Edit tour

Windows Analysis Report
3gp.exe

Overview

General Information

Sample name:	3gp.exe
Analysis ID:	1667864
MD5:	8c008e5354f8bbcb45525b242360a590
SHA1:	188294fa1d6b7652f887ec0542b406bf24da8391
SHA256:	5fb6629ea119fd2f4237bbf45121c24e7532bb56432f3e8fab744e655533e631
Tags:	exeuser-FelloBoiYuuka
Infos:

Detection

Score:	88
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to infect the boot sector

Disable Task Manager(disabletaskmgr)

Disables the Windows registry editor (regedit)

Disables the Windows task manager (taskmgr)

Found API chain indicative of debugger detection

Performs an instant shutdown (NtRaiseHardError)

Writes directly to the primary disk partition (DR0)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

3gp.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\3gp.exe" MD5: 8C008E5354F8BBCB45525B242360A590)

cleanup

Joe Sandbox Signatures

• AV Detection
• Spreading
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Operating System Destruction
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3gp.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 3gp.exe	Virustotal: Detection: 66%			Perma Link
Source: 3gp.exe	ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\3gp.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe

Code function: 0_2_00402698 GetDC,CreateCompatibleDC,GetSystemMetrics,GetSystemMetrics,CreateDIBSection,SelectObject,GetDC,BitBlt,BitBlt,ReleaseDC,DeleteDC,

0_2_00402698

Operating System Destruction

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Source: C:\Users\user\Desktop\3gp.exe

Code function: 0_2_00401B60 CreateFileW on filename \\.\PhysicalDrive0

0_2_00401B60

System Summary

Performs an instant shutdown (NtRaiseHardError)

Source: C:\Users\user\Desktop\3gp.exe

Hard error raised: shutdown

Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe

Code function: 0_2_00403CDD MessageBoxW,MessageBoxW,ExitProcess,MessageBoxW,MessageBoxW,ExitProcess,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,Sleep,SleepEx,CreateThread,CreateThread,Sleep,SleepEx,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CloseHandle,InvalidateRect,DeleteVolumeMountPointA,DeleteVolumeMountPointA,Sleep,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,RtlAdjustPrivilege,NtRaiseHardError,Sleep,

0_2_00403CDD

Source: 3gp.exe

Static PE information: Number of sections : 18 > 10

Source: 3gp.exe, 00000000.00000000.1144442333.000000000040F000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename3gp( vs 3gp.exe
Source: 3gp.exe	Binary or memory string: OriginalFilename3gp( vs 3gp.exe

Source: classification engine

Classification label: mal88.rans.evad.winEXE@1/1@0/0

Source: 3gp.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3gp.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3gp.exe	Virustotal: Detection: 66%
Source: 3gp.exe	ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\3gp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3gp.exe	Section loaded: midimap.dll	Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe

0_2_00403CDD

Source: 3gp.exe	Static PE information: section name: .xdata
Source: 3gp.exe	Static PE information: section name: /4
Source: 3gp.exe	Static PE information: section name: /19
Source: 3gp.exe	Static PE information: section name: /31
Source: 3gp.exe	Static PE information: section name: /45
Source: 3gp.exe	Static PE information: section name: /57
Source: 3gp.exe	Static PE information: section name: /70
Source: 3gp.exe	Static PE information: section name: /81
Source: 3gp.exe	Static PE information: section name: /92

Source: C:\Users\user\Desktop\3gp.exe	Code function: 0_2_00414C51 pushfq ; ret		0_2_00414C52
Source: C:\Users\user\Desktop\3gp.exe	Code function: 0_2_00408516 push qword ptr [rbx+rbp-0Ah]; ret		0_2_00408529

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\3gp.exe

Code function: CreateFileW,CreateFileW,WriteFile,WriteFile, \\.\PhysicalDrive0

0_2_00401B60

Writes directly to the primary disk partition (DR0)

Source: C:\Users\user\Desktop\3gp.exe

File written: \Device\Harddisk0\DR0 offset: 32768 length: 32768

Jump to behavior

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\3gp.exe

Code function: CreateFileW,CreateFileW,WriteFile,WriteFile, \\.\PhysicalDrive0

0_2_00401B60

Source: C:\Users\user\Desktop\3gp.exe

Window / User API: foregroundWindowGot 1773

Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe TID: 7792

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\3gp.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\3gp.exe

Thread delayed: delay time: 30000

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\3gp.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-1390

Source: C:\Users\user\Desktop\3gp.exe

0_2_00403CDD

Source: C:\Users\user\Desktop\3gp.exe	Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,	0_2_004011B0
Source: C:\Users\user\Desktop\3gp.exe	Code function: 0_2_00406241 SetUnhandledExceptionFilter,	0_2_00406241
Source: C:\Users\user\Desktop\3gp.exe	Code function: 0_2_0040C548 SetUnhandledExceptionFilter,VirtualAlloc,	0_2_0040C548
Source: C:\Users\user\Desktop\3gp.exe	Code function: 0_2_004051B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_004051B0

Source: C:\Users\user\Desktop\3gp.exe

Code function: 0_2_004050D0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004050D0

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\3gp.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables the Windows registry editor (regedit)

Source: C:\Users\user\Desktop\3gp.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\3gp.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	3 Bootkit	1 DLL Side-Loading	3 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	Data Obfuscation	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	Boot or Logon Initialization Scripts	121 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Bootkit	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3gp.exe	67%	Virustotal		Browse
3gp.exe	58%	ReversingLabs	Win64.Trojan.Nekark
3gp.exe	100%	Avira	TR/AD.Nekark.onzgh

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1667864
Start date and time:	2025-04-17 21:12:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:
Sample name:	3gp.exe
Detection:	MAL
Classification:	mal88.rans.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.79.17.61, 23.4.43.62
Excluded domains from analysis (whitelisted): cac-ocsp.digicert.com.edgekey.net, fs.microsoft.com, ocsp.digicert.com, e3913.cd.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net

