
Windows Analysis Report
8082-svc-x86.exe

Overview

General Information

Sample Name: 8082-svc-x86.exe
Analysis ID: 780207
MD5: 8fc088eec229a693f2d754c67a2e506a
SHA1: 0043b6ba9f8edfd83d00bbce364797d4c65b3b75
SHA256: deeb89a16aa2b7b63504602de422f508c196b8be3289e57f3b9d74337d585425
Tags: 45139105143exeopendir

Detection

CobaltStrike
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected CobaltStrike
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Program does not show much activity (idle)

Classification

  • System is w10x64
  • 8082-svc-x86.exe (PID: 3396 cmdline: C:\Users\user\Desktop\8082-svc-x86.exe MD5: 8FC088EEC229A693F2D754C67A2E506A)
  • cleanup
No configs have been found
Yara matches on the sample file (Source / Rule / Description / Author / Strings):
Source: 8082-svc-x86.exe
  Rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x
  Description: Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0
  Author: gssincla@google.com
  Strings:
  • 0xe07:$pushFmtStr: C7 44 24 28 5C 00 00 00 C7 44 24 24 65 00 00 00 C7 44 24 20 70 00 00 00 C7 44 24 1C 69 00 00 00 C7 44 24 18 70 00 00 00 F7 F1 C7 44 24 14 5C 00 00 00 C7 44 24 10 2E 00 00 00 C7 44 24 0C 5C 00 ...
  • 0x44a68:$fmtStr: %c%c%c%c%c%c%c%c%cMSSE-%d-server
Source: 8082-svc-x86.exe
  Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x
  Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)
  Author: gssincla@google.com
  Strings:
  • 0xbc2:$decoderFunc: 89 C8 BF 04 00 00 00 99 F7 FF 8B 7D E0 8A 04 17 30
Source: 8082-svc-x86.exe
  Rule: JoeSecurity_CobaltStrike_4
  Description: Yara detected CobaltStrike
  Author: Joe Security

Yara matches on memory dumps (Source / Rule / Description / Author / Strings):
Source: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp
  Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x
  Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)
  Author: gssincla@google.com
  Strings:
  • 0x7c2:$decoderFunc: 89 C8 BF 04 00 00 00 99 F7 FF 8B 7D E0 8A 04 17 30
Source: 00000000.00000000.295977191.0000000000401000.00000020.00000001.01000000.00000003.sdmp
  Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x
  Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)
  Author: gssincla@google.com
  Strings:
  • 0x7c2:$decoderFunc: 89 C8 BF 04 00 00 00 99 F7 FF 8B 7D E0 8A 04 17 30

Yara matches on unpacked PEs (Source / Rule / Description / Author / Strings):
Source: 0.2.8082-svc-x86.exe.400000.0.unpack
  Rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x
  Description: Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0
  Author: gssincla@google.com
  Strings:
  • 0xe07:$pushFmtStr: C7 44 24 28 5C 00 00 00 C7 44 24 24 65 00 00 00 C7 44 24 20 70 00 00 00 C7 44 24 1C 69 00 00 00 C7 44 24 18 70 00 00 00 F7 F1 C7 44 24 14 5C 00 00 00 C7 44 24 10 2E 00 00 00 C7 44 24 0C 5C 00 ...
  • 0x44a68:$fmtStr: %c%c%c%c%c%c%c%c%cMSSE-%d-server
Source: 0.2.8082-svc-x86.exe.400000.0.unpack
  Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x
  Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)
  Author: gssincla@google.com
  Strings:
  • 0xbc2:$decoderFunc: 89 C8 BF 04 00 00 00 99 F7 FF 8B 7D E0 8A 04 17 30
Source: 0.2.8082-svc-x86.exe.400000.0.unpack
  Rule: JoeSecurity_CobaltStrike_4
  Description: Yara detected CobaltStrike
  Author: Joe Security
Source: 0.0.8082-svc-x86.exe.400000.0.unpack
  Rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x
  Description: Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0
  Author: gssincla@google.com
  Strings:
  • 0xe07:$pushFmtStr: C7 44 24 28 5C 00 00 00 C7 44 24 24 65 00 00 00 C7 44 24 20 70 00 00 00 C7 44 24 1C 69 00 00 00 C7 44 24 18 70 00 00 00 F7 F1 C7 44 24 14 5C 00 00 00 C7 44 24 10 2E 00 00 00 C7 44 24 0C 5C 00 ...
  • 0x44a68:$fmtStr: %c%c%c%c%c%c%c%c%cMSSE-%d-server
Source: 0.0.8082-svc-x86.exe.400000.0.unpack
  Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x
  Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)
  Author: gssincla@google.com
  Strings:
  • 0xbc2:$decoderFunc: 89 C8 BF 04 00 00 00 99 F7 FF 8B 7D E0 8A 04 17 30
      No Sigma rule has matched
      No Snort rule has matched


