22
Start date: 17/04/2025
Path: C:\Users\user\Desktop\3gp.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\3gp.exe"
Imagebase: 0x400000
File size: 189'056 bytes
MD5 hash: 8C008E5354F8BBCB45525B242360A590
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 23.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 15%
Total number of Nodes: 340
Total number of Limit Nodes: 7

Callgraph


Executed Functions

Control-flow Graph

APIs
  • MessageBoxW.USER32 ref: 00403D18
  • MessageBoxW.USER32 ref: 00403D52
  • CreateThread.KERNELBASE ref: 00403D9B
  • CreateThread.KERNELBASE ref: 00403DCC
  • CreateThread.KERNELBASE ref: 00403DFD
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403E85
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403E95
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403EA5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403EB5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403EC5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403ED5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403EE5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403EF5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F05
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F15
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F25
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F35
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F45
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F55
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F65
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F75
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F85
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403F95
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403FA5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403FB5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403FC5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403FD5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403FE5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00403FF5
  • DeleteVolumeMountPointA.KERNEL32 ref: 00404005
  • SleepEx.KERNELBASE ref: 00404013
  • CreateThread.KERNELBASE ref: 00404044
  • SleepEx.KERNELBASE ref: 0040405B
  • TerminateThread.KERNELBASE ref: 00404070
  • CreateThread.KERNELBASE ref: 004040CA
  • CreateThread.KERNELBASE ref: 004040FF
    • Part of subcall function 00403344: memset.MSVCRT ref: 004033F4
  • TerminateThread.KERNELBASE ref: 0040412B
  • TerminateThread.KERNELBASE ref: 00404150
  • CreateThread.KERNELBASE ref: 004041AA
    • Part of subcall function 0040351F: memset.MSVCRT ref: 004035CF
  • TerminateThread.KERNELBASE ref: 004041D6
  • CreateThread.KERNELBASE ref: 00404230
  • CreateThread.KERNELBASE ref: 00404265
    • Part of subcall function 004036E6: memset.MSVCRT ref: 00403796
  • TerminateThread.KERNELBASE ref: 00404291
  • TerminateThread.KERNELBASE ref: 004042B6
  • CreateThread.KERNELBASE ref: 00404310
  • CreateThread.KERNELBASE ref: 00404345
    • Part of subcall function 0040389A: memset.MSVCRT ref: 0040394A
  • TerminateThread.KERNELBASE ref: 00404371
  • CreateThread.KERNELBASE ref: 004043CB
    • Part of subcall function 00403A4F: memset.MSVCRT ref: 00403AFF
  • TerminateThread.KERNELBASE ref: 004043F7
  • DeleteVolumeMountPointA.KERNEL32 ref: 00404430
  • RtlAdjustPrivilege.NTDLL ref: 004044A9
  • NtRaiseHardError.NTDLL ref: 004044D6
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: DeleteMountPointVolume$Thread$Create$Terminate$memset$MessageSleep$AdjustErrorHardPrivilegeRaise
  • String ID: 3gp.exe by pankoza (Revived by Venra)$A:\$Are you sure? It will destroy this computer and it contains flashing lights - NOT for epilepsy$B:\$C:\$D:\$DisableCMD$DisableRegistryTools$DisableTaskMgr$E:\$F:\$F?i?n?a?l? ?W?a?r?n?i?n?g? - 3?p.e?e$G:\$H:\$I:\$J:\$K:\$L:\$M:\$N:\$NtRaiseHardError$O:\$P:\$Q:\$R:\$RtlAdjustPrivilege$S:\$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$SOFTWARE\Policies\Microsoft\Windows\System$T:\$This is a Malware,Click yes to run.Click no to exit.$U:\$V:\$W:\$X:\$Y:\$Z:\$ntdll
  • API String ID: 2085617421-1852431110
  • Opcode ID: f6717d1c607b4c4f10f129ce4b4932e3818c89644568e5dcaecf2da2ab2c663d
  • Instruction ID: 421b19f512ad1648773f3d7da5dce2d04d130cff85abce6d5a9b95dfb94757ae
  • Opcode Fuzzy Hash: f6717d1c607b4c4f10f129ce4b4932e3818c89644568e5dcaecf2da2ab2c663d
  • Instruction Fuzzy Hash: E21296A5320A44D9EB50DB65FCA039A2761F788B98F44022ACF5D677B4DF7DC605C388

Control-flow Graph

Function 004011B0 (basic blocks 004011B0 to 004014CE; calls GetStartupInfoA, Sleep, _initterm, SetUnhandledExceptionFilter, malloc, strlen, memcpy, _cexit). Interactive control-flow graph omitted.
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: ExceptionFilterInfoSleepStartupUnhandled
  • String ID:
  • API String ID: 2839300629-0
  • Opcode ID: b399f9b96cd9a0e21b2b2af0855f4c7aea06473c65a509813155f3c9fe666c41
  • Instruction ID: 78ac57622a402afde6cfa7de486f4acfe649842de5f1a6eb5c872a50d0921759
  • Opcode Fuzzy Hash: b399f9b96cd9a0e21b2b2af0855f4c7aea06473c65a509813155f3c9fe666c41
  • Instruction Fuzzy Hash: 177189B5610A4486EB14DF16E89072A3361FB85B88F84802ADF5AB7BB1DF3DC844C748

Control-flow Graph

Function 00401B60 (single basic block 00401B60 to 00401BE1; calls CreateFileW, WriteFile). Interactive control-flow graph omitted.
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: File$CreateWrite
  • String ID: \\.\PhysicalDrive0
  • API String ID: 2263783195-1180397377
  • Opcode ID: 8fca62e712e81508a4edf1a2054da2d37b198ee5fecbae048ed223ca1521df36
  • Instruction ID: 43a91d72052d177055d3bf017d527d440c6ec69c362f6f2014a5696b5e9d6d24
  • Opcode Fuzzy Hash: 8fca62e712e81508a4edf1a2054da2d37b198ee5fecbae048ed223ca1521df36
  • Instruction Fuzzy Hash: 8DF017B1B14B0099F710CB55E89079A3765F388B88F404219EE9C5BBA8EF7DC3458B84

Control-flow Graph

Function 00402B99 (basic blocks 00402B99 to 00402D23; calls 00401A81 twice, rand six times, SleepEx). Interactive control-flow graph omitted.
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: rand$Sleep
  • String ID:
  • API String ID: 1952133086-0
  • Opcode ID: bed4b1df6ebaf89e928bb5c1f5326dd4bc8eeddbbac1cdcb17614f73be939aaa
  • Instruction ID: 2576769f9b5c4b84ac239cafe3406b3ced767d8edc930c48b6deefc49395b817
  • Opcode Fuzzy Hash: bed4b1df6ebaf89e928bb5c1f5326dd4bc8eeddbbac1cdcb17614f73be939aaa
  • Instruction Fuzzy Hash: D741B7A5B11B048DEB44DBBAEC9036C37B1B74CB88F14452ADF1DA3768DE38C9518754

Control-flow Graph

Function 00402D28 (basic blocks 00402D28 to 00403134; calls VirtualAlloc, rand, 00405CD0, 00405DD0, 00405C90). Interactive control-flow graph omitted.
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: rand$AllocVirtual
  • String ID: $VUUU
  • API String ID: 582084158-3673398558
  • Opcode ID: 964b06d0c9f4378193eb7246a672fadb6709da3b0760042e1595ee6909b5e1d6
  • Instruction ID: de4cf365dee69c7c39bff8ed67238c5dec25eb96ac7fa73e75597410adedeb05
  • Opcode Fuzzy Hash: 964b06d0c9f4378193eb7246a672fadb6709da3b0760042e1595ee6909b5e1d6
  • Instruction Fuzzy Hash: C6C13072B11A008FE744CBB9D89175D77F1B788788F148229DE0DE7B68DB39D9418B40

Control-flow Graph

  • Nodes: 161: 403c2a-403cdc (RegCreateKeyExW, RegSetValueExW, RegCloseKey)
  • Edges: none (single basic block)
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: CloseCreateValue
  • String ID: ?
  • API String ID: 1818849710-1684325040
  • Opcode ID: 7211a257557a6685ea2dfc38e6a7936bb5d556e66a507ddcb13aae33826164a0
  • Instruction ID: b5335d2200f35d3c3276ac64350694e498c02d28caa97ed0c00e5cb68f3769c5
  • Opcode Fuzzy Hash: 7211a257557a6685ea2dfc38e6a7936bb5d556e66a507ddcb13aae33826164a0
  • Instruction Fuzzy Hash: BF11E6B6710B40CAD750CF65E89079D37A0F348BC8F144519EF5C57B68DB39C6518B44

Control-flow Graph

  • Nodes: 163: 401be2-401c08 (call 4060b8, call 4060c0); 167: 401c0d; 168: 401c16-401c50 (rand); 170: 401c90-401c94; 171: 401c52-401c87; 172: 401cd4-401cd8; 173: 401c96-401ccb; 174: 401d19-401d1d; 175: 401cda-401d10; 176: 401d5d; 177: 401d1f-401d54
  • Edges: 163->167; 167->168; 168->170; 168->171; 170->172; 170->173; 171->170; 172->174; 172->175; 173->172; 174->176; 174->177; 175->174; 176->167; 177->176
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: rand
  • String ID: d$d
  • API String ID: 415692148-195624457
  • Opcode ID: 2cd751266785fc2f06155eca1af298764e3c185b427285ce5e55ae82a3c51959
  • Instruction ID: cd877a206e47f7ce9ab2ea0778c8e91edf343604b99fed49cb28bc45db7f58cc
  • Opcode Fuzzy Hash: 2cd751266785fc2f06155eca1af298764e3c185b427285ce5e55ae82a3c51959
  • Instruction Fuzzy Hash: 6F410872B14604CEEB14CFA9E88475E37B1F38878CF108629DE19A7B68CB7ED5458B14

Control-flow Graph

  • Nodes: 178: 401d62-401da0; 182: 401da4-401df8 (rand * 2, SleepEx)
  • Edges: 178->182
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: rand$Sleep
  • String ID:
  • API String ID: 1952133086-0
  • Opcode ID: 6244aa8ca0dff8c732aa208ba9d9da1a41060ab990c65b75ed1d9b407a557a12
  • Instruction ID: 3546931182feab2be36aab26608d7ad178e783d54ab1725da7a783458d21792a
  • Opcode Fuzzy Hash: 6244aa8ca0dff8c732aa208ba9d9da1a41060ab990c65b75ed1d9b407a557a12
  • Instruction Fuzzy Hash: 6A010C76B21A14DDE750DBA6EC9039C3771A78C748F041636DF1DA37A4DE398A018744

Control-flow Graph

  • Nodes: 185: 403344-403403 (call 405a10, memset); 189: 403473-40347f; 190: 403481-40351e; 191: 403405-40346c
  • Edges: 185->189; 189->190; 189->191; 191->189
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: memset
  • String ID:
  • API String ID: 2221118986-0
  • Opcode ID: b9beda37cf95fcbf78f7cc4883f94e3a40eb5e7ab4e15f774edad987e420ac79
  • Instruction ID: d2d7b91a6dd10efdfadcd13d6288da4823e6bd2f58045921aaf7df80f0b7671c
  • Opcode Fuzzy Hash: b9beda37cf95fcbf78f7cc4883f94e3a40eb5e7ab4e15f774edad987e420ac79
  • Instruction Fuzzy Hash: 71416032311A848ED725CF29DC543C973EDE75A388F024126DA4CABB68EB7DC605C742

Control-flow Graph

  • Nodes: 196: 403a4f-403b0e (call 405a10, memset); 200: 403b7e-403b8a; 201: 403b10-403b77; 202: 403b8c-403c29
  • Edges: 196->200; 200->201; 200->202; 201->200
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: memset
  • String ID:
  • API String ID: 2221118986-0
  • Opcode ID: 857d8ebf1d72d2ab9bc7ac762b5eeb88ef5afff791f96332b26c193a33340e32
  • Instruction ID: f17432bf06caeeb983adf0a7ca1da39633d290d8f1550efd88834424b6aa6e7e
  • Opcode Fuzzy Hash: 857d8ebf1d72d2ab9bc7ac762b5eeb88ef5afff791f96332b26c193a33340e32
  • Instruction Fuzzy Hash: 7B415E32311A808ED725CF69D8543C973EDE75A38CF42412ADA4CABB68EB7DC605C742

Control-flow Graph

  • Nodes: 207: 40351f-4035de (call 405a10, memset); 211: 40363a-403646; 212: 4035e0-403633; 213: 403648-4036e5
  • Edges: 207->211; 211->212; 211->213; 212->211
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: memset
  • String ID:
  • API String ID: 2221118986-0
  • Opcode ID: 20f5b9d3701370e28be061ebf388b89d03a7fb938abd44eebe919a2889be7c73
  • Instruction ID: 0eb42c909f22b39fb3ac227c4661c7c9ba376f447fb5862a6ef319289eda7d40
  • Opcode Fuzzy Hash: 20f5b9d3701370e28be061ebf388b89d03a7fb938abd44eebe919a2889be7c73
  • Instruction Fuzzy Hash: F5419372311A808ED725CF65DC543C973ADF79A388F424126DA4C6BB68DB7DC605C742

Control-flow Graph

  • Nodes: 218: 40389a-403959 (call 405a10, memset); 222: 4039a3-4039af; 223: 4039b1-403a4e; 224: 40395b-40399c
  • Edges: 218->222; 222->223; 222->224; 224->222
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: memset
  • String ID:
  • API String ID: 2221118986-0
  • Opcode ID: cddc912215106c0004050911d2a0fc9cf73fa237fc715813aad3bfac56a45064
  • Instruction ID: 3cf2124913da3f9f3bb885f061b1a68bfec504a50f79d06d6e205b65f312a68c
  • Opcode Fuzzy Hash: cddc912215106c0004050911d2a0fc9cf73fa237fc715813aad3bfac56a45064
  • Instruction Fuzzy Hash: D6419472311A808ED725CF69D8443C973ADF75A38CF424126DA4CABB68DB7DC605C742

Control-flow Graph

  • Nodes: 229: 4036e6-4037a5 (call 405a10, memset); 233: 4037ee-4037fa; 234: 4037a7-4037e7; 235: 4037fc-403899
  • Edges: 229->233; 233->234; 233->235; 234->233
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: memset
  • String ID:
  • API String ID: 2221118986-0
  • Opcode ID: 35d9a75e36c45549ebc60a6e40d973d1981544736af9b317a109fc2b2e5e05e4
  • Instruction ID: 35474e681d0b66a7f7d04a4d953fcf72d1c5745857107db54df9ba823713d17c
  • Opcode Fuzzy Hash: 35d9a75e36c45549ebc60a6e40d973d1981544736af9b317a109fc2b2e5e05e4
  • Instruction Fuzzy Hash: 34418372311A808ED725CF69DC543C973ADF75A388F42412ADA4CABB68DB7DC604C742

Non-executed Functions

Note: the functions in this section that carry the strings "Mingw-w64 runtime failure:", "Unknown pseudo relocation protocol version %d." and "_matherr(): %s in %s(%g, %g) (retval=%g)" are mingw-w64 C runtime code (the pseudo-relocation fix-up routine, its error reporter and the math error handler) linked in by the compiler; the two that pair GetSystemTimeAsFileTime/GetTickCount/QueryPerformanceCounter and RtlCaptureContext/TerminateProcess/abort match the same runtime's stack-cookie initialisation and cookie-failure handler. Treat them as compiler artifacts during triage rather than as sample-specific logic.

APIs
  • RtlCaptureContext.KERNEL32 ref: 004051C4
  • RtlLookupFunctionEntry.KERNEL32 ref: 004051DB
  • RtlVirtualUnwind.KERNEL32 ref: 0040521D
  • SetUnhandledExceptionFilter.KERNEL32 ref: 00405264
  • UnhandledExceptionFilter.KERNEL32 ref: 00405271
  • GetCurrentProcess.KERNEL32 ref: 00405277
  • TerminateProcess.KERNEL32 ref: 00405285
  • abort.MSVCRT ref: 0040528B
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
  • String ID:
  • API String ID: 4278921479-0
  • Opcode ID: ff45b62d241db6f5ea1aea59edd6f16fa99a40d0df223a6fe66588aefb6e30ad
  • Instruction ID: 25fc6909e29b4e95417f614b5c33a11a9872d60123a5f7b41ccc4f1590793f1b
  • Opcode Fuzzy Hash: ff45b62d241db6f5ea1aea59edd6f16fa99a40d0df223a6fe66588aefb6e30ad
  • Instruction Fuzzy Hash: 0A21E2B6611F14D9EB009B61FC8478937A4FB08B88F54022ADF8E67765EF38C149C788
APIs
  • GetSystemTimeAsFileTime.KERNEL32 ref: 00405115
  • GetCurrentProcessId.KERNEL32 ref: 00405120
  • GetCurrentThreadId.KERNEL32 ref: 00405128
  • GetTickCount.KERNEL32 ref: 00405130
  • QueryPerformanceCounter.KERNEL32 ref: 0040513D
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
  • String ID:
  • API String ID: 1445889803-0
  • Opcode ID: a60ba0ea7b86fccdb4d38e94ab789422778c97745a52fac333567c819341baa4
  • Instruction ID: 474aebb865a922bf7f45cc38958ea0d35168d5ffa4ff13d5217199e50b7dada8
  • Opcode Fuzzy Hash: a60ba0ea7b86fccdb4d38e94ab789422778c97745a52fac333567c819341baa4
  • Instruction Fuzzy Hash: 00119E66B15B1082F7105B25BC087566260B788BA0F081731DFAD67BE4DA3CC886D708
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID: 0-3916222277
  • Opcode ID: c5c470a484dc581b9b6dcf7c227f89c890f7e9d76b121dc6e1550b2b28fdf414
  • Instruction ID: 3109dc9dd5c7a1dbad247dbecdee40ffa763a6a6157e3766db0ad81d57627496
  • Opcode Fuzzy Hash: c5c470a484dc581b9b6dcf7c227f89c890f7e9d76b121dc6e1550b2b28fdf414
  • Instruction Fuzzy Hash: 4261F6B2211650CFD758CF25E8A0B9937A1F78C78CF015229FB4E97BA8DB39C9408B44
Memory Dump Source
  • Source File: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 7db98e2c7b428b35d1944fba2bd2ef3b03f5a4e191b1a2e570f445c1ed806732
  • Instruction ID: f1c65a4cc3559c3d2cb9a96a183eddcb15da2cb9866e883135a892d38d7d46bd
  • Opcode Fuzzy Hash: 7db98e2c7b428b35d1944fba2bd2ef3b03f5a4e191b1a2e570f445c1ed806732
  • Instruction Fuzzy Hash: EEE0124BA0D6E4DED756CBBC0CB909A1F91A5B6D4430D826F9240973C7E41C5C06D309
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: d0058988867f548fb8db7b92ddbdc5952c2ea1db6c6f1724a72ab927fccb2ff4
  • Instruction ID: 34b778aa594fb4bf5df0920de41eb9d7cd4d82b8557aaa26fd4a2f10aaa11840
  • Opcode Fuzzy Hash: d0058988867f548fb8db7b92ddbdc5952c2ea1db6c6f1724a72ab927fccb2ff4
  • Instruction Fuzzy Hash: 83A00256449D20D0F2004B04FC513605129D306208F4421208218A1092853D91584148
APIs
  • VirtualQuery.KERNEL32(?,?,?,?,0040BA28,0040BA20,00000001,00007FFCC289ADA0,?,?,0040B040,0040127D), ref: 00404A50
  • VirtualProtect.KERNEL32(?,?,?,?,0040BA28,0040BA20,00000001,00007FFCC289ADA0,?,?,0040B040,0040127D), ref: 00404A72
Strings
  • Unknown pseudo relocation protocol version %d., xrefs: 00404B8C
  • Unknown pseudo relocation bit size %d., xrefs: 00404B2B
  • VirtualQuery failed for %d bytes at address %p, xrefs: 00404871, 00404B75
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
  • API String ID: 1027372294-974437099
  • Opcode ID: b9cb1568e86008f7151227f2a03ecbdd5f003cd46209599a891d1b8cce046830
  • Instruction ID: c6235ab142aad07217fbf75c932c6786432c97e2c174046c722443d4952416d8
  • Opcode Fuzzy Hash: b9cb1568e86008f7151227f2a03ecbdd5f003cd46209599a891d1b8cce046830
  • Instruction Fuzzy Hash: DFA100E171661086FF109B36E94036B2261B7C4BA8F59853BCF0A777E8DA3CC885874D
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: signal
  • String ID: CCG
  • API String ID: 1946981877-1584390748
  • Opcode ID: 716564e8a2b80ee75bfbfba09188a0311f70a186aded732a56afe85b23a2c2cc
  • Instruction ID: 903908b194603288eecf035ce4653fc6d432c70f785d3b052d766eb5124474ff
  • Opcode Fuzzy Hash: 716564e8a2b80ee75bfbfba09188a0311f70a186aded732a56afe85b23a2c2cc
  • Instruction Fuzzy Hash: B73161A070411505FE786269C15533B1082BBC9368F2A8A3BCB5AAB3D6CD7D8CE142DE
APIs
Strings
  • Address %p has no image-section, xrefs: 00404737, 00404882
  • VirtualProtect failed with code 0x%x, xrefs: 00404857
  • Mingw-w64 runtime failure:, xrefs: 004046E7
  • VirtualQuery failed for %d bytes at address %p, xrefs: 00404871
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: Virtual$ProtectQuery__iob_func
  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
  • API String ID: 2215987729-1534286854
  • Opcode ID: fef36765d2ae227f793975cfe8f5dfbb2f452563e3977102a63c2e70ff5b9682
  • Instruction ID: 00935c47683e11de404532939d1e56a2432bb7804a55363c0f56d620b020dd7b
  • Opcode Fuzzy Hash: fef36765d2ae227f793975cfe8f5dfbb2f452563e3977102a63c2e70ff5b9682
  • Instruction Fuzzy Hash: C741AFB6700B8495EA10EF22EC44B5A7B64F789BD4F48852AEF0D277A4DB3CC546C748
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Unknown error, xrefs: 004046B0
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-3474627141
  • Opcode ID: bfebf50a5e0bdc56dedd271859e40e9bce598c2c70fdc7dfa6d33084bdb6c709
  • Instruction ID: 88e260b63edd6a35d13c800e50dcc40cb3a7d31b88e08d9f0e746dfcc1f67888
  • Opcode Fuzzy Hash: bfebf50a5e0bdc56dedd271859e40e9bce598c2c70fdc7dfa6d33084bdb6c709
  • Instruction Fuzzy Hash: 4C11A763404E8486D6028F1CE8013DA7775FF9A759F659312EB8826164DB35C553C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Argument singularity (SIGN), xrefs: 00404660
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-2468659920
  • Opcode ID: 84f026904f3a65521a5e2cd9d051576b2e7f83d7d3a2c1c403c7f20dc82f9000
  • Instruction ID: 0d4b609d9573cd88e4e68f567a3fa8c652428215d499041a9cf560810827ae21
  • Opcode Fuzzy Hash: 84f026904f3a65521a5e2cd9d051576b2e7f83d7d3a2c1c403c7f20dc82f9000
  • Instruction Fuzzy Hash: 9FF03063454E8882C602DF1CE80029BB370FF9EB99F699716EB893A564DF39C657C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Overflow range error (OVERFLOW), xrefs: 00404670
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4064033741
  • Opcode ID: c040ed5a1b79db636c051dd3c28cf8a5e206cfdcd8db8fa8729d2b575ba44009
  • Instruction ID: 39c93e5991ff5ccfebbd736dfd5b161ae84aa61eff9980cae91048d05e0a88c6
  • Opcode Fuzzy Hash: c040ed5a1b79db636c051dd3c28cf8a5e206cfdcd8db8fa8729d2b575ba44009
  • Instruction Fuzzy Hash: 24F03063454E8882C602DF1CE80029B7370FF9EB99F6A9716EB893A564DF39C657C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Argument domain error (DOMAIN), xrefs: 004045F1
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-2713391170
  • Opcode ID: 7ffafb8e8f7d3f1bd4cc613b86182b569e246e7e05e7fd8588938ab5efa69fbe
  • Instruction ID: 6c22dc424e9945d69e1aee88cc223a7b890f194efbc20794b0e9b3f62f4f6dca
  • Opcode Fuzzy Hash: 7ffafb8e8f7d3f1bd4cc613b86182b569e246e7e05e7fd8588938ab5efa69fbe
  • Instruction Fuzzy Hash: DFF06223404E8886C201DF18E80039B7370FF5EB89F55A316EB8936524DB35C547C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • The result is too small to be represented (UNDERFLOW), xrefs: 00404680
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-2187435201
  • Opcode ID: 4f564ce4e496311235ecda956c5f42970c6be21ec000b3324fdbcbdb9e694510
  • Instruction ID: 392831bad74bd1008bf1916e88ae4f24056496b0e9aeb6ad09762c4d0ef2a38d
  • Opcode Fuzzy Hash: 4f564ce4e496311235ecda956c5f42970c6be21ec000b3324fdbcbdb9e694510
  • Instruction Fuzzy Hash: 2DF09063404E8882C202DF1CE80029B7370FF9EB89F699316EB893A464DF39C647C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Total loss of significance (TLOSS), xrefs: 00404690
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4273532761
  • Opcode ID: 6ce53c8179943af859efbe2bf5fb61be4fac53fc2efadbe14292cda9b2f31136
  • Instruction ID: 2dc8aab88547635c051045b2213bda2f2884677a8da84afb264f5079f3bb3db1
  • Opcode Fuzzy Hash: 6ce53c8179943af859efbe2bf5fb61be4fac53fc2efadbe14292cda9b2f31136
  • Instruction Fuzzy Hash: 65F01263454E4881C611DF18E80029B7370FF5E799F559316EB8936564DB39C657C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Partial loss of significance (PLOSS), xrefs: 004046A0
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4283191376
  • Opcode ID: 6322ba2f13554e2750afaf9833ca9adaec1292ef760e6689808b350d182335d8
  • Instruction ID: 2ea1b0ea01480994e27431537b057518ee04353426bbbf9af3f84a18bf531812
  • Opcode Fuzzy Hash: 6322ba2f13554e2750afaf9833ca9adaec1292ef760e6689808b350d182335d8
  • Instruction Fuzzy Hash: A2F03063454E8886C602DF1CE80029B7370FF9EB99F699316EB893A564DF39C657C704
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: rand$strlen
  • String ID: 3gp.exe
  • API String ID: 3145821414-1007356019
  • Opcode ID: 3f3d27e67d71ee7f0741bfc8223fe423bdbef8eed44c5e0c9b0d92c842790407
  • Instruction ID: 22576e0253c2e6dfa25feb129cca70f56acbc7001922603f39cfce5c73cb1cb0
  • Opcode Fuzzy Hash: 3f3d27e67d71ee7f0741bfc8223fe423bdbef8eed44c5e0c9b0d92c842790407
  • Instruction Fuzzy Hash: 1D211DB5B11B04DEE704DBA6E89035C37B1B748788F10412ADF4DA77A4DF398A458744
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: Address %p has no image-section
  • API String ID: 1027372294-867041741
  • Opcode ID: b1ab362ea6a4374ff2986bced96e7655b3a414d6a7e7079c2d10e9749bcc72d1
  • Instruction ID: 3182b95def515999964183ba5f104c846b7909eaceb3b7a6cede84c01a3be87d
  • Opcode Fuzzy Hash: b1ab362ea6a4374ff2986bced96e7655b3a414d6a7e7079c2d10e9749bcc72d1
  • Instruction Fuzzy Hash: 2441E5A7709BC495EA219F26AC44B5A7B20F786B94F488627DF48273D1DB3CC846C708
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: frexp
  • String ID: VUUU$VUUU
  • API String ID: 3902379758-3149182767
  • Opcode ID: 973b4a54913d20571b7c2183e130cb9f57cc6f331f375e3861e7c23cf783b1c0
  • Instruction ID: 9ebd97a494bf3b67c1b15fb8886d8952af78ca4961469f5247ee5ee561547883
  • Opcode Fuzzy Hash: 973b4a54913d20571b7c2183e130cb9f57cc6f331f375e3861e7c23cf783b1c0
  • Instruction Fuzzy Hash: C5412B72A38F448DD617A7389462327A3A9EF923C0F51D317B647756B6EF38E4834908
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: _errno
  • String ID: sin
  • API String ID: 2918714741-3083047850
  • Opcode ID: d549eceecc20da34e85efafcfe779af5b2686b49ed61382d980443b78c6c6fd0
  • Instruction ID: 363f52ae50af334f41db1504484ad6e86cf6cfdbd70908793d8b02c1b888b243
  • Opcode Fuzzy Hash: d549eceecc20da34e85efafcfe779af5b2686b49ed61382d980443b78c6c6fd0
  • Instruction Fuzzy Hash: 98219A72528E8082D7429F24F84136BB321FBC5364F04932ABBE626AD8DF3DC151CA48
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_3gp.jbxd
Similarity
  • API ID: CriticalSection$EnterLeavefree
  • String ID:
  • API String ID: 4020351045-0
  • Opcode ID: 064c83539a0a356646893c263a24c51502f83ddc24258fe00dcd045ca57930e5
  • Instruction ID: 06693a49032cb395490b1bb8c501ecdf1b31fa2966c8ade3d2e43b5ca151631e
  • Opcode Fuzzy Hash: 064c83539a0a356646893c263a24c51502f83ddc24258fe00dcd045ca57930e5
  • Instruction Fuzzy Hash: 41011EE1712A04C6DF18DB55E88472623A1FB58BA0F844436CB1EA77A0EB3CC995CB5C
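Added example, not Joe Sandbox's own code: a small Python parser for the per-function records above (Strings with xrefs, Memory Dump Source, Similarity fields). The record layout is inferred only from the blocks visible on this page; the sample text is constructed from three of them, and the derived field names (`apis`, `string_ids`, `api_hash`, `string_hash`, `image_base`) are this example's own. It groups functions by the API hash (the part of "API String ID" before the dash) and runs two sanity checks an analyst would want before trusting the records: that "Opcode ID" and "Opcode Fuzzy Hash" agree, and that every string xref lies above the module base given as "Offset".

```python
"""Parser for the Joe Sandbox IDA-plugin function records shown above (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict
# Constructed sample: three records copied from this report, minus the
# "Associated:" dump lines and the "Download File" link residue.
SAMPLE = """\
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Total loss of significance (TLOSS), xrefs: 00404690
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4273532761
  • Opcode ID: 6ce53c8179943af859efbe2bf5fb61be4fac53fc2efadbe14292cda9b2f31136
  • Opcode Fuzzy Hash: 6ce53c8179943af859efbe2bf5fb61be4fac53fc2efadbe14292cda9b2f31136
  • Instruction Fuzzy Hash: 65F01263454E4881C611DF18E80029B7370FF5E799F559316EB8936564DB39C657C704
APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
  • Partial loss of significance (PLOSS), xrefs: 004046A0
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4283191376
  • Opcode ID: 6322ba2f13554e2750afaf9833ca9adaec1292ef760e6689808b350d182335d8
  • Opcode Fuzzy Hash: 6322ba2f13554e2750afaf9833ca9adaec1292ef760e6689808b350d182335d8
  • Instruction Fuzzy Hash: A2F03063454E8886C602DF1CE80029B7370FF9EB99F699316EB893A564DF39C657C704
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: Address %p has no image-section
  • API String ID: 1027372294-867041741
  • Opcode ID: b1ab362ea6a4374ff2986bced96e7655b3a414d6a7e7079c2d10e9749bcc72d1
  • Opcode Fuzzy Hash: b1ab362ea6a4374ff2986bced96e7655b3a414d6a7e7079c2d10e9749bcc72d1
  • Instruction Fuzzy Hash: 2441E5A7709BC495EA219F26AC44B5A7B20F786B94F488627DF48273D1DB3CC846C708
"""
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
XREF_RE = re.compile(r"^(?P<s>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<k>[A-Za-z ]+):\s?(?P<v>.*)$")
OFFSET_RE = re.compile(r"Offset: (?P<off>[0-9A-Fa-f]+)")

def _finish(rec):
    """Derive split fields (names are this example's own) from one record's raw key/value pairs."""
    rec.setdefault("strings", [])
    # '$' separates API-name groups; names inside a group are run together by the plugin
    # (e.g. '__iob_funcfprintf'), so they are not split further.
    rec["apis"] = [a for a in rec.get("API ID", "").split("$") if a]
    rec["string_ids"] = [s for s in rec.get("String ID", "").split("$") if s]
    rec["api_hash"], _, rec["string_hash"] = rec.get("API String ID", "").partition("-")
    return rec

def parse_records(text):
    """Return one dict per function record; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()  # drop indentation and the bullet glyph
        if line in HEADERS:
            section = line
            continue
        if section == "Strings":  # 'text, xrefs: ADDR' lines, not key/value pairs
            m = XREF_RE.match(line)
            if m:
                cur.setdefault("strings", []).append((m["s"], int(m["addr"], 16)))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        cur[m["k"]] = m["v"]
        if m["k"] == "Source File":  # 'Offset:' is the module base the xref addresses belong to
            off = OFFSET_RE.search(m["v"])
            cur["image_base"] = int(off["off"], 16) if off else None
        elif m["k"] == "Instruction Fuzzy Hash":
            records.append(_finish(cur))
            cur = {}
    return records

def group_by_api_hash(records):
    """Map API hash -> opcode IDs: functions sharing an import set but differing in code."""
    groups = defaultdict(list)
    for r in records:
        groups[r["api_hash"]].append(r["Opcode ID"])
    return dict(groups)

def find_inconsistencies(records):
    """Checks worth running before trusting a record: hash fields agree, xrefs lie in-image."""
    problems = []
    for i, r in enumerate(records):
        if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash"):
            problems.append((i, "opcode id differs from opcode fuzzy hash"))
        if any(a < (r.get("image_base") or 0) for _, a in r["strings"]):
            problems.append((i, "string xref below image base"))
    return problems
```

On the sample, `group_by_api_hash` puts the two `_matherr()` reporting paths under API hash 620453056 (same `__iob_func`/`fprintf` imports, different string hash and opcode ID), and the `Virtual$ProtectQuery` routine in its own group; `find_inconsistencies` returns an empty list, which matches the page, where every record's "Opcode ID" equals its "Opcode Fuzzy Hash" and all xrefs sit above 0x400000. Splitting "API ID" on `$` is a heuristic taken from the visible records, not a documented format.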