Simulations

Behavior and APIs

Time	Type	Description
15:13:34	API Interceptor	6x Sleep call for process: 3gp.exe modified

Process:	C:\Users\user\Desktop\3gp.exe
File Type:	DOS/MBR boot sector
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	2.6140688932684544
Encrypted:	false
SSDEEP:	192:ZA9KensrHQum8AzN57idpL0aqF/gxyrqVg+oJ/7YL/oIoIn0un:W9KKslqidpL0amsqqVbbWEDn
MD5:	BB4B2512514FA052B80C1EE618BD14D4
SHA1:	01D445199F453DDB8DD51235E46D907D88733409
SHA-256:	36C04C2BAA97CACDF0BCEC39CA2036D9F62FD849EDAE617BCE03FC967A3EF966
SHA-512:	AE7E4F836894F36FFA3885B5D3DDE8F06D09D570E91F7D427C953440DCBA5115108BB3E98E9D52D59268A957C53A611FB145FE81FC85785AD86CA66938CAE5C4
Malicious:	true
Reputation:	low
Preview:	..............}. ..........7s..8..".....rO...)........0P.D....XPSQWP.y}.........r.1....r..=.t.2.....8.X@..u._Y[X......}u...............;...t...........t.....<.u.. ,Hr.<.s...}..... ...1..+..6....(.x..".....h..7\|.!.....(..4...t..N...1.@........uZ.78m...8.....8m...8......t+...t.;.....r.....<...r.....u#...u...u..........:}.....u. .t...D......u......t.....\|...B....~<<~....~<........<~....B.<~....~<<~..............<~?..?~<.....B.B..@B~~......@...@....B.{@.~~.@.......P.d.<.P.........U....C.......@...?...@...>..*?...?...C..L>.......?...=.....-DT.!.@Argument domain error (DOMAIN).Argument singularity (SIGN)......Overflow range error (OVERFLOW).Partial loss of significance (PLOSS)....Total loss of significance (TLOSS)......The result is too small to be represented (UNDERFLOW).Unknown error....._matherr(): %s in %s(%g, %g) (retval=%g)...L...................,...<...Mingw-w64 runtime failure:......Address %p has no image-section. VirtualQuery failed for %d bytes at ad

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.296758362030382
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	3gp.exe
File size:	189'056 bytes
MD5:	8c008e5354f8bbcb45525b242360a590
SHA1:	188294fa1d6b7652f887ec0542b406bf24da8391
SHA256:	5fb6629ea119fd2f4237bbf45121c24e7532bb56432f3e8fab744e655533e631
SHA512:	d4ea624a1e520edf20b4e349a32c31b49857f73cccf6824c0ef599ddb4c4c44397726dc8c44cb783fbc32fb5b7c57c664b6c5fc3b6e40270b777c79642079e80
SSDEEP:	1536:BOKohcywXeCVnhtd+wDnhd1kRfWKqs5ypmaClXRDageWfBfj5WdvkvcUvMFM7iNl:Hpnh71W+KYoDRBfj5WdccBRU1gemktyP
TLSH:	D90407E776969C9BE911433805D6C335273EFB908BC34B072E2069361E13BD0BED665A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....{.g....C.....'......T...D................@............................................... ............................

File Icon


Icon Hash:	d117324c74253aca

Static PE Info

General

Entrypoint:	0x4014d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x67A97BCF [Mon Feb 10 04:08:47 2025 UTC]
TLS Callbacks:	0x4052e0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5c90181d89f90dda2d6f2b29bf1618f

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00007625h]
mov dword ptr [eax], 00000001h
call 00007F51F8B8722Fh
call 00007F51F8B8330Ah
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000075F5h]
mov dword ptr [eax], 00000000h
call 00007F51F8B871FFh
call 00007F51F8B832DAh
nop
nop
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
movaps ebp-10h, dqword ptr [xmm6]
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
movzx eax, byte ptr [ebp+1Ah]
mov byte ptr [ebp-19h], al
movzx eax, byte ptr [ebp+19h]
mov byte ptr [ebp-1Ah], al
movzx eax, byte ptr [ebp+18h]
mov byte ptr [ebp-1Bh], al
movzx eax, byte ptr [ebp-19h]
pxor xmm0, xmm0
cvtsi2ss xmm0, eax
movss xmm1, dword ptr [00007094h]
divss xmm0, xmm1
movd eax, xmm0
mov dword ptr [ebp-20h], eax
movzx eax, byte ptr [ebp-1Ah]
pxor xmm0, xmm0
cvtsi2ss xmm0, eax
movss xmm1, dword ptr [00007075h]
divss xmm0, xmm1
movd eax, xmm0
mov dword ptr [ebp-24h], eax
movzx eax, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc000	0xf5c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x1478	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9000	0x390	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe020	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc3f8	0x358	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x53b0	0x5400	a38abbf0d707b8ab4094a65a33acd09e	False	0.44884672619047616	data	5.990094457258481	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x7000	0x90	0x200	800afdffff2b0727d5877de48d355e4e	False	0.11328125	data	0.6379346993823642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8000	0xfb0	0x1000	27ee02e11092adaf46f55cc6d53ab6ae	False	0.409912109375	COM executable for DOS	4.670165023914094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x9000	0x390	0x400	d5ea913a7a3c76c1e404fedd4dde6b26	False	0.4951171875	data	3.847732580028875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0xa000	0x374	0x400	91bc88e7e63bb3a6c03660e214574a57	False	0.3623046875	data	3.9443421496510696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0xb000	0xa60	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc000	0xf5c	0x1000	bf91e9d0789d830dab059589ceadc27e	False	0.33203125	data	4.069800559994343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xd000	0x68	0x200	088f8de9c7bfc11829d3ed60b187856b	False	0.072265625	data	0.2748254782599745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x68	0x200	3d9f6d41d3fc682200d345ba64a9d400	False	0.060546875	data	0.19743807838821048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf000	0x1478	0x1600	e009b57fdc546568472586457512dc6a	False	0.2853338068181818	data	3.6598208571764954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0x11000	0x600	0x600	0e78de464c68fa0acdd948f628d31a51	False	0.22786458333333334	data	1.6710394076117343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x12000	0xdce6	0xde00	81f8875f55347e5b738af306cde8c5e3	False	0.3779560810810811	data	5.951578477311184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x20000	0x23c8	0x2400	f668052ed1ec57583e4eff853b15bfc4	False	0.2138671875	data	4.605200814310725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x23000	0x21a4	0x2200	f666b4ece5949545a64815350fa43e5d	False	0.3050321691176471	data	5.610135942574295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x26000	0xcc8	0xe00	ed498850cf239b23ca9c13d992e40156	False	0.3099888392857143	data	3.991934598130095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x27000	0x4ce	0x600	6327078cd03de34e4da5925489a3fce4	False	0.2649739583333333	data	4.316064494959888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x28000	0x37db	0x3800	b57acacb9539f6beb40d0e3e968eeeab	False	0.20375279017857142	data	2.3647523633362253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92	0x2c000	0x5d0	0x600	49fd23ba829765ce1a4cf16722003a1f	False	0.22721354166666666	data	1.5077615221213083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf0f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.2781425891181989
RT_GROUP_ICON	0x10198	0x14	data	English	United States	1.1
RT_VERSION	0x101b0	0x2c8	data	English	United States	0.46207865168539325