      AV Detection

Source: 8082-svc-x86.exe  Avira: detected
Source: 8082-svc-x86.exe  ReversingLabs: Detection: 92%
Source: 8082-svc-x86.exe  Joe Sandbox ML: detected
Source: 0.0.8082-svc-x86.exe.400000.0.unpack  Avira: Label: TR/Hijacker.Gen
Source: 0.2.8082-svc-x86.exe.400000.0.unpack  Avira: Label: TR/Hijacker.Gen
Source: 8082-svc-x86.exe  Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 8082-svc-x86.exe, type: SAMPLE  Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 8082-svc-x86.exe, type: SAMPLE  Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY  Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 00000000.00000000.295977191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY  Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_00402F5A StartServiceCtrlDispatcherA,0_2_00402F5A
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_00402F50 StartServiceCtrlDispatcherA,0_2_00402F50
Source: 8082-svc-x86.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine  Classification label: mal68.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_00401BC9 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_00401BC9
Source: C:\Users\user\Desktop\8082-svc-x86.exe  API coverage: 4.7 %
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,0_2_00401180
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_00402B60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,0_2_00402B60
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_00402A90 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00402A90
Source: C:\Users\user\Desktop\8082-svc-x86.exe  Code function: 0_2_004017FC CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,0_2_004017FC

      Remote Access Functionality

Source: Yara match  File source: 8082-svc-x86.exe, type: SAMPLE
Source: Yara match  File source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK matrix (a leading number is the count displayed beside the technique):
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: 2 Service Execution; 1 Native API
  • Persistence: 3 Windows Service; Boot or Logon Initialization Scripts
  • Privilege Escalation: 3 Windows Service; 1 Process Injection
  • Defense Evasion: 1 Software Packing; 1 Process Injection
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: 1 System Time Discovery; 2 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout
Antivirus results for the sample (Source | Detection | Scanner | Label):
  8082-svc-x86.exe | 93% | ReversingLabs | Win32.Trojan.CobaltStrike
  8082-svc-x86.exe | 100% | Avira | TR/Crypt.XPACK.Gen
  8082-svc-x86.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Antivirus results for unpacked PEs (Source | Detection | Scanner | Label):
  0.0.8082-svc-x86.exe.400000.0.unpack | 100% | Avira | TR/Hijacker.Gen
  0.2.8082-svc-x86.exe.400000.0.unpack | 100% | Avira | TR/Hijacker.Gen
No Antivirus matches
No Antivirus matches
      No contacted domains info
      No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 780207
Start date and time: 2023-01-08 16:02:38 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 8082-svc-x86.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.troj.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 100% (good quality ratio 41.8%)
• Quality average: 28.8%
• Quality standard deviation: 39.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 3
• Number of non-executed functions: 15
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• VT rate limit hit for: 8082-svc-x86.exe
      No simulations
No context
      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.668168868781468
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 8082-svc-x86.exe
File size: 285696
MD5: 8fc088eec229a693f2d754c67a2e506a
SHA1: 0043b6ba9f8edfd83d00bbce364797d4c65b3b75
SHA256: deeb89a16aa2b7b63504602de422f508c196b8be3289e57f3b9d74337d585425
SHA512: 8108f5d1e8dceea2276c89b5bf964e463fe466f25e115f80bb798f83e7619e7c4b40321e695b41570cc5136bc63b2fba90f1a34e4d05949d87ccf309a9d90ee8
SSDEEP: 6144:uQJAy6O5fo59McMv/0pWHV77hLB5FPfPfPfP8DRDNpGxnT:uQN6O5w8/XVXhLB5FPfPfPfP8D9NpgnT
TLSH: D154CF87C75D0CA2F06A3A389EE77D676A19EBE1E30E0D4ED2BB27A50D06797441C701
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^................. ...X...............0....@.................................g......... ............................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4014b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp: 0x5EDED50D [Tue Jun 9 00:17:17 2020 UTC]
TLS Callbacks: 0x401bd0, 0x401b80
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: de77f3139eaf74f1b255ab7be0b6605f
      Instruction
      sub esp, 0Ch
      mov dword ptr [00447040h], 00000001h
      call 00007F50D8FB4E23h
      add esp, 0Ch
      jmp 00007F50D8FB350Bh
      lea esi, dword ptr [esi+00000000h]
      sub esp, 0Ch
      mov dword ptr [00447040h], 00000000h
      call 00007F50D8FB4E03h
      add esp, 0Ch
      jmp 00007F50D8FB34EBh
      nop
      nop
      nop
      nop
      nop
      nop
      push ebp
      mov ebp, esp
      sub esp, 18h
      mov eax, dword ptr [00445420h]
      test eax, eax
      je 00007F50D8FB388Eh
      mov dword ptr [esp], 00446020h
      call dword ptr [004481CCh]
      mov edx, 00000000h
      sub esp, 04h
      test eax, eax
      je 00007F50D8FB3868h
      mov dword ptr [esp+04h], 0044602Eh
      mov dword ptr [esp], eax
      call dword ptr [004481D0h]
      sub esp, 08h
      mov edx, eax
      test edx, edx
      je 00007F50D8FB385Bh
      mov dword ptr [esp], 00445420h
      call edx
      leave
      ret
      lea esi, dword ptr [esi+00h]
      push ebp
      mov ebp, esp
      pop ebp
      ret
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      push ebp
      mov ebp, esp
      sub esp, 10h
      mov edx, dword ptr [0040300Ch]
      mov eax, dword ptr [ebp+08h]
      test edx, edx
      jle 00007F50D8FB3872h
      cmp dword ptr [00403010h], 00000000h
      jle 00007F50D8FB3869h
      mov ecx, dword ptr [004481CCh]
      mov dword ptr [eax+edx], ecx
      mov edx, dword ptr [000000D0h]
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x48000 | 0x8a0 | .idata
  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_TLS | 0x4a000 | 0x18 | .tls
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_IAT | 0x48180 | 0x130 | .idata
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name, Virtual Address, Virtual Size, Raw Size, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
  .text: Virtual Address 0x1000, Virtual Size 0x1fd4, Raw Size 0x2000, Xored PE False, ZLIB Complexity 0.563720703125, File Type data, Entropy 5.933774570860191
    Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .data: Virtual Address 0x3000, Virtual Size 0x42424, Raw Size 0x42600, Xored PE False, ZLIB Complexity 0.5399489465630886, File Type data, Entropy 6.670005359968773
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .rdata: Virtual Address 0x46000, Virtual Size 0x324, Raw Size 0x400, Xored PE False, ZLIB Complexity 0.4970703125, File Type data, Entropy 4.535472821564213
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
  .bss: Virtual Address 0x47000, Virtual Size 0x47c, Raw Size 0x0, Xored PE False, ZLIB Complexity 0, File Type empty, Entropy 0.0
    Characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .idata: Virtual Address 0x48000, Virtual Size 0x8a0, Raw Size 0xa00, Xored PE False, ZLIB Complexity 0.373046875, File Type data, Entropy 4.745754334582236
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .CRT: Virtual Address 0x49000, Virtual Size 0x34, Raw Size 0x200, Xored PE False, ZLIB Complexity 0.068359375, File Type Matlab v4 mat-file (little endian) `\035@, numeric, rows 4198416, columns 0, Entropy 0.2655385886073115
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .tls: Virtual Address 0x4a000, Virtual Size 0x20, Raw Size 0x200, Xored PE False, ZLIB Complexity 0.05078125, File Type data, Entropy 0.22482003450968063
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL: imported functions):
  ADVAPI32.dll: RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA
  KERNEL32.dll: CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateProcessA, CreateThread, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableA, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, QueryPerformanceCounter, ReadFile, ResumeThread, SetThreadContext, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAllocEx, VirtualProtect, VirtualProtectEx, VirtualQuery, WriteFile, WriteProcessMemory
  msvcrt.dll: __dllonexit, __getmainargs, __initenv, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _iob, _lock, _onexit, _snprintf, _unlock, _winmajor, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
      No network behavior found


