Windows Analysis Report
prog.exe

Overview

General Information

Sample name: prog.exe
Analysis ID: 1542826
MD5: 5f10f34b3ef012f1db5f21755cad4ab1
SHA1: 439ab3bd92cd515b092607291ac054f3fad1359f
SHA256: f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660
Tags: exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • prog.exe (PID: 1720 cmdline: "C:\Users\user\Desktop\prog.exe" MD5: 5F10F34B3EF012F1DB5F21755CAD4AB1)
    • prog.exe (PID: 5344 cmdline: "C:\Users\user\AppData\Local\Temp\prog.exe" MD5: D3ADC3EC7B76556B7FAC591C33F31EA9)
      • powershell.exe (PID: 5780 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 652 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • cmd.exe (PID: 5908 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 4324 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 4592 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1196 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4996 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1532 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6948 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3872 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 5232 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 7056 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 1292 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7092 cmdline: C:\Windows\system32\sc.exe delete "appdata" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5828 cmdline: C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5776 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5272 cmdline: C:\Windows\system32\sc.exe start "appdata" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svhost.exe (PID: 5560 cmdline: C:\ProgramData\win32\svhost.exe MD5: D3ADC3EC7B76556B7FAC591C33F31EA9)
No configs have been found
No yara matches
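The process tree above is the whole playbook in one place: a second-stage copy in %TEMP% adds Defender exclusions (note that -ExclusionExtension '.exe' excludes every .exe on the host, not just the two paths), uninstalls KB890830 (the Malicious Software Removal Tool), stops the update-related services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), zeroes the standby and hibernate timeouts, registers C:\ProgramData\win32\svhost.exe as an auto-start service named "appdata", stops the EventLog service and starts its service. The Python below is an added example, not Joe Sandbox output and not the sample's code: it encodes those behaviours as rule families and runs them over process-creation events constructed from the tree. The rule names are the example's own, the parent PID 1000 of the first prog.exe is an assumption, and the conhost.exe children are left out apart from one used as a negative case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EventID 1 / Security 4688)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: PIDs, images and command lines are copied from the
# process tree in this report. The parent PID 1000 of the first prog.exe is
# assumed (explorer.exe in the sandbox); conhost.exe children are omitted
# except one that serves as a benign control.
S32 = r"C:\Windows\System32"
EVENTS: List[ProcEvent] = [
    ProcEvent(1720, 1000, r"C:\Users\user\Desktop\prog.exe", r'"C:\Users\user\Desktop\prog.exe"'),
    ProcEvent(5344, 1720, r"C:\Users\user\AppData\Local\Temp\prog.exe", r'"C:\Users\user\AppData\Local\Temp\prog.exe"'),
    ProcEvent(5780, 5344, S32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(5908, 5344, S32 + r"\cmd.exe", r"cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(4324, 5908, S32 + r"\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(4592, 5344, S32 + r"\sc.exe", r"sc.exe stop UsoSvc"),
    ProcEvent(1196, 5344, S32 + r"\sc.exe", r"sc.exe stop WaaSMedicSvc"),
    ProcEvent(4996, 5344, S32 + r"\sc.exe", r"sc.exe stop wuauserv"),
    ProcEvent(1532, 5344, S32 + r"\sc.exe", r"sc.exe stop bits"),
    ProcEvent(6948, 5344, S32 + r"\sc.exe", r"sc.exe stop dosvc"),
    ProcEvent(3872, 5344, S32 + r"\powercfg.exe", r"powercfg.exe /x -hibernate-timeout-ac 0"),
    ProcEvent(7056, 5344, S32 + r"\powercfg.exe", r"powercfg.exe /x -standby-timeout-ac 0"),
    ProcEvent(7092, 5344, S32 + r"\sc.exe", r'sc.exe delete "appdata"'),
    ProcEvent(5828, 5344, S32 + r"\sc.exe",
              r'sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto"'),
    ProcEvent(5776, 5344, S32 + r"\sc.exe", r"sc.exe stop eventlog"),
    ProcEvent(5272, 5344, S32 + r"\sc.exe", r'sc.exe start "appdata"'),
    ProcEvent(1400, 5780, S32 + r"\conhost.exe", r"conhost.exe 0xffffffff -ForceV1"),
]

# Rule families mirroring the Sigma hits on this page: (name, image pattern,
# command-line pattern). Both patterns are case-insensitive searches.
RULES = [
    (name, re.compile(img, re.I), re.compile(cmd, re.I))
    for name, img, cmd in [
        ("defender_exclusion", r"powershell\.exe$",
         r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)"),
        ("stop_update_services", r"\bsc\.exe$",
         r"\bstop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
        ("stop_eventlog", r"\bsc\.exe$", r"\bstop\s+eventlog\b"),
        ("disable_power_options", r"powercfg\.exe$",
         r"/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
        ("service_binpath_in_programdata", r"\bsc\.exe$",
         r"\bcreate\b.*binpath=\s*\"?C:\\ProgramData\\"),
        ("msrt_uninstall", r"\b(cmd|wusa)\.exe$", r"wusa\s+/uninstall\s+/kb:890830\b"),
    ]
]


def match_rules(ev: ProcEvent) -> List[str]:
    """Names of the rule families a single event trips."""
    return [name for name, img, cmd in RULES
            if img.search(ev.image) and cmd.search(ev.cmdline)]


def summarize_by_parent(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Group rule hits by the PID that spawned the offending child."""
    hits: Dict[int, Set[str]] = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(ev.ppid, set()).add(name)
    return hits


def flag_parents(events: List[ProcEvent], min_families: int = 3) -> List[int]:
    """Parents whose children trip at least min_families distinct rule families.

    Any single family has benign uses (an admin can stop bits or edit a power
    plan); the combination from one parent is the signal worth paging on.
    """
    return sorted(pid for pid, names in summarize_by_parent(events).items()
                  if len(names) >= min_families)


if __name__ == "__main__":
    for pid, names in sorted(summarize_by_parent(EVENTS).items()):
        print(pid, sorted(names))
    print("flagged parents:", flag_parents(EVENTS))
```

Run stand-alone it prints the six families tripped by PID 5344 (plus the wusa.exe hit attributed to cmd.exe 5908) and flags 5344 alone. The six command-line patterns port one-for-one to Sigma or an EDR query; the aggregation by parent is what turns them from noisy singles into a confident verdict.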

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\prog.exe", ParentImage: C:\Users\user\AppData\Local\Temp\prog.exe, ParentProcessId: 5344, ParentProcessName: prog.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 3872, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\prog.exe", ParentImage: C:\Users\user\AppData\Local\Temp\prog.exe, ParentProcessId: 5344, ParentProcessName: prog.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5780, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\prog.exe", ParentImage: C:\Users\user\AppData\Local\Temp\prog.exe, ParentProcessId: 5344, ParentProcessName: prog.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5780, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\prog.exe, ProcessId: 1720, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\prog.exe", ParentImage: C:\Users\user\AppData\Local\Temp\prog.exe, ParentProcessId: 5344, ParentProcessName: prog.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto", ProcessId: 5828, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\prog.exe", ParentImage: C:\Users\user\AppData\Local\Temp\prog.exe, ParentProcessId: 5344, ParentProcessName: prog.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5780, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\prog.exe", ParentImage: C:\Users\user\AppData\Local\Temp\prog.exe, ParentProcessId: 5344, ParentProcessName: prog.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5776, ProcessName: sc.exe
No Suricata rule has matched
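The Sigma hits above carry a CommandLine|base64offset|contains field. That modifier exists because a string hidden inside a base64 blob (a powershell -EncodedCommand argument, for instance) encodes to one of three different substrings depending on its byte offset modulo 3, so a rule has to match all three. The Python below is an added example, not Joe Sandbox or Sigma project code: it reimplements the modifier (the start and end offsets follow pySigma's published logic) and runs it over constructed command lines that carry the Add-MpPreference call from this report in encoded form. The cmdlet list and the sample command lines are constructed for the example.

```python
import base64
from typing import List, Optional

# Sigma's base64offset modifier. The needle is encoded with 0, 1 and 2 bytes
# of filler in front, and the leading/trailing base64 characters whose value
# also depends on the neighbouring bytes are cut off, leaving a substring that
# is stable for that alignment. Offsets mirror pySigma.
_START = (0, 2, 3)        # leading chars to drop for 0/1/2 filler bytes
_END = (None, -3, -2)     # trailing chars to drop when total length % 3 is 0/1/2


def base64offset(needle: bytes) -> List[str]:
    variants = []
    for filler in range(3):
        enc = base64.b64encode(b" " * filler + needle).decode("ascii")
        variants.append(enc[_START[filler]:_END[(len(needle) + filler) % 3]])
    return variants


CMDLETS = ("Add-MpPreference", "Set-MpPreference")   # constructed needle list


def find_encoded_cmdlet(cmdline: str, cmdlets=CMDLETS) -> Optional[str]:
    """Return the first cmdlet whose encoded form occurs anywhere in cmdline.

    powershell -EncodedCommand takes base64 of UTF-16LE, but plain-ASCII
    base64 turns up in other loaders, so both byte encodings are tried.
    """
    for cmdlet in cmdlets:
        for raw in (cmdlet.encode("ascii"), cmdlet.encode("utf-16-le")):
            if any(v in cmdline for v in base64offset(raw)):
                return cmdlet
    return None


def _encoded_command(script: str) -> str:
    """Build a command line the way 'powershell -EncodedCommand' expects it."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoProfile -EncodedCommand " + blob


# Constructed samples. The Add-MpPreference call is the one from this report;
# 0, 1 and 2 leading spaces shift it by 0, 2 and 4 bytes in UTF-16LE, i.e.
# onto each of the three base64 alignments.
EXCLUSION = ("Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) "
             "-ExclusionExtension '.exe' -Force")
SAMPLE_ENCODED = [_encoded_command(" " * pad + EXCLUSION) for pad in range(3)]
# ASCII variant: 7 bytes of prefix put the needle at offset 7, i.e. alignment 1.
SAMPLE_ASCII_BLOB = base64.b64encode(b"cmd /c " + EXCLUSION.encode("ascii")).decode("ascii")
BENIGN_ENCODED = _encoded_command("Get-MpComputerStatus | Select-Object AMRunningMode")

if __name__ == "__main__":
    for v in base64offset(b"Add-MpPreference"):
        print(v)
    for c in SAMPLE_ENCODED + [SAMPLE_ASCII_BLOB, BENIGN_ENCODED]:
        print(find_encoded_cmdlet(c), c[:60] + "...")
```

The three variants never contain '=' padding and never include the characters shared with the surrounding bytes, which is why a plain substring search over the encoded command line is enough. This detector only sees the encoded form; the clear-text Add-MpPreference call in this report is caught by the ordinary contains rule.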

AV Detection

Source: prog.exe | Avira: detected
Source: C:\ProgramData\win32\svhost.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\prog.exe | ReversingLabs: Detection: 73%
Source: prog.exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: prog.exe | Joe Sandbox ML: detected
Source: prog.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: prog.exe, 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://discord.com/2
Source: prog.exe, 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://discord.com/6

System Summary

Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Code function: 2_2_00007FF7B7AF1394 NtContinue
Source: C:\ProgramData\win32\svhost.exe | Code function: 35_2_00007FF664861394 NtSetIoCompletion
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Code function: 2_2_00007FF7B7AF6628
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Code function: 2_2_00007FF7B7AF6628
Source: C:\ProgramData\win32\svhost.exe | Code function: 35_2_00007FF664866628
Source: C:\ProgramData\win32\svhost.exe | Code function: 35_2_00007FF664866628
Source: Joe Sandbox View | Dropped File: C:\ProgramData\win32\svhost.exe 25231BA6616C0C1BBC4DDA82BDD46AD067577E16971BAE412B1192B250B456DC
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\prog.exe 25231BA6616C0C1BBC4DDA82BDD46AD067577E16971BAE412B1192B250B456DC
Source: C:\ProgramData\win32\svhost.exe | Code function: String function: 00007FF664861394 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Code function: String function: 00007FF7B7AF1394 appears 33 times
Source: prog.exe, 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSetup.exe^ vs prog.exe
Source: prog.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@52/7@0/0
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_0040135A GetSystemDirectoryA,PathAddBackslashA,GetWindowsDirectoryA,GetTempPathA,GetModuleFileNameA,GetEnvironmentVariableA,FindResourceA,SizeofResource,LoadResource,LockResource,GlobalAlloc,RtlMoveMemory,GlobalAlloc,RtlMoveMemory,GlobalFree,lstrcpynA,lstrcpyA,lstrlenA,lstrcpyA,lstrlenA,lstrcpyA,lstrcatA,lstrcpyA,CreateFileA,WriteFile,HeapAlloc,WriteFile,HeapFree,CreateFileA,GetFileSize,CloseHandle,HeapAlloc,WriteFile,HeapFree,CloseHandle,GlobalFree,SetFileAttributesA,lstrcpyA,PathFindFileNameA,ShellExecuteA,FreeResource,ExitProcess,ExitProcess
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1400:120:WilError_03
Source: C:\Users\user\Desktop\prog.exe | File created: C:\Users\user\AppData\Local\Temp\prog.exe
Source: prog.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\prog.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\prog.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: prog.exe | ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\prog.exe | File read: C:\Users\user\AppData\Local\Temp\prog.exe
Source: unknown | Process created: C:\Users\user\Desktop\prog.exe "C:\Users\user\Desktop\prog.exe"
Source: C:\Users\user\Desktop\prog.exe | Process created: C:\Users\user\AppData\Local\Temp\prog.exe "C:\Users\user\AppData\Local\Temp\prog.exe"
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "appdata"
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "appdata"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\win32\svhost.exe C:\ProgramData\win32\svhost.exe
Source: C:\Users\user\Desktop\prog.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\prog.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\ProgramData\win32\svhost.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\prog.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: prog.exeStatic file information: File size 3030176 > 1048576
Source: prog.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2c9800
Source: C:\Users\user\Desktop\prog.exeCode function: 0_2_004011CF LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA,0_2_004011CF
Source: prog.exe.0.drStatic PE information: section name: .00cfg
Source: svhost.exe.2.drStatic PE information: section name: .00cfg
Source: C:\Users\user\AppData\Local\Temp\prog.exeCode function: 2_2_00007FF7B7AF1394 push qword ptr [00007FF7B7AFE004h]; ret 2_2_00007FF7B7AF1403
Source: C:\ProgramData\win32\svhost.exeCode function: 35_2_00007FF664861394 push qword ptr [00007FF66486E004h]; ret 35_2_00007FF664861403
Source: C:\Users\user\AppData\Local\Temp\prog.exeFile created: C:\ProgramData\win32\svhost.exeJump to dropped file
Source: C:\Users\user\Desktop\prog.exeFile created: C:\Users\user\AppData\Local\Temp\prog.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\prog.exeFile created: C:\ProgramData\win32\svhost.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\prog.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\prog.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (98 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\prog.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_0-249)
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_004012D9 rdtsc 0_2_004012D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4857
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4921
Source: C:\Users\user\AppData\Local\Temp\prog.exe | API coverage: 6.8 %
Source: C:\ProgramData\win32\svhost.exe | API coverage: 6.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 | Thread sleep count: 4857 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 | Thread sleep count: 4921 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (9 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: prog.exe, 00000000.00000002.2126359103.000000000086C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yfhs
Source: C:\Users\user\Desktop\prog.exe | API call chain: ExitProcess graph end node (graph_0-199)
Source: C:\Users\user\Desktop\prog.exe | API call chain: ExitProcess graph end node (graph_0-226)
Source: C:\Users\user\Desktop\prog.exe | API call chain: ExitProcess graph end node (graph_0-251)
Source: C:\Users\user\Desktop\prog.exe | API call chain: ExitProcess graph end node (graph_0-254)
Source: C:\Users\user\Desktop\prog.exe | API call chain: ExitProcess graph end node (graph_0-167)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_004012D9 rdtsc 0_2_004012D9
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_004011CF LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA, 0_2_004011CF
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_0040119D mov eax, dword ptr fs:[00000030h] 0_2_0040119D
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_004011AF mov eax, dword ptr fs:[00000030h] 0_2_004011AF
Source: C:\Users\user\Desktop\prog.exe | Code function: 0_2_00401AE1 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess, 0_2_00401AE1
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Code function: 2_2_00007FF7B7AF118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 2_2_00007FF7B7AF118B
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Code function: 2_2_00007FF7B7AF11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 2_2_00007FF7B7AF11D8
Source: C:\ProgramData\win32\svhost.exe | Code function: 35_2_00007FF66486118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 35_2_00007FF66486118B
Source: C:\ProgramData\win32\svhost.exe | Code function: 35_2_00007FF6648611D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 35_2_00007FF6648611D8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force (2 identical entries)
Source: C:\Users\user\Desktop\prog.exe | Process created: C:\Users\user\AppData\Local\Temp\prog.exe "C:\Users\user\AppData\Local\Temp\prog.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\prog.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 (2 identical entries)

MITRE ATT&CK Matrix

Techniques observed in this analysis carry their hit count in parentheses; the remaining cells are the unmatched techniques of the matrix layout.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Service Execution (1) | Windows Service (1) | Windows Service (1) | Disable or Modify Tools (1) | OS Credential Dumping | Security Software Discovery (121) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (11) | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (21) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1542826, Sample: prog.exe, Startdate: 26/10/2024, Architecture: WINDOWS, Score: 100)

Start
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Stop EventLog; 4 other signatures
  |- prog.exe (started)
  |    Dropped: C:\Users\user\AppData\Local\Temp\prog.exe, PE32+
  |    Signature: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
  |    `- prog.exe (started)
  |         Dropped: C:\ProgramData\win32\svhost.exe, PE32+
  |         Signatures: Multi AV Scanner detection for dropped file; Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
  |         |- powershell.exe (started)
  |         |    Signature: Loading BitLocker PowerShell Module
  |         |    |- WmiPrvSE.exe (started)
  |         |    `- conhost.exe (started)
  |         |- cmd.exe (started)
  |         |    |- conhost.exe (started)
  |         |    `- wusa.exe (started)
  |         |- powercfg.exe (started)
  |         |    `- conhost.exe (started)
  |         `- 12 other processes (started)
  |              |- conhost.exe (started, 3 instances)
  |              `- 9 other processes
  `- svhost.exe (started)
       Signature: Multi AV Scanner detection for dropped file

Antivirus detection (submitted file)
Source     Detection   Scanner          Label
prog.exe   97%         ReversingLabs    Win32.Hacktool.Vbinder
prog.exe   100%        Avira            HEUR/AGEN.1349575
prog.exe   100%        Joe Sandbox ML

Antivirus detection (dropped files)
Source                                       Detection   Scanner          Label
C:\ProgramData\win32\svhost.exe              74%         ReversingLabs    Win64.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\prog.exe    74%         ReversingLabs    Win64.Trojan.MintZard

No Antivirus matches
No contacted domains info

URLs found in process memory
Name                    Source                                                                                          Malicious   Antivirus Detection   Reputation
https://discord.com/2   prog.exe, 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp   false                             unknown
https://discord.com/6   prog.exe, 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp   false                             unknown
No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1542826
      Start date and time:2024-10-26 16:28:09 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 6m 46s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:38
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:prog.exe
      Detection:MAL
      Classification:mal100.spyw.evad.winEXE@52/7@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 93%
      • Number of executed functions: 13
      • Number of non-executed functions: 24
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtCreateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: prog.exe
Time       Type              Description
10:29:17   API Interceptor   17x Sleep call for process: powershell.exe modified

No context

Match                                        Associated Sample Name / URL   Detection   Threat Name
C:\Users\user\AppData\Local\Temp\prog.exe    prog.exe                       malicious   Unknown
C:\ProgramData\win32\svhost.exe              prog.exe                       malicious   Unknown
          Process:C:\Users\user\AppData\Local\Temp\prog.exe
          File Type:PE32+ executable (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):2663424
          Entropy (8bit):6.53722623620131
          Encrypted:false
          SSDEEP:49152:BMnw0O8lulPUtBbXmsGHePO2/cqKQBxLEHq86RM+uFVwYm6fYfOuFa1Y+PJq++W5:CnfxYW/b8em2/ctQBxGql2+Szm6fYfOo
          MD5:D3ADC3EC7B76556B7FAC591C33F31EA9
          SHA1:B7295FAE70F550AA2963DA196B08636094E26E93
          SHA-256:25231BA6616C0C1BBC4DDA82BDD46AD067577E16971BAE412B1192B250B456DC
          SHA-512:0EDD9263191B82E525DA655F76597BBD755174E8436E1E3A783A6A7F7064077E651A7D4DD36B3FD1B353BC435FF9D3ADE466D43327BA086DEE89B712CAB73985
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 74%
          Joe Sandbox View:
          • Filename: prog.exe, Detection: malicious, Browse
          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........(.....@..........@............................. )...........`.................................................0...<.....).P.....(...............).x...............................(.......8...............p............................text...v........................... ..`.rdata...+.......,..................@..@.data...`.'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc...P.....).......(.............@..@.reloc..x.....).......(.............@..B........................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):64
          Entropy (8bit):1.1940658735648508
          Encrypted:false
          SSDEEP:3:Nlllul3nqth:NllUa
          MD5:851531B4FD612B0BC7891B3F401A478F
          SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
          SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
          SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
          Malicious:false
          Preview:@...e.................................&..............@..........
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further files dropped by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe are byte-identical to the 60-byte AppLocker test file above (same size, entropy, SSDEEP, MD5, SHA1, SHA-256, SHA-512 and preview; Malicious: false); their entries are not repeated here.
          Process:C:\Users\user\Desktop\prog.exe
          File Type:PE32+ executable (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):2663424
          Entropy (8bit):6.53722623620131
          Encrypted:false
          SSDEEP:49152:BMnw0O8lulPUtBbXmsGHePO2/cqKQBxLEHq86RM+uFVwYm6fYfOuFa1Y+PJq++W5:CnfxYW/b8em2/ctQBxGql2+Szm6fYfOo
          MD5:D3ADC3EC7B76556B7FAC591C33F31EA9
          SHA1:B7295FAE70F550AA2963DA196B08636094E26E93
          SHA-256:25231BA6616C0C1BBC4DDA82BDD46AD067577E16971BAE412B1192B250B456DC
          SHA-512:0EDD9263191B82E525DA655F76597BBD755174E8436E1E3A783A6A7F7064077E651A7D4DD36B3FD1B353BC435FF9D3ADE466D43327BA086DEE89B712CAB73985
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 74%
          Joe Sandbox View:
          • Filename: prog.exe, Detection: malicious, Browse
          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........(.....@..........@............................. )...........`.................................................0...<.....).P.....(...............).x...............................(.......8...............p............................text...v........................... ..`.rdata...+.......,..................@..@.data...`.'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc...P.....).......(.............@..@.reloc..x.....).......(.............@..B........................................................................................................................................................................................................................................................................................................
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.70466082348244
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.94%
          • Win16/32 Executable Delphi generic (2074/23) 0.02%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • VXD Driver (31/22) 0.00%
          File name:prog.exe
          File size:3'030'176 bytes
          MD5:5f10f34b3ef012f1db5f21755cad4ab1
          SHA1:439ab3bd92cd515b092607291ac054f3fad1359f
          SHA256:f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660
          SHA512:7f6473adb10d878b8c9cb9360c04ed843401d6eb69ca1df546e956e18032598cbdd1fffbdc45c0fe7d3927a6fa54ef77b9d2e10175e3ca15c6421cfa678d59ce
          SSDEEP:49152:ZtH86NYYGclfMk3iDPS6wcXLuankPBUJCBuB+zVma85E4xTz:ZtH8SHGc5MWiDdj7uakPBUJ1oV0EkTz
          TLSH:66E533E92109BF13DE29CFBC8FB281565E359E6251434162A7117FDA8473ECB50B2CE8
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Q......................,.............. ....@...........................-............................................
          Icon Hash:0f2b69d4d44d330f
          Entrypoint:0x401ae1
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          DLL Characteristics:
          Time Stamp:0x51BC99EC [Sat Jun 15 16:44:28 2013 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:d5d9d937853db8b666bd4b525813d7bd
          Instruction
          call 00007F04A88378D1h
          mov dword ptr [0040300Bh], eax
          push 00000000h
          call 00007F04A88378DDh
          mov dword ptr [00403013h], eax
          call 00007F04A88378DFh
          mov dword ptr [00403C70h], eax
          push 0000000Ah
          push dword ptr [0040300Bh]
          push 00000000h
          push dword ptr [00403013h]
          call 00007F04A8836D5Fh
          push 00000000h
          call 00007F04A8837888h
          int3
          jmp dword ptr [0040207Ch]
          jmp dword ptr [00402008h]
          jmp dword ptr [0040200Ch]
          jmp dword ptr [00402010h]
          jmp dword ptr [00402014h]
          jmp dword ptr [00402018h]
          jmp dword ptr [0040201Ch]
          jmp dword ptr [00402020h]
          jmp dword ptr [00402024h]
          jmp dword ptr [00402028h]
          jmp dword ptr [0040202Ch]
          jmp dword ptr [00402030h]
          jmp dword ptr [00402034h]
          jmp dword ptr [00402038h]
          jmp dword ptr [0040203Ch]
          jmp dword ptr [00402040h]
          jmp dword ptr [00402044h]
          jmp dword ptr [00402048h]
          jmp dword ptr [0040204Ch]
          jmp dword ptr [00402050h]
          jmp dword ptr [00402054h]
          jmp dword ptr [00402058h]
          jmp dword ptr [00402000h]
Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x20bc            0x50           .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x11000           0x2c9800       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0               0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000            0xbc           .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

Name     Virtual Address   Virtual Size   Raw Size   MD5                                Xored PE   ZLIB Complexity       File Type   Entropy              Characteristics
.text    0x1000            0xc26          0xe00      a941ede160cf12509be8dd37ae2b6a57   False      0.47935267857142855   data        5.1463325678068115   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata   0x2000            0x4c0          0x600      930587e8eece4537e4be6a4476dc03fa   False      0.4055989583333333    data        4.212357479426224    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x3000            0xd6f0         0x600      7f95694b637a8e9d84e496462c4af938   False      0.16927083333333334   data        1.7255508052001818   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    0x11000           0x2c9800       0x2c9800   6abea6dfb676b8546f495dafed3678ee   unknown    unknown               unknown     unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name            RVA        Size       Type                                                               Language   Country   ZLIB Complexity
RT_ICON         0x11220    0x468      Device independent bitmap graphic, 16 x 32 x 32, image size 0                           0.32180851063829785
RT_ICON         0x11688    0x10a8     Device independent bitmap graphic, 32 x 64 x 32, image size 0                           0.18785178236397748
RT_ICON         0x12730    0x25a8     Device independent bitmap graphic, 48 x 96 x 32, image size 0                           0.17074688796680498
RT_ICON         0x14cd8    0x42028    Device independent bitmap graphic, 256 x 512 x 32, image size 0                         0.020719294611947808
RT_RCDATA       0x56d00    0x283675   data                                                                                    0.9986152648925781
RT_RCDATA       0x2da378   0x96       data                                                                                    0.9533333333333334
RT_GROUP_ICON   0x2da410   0x3e       data                                                                                    0.7903225806451613
RT_GROUP_ICON   0x2da450   0x22       data                                                                                    1.088235294117647
RT_VERSION      0x2da474   0x38c      PGP symmetric key encrypted data - Plaintext or unencrypted data                        0.42951541850220265

Note: the RT_VERSION type string is a known libmagic false positive on VS_VERSIONINFO blocks (the structure opens with its own length word, here 0x38c); it does not indicate PGP data. The 0x283675-byte RT_RCDATA entry with a ZLIB complexity of 0.9986 is the payload container: it is slightly smaller than the 2,663,424-byte PE32+ the stub writes to C:\Users\user\AppData\Local\Temp\prog.exe, so the embedded image is stored compressed or encrypted rather than as a plain PE.

DLL            Import
shlwapi.dll    PathFindFileNameA
kernel32.dll   LockResource, lstrlenA, CloseHandle, CreateFileA, ExitProcess, FindResourceA, FreeResource, GetCommandLineA, GetEnvironmentVariableA, GetFileSize, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetProcessHeap, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, HeapAlloc, HeapFree, LoadLibraryA, LoadResource, lstrcpynA, RtlMoveMemory, SetFileAttributesA, SizeofResource, WriteFile, lstrcatA, lstrcpyA
user32.dll     CreateWindowExA, DefWindowProcA, DispatchMessageA, GetMessageA, LoadCursorA, LoadIconA, MessageBoxA, PostQuitMessage, RegisterClassExA, SendMessageA, ShowWindow, TranslateMessage, UpdateWindow
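The static data above describes a small PE32 stub (a 0xc26-byte .text section, a 2013 timestamp, imports limited to FindResourceA/LoadResource/LockResource/SizeofResource, GetTempPathA, CreateFileA/WriteFile and a minimal window class) carrying a 0x283675-byte RT_RCDATA resource with a ZLIB complexity of 0.9986, which is the resource-dropper layout. The script below is an added example written for this page, not code from the Joe Sandbox report. It implements the first check an analyst runs on such a file: locate any plainly embedded PE image by validating the whole MZ, e_lfanew, PE signature and optional-header magic chain (so stray "MZ" byte pairs are not reported), and measure entropy to recognise when the payload is encoded and the dropped file, whose hashes appear above, has to be taken from the sandbox instead. The blob it runs on is constructed here (synthetic minimal PE headers inside filler bytes), not bytes from the sample; the e_lfanew bound is an assumption.

```python
"""Carve embedded PE images out of a byte blob and measure its entropy.

Added example for this page, not code from the Joe Sandbox report. It is the
triage step for a resource dropper like the one described above; the blob it
runs on is constructed here (synthetic minimal PE headers inside filler bytes),
not data taken from the sample.
"""
import math
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MAX_E_LFANEW = 0x1000  # assumption: larger DOS stubs are treated as not-a-PE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_pe(blob: bytes):
    """Return [(offset, machine, format)] for every validated PE header in blob.

    A hit needs the whole chain MZ -> e_lfanew -> PE signature -> a known
    optional-header magic, so stray "MZ" byte pairs in data are not reported.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # full IMAGE_DOS_HEADER present
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if (0x40 <= e_lfanew <= MAX_E_LFANEW and nt + 26 <= len(blob)
                    and blob[nt:nt + 4] == b"PE\0\0"):
                machine = struct.unpack_from("<H", blob, nt + 4)[0]   # IMAGE_FILE_HEADER.Machine
                magic = struct.unpack_from("<H", blob, nt + 24)[0]    # IMAGE_OPTIONAL_HEADER.Magic
                if magic in OPTIONAL_MAGIC:
                    hits.append((pos, MACHINE_NAMES.get(machine, hex(machine)), OPTIONAL_MAGIC[magic]))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_min_pe(machine: int, magic: int) -> bytes:
    """Constructed header: DOS header (e_lfanew = 0x80), PE signature, file
    header, optional-header magic. Not loadable, but enough for carve_pe."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header + struct.pack("<H", magic)


# Constructed test blob: uniform filler (entropy exactly 8.0), a decoy "MZ" with
# e_lfanew = 0, then a PE32+ header, then more filler.
FILLER = bytes(range(256)) * 8
DECOY = b"\0" * 32 + b"MZ" + b"\0" * 62
BLOB = FILLER + DECOY + build_min_pe(IMAGE_FILE_MACHINE_AMD64, 0x20B) + FILLER

if __name__ == "__main__":
    print(f"entropy={shannon_entropy(BLOB):.3f} bits/byte")
    for off, machine, fmt in carve_pe(BLOB):
        print(f"embedded {fmt} ({machine}) at offset 0x{off:x}")
```

On the real file, extract the RT_RCDATA entry at RVA 0x56d00 (a PE parser such as pefile will do) and run carve_pe over it. If it returns nothing and shannon_entropy reads close to 8 bits per byte, the stub decodes the payload at run time, and the PE32+ it writes to C:\Users\user\AppData\Local\Temp\prog.exe is the artifact to analyse.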
          No network behavior found

          Target ID:0
          Start time:10:29:05
          Start date:26/10/2024
          Path:C:\Users\user\Desktop\prog.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\prog.exe"
          Imagebase:0x400000
          File size:3'030'176 bytes
          MD5 hash:5F10F34B3EF012F1DB5F21755CAD4AB1
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:2
          Start time:10:29:10
          Start date:26/10/2024
          Path:C:\Users\user\AppData\Local\Temp\prog.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\AppData\Local\Temp\prog.exe"
          Imagebase:0x7ff7b7af0000
          File size:2'663'424 bytes
          MD5 hash:D3ADC3EC7B76556B7FAC591C33F31EA9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 74%, ReversingLabs
          Reputation:low
          Has exited:true

          Target ID:3
          Start time:10:29:15
          Start date:26/10/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Imagebase:0x7ff7be880000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:4
          Start time:10:29:16
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:10:29:18
          Start date:26/10/2024
          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Imagebase:0x7ff6ef0c0000
          File size:496'640 bytes
          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:6
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Imagebase:0x7ff7c8fe0000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:7
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe stop UsoSvc
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:8
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:9
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:10
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\wusa.exe
          Wow64 process (32bit):false
          Commandline:wusa /uninstall /kb:890830 /quiet /norestart
          Imagebase:0x7ff7d66f0000
          File size:345'088 bytes
          MD5 hash:FBDA2B8987895780375FE0E6254F6198
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:11
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:12
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:13
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe stop wuauserv
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:14
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:15
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe stop bits
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:16
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:17
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe stop dosvc
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:18
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:19
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\powercfg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Imagebase:0x7ff7d2600000
          File size:96'256 bytes
          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:20
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\powercfg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Imagebase:0x7ff7d2600000
          File size:96'256 bytes
          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:21
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:22
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\powercfg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Imagebase:0x7ff7d2600000
          File size:96'256 bytes
          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:23
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:24
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\powercfg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Imagebase:0x7ff7d2600000
          File size:96'256 bytes
          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:25
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:26
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe delete "appdata"
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:27
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:28
          Start time:10:29:19
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:29
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto"
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:30
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:31
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe stop eventlog
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:32
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\sc.exe start "appdata"
          Imagebase:0x7ff62b170000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:33
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:34
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:35
          Start time:10:29:20
          Start date:26/10/2024
          Path:C:\ProgramData\win32\svhost.exe
          Wow64 process (32bit):false
          Commandline:C:\ProgramData\win32\svhost.exe
          Imagebase:0x7ff664860000
          File size:2'663'424 bytes
          MD5 hash:D3ADC3EC7B76556B7FAC591C33F31EA9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 74%, ReversingLabs
          Has exited:true


            Execution Graph

            Execution Coverage:64.4%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:59.3%
            Total number of Nodes:81
            Total number of Limit Nodes:10
            [Execution graph: interactive node/edge rendering not reproduced. Nodes in graph order, as function address followed by the API calls attributed to that node:]
            • 401ae1: GetCommandLineA, GetModuleHandleA, GetProcessHeap
            • 401000: 6 API calls
            • 4010cc: GetMessageA
            • 4010e0: TranslateMessage, DispatchMessageA
            • 4010f4: ExitProcess
            • 4018a8: lstrcpyA, lstrcatA, lstrcatA, lstrcatA, lstrcatA
            • 40135a: GetSystemDirectoryA, PathAddBackslashA, GetWindowsDirectoryA
            • 4011cf: 14 API calls
            • 401142: DefWindowProcA
            • 401135: PostQuitMessage
            • 40111c: SendMessageA
            • 401395: GetTempPathA
            • 4013af: GetModuleFileNameA
            • 4013cb: GetEnvironmentVariableA
            • 401907: FindResourceA
            • 401445: FindResourceA
            • 40145a: SizeofResource
            • 401470: LoadResource
            • 40148b: LockResource
            • 401157: lstrcpyA, lstrcatA, lstrcatA
            • 401897: ExitProcess
            • 40189c: ExitProcess
            • 40149f: GlobalAlloc
            • 4014ba: RtlMoveMemory
            • 4014f9: GlobalAlloc
            • 401515: RtlMoveMemory
            • 401549: GlobalFree, lstrcpynA
            • 40159e: lstrcpyA, lstrlenA
            • 4015c1: lstrcpyA, lstrlenA
            • 40163f: lstrcpyA
            • 40165f: lstrcatA
            • 401692: CreateFileA, WriteFile
            • 4017cd: CloseHandle, GlobalFree, SetFileAttributesA
            • 401683: lstrcpyA
            • 401866: FreeResource
            • 401701: HeapAlloc, WriteFile, HeapFree
            • 40174f: CreateFileA, GetFileSize, CloseHandle
            • 401824: lstrcpyA, PathFindFileNameA
            • 401854: ShellExecuteA
            • 40178d: HeapAlloc, WriteFile, HeapFree
            • 401925: SizeofResource
            • 401b16: ExitProcess
            • 40193b: LoadResource
            • 401956: LockResource
            • 40196a: RtlMoveMemory
            • 4019a6: HeapAlloc, RtlMoveMemory, HeapAlloc, RtlMoveMemory
            • 401a09: GlobalAlloc, RtlMoveMemory, FreeResource
            • 401ac7: MessageBoxA
            • 40119d: GetPEB
            • 4011af: GetPEB
            • 40132c: lstrlenA

            Callgraph

            Control-flow Graph

            [Control-flow graph of function 0040135A: interactive rendering, including the executed/not-executed colouring, not reproduced. Basic blocks carrying API calls, in graph order:]
            • 40135a-401431: GetSystemDirectoryA, PathAddBackslashA, GetWindowsDirectoryA, GetTempPathA, GetModuleFileNameA, GetEnvironmentVariableA, call 401907
            • 401433: call 4011c4
            • 401438-401443: call 401abe
            • 401445-401453: FindResourceA
            • 40145a-401469: SizeofResource
            • 401470-401484: LoadResource
            • 401887-40188c: call 401157
            • 40189c-40189e: ExitProcess
            • 401897: ExitProcess
            • 40148b-401498: LockResource
            • 40149f-4014b3: GlobalAlloc
            • 4014ba-401505: RtlMoveMemory, call 401a90, GlobalAlloc
            • 401515-401526: RtlMoveMemory
            • 401549-40159c: GlobalFree, lstrcpynA
            • 40159e-4015b1: lstrcpyA, lstrlenA
            • 4015c1-4015d4: lstrcpyA, lstrlenA
            • 40163f-401675: lstrcpyA, lstrcatA
            • 401692-4016d2: CreateFileA, WriteFile
            • 401683-40168d: lstrcpyA
            • 4017cd-4017f1: CloseHandle, GlobalFree, SetFileAttributesA
            • 4017f3-4017f8: call 4012f7
            • 401866-401878: FreeResource
            • 401701-401741: HeapAlloc, WriteFile, HeapFree
            • 40174f-40178b: CreateFileA, GetFileSize, CloseHandle
            • 40178d-4017c8: HeapAlloc, WriteFile, HeapFree
            • 401824-401849: lstrcpyA, PathFindFileNameA
            • 401854-401860: ShellExecuteA
            APIs
            • GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00001000), ref: 0040136B
            • PathAddBackslashA.SHLWAPI(C:\Windows\system32\), ref: 00401375
            • GetWindowsDirectoryA.KERNEL32(00404C84,00001000), ref: 00401385
            • GetTempPathA.KERNEL32(00001000,00405C84), ref: 0040139F
            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\,00000200), ref: 004013BB
            • GetEnvironmentVariableA.KERNEL32(APPDATA,00407C84,00001000), ref: 004013DD
              • Part of subcall function 00401907: FindResourceA.KERNEL32(00000000,00001001,0000000A), ref: 00401917
              • Part of subcall function 00401907: ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
            • FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 0040144C
            • SizeofResource.KERNEL32(00000000,00000000,00000000,00000001,0000000A,00000001), ref: 00401462
            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000001,0000000A,00000001), ref: 0040147D
            • ExitProcess.KERNEL32(?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000,00406C84,prog.exe), ref: 00401897
            • ExitProcess.KERNEL32(00000000,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000,00406C84,prog.exe), ref: 0040189E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: Resource$ExitProcess$DirectoryFindPath$BackslashEnvironmentFileLoadModuleNameSizeofSystemTempVariableWindows
            • String ID: APPDATA$C:\Dir1\SubDir$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$C:\Users\user\Desktop\$C:\Windows\system32\$open$prog.exe$u6(
            • API String ID: 1865746177-1020812695
            • Opcode ID: 0b4706bb5c93686d89f6ed56fbf093ccd5effdb974abd12bc2b349d010d1b901
            • Instruction ID: 87517960ec9dbd09822493e96d6633269da166b851f384452dd9e845d648968f
            • Opcode Fuzzy Hash: 0b4706bb5c93686d89f6ed56fbf093ccd5effdb974abd12bc2b349d010d1b901
            • Instruction Fuzzy Hash: 3ED18271A44205AFFB24AFA1DD42FA93AB4EB04715F20403BF501B51F1DBBD6A908B1E

            Control-flow Graph

            APIs
            • LoadLibraryA.KERNEL32(Shell32.dll,0040111C), ref: 004011D4
            • GetProcAddress.KERNEL32(ShellExecuteA,Shell32.dll), ref: 004011E9
            • GetProcAddress.KERNEL32(SHGetSpecialFolderPathA,0040111C), ref: 004011FE
            • LoadLibraryA.KERNEL32(shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 0040120D
            • GetProcAddress.KERNEL32(PathFindFileNameA,shlwapi.dll), ref: 00401222
            • GetProcAddress.KERNEL32(PathAddBackslashA,PathFindFileNameA), ref: 00401237
            • LoadLibraryA.KERNEL32(advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 00401246
            • GetProcAddress.KERNEL32(RegCreateKeyExA,advapi32.dll), ref: 0040125B
            • GetProcAddress.KERNEL32(RegSetValueExA,RegCreateKeyExA), ref: 00401270
            • GetProcAddress.KERNEL32(RegCloseKey,RegSetValueExA), ref: 00401285
            • LoadLibraryA.KERNEL32(ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 00401294
            • GetProcAddress.KERNEL32(RtlDecompressBuffer,ntdll.dll), ref: 004012A9
            • GetModuleFileNameA.KERNEL32(00000000,0040BC84,00001000,RtlDecompressBuffer,ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 004012BF
            • GetEnvironmentVariableA.KERNEL32(ComSpec,0040FC84,00000500,00000000,0040BC84,00001000,RtlDecompressBuffer,ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA), ref: 004012D3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: AddressProc$LibraryLoad$EnvironmentFileModuleNameVariable
            • String ID: ComSpec$PathAddBackslashA$PathFindFileNameA$RegCloseKey$RegCreateKeyExA$RegSetValueExA$RtlDecompressBuffer$SHGetSpecialFolderPathA$Shell32.dll$ShellExecuteA$advapi32.dll$ntdll.dll$shlwapi.dll
            • API String ID: 3647900824-1083084054
            • Opcode ID: ed63defba397cbb933b777222a0bacb8b6594ff129ae780b5b0ed5781ffeacf7
            • Instruction ID: a06bb1d97dbf063ac68fad512a01dcc274482fcad67705a1e8ff053d2cfa1aac
            • Opcode Fuzzy Hash: ed63defba397cbb933b777222a0bacb8b6594ff129ae780b5b0ed5781ffeacf7
            • Instruction Fuzzy Hash: AC11AA70A423046EE751BF32ED02BA93E75E790B45B20813BB440751F9E7FD19A19B1C

            Control-flow Graph

            APIs
            • GetCommandLineA.KERNEL32 ref: 00401AE1
            • GetModuleHandleA.KERNEL32(00000000), ref: 00401AED
            • GetProcessHeap.KERNEL32(00000000), ref: 00401AF7
              • Part of subcall function 00401000: LoadIconA.USER32(00403000,000001F4), ref: 0040104C
              • Part of subcall function 00401000: LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
              • Part of subcall function 00401000: RegisterClassExA.USER32(00000030), ref: 0040106E
              • Part of subcall function 00401000: CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
              • Part of subcall function 00401000: ShowWindow.USER32(00000001,?), ref: 004010BC
              • Part of subcall function 00401000: UpdateWindow.USER32(00000001), ref: 004010C7
              • Part of subcall function 00401000: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
              • Part of subcall function 00401000: TranslateMessage.USER32(?), ref: 004010E4
              • Part of subcall function 00401000: DispatchMessageA.USER32(?), ref: 004010ED
            • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: MessageWindow$LoadProcess$ClassCommandCreateCursorDispatchExitHandleHeapIconLineModuleRegisterShowTranslateUpdate
            • String ID:
            • API String ID: 673778540-0
            • Opcode ID: cfbab243bfee9b5cb56ef1db76fa81e74447810506c232cb5a36ea3a31cdea14
            • Instruction ID: a064688063e39c940ae72a4b90be644b02f79907e5f24655d35d5466687fb791
            • Opcode Fuzzy Hash: cfbab243bfee9b5cb56ef1db76fa81e74447810506c232cb5a36ea3a31cdea14
            • Instruction Fuzzy Hash: FBD067749452006AE6217F71AE02B143E64E70074BF10407AB6057A1F5EB786A10670D

            Control-flow Graph

            [Control-flow graph of function 004011AF: interactive rendering, including the executed/not-executed colouring, not reproduced. Blocks: 4011af-4011bc GetPEB, branching to 4011be or 4011c3, both of which lead to 401b16-401b1d ExitProcess.]
            APIs
            • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: b282020c020ec24376e01dd257daea11e10f1f4ac2a3929f2a510d4130da15fc
            • Instruction ID: 363a1f89bed63b7dcc895a87b01cf0a5ad2b70b8edfb3c7b62b81fcb133e7216
            • Opcode Fuzzy Hash: b282020c020ec24376e01dd257daea11e10f1f4ac2a3929f2a510d4130da15fc
            • Instruction Fuzzy Hash: E7C09234268A84CAE219AB08C15AF1133B5BB40B45FA1846BB2152A8F293BCA810E44A

            Control-flow Graph

            [Control-flow graph of function 0040119D: interactive rendering, including the executed/not-executed colouring, not reproduced. Blocks: 40119d-4011a7 GetPEB, branching to 4011a9 or 4011ae, both of which lead to 401b16-401b1d ExitProcess.]
            APIs
            • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 016bcc260c57d67281d0a185370db58a258a073e77d6077e442bffbde582f7fc
            • Instruction ID: e0a2e36e3d8c8f3e554d3af8483bffc66267ff5874ff8d07cdc79a1876b45754
            • Opcode Fuzzy Hash: 016bcc260c57d67281d0a185370db58a258a073e77d6077e442bffbde582f7fc
            • Instruction Fuzzy Hash: 62B092306599809AE21AA318801AF917AB26F40B45FDAC4A7F206298F253BCA944D10A

            Control-flow Graph

            APIs
            • FindResourceA.KERNEL32(00000000,00001001,0000000A), ref: 00401917
            • SizeofResource.KERNEL32(00000000,00000000), ref: 0040192D
            • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: Resource$ExitFindProcessSizeof
            • String ID: u6(
            • API String ID: 1411291463-298994214
            • Opcode ID: b165bb457e95d8592b2aa645c08f3646812f0134a3116199941ac9cacd79966e
            • Instruction ID: d4e59189b2e6214e03afd5d0d5579af94f7f612efc73c1461bf72c218524a00d
            • Opcode Fuzzy Hash: b165bb457e95d8592b2aa645c08f3646812f0134a3116199941ac9cacd79966e
            • Instruction Fuzzy Hash: FD412BB1A54204EFFB00DF65ED81B693BB4EB54305F10407BF905BA2B1E7B46960DB19

            Control-flow Graph

            APIs
            • LoadIconA.USER32(00403000,000001F4), ref: 0040104C
            • LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
            • RegisterClassExA.USER32(00000030), ref: 0040106E
            • CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
            • ShowWindow.USER32(00000001,?), ref: 004010BC
            • UpdateWindow.USER32(00000001), ref: 004010C7
            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
            • TranslateMessage.USER32(?), ref: 004010E4
            • DispatchMessageA.USER32(?), ref: 004010ED
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: MessageWindow$Load$ClassCreateCursorDispatchIconRegisterShowTranslateUpdate
            • String ID: 0$WinClass32
            • API String ID: 282685165-2329282442
            • Opcode ID: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
            • Instruction ID: db64ee9f6a3c3da8bd2a7b60d0102d68ead382408d30bf1f106ff4c9428f50ce
            • Opcode Fuzzy Hash: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
            • Instruction Fuzzy Hash: F7213C70D44248AAEF11DFD0CD46BDDBFB8AB04708F20802AF600BA1E5D7B966459B5C

            Control-flow Graph

            [Control-flow graph of function 004010FB (window procedure): interactive rendering, including the executed/not-executed colouring, not reproduced. Blocks: 4010fb-401108 entry; 40110a call 40135a; 401111-401115 dispatch; 401117-40112d call 4011cf then SendMessageA; 40112f-401133 dispatch; 401135-40113f PostQuitMessage; 401142-401154 DefWindowProcA.]
            APIs
            • SendMessageA.USER32(?,00009D99,00000000,00000000), ref: 00401128
            • DefWindowProcA.USER32(?,00000002,?,?), ref: 0040114E
              • Part of subcall function 0040135A: GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00001000), ref: 0040136B
              • Part of subcall function 0040135A: PathAddBackslashA.SHLWAPI(C:\Windows\system32\), ref: 00401375
              • Part of subcall function 0040135A: GetWindowsDirectoryA.KERNEL32(00404C84,00001000), ref: 00401385
              • Part of subcall function 0040135A: GetTempPathA.KERNEL32(00001000,00405C84), ref: 0040139F
              • Part of subcall function 0040135A: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\,00000200), ref: 004013BB
              • Part of subcall function 0040135A: GetEnvironmentVariableA.KERNEL32(APPDATA,00407C84,00001000), ref: 004013DD
              • Part of subcall function 0040135A: FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 0040144C
              • Part of subcall function 0040135A: ExitProcess.KERNEL32(00000000,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000,00406C84,prog.exe), ref: 0040189E
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: DirectoryPath$BackslashEnvironmentExitFileFindMessageModuleNameProcProcessResourceSendSystemTempVariableWindowWindows
            • String ID:
            • API String ID: 1588881643-0
            • Opcode ID: f65326d40c1053b06fdae5316820f508df888febf5844a30f467ce6d3140b480
            • Instruction ID: dbb62d9085e5d6b3fbefb86f4113f67887605609739cbfea317797e2dab6c195
            • Opcode Fuzzy Hash: f65326d40c1053b06fdae5316820f508df888febf5844a30f467ce6d3140b480
            • Instruction Fuzzy Hash: 51F01C31244209B6DF296E629C07B5A3762AB08719F10C03BFB197C0F297BDD561AA5E

            Control-flow Graph (rendered graph not reproduced; basic blocks and edges listed below)
            • 125: 401abe-401ac5 → 126, 127
            • 126: 401ae0
            • 127: 401ac7-401adb MessageBoxA → 126
            APIs
            • MessageBoxA.USER32(00000000,0040143D), ref: 00401ADB
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: Message
            • String ID:
            • API String ID: 2030045667-0
            • Opcode ID: 2dae6f7468d55e854ba061b4820b56f038b0161a6d690cd2386f641b59654c62
            • Instruction ID: a94ce0f91df8c92c28126cd46e7bb928af6228ff25a2827e821d2225f10bdedb
            • Opcode Fuzzy Hash: 2dae6f7468d55e854ba061b4820b56f038b0161a6d690cd2386f641b59654c62
            • Instruction Fuzzy Hash: 4BC04C35211004AFEF429F90AD42F913BA1B384341F448035F208508B0D7F594F0AB1D

            Control-flow Graph (rendered graph not reproduced; basic blocks and edges listed below)
            • 153: 4012d9-4012e0 → 154
            • 154: 4012e3-4012f0 → 154 (loop), 155
            • 155: 4012f2-4012f4
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a9990774af4119fa70ef41400092c50f263bdf1d164bc37f887e3c0d7a250b32
            • Instruction ID: 0611be33569e033cf0bcc92f54b95211119f9e80a1ee943285cb6afbe40d6e6f
            • Opcode Fuzzy Hash: a9990774af4119fa70ef41400092c50f263bdf1d164bc37f887e3c0d7a250b32
            • Instruction Fuzzy Hash: 91C012B711004827CB08C549D8429D6B798E6B5265714411FF912EB291D97CE90185A4

            Control-flow Graph (rendered graph not reproduced; basic blocks listed below)
            • 137: 4018a8-401906 lstrcpyA, lstrcatA × 4 (single block, no branches)
            APIs
            • lstrcpyA.KERNEL32(0040DC84), ref: 004018AD
            • lstrcatA.KERNEL32(0040DC84,0040AC84,0040DC84), ref: 004018BC
            • lstrcatA.KERNEL32(0040DC84," ",0040DC84,0040AC84,0040DC84), ref: 004018CB
            • lstrcatA.KERNEL32(0040DC84,0040BC84,0040DC84," ",0040DC84,0040AC84,0040DC84), ref: 004018DA
            • lstrcatA.KERNEL32(0040DC84," >> NUL,0040DC84,0040BC84,0040DC84," ",0040DC84,0040AC84,0040DC84), ref: 004018E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: lstrcat$lstrcpy
            • String ID: " "$" >> NUL
            • API String ID: 2482611188-2884213582
            • Opcode ID: 8513afed51d29f5d4a89328734691a1c3423f533152e92d8ecba9f9dcbb9b028
            • Instruction ID: 98fcd78bc27786ddee7840aea87765605715515cd2fa121c906537a6fc253484
            • Opcode Fuzzy Hash: 8513afed51d29f5d4a89328734691a1c3423f533152e92d8ecba9f9dcbb9b028
            • Instruction Fuzzy Hash: CAE0A264BDD347B9F4A876E20E17F0825665B40F89F72417B7914341E66AFC7118802F

            Control-flow Graph (rendered graph not reproduced; basic blocks listed below)
            • 139: 401157-40119c lstrcpyA, lstrcatA × 2 (single block, no branches)
            APIs
            • lstrcpyA.KERNEL32(00410184,/c del ",0040188C,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 00401161
            • lstrcatA.KERNEL32(00410184,0040BC84,00410184,/c del ",0040188C,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002), ref: 00401170
            • lstrcatA.KERNEL32(00410184," >> NUL,00410184,0040BC84,00410184,/c del ",0040188C,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003), ref: 0040117F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2125958239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2125938659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125975729.0000000000402000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000403000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2125997720.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126036558.0000000000411000.00000008.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2126289883.00000000006DA000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_prog.jbxd
            Similarity
            • API ID: lstrcat$lstrcpy
            • String ID: " >> NUL$/c del "
            • API String ID: 2482611188-2706327707
            • Opcode ID: cd28eb0aa4a3eae105e9b4c0d92c6737ded14966b8bac3c8ed0da2462ae44cb6
            • Instruction ID: 17b86c2f2bfb9d9544adc925f31abe5a394b04165ab65cbffe2899ad540e7a84
            • Opcode Fuzzy Hash: cd28eb0aa4a3eae105e9b4c0d92c6737ded14966b8bac3c8ed0da2462ae44cb6
            • Instruction Fuzzy Hash: 53D0C2747D534676E4747A910E17F8425645740F49F3101BB7514341E65EFE72C1401D

            Execution Graph

            Execution Coverage:4.8%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:21.4%
            Total number of Nodes:210
            Total number of Limit Nodes:2
            execution_graph (rendered graph not reproduced): node listing for functions in the 7ff7b7af1000-7ff7b7afa4f0 range; APIs referenced on the graph nodes: NtContinue, VirtualProtect, VirtualQuery, SetUnhandledExceptionFilter, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, GetLastError, Sleep, signal, _amsg_exit, _initterm, _cexit, __set_app_type, __setusermatherr, fprintf, malloc, free, memcpy, memset, strlen, wcslen, wcscpy, wcscat, _wcsnicmp.

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
            • String ID: &$;*
            • API String ID: 2643109117-510990765
            • Opcode ID: f214d2cb23ad4a7d8a6f2e16a4dc08a5006247cdfdc4fc33eaf7806aa3e5334d
            • Instruction ID: 73feafeb122045342fb47cd477043d120384ccc8ca7bcf0a1774686a8848f550
            • Opcode Fuzzy Hash: f214d2cb23ad4a7d8a6f2e16a4dc08a5006247cdfdc4fc33eaf7806aa3e5334d
            • Instruction Fuzzy Hash: 52413F25A0964685F690BB2DE954B79A7A1AF67780FC04136CB0DCF7B9DE2DA4438330

            Control-flow Graph

            APIs
            • NtContinue.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B7AF1156), ref: 00007FF7B7AF13F7
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: Continue
            • String ID:
            • API String ID: 3935651977-0
            • Opcode ID: 59d44b6da759f21b666a868a4e6a88dd90aa5652e3e5bdc8205d5884860000a3
            • Instruction ID: 677519e4036d904a8ee44235549796d17ee32176b0cdb047c3695aa44e623c84
            • Opcode Fuzzy Hash: 59d44b6da759f21b666a868a4e6a88dd90aa5652e3e5bdc8205d5884860000a3
            • Instruction Fuzzy Hash: DBF0FF7294CB418AD650EB5DF85482AB761FB6A380B404836EB8D8B73DDF3CE051CB64

            Control-flow Graph (rendered graph not reproduced): basic blocks in the 7ff7b7af6628-7ff7b7af8409 range; APIs referenced on the blocks: wcslen, _wcsnicmp, memset, wcscpy, wcscat, memcpy, _time64, srand, rand; subcalls to 7ff7b7af39b0, 7ff7b7af1370, 7ff7b7af99e0, 7ff7b7af2f70, 7ff7b7af3350, 7ff7b7af14c7, 7ff7b7af9d30, 7ff7b7af9b10, 7ff7b7af145e.
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: _time64wcslen$_wcsnicmpmemsetsrandwcscatwcscpy
            • String ID: X&
            • API String ID: 2454069949-221892188
            • Opcode ID: d1337906cd7b87a5fc8dec7907ca3527d0c29fd3263de3f14483aafe266232c2
            • Instruction ID: b1ff71dfc7fa985556312147f9044c2e06da097ce5638773dfc6ca50a3393bd1
            • Opcode Fuzzy Hash: d1337906cd7b87a5fc8dec7907ca3527d0c29fd3263de3f14483aafe266232c2
            • Instruction Fuzzy Hash: 29827B51C2C69288F351AB2DA8416B4E364AF77384FC45332DB8D9D6BAEF6C6147C324

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
            • String ID: &$;*
            • API String ID: 3825114775-510990765
            • Opcode ID: bb6b8f63c8978df2cb712fb4502542c6b0eedd4902725eabed431cc5bfcc8d57
            • Instruction ID: 56ac5bf3d7022b3efe920ff7d9f51b092c46e15e235803bc4dad205aa713dbb7
            • Opcode Fuzzy Hash: bb6b8f63c8978df2cb712fb4502542c6b0eedd4902725eabed431cc5bfcc8d57
            • Instruction Fuzzy Hash: 8441212591C64284F691BB1DE954A79A7A1AF677C0FC04232CB4DCF7B9DE2DA4438330

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: memset$wcscatwcscpywcslen
            • String ID: $0$0$@$@
            • API String ID: 4263182637-1413854666
            • Opcode ID: 62e16f804d0a78f42930f5485aab4d55bda2c88156d1efd01dd84db9e24e5fef
            • Instruction ID: ad9ae55401b58f791e232e7a93068b3fa1e61361d29d4d0bfde72532510c53f0
            • Opcode Fuzzy Hash: 62e16f804d0a78f42930f5485aab4d55bda2c88156d1efd01dd84db9e24e5fef
            • Instruction Fuzzy Hash: 53B1822191C6C185F361AB1DE4057EBF7B0FBA6384F804236DB889A6B9DF7DD1468B10

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: wcslen$memsetwcscatwcscpywcsncmp
            • String ID: 0$X$`
            • API String ID: 329590056-2527496196
            • Opcode ID: 7bd2d40a281e62959ce0fd44c16303bd5a4e704b549ab88744f3f2b4b0171fba
            • Instruction ID: 1afe77b8153335d3b79ac60d0198bd1977c55a9cabce162aa6f062b75b06ff24
            • Opcode Fuzzy Hash: 7bd2d40a281e62959ce0fd44c16303bd5a4e704b549ab88744f3f2b4b0171fba
            • Instruction Fuzzy Hash: 53028322508B8185E761AB1DE4447AAB7A0FBA6794F804336DB9C4B7F9DF3CD186C710

            Control-flow Graph

            APIs
            • VirtualQuery.KERNEL32(?,?,?,?,00007FF7B7AFD3B0,00007FF7B7AFD3B0,?,?,00007FF7B7AF0000,?,00007FF7B7AF1991), ref: 00007FF7B7AF1C63
            • VirtualProtect.KERNEL32(?,?,?,?,00007FF7B7AFD3B0,00007FF7B7AFD3B0,?,?,00007FF7B7AF0000,?,00007FF7B7AF1991), ref: 00007FF7B7AF1CC7
            • memcpy.MSVCRT ref: 00007FF7B7AF1CE0
            • GetLastError.KERNEL32(?,?,?,?,00007FF7B7AFD3B0,00007FF7B7AFD3B0,?,?,00007FF7B7AF0000,?,00007FF7B7AF1991), ref: 00007FF7B7AF1D23
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: Virtual$ErrorLastProtectQuerymemcpy
            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
            • API String ID: 2595394609-2123141913
            • Opcode ID: f71d7c17d8efb8792bd36a77065ce856a453be169e7440349e6f230ab35daf72
            • Instruction ID: 80d45a693c73ca04b5720a45d3cfd30eda851451d17714ef7f82ea3bca1645e0
            • Opcode Fuzzy Hash: f71d7c17d8efb8792bd36a77065ce856a453be169e7440349e6f230ab35daf72
            • Instruction Fuzzy Hash: 8D418861A0954781EA91AF0DD454AB8AB60EB66BC4F944133CF0DCB7B9DE3CD543C720

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
            • String ID:
            • API String ID: 3326252324-0
            • Opcode ID: 30ded24aebec5e3133582754e9744752ca6952f0633bd4de7137b6fa68abc3ee
            • Instruction ID: 80556c6a555d6ac1184b440f713c51a22b16ee1f2159e1347b751d9b4aff2d54
            • Opcode Fuzzy Hash: 30ded24aebec5e3133582754e9744752ca6952f0633bd4de7137b6fa68abc3ee
            • Instruction Fuzzy Hash: 5F21C021A0994681F695A70DE96467D9360BF67B90FC50232CB0DCF6B8DF2CA9479224

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID:
            • String ID: CCG
            • API String ID: 0-1584390748
            • Opcode ID: aac3cff987aa207af6683fbdf05d97adeeaddfa67e5404ea55e0566f274569b7
            • Instruction ID: ba69a1190d4ee3f66ccf85214a548ff97169a6ca2bab0ae42271e6b7ee98c295
            • Opcode Fuzzy Hash: aac3cff987aa207af6683fbdf05d97adeeaddfa67e5404ea55e0566f274569b7
            • Instruction Fuzzy Hash: 03216D22F0810642FBA4621CD540B7999819FA67A4FA48137DB0D8B2FCDF2CA8838360

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: wcslen
            • String ID: 0$@
            • API String ID: 4088430540-1545510068
            • Opcode ID: ef7ed66185c074b667720f16183e97d9ab3fb1e6636ca8cac5f9c7ec846e676b
            • Instruction ID: 82b4dc20fac9d44fabe80bc861506dc7d633732495f3a8227c3c94e3c67be8d3
            • Opcode Fuzzy Hash: ef7ed66185c074b667720f16183e97d9ab3fb1e6636ca8cac5f9c7ec846e676b
            • Instruction Fuzzy Hash: B0119D2252C68082E351EB18F44579AA7B4FFE9394F504125F78C87B68EF3DC146CB00

            Control-flow Graph

            APIs
            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B7AF1247), ref: 00007FF7B7AF19F9
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
            • API String ID: 544645111-395989641
            • Opcode ID: 6188dcfb9ba409927f7d43b305952e2ca18d87eecd447261aab3e5aaa2c983f9
            • Instruction ID: 6438378cbd8d01b5cf828c6e4f810e4bdbd6d9b9b8382a73ed25aad5f253cd96
            • Opcode Fuzzy Hash: 6188dcfb9ba409927f7d43b305952e2ca18d87eecd447261aab3e5aaa2c983f9
            • Instruction Fuzzy Hash: B7515221B08546C5EB54AB2DD844B74AB71AB36794F844232DB1C8BBBCCE3CE583C720

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: fprintf
            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 383729395-3474627141
            • Opcode ID: d196cce22733da6664e8edb65b95f02763a682be6f02ab55e526d30871c6c29c
            • Instruction ID: 1bf2206dff34bc4516520814eb51a4e0456c88a631737bc12bd57cc74b4e8682
            • Opcode Fuzzy Hash: d196cce22733da6664e8edb65b95f02763a682be6f02ab55e526d30871c6c29c
            • Instruction Fuzzy Hash: DEF04411A1898582E651BB2CA9414B9E371EB7A7C5F909232DF4D9B6A9DF1CE1438310

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.2219624638.00007FF7B7AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7B7AF0000, based on PE: true
            • Associated: 00000002.00000002.2219557953.00007FF7B7AF0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219667950.00007FF7B7AFB000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219696663.00007FF7B7AFE000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2219722920.00007FF7B7AFF000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220223433.00007FF7B7D7B000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220249902.00007FF7B7D7D000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000002.00000002.2220276615.00007FF7B7D80000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ff7b7af0000_prog.jbxd
            Similarity
            • API ID: CriticalSection$EnterErrorLastLeaveValue
            • String ID:
            • API String ID: 682475483-0
            • Opcode ID: 0d3f40a56fc230f51008cd68afb882d42e2fa9fd450aedc21c851e2dc6c825f8
            • Instruction ID: c639aba9eb2e03b5628423919765a31285da53b7dcb6ada2db03e5a996ecbb6e
            • Opcode Fuzzy Hash: 0d3f40a56fc230f51008cd68afb882d42e2fa9fd450aedc21c851e2dc6c825f8
            • Instruction Fuzzy Hash: FC011E21A0994281F686AB0DED14678D260BF26BD0FC50232CB0D9F6BCDF2CF9539224

            Execution Graph

            Execution Coverage:4.8%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:0%
            Total number of Nodes:209
            Total number of Limit Nodes:2

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
            • String ID: &$;*
            • API String ID: 2643109117-510990765
            • Opcode ID: f214d2cb23ad4a7d8a6f2e16a4dc08a5006247cdfdc4fc33eaf7806aa3e5334d
            • Instruction ID: 1227347b97d11de3ea5d75b164597fbd27d2ab6455258aac5c402e9354ba3577
            • Opcode Fuzzy Hash: f214d2cb23ad4a7d8a6f2e16a4dc08a5006247cdfdc4fc33eaf7806aa3e5334d
            • Instruction Fuzzy Hash: 4C418C31E29686C5F681EB1BE9D93792BB0BF85794F105039DA1DCF7AADE2DE4418300

            Control-flow Graph

            APIs
            • NtSetIoCompletion.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF664861156), ref: 00007FF6648613F7
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: Completion
            • String ID:
            • API String ID: 2005611694-0
            • Opcode ID: 59d44b6da759f21b666a868a4e6a88dd90aa5652e3e5bdc8205d5884860000a3
            • Instruction ID: 6e7b969d21170e0a400c11d0fcd39e97c1fc3a7b2e4d322aeda8d50f5d5e7558
            • Opcode Fuzzy Hash: 59d44b6da759f21b666a868a4e6a88dd90aa5652e3e5bdc8205d5884860000a3
            • Instruction Fuzzy Hash: 99F0627292CB42C6D650EB52FC9556A77B0FB99780F005839EA8C8AB25DF3CE1508B51

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
            • String ID: &$;*
            • API String ID: 3825114775-510990765
            • Opcode ID: bb6b8f63c8978df2cb712fb4502542c6b0eedd4902725eabed431cc5bfcc8d57
            • Instruction ID: c6690ca9af5028b1816dbcb536f5f92eeada5b1d2500bd20a3b756af6859eef5
            • Opcode Fuzzy Hash: bb6b8f63c8978df2cb712fb4502542c6b0eedd4902725eabed431cc5bfcc8d57
            • Instruction Fuzzy Hash: 0C416930A2DA82D4F681DB1AE9D93792BB0AF85794F104039D95ECF7AADF2DF4409300

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: memset$wcscatwcscpywcslen
            • String ID: $0$0$@$@
            • API String ID: 4263182637-1413854666
            • Opcode ID: 62e16f804d0a78f42930f5485aab4d55bda2c88156d1efd01dd84db9e24e5fef
            • Instruction ID: e556d0b47007d4ca236c144977c73e4348a0cd98ef9d27f50dc1514b32ee3fcb
            • Opcode Fuzzy Hash: 62e16f804d0a78f42930f5485aab4d55bda2c88156d1efd01dd84db9e24e5fef
            • Instruction Fuzzy Hash: FBB1812191C7C2D5F361CB16E4893AAB7B0FF85348F100239EA889AAA9DF7DD545DB00

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: wcslen$memsetwcscatwcscpywcsncmp
            • String ID: 0$X$`
            • API String ID: 329590056-2527496196
            • Opcode ID: 7bd2d40a281e62959ce0fd44c16303bd5a4e704b549ab88744f3f2b4b0171fba
            • Instruction ID: af2bad395803308ccdab2340aa6d213f81aa7ac33ab458dbe532aaefff094f91
            • Opcode Fuzzy Hash: 7bd2d40a281e62959ce0fd44c16303bd5a4e704b549ab88744f3f2b4b0171fba
            • Instruction Fuzzy Hash: 36026D22918BC6C5E761CB15E8893AA77A0FB85794F504339DAAC8BBA9DF3CD145C700

            Control-flow Graph

            APIs
            • VirtualQuery.KERNEL32(?,?,?,?,00007FF66486D3B0,00007FF66486D3B0,?,?,00007FF664860000,?,00007FF664861991), ref: 00007FF664861C63
            • VirtualProtect.KERNEL32(?,?,?,?,00007FF66486D3B0,00007FF66486D3B0,?,?,00007FF664860000,?,00007FF664861991), ref: 00007FF664861CC7
            • memcpy.MSVCRT ref: 00007FF664861CE0
            • GetLastError.KERNEL32(?,?,?,?,00007FF66486D3B0,00007FF66486D3B0,?,?,00007FF664860000,?,00007FF664861991), ref: 00007FF664861D23
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: Virtual$ErrorLastProtectQuerymemcpy
            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
            • API String ID: 2595394609-2123141913
            • Opcode ID: f71d7c17d8efb8792bd36a77065ce856a453be169e7440349e6f230ab35daf72
            • Instruction ID: 258a1878e1b85c37be53ecf03b5c9e5f2941aac4685fd328b60ca103738be152
            • Opcode Fuzzy Hash: f71d7c17d8efb8792bd36a77065ce856a453be169e7440349e6f230ab35daf72
            • Instruction Fuzzy Hash: CF418E61A29A47D1EAA18B47D8C46BC2BB0EF94BD4F55413ACE0DCB7A6DE3CE541C300

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
            • String ID:
            • API String ID: 3326252324-0
            • Opcode ID: 30ded24aebec5e3133582754e9744752ca6952f0633bd4de7137b6fa68abc3ee
            • Instruction ID: faea1be9e7cb411e4f9dfc94261ba985d912ee09698067f401fefbb5be05002a
            • Opcode Fuzzy Hash: 30ded24aebec5e3133582754e9744752ca6952f0633bd4de7137b6fa68abc3ee
            • Instruction Fuzzy Hash: 3721F921A29642D1FA95EB46E9C82B96370BF54B90F640678C91DCF6A8DF2CF8429300

            Control-flow Graph

            control_flow_graph 329 7ff664861e10-7ff664861e2d 330 7ff664861e2f-7ff664861e38 329->330 331 7ff664861e3e-7ff664861e48 329->331 330->331 332 7ff664861f60-7ff664861f69 330->332 333 7ff664861e4a-7ff664861e53 331->333 334 7ff664861ea3-7ff664861ea8 331->334 335 7ff664861ecc-7ff664861ed1 333->335 336 7ff664861e55-7ff664861e60 333->336 334->332 337 7ff664861eae-7ff664861eb3 334->337 340 7ff664861f23-7ff664861f2d 335->340 341 7ff664861ed3-7ff664861ee2 signal 335->341 336->334 338 7ff664861efb-7ff664861f0a call 7ff66486a500 337->338 339 7ff664861eb5-7ff664861eba 337->339 338->340 350 7ff664861f0c-7ff664861f10 338->350 339->332 345 7ff664861ec0 339->345 343 7ff664861f43-7ff664861f45 340->343 344 7ff664861f2f-7ff664861f3f 340->344 341->340 346 7ff664861ee4-7ff664861ee8 341->346 343->332 344->343 345->340 348 7ff664861eea-7ff664861ef9 signal 346->348 349 7ff664861f4e-7ff664861f53 346->349 348->332 351 7ff664861f5a 349->351 352 7ff664861f12-7ff664861f21 signal 350->352 353 7ff664861f55 350->353 351->332 352->332 353->351
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID:
            • String ID: CCG
            • API String ID: 0-1584390748
            • Opcode ID: aac3cff987aa207af6683fbdf05d97adeeaddfa67e5404ea55e0566f274569b7
            • Instruction ID: 9ac19a5485777e0caa3cb8154ed0f96ef3d6c783ee1d05f21b0b292cccc43eb2
            • Opcode Fuzzy Hash: aac3cff987aa207af6683fbdf05d97adeeaddfa67e5404ea55e0566f274569b7
            • Instruction Fuzzy Hash: 4221AC21F28106C1FAE5865A95D43791AA29F897A4F24853DDE1DCF3DADE6CE8818240

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: wcslen
            • String ID: 0$@
            • API String ID: 4088430540-1545510068
            • Opcode ID: ef7ed66185c074b667720f16183e97d9ab3fb1e6636ca8cac5f9c7ec846e676b
            • Instruction ID: 95f63fc0c3b338549900181f40d4120c2d3f82e605169d2c915be6a2109c3ee8
            • Opcode Fuzzy Hash: ef7ed66185c074b667720f16183e97d9ab3fb1e6636ca8cac5f9c7ec846e676b
            • Instruction Fuzzy Hash: 94116A22528681C2E351DF15F48679AA7B4EFD4394F505128FA8D87BA9EF7DC14ACB00

            Control-flow Graph

            control_flow_graph 362 7ff664861880-7ff66486189c 363 7ff6648618a2-7ff6648618f9 call 7ff664862420 call 7ff664862660 362->363 364 7ff664861a0f-7ff664861a1f 362->364 363->364 369 7ff6648618ff-7ff664861910 363->369 370 7ff664861912-7ff66486191c 369->370 371 7ff66486193e-7ff664861941 369->371 372 7ff66486194d-7ff664861954 370->372 373 7ff66486191e-7ff664861929 370->373 371->372 374 7ff664861943-7ff664861947 371->374 377 7ff664861956-7ff664861961 372->377 378 7ff66486199e-7ff6648619a6 372->378 373->372 375 7ff66486192b-7ff66486193a 373->375 374->372 376 7ff664861a20-7ff664861a26 374->376 375->371 379 7ff664861a2c-7ff664861a37 376->379 380 7ff664861b87-7ff664861b98 call 7ff664861d40 376->380 382 7ff664861970-7ff66486199c call 7ff664861ba0 377->382 378->364 381 7ff6648619a8-7ff6648619c1 378->381 379->378 383 7ff664861a3d-7ff664861a5f 379->383 384 7ff6648619df-7ff6648619e7 381->384 382->378 387 7ff664861a7d-7ff664861a97 383->387 388 7ff6648619e9-7ff664861a0d VirtualProtect 384->388 389 7ff6648619d0-7ff6648619dd 384->389 392 7ff664861a9d-7ff664861afa 387->392 393 7ff664861b74-7ff664861b82 call 7ff664861d40 387->393 388->389 389->364 389->384 399 7ff664861afc-7ff664861b0e 392->399 400 7ff664861b22-7ff664861b26 392->400 393->380 401 7ff664861b5c-7ff664861b6c 399->401 402 7ff664861b10-7ff664861b20 399->402 403 7ff664861b2c-7ff664861b30 400->403 404 7ff664861a70-7ff664861a77 400->404 401->393 406 7ff664861b6f call 7ff664861d40 401->406 402->400 402->401 403->404 405 7ff664861b36-7ff664861b53 call 7ff664861ba0 403->405 404->378 404->387 409 7ff664861b57 405->409 406->393 409->409
            APIs
            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF664861247), ref: 00007FF6648619F9
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
            • API String ID: 544645111-395989641
            • Opcode ID: 6188dcfb9ba409927f7d43b305952e2ca18d87eecd447261aab3e5aaa2c983f9
            • Instruction ID: 61f8bb5c35569aea3c9dbadad3621257925e9cfe80eea9075070c5d188a2134f
            • Opcode Fuzzy Hash: 6188dcfb9ba409927f7d43b305952e2ca18d87eecd447261aab3e5aaa2c983f9
            • Instruction Fuzzy Hash: 5E517121F28556D6EB91CF27D9C47B82BB1AB14BA8F544239D92C8B799CF3CE581C700

            Control-flow Graph

            control_flow_graph 410 7ff664861800-7ff664861810 411 7ff664861812-7ff664861822 410->411 412 7ff664861824 410->412 413 7ff66486182b-7ff664861867 call 7ff664862290 fprintf 411->413 412->413
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: fprintf
            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 383729395-3474627141
            • Opcode ID: d196cce22733da6664e8edb65b95f02763a682be6f02ab55e526d30871c6c29c
            • Instruction ID: 4db3c617e13c1d5fc17dc9acd269c32b6b2c320f5417d11defdc8831c391f437
            • Opcode Fuzzy Hash: d196cce22733da6664e8edb65b95f02763a682be6f02ab55e526d30871c6c29c
            • Instruction Fuzzy Hash: BEF0F611E28A55C2E291AB26A9810BDA371FB493C5F409239EF4DDB656DF2CF182C700

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000023.00000002.2220394179.00007FF664861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF664860000, based on PE: true
            • Associated: 00000023.00000002.2220373982.00007FF664860000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220410664.00007FF66486B000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220426642.00007FF66486E000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220444144.00007FF66486F000.00000008.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220678281.00007FF664AEB000.00000004.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220703795.00007FF664AED000.00000002.00000001.01000000.00000007.sdmp
            • Associated: 00000023.00000002.2220728924.00007FF664AF0000.00000002.00000001.01000000.00000007.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_35_2_7ff664860000_svhost.jbxd
            Similarity
            • API ID: CriticalSection$EnterErrorLastLeaveValue
            • String ID:
            • API String ID: 682475483-0
            • Opcode ID: 0d3f40a56fc230f51008cd68afb882d42e2fa9fd450aedc21c851e2dc6c825f8
            • Instruction ID: 1a774e9d19ba889802ed541646ff8c8abd660bd47df8f61d371d2d1a95214ca3
            • Opcode Fuzzy Hash: 0d3f40a56fc230f51008cd68afb882d42e2fa9fd450aedc21c851e2dc6c825f8
            • Instruction Fuzzy Hash: E3011A21A1D642D2F685EB42ADC42B85270BF04B91F544179CA1DCFBA8DF2CF891C200