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegCreateKeyExW, RegSetValueExW
GDI32.dll	BitBlt, CreateBitmap, CreateCompatibleDC, CreateDIBSection, CreatePen, CreateSolidBrush, DeleteDC, DeleteObject, GetBitmapBits, Polygon, SelectObject, SetBitmapBits, StretchBlt, TextOutA
KERNEL32.dll	CloseHandle, CreateFileW, CreateThread, DeleteCriticalSection, DeleteVolumeMountPointA, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TerminateThread, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
MSIMG32.dll	AlphaBlend
msvcrt.dll	__C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _lock, _onexit, _unlock, _time64, abort, calloc, exit, fprintf, free, frexp, fwrite, malloc, memcpy, memset, rand, signal, srand, strlen, strncmp, vfprintf
USER32.dll	DrawIcon, GetCursorInfo, GetDC, GetForegroundWindow, GetSystemMetrics, GetWindowRect, InvalidateRect, MessageBoxW, ReleaseDC, SetWindowPos
WINMM.dll	waveOutClose, waveOutOpen, waveOutPrepareHeader, waveOutUnprepareHeader, waveOutWrite

Version Infos

Description	Data
CompanyName	Ryan
FileVersion	6.6.6.6
FileDescription	Buy Ryans World Eggs from Dark Web 2025
InternalName	3gp
LegalCopyright	Ryan
LegalTrademarks	Ryan
OriginalFilename	3gp
ProductName	3gp
ProductVersion	6.6.6.6
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• 3gp.exe

Click to jump to process

Memory Usage

• 3gp.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	15:13:22
Start date:	17/04/2025
Path:	C:\Users\user\Desktop\3gp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\3gp.exe"
Imagebase:	0x400000
File size:	189'056 bytes
MD5 hash:	8C008E5354F8BBCB45525B242360A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	23.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15%
Total number of Nodes:	340
Total number of Limit Nodes:	7

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00403CDD Relevance: 157.9, APIs: 52, Strings: 38, Instructions: 404
threadwindownativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxW.USER32 ref: 00403D18
MessageBoxW.USER32 ref: 00403D52
CreateThread.KERNELBASE ref: 00403D9B
CreateThread.KERNELBASE ref: 00403DCC
CreateThread.KERNELBASE ref: 00403DFD
DeleteVolumeMountPointA.KERNEL32 ref: 00403E85
DeleteVolumeMountPointA.KERNEL32 ref: 00403E95
DeleteVolumeMountPointA.KERNEL32 ref: 00403EA5
DeleteVolumeMountPointA.KERNEL32 ref: 00403EB5
DeleteVolumeMountPointA.KERNEL32 ref: 00403EC5
DeleteVolumeMountPointA.KERNEL32 ref: 00403ED5
DeleteVolumeMountPointA.KERNEL32 ref: 00403EE5
DeleteVolumeMountPointA.KERNEL32 ref: 00403EF5
DeleteVolumeMountPointA.KERNEL32 ref: 00403F05
DeleteVolumeMountPointA.KERNEL32 ref: 00403F15
DeleteVolumeMountPointA.KERNEL32 ref: 00403F25
DeleteVolumeMountPointA.KERNEL32 ref: 00403F35
DeleteVolumeMountPointA.KERNEL32 ref: 00403F45
DeleteVolumeMountPointA.KERNEL32 ref: 00403F55
DeleteVolumeMountPointA.KERNEL32 ref: 00403F65
DeleteVolumeMountPointA.KERNEL32 ref: 00403F75
DeleteVolumeMountPointA.KERNEL32 ref: 00403F85
DeleteVolumeMountPointA.KERNEL32 ref: 00403F95
DeleteVolumeMountPointA.KERNEL32 ref: 00403FA5
DeleteVolumeMountPointA.KERNEL32 ref: 00403FB5
DeleteVolumeMountPointA.KERNEL32 ref: 00403FC5
DeleteVolumeMountPointA.KERNEL32 ref: 00403FD5
DeleteVolumeMountPointA.KERNEL32 ref: 00403FE5
DeleteVolumeMountPointA.KERNEL32 ref: 00403FF5
DeleteVolumeMountPointA.KERNEL32 ref: 00404005
SleepEx.KERNELBASE ref: 00404013
CreateThread.KERNELBASE ref: 00404044
SleepEx.KERNELBASE ref: 0040405B
TerminateThread.KERNELBASE ref: 00404070
CreateThread.KERNELBASE ref: 004040CA
CreateThread.KERNELBASE ref: 004040FF