Target ID: 0
Start time: 16:03:33
Start date: 08/01/2023
Path: C:\Users\user\Desktop\8082-svc-x86.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\8082-svc-x86.exe
Imagebase: 0x400000
File size: 285696 bytes
MD5 hash: 8FC088EEC229A693F2D754C67A2E506A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x, Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), Source: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: gssincla@google.com
• Rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x, Description: Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), Source: 00000000.00000000.295977191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: gssincla@google.com
Reputation: low


        Execution Graph

Execution Coverage: 4.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17.7%
Total number of Nodes: 339
Total number of Limit Nodes: 2
[Execution graph: interactive call graph of 339 nodes, each node a function address in 8082-svc-x86.exe annotated with the APIs it calls; the graph's node and edge data is not reproduced here.]
1207->1204 1207->1205 1208 40223c 1209 4021f6 VirtualQuery 1208->1209 1211 402216 1209->1211 1212 402349 1209->1212 1213 40221f memcpy 1211->1213 1216 40224d VirtualProtect memcpy 1211->1216 1214 4020d0 23 API calls 1212->1214 1215 402233 1213->1215 1220 402361 1214->1220 1216->1215 1217 402294 1216->1217 1217->1215 1219 402299 VirtualProtect 1217->1219 1218 402382 1220->1218 1225 4023fc 1220->1225 1228 4024e5 1220->1228 1221 402605 1222 4020d0 23 API calls 1221->1222 1224 402615 1222->1224 1223 402130 23 API calls 1223->1225 1225->1218 1225->1223 1226 402435 1225->1226 1226->1218 1229 40246f VirtualQuery 1226->1229 1227 4020d0 23 API calls 1227->1228 1228->1218 1228->1221 1228->1226 1228->1227 1232 402130 23 API calls 1228->1232 1230 402491 VirtualProtect 1229->1230 1231 4025e2 1229->1231 1230->1226 1233 4020d0 23 API calls 1231->1233 1232->1228 1233->1221

        Callgraph

        • Executed
        • Not Executed
        • Opacity -> Relevance
        • Disassembly available

        Control-flow Graph

        C-Code - Quality: 37%
        			E00401180() {
        				void* _v16;
        				signed int _v48;
        				void* _v52;
        				char _v96;
        				signed int _v112;
        				void* _v113;
        				void* _v116;
        				intOrPtr _v132;
        				int _v136;
        				void* _v144;
        				void* _v148;
        				void* _v152;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* __ebp;
        				void* _t47;
        				signed int _t49;
        				void* _t52;
        				intOrPtr* _t56;
        				_Unknown_base(*)()* _t58;
        				void* _t59;
        				_Unknown_base(*)()* _t60;
        				void* _t64;
        				void* _t66;
        				int _t72;
        				void* _t76;
        				signed char* _t79;
        				int _t85;
        				intOrPtr _t86;
        				signed int _t87;
        				signed int _t93;
        				void* _t94;
        				signed int _t95;
        				char* _t98;
        				signed int _t99;
        				signed int _t101;
        				void* _t102;
        				void* _t103;
        				char* _t104;
        				void* _t105;
        				int _t107;
        				void* _t108;
        				void* _t109;
        				signed int _t113;
        				intOrPtr* _t114;
        				void* _t115;
        				void* _t116;
        