Part of subcall function 00403344: memset.MSVCRT ref: 004033F4

TerminateThread.KERNELBASE ref: 0040412B
TerminateThread.KERNELBASE ref: 00404150
CreateThread.KERNELBASE ref: 004041AA

Part of subcall function 0040351F: memset.MSVCRT ref: 004035CF

TerminateThread.KERNELBASE ref: 004041D6
CreateThread.KERNELBASE ref: 00404230
CreateThread.KERNELBASE ref: 00404265

Part of subcall function 004036E6: memset.MSVCRT ref: 00403796

TerminateThread.KERNELBASE ref: 00404291
TerminateThread.KERNELBASE ref: 004042B6
CreateThread.KERNELBASE ref: 00404310
CreateThread.KERNELBASE ref: 00404345

Part of subcall function 0040389A: memset.MSVCRT ref: 0040394A

TerminateThread.KERNELBASE ref: 00404371
CreateThread.KERNELBASE ref: 004043CB

Part of subcall function 00403A4F: memset.MSVCRT ref: 00403AFF

TerminateThread.KERNELBASE ref: 004043F7
DeleteVolumeMountPointA.KERNEL32 ref: 00404430
RtlAdjustPrivilege.NTDLL ref: 004044A9
NtRaiseHardError.NTDLL ref: 004044D6

Strings

DisableCMD, xrefs: 00403E5D
D:\, xrefs: 00403E97
Y:\, xrefs: 00403FE7
U:\, xrefs: 00403FA7
F?i?n?a?l? ?W?a?r?n?i?n?g? - 3?p.e?e, xrefs: 00403D38
M:\, xrefs: 00403F27
O:\, xrefs: 00403F47
DisableRegistryTools, xrefs: 00403E35
K:\, xrefs: 00403F07
Are you sure? It will destroy this computer and it contains flashing lights - NOT for epilepsy, xrefs: 00403D3F
F:\, xrefs: 00403EB7
C:\, xrefs: 00404422
SOFTWARE\Policies\Microsoft\Windows\System, xrefs: 00403E64
3gp.exe by pankoza (Revived by Venra), xrefs: 00403CFE
G:\, xrefs: 00403EC7
W:\, xrefs: 00403FC7
H:\, xrefs: 00403ED7
A:\, xrefs: 00403E77
S:\, xrefs: 00403F87
This is a Malware,Click yes to run.Click no to exit., xrefs: 00403D05
L:\, xrefs: 00403F17
E:\, xrefs: 00403EA7
NtRaiseHardError, xrefs: 00404450
N:\, xrefs: 00403F37
RtlAdjustPrivilege, xrefs: 00404477
I:\, xrefs: 00403EE7
Z:\, xrefs: 00403FF7
R:\, xrefs: 00403F77
J:\, xrefs: 00403EF7
P:\, xrefs: 00403F57
V:\, xrefs: 00403FB7
B:\, xrefs: 00403E87
T:\, xrefs: 00403F97
X:\, xrefs: 00403FD7
Q:\, xrefs: 00403F67
DisableTaskMgr, xrefs: 00403E0D
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00403E14, 00403E3C
ntdll, xrefs: 00404440, 00404467

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: DeleteMountPointVolume$Thread$Create$Terminate$memset$MessageSleep$AdjustErrorHardPrivilegeRaise
String ID: 3gp.exe by pankoza (Revived by Venra)$A:\$Are you sure? It will destroy this computer and it contains flashing lights - NOT for epilepsy$B:\$C:\$D:\$DisableCMD$DisableRegistryTools$DisableTaskMgr$E:\$F:\$F?i?n?a?l? ?W?a?r?n?i?n?g? - 3?p.e?e$G:\$H:\$I:\$J:\$K:\$L:\$M:\$N:\$NtRaiseHardError$O:\$P:\$Q:\$R:\$RtlAdjustPrivilege$S:\$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$SOFTWARE\Policies\Microsoft\Windows\System$T:\$This is a Malware,Click yes to run.Click no to exit.$U:\$V:\$W:\$X:\$Y:\$Z:\$ntdll
API String ID: 2085617421-1852431110
Opcode ID: f6717d1c607b4c4f10f129ce4b4932e3818c89644568e5dcaecf2da2ab2c663d
Instruction ID: 421b19f512ad1648773f3d7da5dce2d04d130cff85abce6d5a9b95dfb94757ae
Opcode Fuzzy Hash: f6717d1c607b4c4f10f129ce4b4932e3818c89644568e5dcaecf2da2ab2c663d
Instruction Fuzzy Hash: E21296A5320A44D9EB50DB65FCA039A2761F788B98F44022ACF5D677B4DF7DC605C388

Function 004011B0 Relevance: 13.7, APIs: 9, Instructions: 188
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00401212
SetUnhandledExceptionFilter.KERNEL32 ref: 00401284
GetStartupInfoA.KERNEL32 ref: 00401493

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: ExceptionFilterInfoSleepStartupUnhandled
String ID:
API String ID: 2839300629-0
Opcode ID: b399f9b96cd9a0e21b2b2af0855f4c7aea06473c65a509813155f3c9fe666c41
Instruction ID: 78ac57622a402afde6cfa7de486f4acfe649842de5f1a6eb5c872a50d0921759
Opcode Fuzzy Hash: b399f9b96cd9a0e21b2b2af0855f4c7aea06473c65a509813155f3c9fe666c41
Instruction Fuzzy Hash: 177189B5610A4486EB14DF16E89072A3361FB85B88F84802ADF5AB7BB1DF3DC844C748

Function 00401B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00401BA4
WriteFile.KERNELBASE ref: 00401BD5