        				L0:
        				while(1) {
        					L0:
        					_t108 = _t109;
        					_t94 =  &_v96;
        					_t102 = _t94;
        					memset(_t102, 0, 0x11 << 2);
        					_t103 = _t102 + 0x11;
        					_t47 = E00402E30(0x30);
        					_t49 =  &_v113 & 0xfffffff0;
        					 *_t49 = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 4)) = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 8)) = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 0xc)) = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 0x10)) = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 0x14)) = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 0x18)) = 0xcccccccc;
        					 *((intOrPtr*)(_t49 + 0x1c)) = 0xcccccccc;
        					_t113 = _t109 - 0x0000007c + 0xc - _t47 & 0xfffffff0;
        					if( *0x447040 != 0) {
        						 *_t113 = _t94;
        						GetStartupInfoA(??);
        						_t113 = _t113 - 4;
        					}
        					_t105 = Sleep;
        					_t85 =  *((intOrPtr*)( *[fs:0x18] + 4));
        					while(1) {
        						L4:
        						_v132 = 0;
        						_v136 = _t85;
        						 *_t113 = 0x447464;
        						_t52 = E00402E80();
        						_t114 = _t113 - 0xc;
        						if(_t52 == 0) {
        							break;
        						}
        						L2:
        						if(_t52 == _t85) {
        							L33:
        							_t86 = 1;
        							if( *0x447468 != 1) {
        								L6:
        								if( *0x447468 == 0) {
        									 *0x447468 = 1;
        									_v136 = 0x449018;
        									 *_t114 = 0x44900c;
        									L00402ED8();
        								} else {
        									 *0x447000 = 1;
        								}
        								if( *0x447468 == 1) {
        									goto L36;
        								}
        							} else {
        								L34:
        								 *_t114 = 0x1f;
        								L00402ED0();
        								if( *0x447468 == 1) {
        									L35:
        									L36:
        									_v136 = 0x449008;
        									 *_t114 = 0x449000;
        									L00402ED8();
        									 *0x447468 = 2;
        								}
        							}
        							L41:
        						} else {
        							L3:
        							 *_t114 = 0x3e8;
        							Sleep(??);
        							_t113 = _t114 - 4;
        							continue;
        						}
        						L9:
        						if(_t86 == 0) {
        							asm("lock xchg [0x447464], ebx");
        						}
        						_t56 =  *0x4460d4; // 0x401bd0
        						if(_t56 != 0) {
        							_v132 = 0;
        							_v136 = 2;
        							 *_t114 = 0;
        							 *_t56();
        							_t114 = _t114 - 0xc;
        						}
        						E00402370(_t86, _t103, _t105);
        						 *_t114 = E00401E70; // executed
        						_t58 = SetUnhandledExceptionFilter(??); // executed
        						_t115 = _t114 - 4;
        						 *0x447048 = _t58;
        						_t59 = E00402920();
        						 *(_t115 + 4) = "_set_invalid_parameter_handler";
        						_v144 = _t59;
        						_t60 = GetProcAddress(??, ??);
        						_t116 = _t115 - 8;
        						if(_t60 != 0) {
        							_v144 = 0x401000;
        							_t60 =  *_t60();
        						}
        						E004029E0(_t60);
        						if( *0x447040 != 0) {
        							L16:
        							_t93 = 0;
        							_t79 =  *_acmdln;
        							while(1) {
        								L20:
        								_t99 =  *_t79 & 0x000000ff;
        								if(_t99 <= 0x20) {
        									goto L17;
        								}
        								L21:
        								_t93 =  ==  ? _t93 ^ 0x00000001 : _t93;
        								L19:
        								_t79 =  &(_t79[1]);
        								L20:
        								_t99 =  *_t79 & 0x000000ff;
        								if(_t99 <= 0x20) {
        									goto L17;
        								}
        								goto L25;
        								L17:
        								if(_t99 != 0) {
        									L18:
        									if(_t93 == 0) {
        										while(1) {
        											L23:
        											_t79 =  &(_t79[1]);
        											_t101 =  *_t79 & 0x000000ff;
        											if(_t101 > 0x20) {
        												goto L24;
        											}
        											L22:
        											if(_t101 != 0) {
        												continue;
        											}
        											goto L24;
        										}
        									} else {
        										goto L19;
        									}
        								}
        								L24:
        								 *0x4473e4 = _t79;
        								 *0x4473ec = 0x400000;
        								_t81 =  !=  ? _v48 & 0x0000ffff : 0xa;
        								 *0x4473e8 =  !=  ? _v48 & 0x0000ffff : 0xa;
        								goto L25;
        							}
        						}
        						L25:
        						_t95 =  *0x447004;
        						_t87 = 0;
        						_v112 = _t95;
        						_t64 = malloc(4 + _t95 * 4);
        						_t104 =  *0x447008;
        						_v116 = _t64;
        						if(_v112 > 0) {
        							L26:
        							do {
        								L27:
        								_t28 = strlen( *(_t104 + _t87 * 4)) + 1; // 0x1
        								_t107 = _t28;
        								_t76 = malloc(_t107);
        								 *(_v116 + _t87 * 4) = _t76;
        								_t98 =  *(_t104 + _t87 * 4);
        								_t87 = _t87 + 1;
        								_v136 = _t107;
        								_v144 = _t76;
        								 *(_t116 + 4) = _t98;
        								memcpy(??, ??, ??);
        							} while (_t87 != _v112);
        							_t87 = _t87 << 2;
        						}
        						L29:
        						_t66 = _v116;
        						 *((intOrPtr*)(_t66 + _t87)) = 0;
        						 *0x447008 = _t66;
        						E00402A70();
        						 *__imp____initenv =  *0x44700c;
        						_v136 =  *0x44700c;
        						 *(_t116 + 4) =  *0x447008;
        						_t72 = E00402F50( *0x447004); // executed
        						_t106 =  *0x447014;
        						 *0x447010 = _t72;
        						if( *0x447014 == 0) {
        							L39:
        							exit(_t72); // executed
        							L40:
        							 *0x447040 = 1;
        							E00402A90(_t87, _t104, _t106, _t108);
        							goto L0;
        						}
        						L30:
        						if( *0x447000 == 0) {
        							L00402EC8();
        							_t72 =  *0x447010;
        						}
        						return _t72;
        					}
        					L5:
        					_t86 = 0;
        					if( *0x447468 == 1) {
        						goto L34;
        					} else {
        						goto L6;
        					}
        					goto L9;
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: malloc$AddressExceptionFilterInfoProcSleepStartupUnhandled_cexitmemcpystrlen
        • String ID:
        • API String ID: 2757201259-0
        • Opcode ID: 0ffb76ae5e95da41bc83b8d6e0988bcfad65103e7296106b01b609385fb0784f
        • Instruction ID: b520ae0778044b0131384eb691c383f65b5ab2fd8959a08a1c2ef0303cb6f7f4
        • Opcode Fuzzy Hash: 0ffb76ae5e95da41bc83b8d6e0988bcfad65103e7296106b01b609385fb0784f
        • Instruction Fuzzy Hash: 658190B5A083008FD710EF69D98575A7BE4FB46344F00843EE884AB3B2D7789845CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        Control-flow graph (image not preserved): block 402f50-402f99, call 402a70, StartServiceCtrlDispatcherA
        C-Code - Quality: 79%
        			E00402F50(struct _SERVICE_TABLE_ENTRY _a4) {
        				void* _v16;
        				intOrPtr _v28;
        				void _v32;
        				signed int _t27;
        				signed int _t28;
        
        				_t16 =  &_a4;
        				_t28 = _t27 & 0xfffffff0;
        				_t2 = _t16 - 4; // 0x1b66
        				_push( *_t2);
        				E00402A70();
        				memset( &_v32, 0, 4 << 2);
        				_v28 = E00401AF1;
        				_v32 = "DceRpcSs";
        				 *((intOrPtr*)(_t28 - 0x20 + 0xc)) =  &_v32; // executed
        				StartServiceCtrlDispatcherA( &_a4); // executed
        				_push(0);
        				return 0;
        			}

        APIs
        • StartServiceCtrlDispatcherA.ADVAPI32 ref: 00402F87
        Yara matches
        Similarity
        • API ID: CtrlDispatcherServiceStart
        • String ID:
        • API String ID: 3789849863-0
        • Opcode ID: e3b383bff927e7d42cf873172becb8e24fa9f11f50487d90cb0a5020072ce581
        • Instruction ID: 2b2b9dc17f267bd0b3883f6c39bae23263766987c534d6c7352ccb13fdade522
        • Opcode Fuzzy Hash: e3b383bff927e7d42cf873172becb8e24fa9f11f50487d90cb0a5020072ce581
        • Instruction Fuzzy Hash: 5BF0E5B1D14208ABCF04DFA5CD0A5AEBFF4EB49320F00052DDB10A7190EB722258CBDA
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        Control-flow graph (image not preserved): blocks 402f5a-402f62 (call 402a70) -> 402f67-402f99 (StartServiceCtrlDispatcherA)
        C-Code - Quality: 53%
        			E00402F5A(void* __ecx) {
        				void* _v12;
        				intOrPtr _v24;
        				void _v28;
        				void* _t20;
        
        				E00402A70();
        				memset( &_v28, 0, 4 << 2);
        				_v24 = E00401AF1;
        				_v28 = "DceRpcSs";
        				 *((intOrPtr*)(_t20 - 0x20 + 0xc)) =  &_v28; // executed
        				StartServiceCtrlDispatcherA(??); // executed
        				_push(0);
        				return 0;
        			}