Strings

\\.\PhysicalDrive0, xrefs: 00401B96

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: File$CreateWrite
String ID: \\.\PhysicalDrive0
API String ID: 2263783195-1180397377
Opcode ID: 8fca62e712e81508a4edf1a2054da2d37b198ee5fecbae048ed223ca1521df36
Instruction ID: 43a91d72052d177055d3bf017d527d440c6ec69c362f6f2014a5696b5e9d6d24
Opcode Fuzzy Hash: 8fca62e712e81508a4edf1a2054da2d37b198ee5fecbae048ed223ca1521df36
Instruction Fuzzy Hash: 8DF017B1B14B0099F710CB55E89079A3765F388B88F404219EE9C5BBA8EF7DC3458B84

Function 00402B99 Relevance: 10.6, APIs: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rand.MSVCRT ref: 00402C46
rand.MSVCRT ref: 00402C54
rand.MSVCRT ref: 00402C62
rand.MSVCRT ref: 00402C70
rand.MSVCRT ref: 00402C7E
rand.MSVCRT ref: 00402C8C
SleepEx.KERNELBASE ref: 00402D21

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: rand$Sleep
String ID:
API String ID: 1952133086-0
Opcode ID: bed4b1df6ebaf89e928bb5c1f5326dd4bc8eeddbbac1cdcb17614f73be939aaa
Instruction ID: 2576769f9b5c4b84ac239cafe3406b3ced767d8edc930c48b6deefc49395b817
Opcode Fuzzy Hash: bed4b1df6ebaf89e928bb5c1f5326dd4bc8eeddbbac1cdcb17614f73be939aaa
Instruction Fuzzy Hash: D741B7A5B11B048DEB44DBBAEC9036C37B1B74CB88F14452ADF1DA3768DE38C9518754

Function 00402D28 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 284
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00402D90
rand.MSVCRT ref: 00402EA8
rand.MSVCRT ref: 00402F08
rand.MSVCRT ref: 00402F3F

Strings

, xrefs: 00403055
VUUU, xrefs: 00403117

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: rand$AllocVirtual
String ID: $VUUU
API String ID: 582084158-3673398558
Opcode ID: 964b06d0c9f4378193eb7246a672fadb6709da3b0760042e1595ee6909b5e1d6
Instruction ID: de4cf365dee69c7c39bff8ed67238c5dec25eb96ac7fa73e75597410adedeb05
Opcode Fuzzy Hash: 964b06d0c9f4378193eb7246a672fadb6709da3b0760042e1595ee6909b5e1d6
Instruction Fuzzy Hash: C6C13072B11A008FE744CBB9D89175D77F1B788788F148229DE0DE7B68DB39D9418B40

Function 00403C2A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 00403C8B
RegSetValueExW.KERNELBASE ref: 00403CC1
RegCloseKey.KERNELBASE ref: 00403CD4

Strings

?, xrefs: 00403C61

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: 7211a257557a6685ea2dfc38e6a7936bb5d556e66a507ddcb13aae33826164a0
Instruction ID: b5335d2200f35d3c3276ac64350694e498c02d28caa97ed0c00e5cb68f3769c5
Opcode Fuzzy Hash: 7211a257557a6685ea2dfc38e6a7936bb5d556e66a507ddcb13aae33826164a0
Instruction Fuzzy Hash: BF11E6B6710B40CAD750CF65E89079D37A0F348BC8F144519EF5C57B68DB39C6518B44

Function 00401BE2 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rand.MSVCRT ref: 00401C2E

Strings

d, xrefs: 00401D3E
d, xrefs: 00401D36

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: rand
String ID: d$d
API String ID: 415692148-195624457
Opcode ID: 2cd751266785fc2f06155eca1af298764e3c185b427285ce5e55ae82a3c51959
Instruction ID: cd877a206e47f7ce9ab2ea0778c8e91edf343604b99fed49cb28bc45db7f58cc
Opcode Fuzzy Hash: 2cd751266785fc2f06155eca1af298764e3c185b427285ce5e55ae82a3c51959
Instruction Fuzzy Hash: 6F410872B14604CEEB14CFA9E88475E37B1F38878CF108629DE19A7B68CB7ED5458B14

Function 00401D62 Relevance: 4.5, APIs: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rand.MSVCRT ref: 00401DC0
rand.MSVCRT ref: 00401DCB
SleepEx.KERNELBASE ref: 00401DF6

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: rand$Sleep
String ID:
API String ID: 1952133086-0
Opcode ID: 6244aa8ca0dff8c732aa208ba9d9da1a41060ab990c65b75ed1d9b407a557a12
Instruction ID: 3546931182feab2be36aab26608d7ad178e783d54ab1725da7a783458d21792a
Opcode Fuzzy Hash: 6244aa8ca0dff8c732aa208ba9d9da1a41060ab990c65b75ed1d9b407a557a12
Instruction Fuzzy Hash: 6A010C76B21A14DDE750DBA6EC9039C3771A78C748F041636DF1DA37A4DE398A018744

Function 00403344 Relevance: 1.4, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004033F4

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: b9beda37cf95fcbf78f7cc4883f94e3a40eb5e7ab4e15f774edad987e420ac79
Instruction ID: d2d7b91a6dd10efdfadcd13d6288da4823e6bd2f58045921aaf7df80f0b7671c
Opcode Fuzzy Hash: b9beda37cf95fcbf78f7cc4883f94e3a40eb5e7ab4e15f774edad987e420ac79
Instruction Fuzzy Hash: 71416032311A848ED725CF29DC543C973EDE75A388F024126DA4CABB68EB7DC605C742

Function 00403A4F Relevance: 1.4, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403AFF

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 857d8ebf1d72d2ab9bc7ac762b5eeb88ef5afff791f96332b26c193a33340e32
Instruction ID: f17432bf06caeeb983adf0a7ca1da39633d290d8f1550efd88834424b6aa6e7e
Opcode Fuzzy Hash: 857d8ebf1d72d2ab9bc7ac762b5eeb88ef5afff791f96332b26c193a33340e32
Instruction Fuzzy Hash: 7B415E32311A808ED725CF69D8543C973EDE75A38CF42412ADA4CABB68EB7DC605C742

Function 0040351F Relevance: 1.3, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004035CF

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 20f5b9d3701370e28be061ebf388b89d03a7fb938abd44eebe919a2889be7c73
Instruction ID: 0eb42c909f22b39fb3ac227c4661c7c9ba376f447fb5862a6ef319289eda7d40
Opcode Fuzzy Hash: 20f5b9d3701370e28be061ebf388b89d03a7fb938abd44eebe919a2889be7c73
Instruction Fuzzy Hash: F5419372311A808ED725CF65DC543C973ADF79A388F424126DA4C6BB68DB7DC605C742

Function 0040389A Relevance: 1.3, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040394A

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: cddc912215106c0004050911d2a0fc9cf73fa237fc715813aad3bfac56a45064
Instruction ID: 3cf2124913da3f9f3bb885f061b1a68bfec504a50f79d06d6e205b65f312a68c
Opcode Fuzzy Hash: cddc912215106c0004050911d2a0fc9cf73fa237fc715813aad3bfac56a45064
Instruction Fuzzy Hash: D6419472311A808ED725CF69D8443C973ADF75A38CF424126DA4CABB68DB7DC605C742

Function 004036E6 Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403796

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 35d9a75e36c45549ebc60a6e40d973d1981544736af9b317a109fc2b2e5e05e4
Instruction ID: 35474e681d0b66a7f7d04a4d953fcf72d1c5745857107db54df9ba823713d17c
Opcode Fuzzy Hash: 35d9a75e36c45549ebc60a6e40d973d1981544736af9b317a109fc2b2e5e05e4
Instruction Fuzzy Hash: 34418372311A808ED725CF69DC543C973ADF75A388F42412ADA4CABB68DB7DC604C742

Non-executed Functions

Function 004051B0 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 004051C4
RtlLookupFunctionEntry.KERNEL32 ref: 004051DB
RtlVirtualUnwind.KERNEL32 ref: 0040521D
SetUnhandledExceptionFilter.KERNEL32 ref: 00405264
UnhandledExceptionFilter.KERNEL32 ref: 00405271
GetCurrentProcess.KERNEL32 ref: 00405277
TerminateProcess.KERNEL32 ref: 00405285
abort.MSVCRT ref: 0040528B

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: ff45b62d241db6f5ea1aea59edd6f16fa99a40d0df223a6fe66588aefb6e30ad
Instruction ID: 25fc6909e29b4e95417f614b5c33a11a9872d60123a5f7b41ccc4f1590793f1b
Opcode Fuzzy Hash: ff45b62d241db6f5ea1aea59edd6f16fa99a40d0df223a6fe66588aefb6e30ad
Instruction Fuzzy Hash: 0A21E2B6611F14D9EB009B61FC8478937A4FB08B88F54022ADF8E67765EF38C149C788

Function 004050D0 Relevance: 7.6, APIs: 5, Instructions: 57timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00405115
GetCurrentProcessId.KERNEL32 ref: 00405120
GetCurrentThreadId.KERNEL32 ref: 00405128
GetTickCount.KERNEL32 ref: 00405130
QueryPerformanceCounter.KERNEL32 ref: 0040513D

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: a60ba0ea7b86fccdb4d38e94ab789422778c97745a52fac333567c819341baa4
Instruction ID: 474aebb865a922bf7f45cc38958ea0d35168d5ffa4ff13d5217199e50b7dada8
Opcode Fuzzy Hash: a60ba0ea7b86fccdb4d38e94ab789422778c97745a52fac333567c819341baa4
Instruction Fuzzy Hash: 00119E66B15B1082F7105B25BC087566260B788BA0F081731DFAD67BE4DA3CC886D708

Function 00402698 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

, xrefs: 00402879

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c5c470a484dc581b9b6dcf7c227f89c890f7e9d76b121dc6e1550b2b28fdf414
Instruction ID: 3109dc9dd5c7a1dbad247dbecdee40ffa763a6a6157e3766db0ad81d57627496
Opcode Fuzzy Hash: c5c470a484dc581b9b6dcf7c227f89c890f7e9d76b121dc6e1550b2b28fdf414
Instruction Fuzzy Hash: 4261F6B2211650CFD758CF25E8A0B9937A1F78C78CF015229FB4E97BA8DB39C9408B44

Function 0040C548 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db98e2c7b428b35d1944fba2bd2ef3b03f5a4e191b1a2e570f445c1ed806732
Instruction ID: f1c65a4cc3559c3d2cb9a96a183eddcb15da2cb9866e883135a892d38d7d46bd
Opcode Fuzzy Hash: 7db98e2c7b428b35d1944fba2bd2ef3b03f5a4e191b1a2e570f445c1ed806732
Instruction Fuzzy Hash: EEE0124BA0D6E4DED756CBBC0CB909A1F91A5B6D4430D826F9240973C7E41C5C06D309

Function 00406241 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0058988867f548fb8db7b92ddbdc5952c2ea1db6c6f1724a72ab927fccb2ff4
Instruction ID: 34b778aa594fb4bf5df0920de41eb9d7cd4d82b8557aaa26fd4a2f10aaa11840
Opcode Fuzzy Hash: d0058988867f548fb8db7b92ddbdc5952c2ea1db6c6f1724a72ab927fccb2ff4
Instruction Fuzzy Hash: 83A00256449D20D0F2004B04FC513605129D306208F4421208218A1092853D91584148

Function 004048A0 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 296memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,?,?,0040BA28,0040BA20,00000001,00007FFCC289ADA0,?,?,0040B040,0040127D), ref: 00404A50
VirtualProtect.KERNEL32(?,?,?,?,0040BA28,0040BA20,00000001,00007FFCC289ADA0,?,?,0040B040,0040127D), ref: 00404A72