        APIs
        • StartServiceCtrlDispatcherA.ADVAPI32 ref: 00402F87
        Yara matches
        Similarity
        • API ID: CtrlDispatcherServiceStart
        • String ID:
        • API String ID: 3789849863-0
        • Opcode ID: 45f20d8f2023f6e05191cf7aca1cb58d873fd4a14c5f560c92751c7b1dc670ab
        • Instruction ID: 4779078c75c81b69a7b3b677dac00df4aaf53bcda390081b606efbad01e9f719
        • Opcode Fuzzy Hash: 45f20d8f2023f6e05191cf7aca1cb58d873fd4a14c5f560c92751c7b1dc670ab
        • Instruction Fuzzy Hash: 3BE092B1D102089ADF04DBA5C80A4AEBFF4EB48310F40042EDB00A7140E77112588AEA
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetSystemTimeAsFileTime.KERNEL32 ref: 00402AE7
        • GetCurrentProcessId.KERNEL32 ref: 00402AFC
        • GetCurrentThreadId.KERNEL32 ref: 00402B04
        • GetTickCount.KERNEL32 ref: 00402B0C
        • QueryPerformanceCounter.KERNEL32 ref: 00402B1B
        Yara matches
        Similarity
        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
        • String ID:
        • API String ID: 1445889803-0
        • Opcode ID: e11e2206374be67b3c3da8bbd86505e7a4505088eba51d33521fae351598e200
        • Instruction ID: 78646b3e1d5c86e1c06f6e21d60100cb63da4833f97e07ed5814b01204404a61
        • Opcode Fuzzy Hash: e11e2206374be67b3c3da8bbd86505e7a4505088eba51d33521fae351598e200
        • Instruction Fuzzy Hash: 3F1129B88083048FC710EF69D54821EBBF0BB89345F44493EEA8597350EE75EA558F86
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • SetUnhandledExceptionFilter.KERNEL32 ref: 00402BAF
        • UnhandledExceptionFilter.KERNEL32 ref: 00402BBF
        • GetCurrentProcess.KERNEL32 ref: 00402BC8
        • TerminateProcess.KERNEL32 ref: 00402BD9
        • abort.MSVCRT ref: 00402BE2
        Yara matches
        Similarity
        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
        • String ID:
        • API String ID: 520269711-0
        • Opcode ID: 3e07c674600e018cf393241923143bfb6f93070fd9807a6625289886196aa4f4
        • Instruction ID: 859cebbddd7a6eb95a4514aeef559e0a0fcf99abc68438dd33cb2a701fdc42d7
        • Opcode Fuzzy Hash: 3e07c674600e018cf393241923143bfb6f93070fd9807a6625289886196aa4f4
        • Instruction Fuzzy Hash: FA01E4B8808604CFD700EFA9E94964C7BF0BB06305F00843EED8887321EBB49445DF9A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        Control-flow graph (image not preserved): blocks 4015e3-401649 (VirtualAllocEx, WriteProcessMemory), 40164b-401683 (VirtualProtectEx, call 401585), 401688-40168f
        APIs
        • VirtualAllocEx.KERNEL32 ref: 00401617
        • WriteProcessMemory.KERNEL32 ref: 0040163B
        • VirtualProtectEx.KERNEL32 ref: 00401665
          • Part of subcall function 00401585: GetThreadContext.KERNEL32 ref: 004015AA
          • Part of subcall function 00401585: SetThreadContext.KERNEL32 ref: 004015C6
          • Part of subcall function 00401585: ResumeThread.KERNEL32 ref: 004015D5
        Strings
        Yara matches
        Similarity
        • API ID: Thread$ContextVirtual$AllocMemoryProcessProtectResumeWrite
        • String ID:
        • API String ID: 2510746765-3916222277
        • Opcode ID: 98fd60b40e763cf1c0588a2a92284ca64f11d97fa3fc4fe119ce37cc8a3a9acc
        • Instruction ID: 51bf41b5267f32c2ee6501d1ff25d8f8f9f1cdb80aa5cf9e2f437c3fc7dc1d03
        • Opcode Fuzzy Hash: 98fd60b40e763cf1c0588a2a92284ca64f11d97fa3fc4fe119ce37cc8a3a9acc
        • Instruction Fuzzy Hash: F511C6B58087099FCB00EF69D88468EFBF4FB88350F41892EE99997211D7749548CF92
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        Control-flow graph (image not preserved): blocks 401bc9-401d47; API calls LoadLibraryA (401c14), GetProcAddress x2 (401c3b), FreeLibrary (401cc3), call 402d90 (401ca2)
        APIs
        Yara matches
        Similarity
        • API ID: AddressLibraryProc$FreeLoad
        • String ID:
        • API String ID: 2256533930-0
        • Opcode ID: a4febda0ee608bfac65e10639c290dac84c1ac7c0ebcb305557fb0bc80f4c26b
        • Instruction ID: 011540b2cccecd24dea3a42fb47be6b9ee2a79e2c3b2965efcde817b5523d879
        • Opcode Fuzzy Hash: a4febda0ee608bfac65e10639c290dac84c1ac7c0ebcb305557fb0bc80f4c26b
        • Instruction Fuzzy Hash: 633186785093008BE710DF28E98871A7BF0FB42305F44853ED4449B3A1D77DE885CB9A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 282 4017fc-401862 CreateNamedPipeA 283 401864-40187c ConnectNamedPipe 282->283 284 4018bf-4018c6 282->284 285 4018b1-4018b3 283->285 286 40187e 283->286 287 401880-4018a8 WriteFile 285->287 288 4018b5-4018be CloseHandle 285->288 286->284 287->288 289 4018aa-4018af 287->289 288->284 289->285
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: NamedPipe$CloseConnectCreateHandle
        • String ID:
        • API String ID: 2614152119-0
        • Opcode ID: 0465db1befb23027c4cea89d0b6a898aca4ec2e125c6b86e4828439d6905d31f
        • Instruction ID: 17bb8fcc64f172d170a250cdf5790c7dd978b5f6bce225f89b3aa58ccb4e35f0
        • Opcode Fuzzy Hash: 0465db1befb23027c4cea89d0b6a898aca4ec2e125c6b86e4828439d6905d31f
        • Instruction Fuzzy Hash: 1C21F7B18083059BE700AF69C88875FBBF4FB84754F00C92EE99497291D77995488FD6
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 61 4019f4-401aa8 GetTickCount sprintf CreateThread
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: CountCreateThreadTicksprintf
        • String ID: .$\$\$\$\$e$h`D$i$p$p
        • API String ID: 1367138260-11489786
        • Opcode ID: f0429da66f0d8fd4b02aeebdf8207271749dda62c489663ccaaecb582acfca4a
        • Instruction ID: 2f42d98f885511b68772a3f57ad8eadf19c4ba70bd4210558800798ab69ab24e
        • Opcode Fuzzy Hash: f0429da66f0d8fd4b02aeebdf8207271749dda62c489663ccaaecb582acfca4a
        • Instruction Fuzzy Hash: E4016CB4408341DFE300EF15D91871FBEE1AB84749F10891DE5982A290C7BE864DCF9B
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 62 4020d0-402147 fwrite vfprintf abort 64 402312-402314 62->64 65 40214d-402152 62->65 66 402154-402159 65->66 67 402169-402171 66->67 68 40215b-402163 66->68 67->66 70 402173-40217f call 402730 67->70 68->67 69 402240-402246 68->69 71 4021f6-402210 VirtualQuery 69->71 79 402185-4021dc call 402810 VirtualQuery 70->79 80 402339-402344 call 4020d0 70->80 73 402216-40221d 71->73 74 402349-402380 call 4020d0 71->74 76 402248-40224b 73->76 77 40221f-40222e memcpy 73->77 89 402390-4023d6 call 402770 call 402e30 74->89 90 402382-402389 74->90 76->77 84 40224d-402292 VirtualProtect memcpy 76->84 82 402233-40223a 77->82 92 4021e2-4021e9 79->92 93 402319-402334 call 4020d0 79->93 80->74 84->82 87 402294-402297 84->87 87->82 91 402299-4022c0 VirtualProtect 87->91 89->90 104 4023d8-4023e0 89->104 94 4022c1-4022c4 92->94 95 4021ef 92->95 93->80 94->95 98 4022ca-4022f6 VirtualProtect 94->98 95->71 98->95 101 4022fc-40230d GetLastError call 4020d0 98->101 101->64 105 4024d0-4024d4 104->105 106 4023e6-4023ed 104->106 107 402400-402406 105->107 108 4024da-4024df 105->108 106->107 109 4023ef-4023f6 106->109 107->90 113 40240c 107->113 108->107 110 4024e5-4024eb 108->110 111 4024bc-4024c3 109->111 112 4023fc 109->112 115 4024f1-4024fa 110->115 116 402605-402615 call 4020d0 110->116 111->110 114 4024c5-4024ca 111->114 112->107 117 402411-402433 call 402130 113->117 114->105 115->90 119 402500-402517 115->119 127 402435-40243d 117->127 122 402519-40251c 119->122 123 40255a-402563 119->123 125 402590-40259c 122->125 126 40251e-402521 122->126 128 4025c0-4025d0 123->128 129 402565-402575 123->129 132 40259f-4025a7 call 402130 125->132 133 402523-402535 call 4020d0 126->133 134 40253a-402543 126->134 127->90 135 402443-40244d 127->135 130 4025d3-4025e0 call 402130 128->130 129->130 131 402577-40257a 129->131 143 4025ac-4025b5 130->143 131->132 136 40257c-40257f 131->136 132->143 133->134 134->129 140 402545-402558 134->140 141 402462-40246d 135->141 142 402581-40258e call 402130 136->142 136->143 140->142 145 402450-40245c 141->145 146 40246f-40248b VirtualQuery 141->146 142->143 143->119 150 4025bb 143->150 145->90 145->141 147 402491-4024ba VirtualProtect 146->147 148 4025e2-402600 call 4020d0 146->148 147->145 148->116 150->127
        C-Code - Quality: 19%
        			E004020D0(void* __ebx, char* __ecx, signed int __edx, void* __edi, void* __esi, int _a4, char _a8) {
        				intOrPtr _v16;
        				intOrPtr _v20;
        				int _v24;
        				char _v32;
        				signed int _v36;
        				signed int _v52;
        				void* _v60;
        				char* _v64;
        				intOrPtr _v68;
        				char** _v76;
        				char* _v88;
        				void* _v96;
        				char** _v104;
        				char* _v116;
        				char** _v124;
        				signed int _v128;
        				signed int _v140;
        				char* _v144;
        				char** _v148;
        				void* _v213;
        				char* _v232;
        				signed int _v236;
        				char** _v240;
        				int _t118;
        				signed int _t119;
        				int _t122;
        				void* _t127;
        				long _t134;
        				char** _t138;
        				long _t154;
        				intOrPtr _t159;
        				long _t161;
        				void* _t162;
        				void* _t164;
        				int _t176;
        				long _t177;
        				signed int _t179;
        				char* _t181;
        				char* _t182;
        				signed int _t184;
        				void* _t185;
        				intOrPtr* _t186;
        				char* _t189;
        				intOrPtr _t192;
        				char _t198;
        				intOrPtr* _t201;
        				signed int _t202;
        				signed int _t209;
        				signed int _t211;
        				signed int _t214;
        				signed int _t217;
        				signed int _t225;
        				intOrPtr _t232;
        				signed int _t233;
        				signed int* _t237;
        				void* _t241;
        				char* _t243;
        				void* _t248;
        				char** _t249;
        				char** _t250;
        				void* _t251;
        				char** _t252;
        