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00404B8C
Unknown pseudo relocation bit size %d., xrefs: 00404B2B
VirtualQuery failed for %d bytes at address %p, xrefs: 00404871, 00404B75

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
API String ID: 1027372294-974437099
Opcode ID: b9cb1568e86008f7151227f2a03ecbdd5f003cd46209599a891d1b8cce046830
Instruction ID: c6235ab142aad07217fbf75c932c6786432c97e2c174046c722443d4952416d8
Opcode Fuzzy Hash: b9cb1568e86008f7151227f2a03ecbdd5f003cd46209599a891d1b8cce046830
Instruction Fuzzy Hash: DFA100E171661086FF109B36E94036B2261B7C4BA8F59853BCF0A777E8DA3CC885874D

Function 00404E40 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00404E98
signal.MSVCRT ref: 00404F0E
signal.MSVCRT ref: 00404F23
signal.MSVCRT ref: 00404F39
signal.MSVCRT ref: 00404FDA

Strings

CCG , xrefs: 00404E54

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 716564e8a2b80ee75bfbfba09188a0311f70a186aded732a56afe85b23a2c2cc
Instruction ID: 903908b194603288eecf035ce4653fc6d432c70f785d3b052d766eb5124474ff
Opcode Fuzzy Hash: 716564e8a2b80ee75bfbfba09188a0311f70a186aded732a56afe85b23a2c2cc
Instruction Fuzzy Hash: B73161A070411505FE786269C15533B1082BBC9368F2A8A3BCB5AAB3D6CD7D8CE142DE

Function 004046C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404707
VirtualQuery.KERNEL32 ref: 004047E6
VirtualProtect.KERNEL32 ref: 0040481F

Strings

Address %p has no image-section, xrefs: 00404737, 00404882
VirtualProtect failed with code 0x%x, xrefs: 00404857
Mingw-w64 runtime failure:, xrefs: 004046E7
VirtualQuery failed for %d bytes at address %p, xrefs: 00404871

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: Virtual$ProtectQuery__iob_func
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2215987729-1534286854
Opcode ID: fef36765d2ae227f793975cfe8f5dfbb2f452563e3977102a63c2e70ff5b9682
Instruction ID: 00935c47683e11de404532939d1e56a2432bb7804a55363c0f56d620b020dd7b
Opcode Fuzzy Hash: fef36765d2ae227f793975cfe8f5dfbb2f452563e3977102a63c2e70ff5b9682
Instruction Fuzzy Hash: C741AFB6700B8495EA10EF22EC44B5A7B64F789BD4F48852AEF0D277A4DB3CC546C748

Function 004045B3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
Unknown error, xrefs: 004046B0

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-3474627141
Opcode ID: bfebf50a5e0bdc56dedd271859e40e9bce598c2c70fdc7dfa6d33084bdb6c709
Instruction ID: 88e260b63edd6a35d13c800e50dcc40cb3a7d31b88e08d9f0e746dfcc1f67888
Opcode Fuzzy Hash: bfebf50a5e0bdc56dedd271859e40e9bce598c2c70fdc7dfa6d33084bdb6c709
Instruction Fuzzy Hash: 4C11A763404E8486D6028F1CE8013DA7775FF9A759F659312EB8826164DB35C553C704

Function 00404660 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
Argument singularity (SIGN), xrefs: 00404660

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2468659920
Opcode ID: 84f026904f3a65521a5e2cd9d051576b2e7f83d7d3a2c1c403c7f20dc82f9000
Instruction ID: 0d4b609d9573cd88e4e68f567a3fa8c652428215d499041a9cf560810827ae21
Opcode Fuzzy Hash: 84f026904f3a65521a5e2cd9d051576b2e7f83d7d3a2c1c403c7f20dc82f9000
Instruction Fuzzy Hash: 9FF03063454E8882C602DF1CE80029BB370FF9EB99F699716EB893A564DF39C657C704

Function 00404670 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
Overflow range error (OVERFLOW), xrefs: 00404670

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4064033741
Opcode ID: c040ed5a1b79db636c051dd3c28cf8a5e206cfdcd8db8fa8729d2b575ba44009
Instruction ID: 39c93e5991ff5ccfebbd736dfd5b161ae84aa61eff9980cae91048d05e0a88c6
Opcode Fuzzy Hash: c040ed5a1b79db636c051dd3c28cf8a5e206cfdcd8db8fa8729d2b575ba44009
Instruction Fuzzy Hash: 24F03063454E8882C602DF1CE80029B7370FF9EB99F6A9716EB893A564DF39C657C704

Function 004045F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
Argument domain error (DOMAIN), xrefs: 004045F1

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2713391170
Opcode ID: 7ffafb8e8f7d3f1bd4cc613b86182b569e246e7e05e7fd8588938ab5efa69fbe
Instruction ID: 6c22dc424e9945d69e1aee88cc223a7b890f194efbc20794b0e9b3f62f4f6dca
Opcode Fuzzy Hash: 7ffafb8e8f7d3f1bd4cc613b86182b569e246e7e05e7fd8588938ab5efa69fbe
Instruction Fuzzy Hash: DFF06223404E8886C201DF18E80039B7370FF5EB89F55A316EB8936524DB35C547C704

Function 00404680 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
The result is too small to be represented (UNDERFLOW), xrefs: 00404680

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2187435201
Opcode ID: 4f564ce4e496311235ecda956c5f42970c6be21ec000b3324fdbcbdb9e694510
Instruction ID: 392831bad74bd1008bf1916e88ae4f24056496b0e9aeb6ad09762c4d0ef2a38d
Opcode Fuzzy Hash: 4f564ce4e496311235ecda956c5f42970c6be21ec000b3324fdbcbdb9e694510
Instruction Fuzzy Hash: 2DF09063404E8882C202DF1CE80029B7370FF9EB89F699316EB893A464DF39C647C704

Function 00404690 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
Total loss of significance (TLOSS), xrefs: 00404690

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4273532761
Opcode ID: 6ce53c8179943af859efbe2bf5fb61be4fac53fc2efadbe14292cda9b2f31136
Instruction ID: 2dc8aab88547635c051045b2213bda2f2884677a8da84afb264f5079f3bb3db1
Opcode Fuzzy Hash: 6ce53c8179943af859efbe2bf5fb61be4fac53fc2efadbe14292cda9b2f31136
Instruction Fuzzy Hash: 65F01263454E4881C611DF18E80029B7370FF5E799F559316EB8936564DB39C657C704

Function 004046A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 00404614
fprintf.MSVCRT ref: 0040463D

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00404624
Partial loss of significance (PLOSS), xrefs: 004046A0

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4283191376
Opcode ID: 6322ba2f13554e2750afaf9833ca9adaec1292ef760e6689808b350d182335d8
Instruction ID: 2ea1b0ea01480994e27431537b057518ee04353426bbbf9af3f84a18bf531812
Opcode Fuzzy Hash: 6322ba2f13554e2750afaf9833ca9adaec1292ef760e6689808b350d182335d8
Instruction Fuzzy Hash: A2F03063454E8886C602DF1CE80029B7370FF9EB99F699316EB893A564DF39C657C704

Function 004028E5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040294A
rand.MSVCRT ref: 00402951
rand.MSVCRT ref: 0040295C

Strings

3gp.exe, xrefs: 00402938

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: rand$strlen
String ID: 3gp.exe
API String ID: 3145821414-1007356019
Opcode ID: 3f3d27e67d71ee7f0741bfc8223fe423bdbef8eed44c5e0c9b0d92c842790407
Instruction ID: 22576e0253c2e6dfa25feb129cca70f56acbc7001922603f39cfce5c73cb1cb0
Opcode Fuzzy Hash: 3f3d27e67d71ee7f0741bfc8223fe423bdbef8eed44c5e0c9b0d92c842790407
Instruction Fuzzy Hash: 1D211DB5B11B04DEE704DBA6E89035C37B1B748788F10412ADF4DA77A4DF398A458744

Function 00404730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 004047E6
VirtualProtect.KERNEL32 ref: 0040481F

Strings

Address %p has no image-section, xrefs: 00404737, 00404882

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Address %p has no image-section
API String ID: 1027372294-867041741
Opcode ID: b1ab362ea6a4374ff2986bced96e7655b3a414d6a7e7079c2d10e9749bcc72d1
Instruction ID: 3182b95def515999964183ba5f104c846b7909eaceb3b7a6cede84c01a3be87d
Opcode Fuzzy Hash: b1ab362ea6a4374ff2986bced96e7655b3a414d6a7e7079c2d10e9749bcc72d1
Instruction Fuzzy Hash: 2441E5A7709BC495EA219F26AC44B5A7B20F786B94F488627DF48273D1DB3CC846C708

Function 00405AB0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

frexp.MSVCRT ref: 00405B24

Strings

VUUU, xrefs: 00405C33
VUUU, xrefs: 00405B6F

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: frexp
String ID: VUUU$VUUU
API String ID: 3902379758-3149182767
Opcode ID: 973b4a54913d20571b7c2183e130cb9f57cc6f331f375e3861e7c23cf783b1c0
Instruction ID: 9ebd97a494bf3b67c1b15fb8886d8952af78ca4961469f5247ee5ee561547883
Opcode Fuzzy Hash: 973b4a54913d20571b7c2183e130cb9f57cc6f331f375e3861e7c23cf783b1c0
Instruction Fuzzy Hash: C5412B72A38F448DD617A7389462327A3A9EF923C0F51D317B647756B6EF38E4834908

Function 00405DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00405E44

Strings

sin, xrefs: 00405E58, 00405EA3

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: _errno
String ID: sin
API String ID: 2918714741-3083047850
Opcode ID: d549eceecc20da34e85efafcfe779af5b2686b49ed61382d980443b78c6c6fd0
Instruction ID: 363f52ae50af334f41db1504484ad6e86cf6cfdbd70908793d8b02c1b888b243
Opcode Fuzzy Hash: d549eceecc20da34e85efafcfe779af5b2686b49ed61382d980443b78c6c6fd0
Instruction Fuzzy Hash: 98219A72528E8082D7429F24F84136BB321FBC5364F04932ABBE626AD8DF3DC151CA48

Function 004058D0 Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 004058F9
free.MSVCRT ref: 0040594B
LeaveCriticalSection.KERNEL32 ref: 00405957

Memory Dump Source

Source File: 00000000.00000002.1321341430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1321184424.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321449983.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321666808.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1321772939.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1322338361.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3gp.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 064c83539a0a356646893c263a24c51502f83ddc24258fe00dcd045ca57930e5
Instruction ID: 06693a49032cb395490b1bb8c501ecdf1b31fa2966c8ade3d2e43b5ca151631e
Opcode Fuzzy Hash: 064c83539a0a356646893c263a24c51502f83ddc24258fe00dcd045ca57930e5
Instruction Fuzzy Hash: 41011EE1712A04C6DF18DB55E88472623A1FB58BA0F844436CB1EA77A0EB3CC995CB5C

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3gp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Harddisk0\DR0

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 3gp.exePID: 7788, Parent PID: 3964

General

File Activities

File Opened

File Written

Windows Analysis Report
3gp.exe

Function 00403CDD Relevance: 157.9, APIs: 52, Strings: 38, Instructions: 404
threadwindownativeCOMMON

Function 004011B0 Relevance: 13.7, APIs: 9, Instructions: 188
sleepCOMMON

Function 00401B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
fileCOMMON

Function 00402B99 Relevance: 10.6, APIs: 7, Instructions: 107
COMMON

Function 00402D28 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 284
memoryCOMMON

Function 00403C2A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
registryCOMMON

Function 00401BE2 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 94
COMMON