        				_t196 = __edx;
        				_t189 = __ecx;
        				_t249 = _t248 - 0x18;
        				_v20 = 0x1b;
        				_t181 =  &_a8;
        				_v24 = 1;
        				 *_t249 = "Mingw-w64 runtime failure:\n";
        				_v16 = __imp___iob + 0x40;
        				fwrite(__ebx, ??, ??, ??);
        				_v20 = _t181;
        				_v24 = _a4;
        				 *_t249 = __imp___iob + 0x40;
        				_t118 = vfprintf(??, ??, ??);
        				abort();
        				_t243 = _t189;
        				_push(__edi);
        				_push(__esi);
        				_push(_t181);
        				_t182 = _t118;
        				_t250 = _t249 - 0x6c;
        				_t190 =  *0x447058;
        				_v124 = _t196;
        				if(_t190 <= 0) {
        					L22:
        					_t228 = 0;
        					goto L6;
        				} else {
        					_t179 =  *0x447054;
        					_t241 = 0;
        					do {
        						_t196 =  *(_t179 + 4);
        						if(_t182 < _t196) {
        							goto L5;
        						} else {
        							_t214 =  *(_t179 + 8);
        							if(_t182 < _t196) {
        								_t228 = VirtualQuery;
        								L10:
        								_v144 = 0x1c;
        								_v148 =  &_v116;
        								 *_t250 = _t182;
        								_t161 = VirtualQuery(??, ??, ??);
        								_t250 = _t250 - 0xc;
        								if(_t161 == 0) {
        									L25:
        									_v144 = _t182;
        									_v148 = 0x1c;
        									 *_t250 = "  VirtualQuery failed for %d bytes at address %p";
        									E004020D0(_t182, _t190, _t196, _t214, _t228);
        									_push(_t243);
        									_push(_t214);
        									_push(_t228);
        									_push(_t182);
        									_t251 = _t250 - 0x4c;
        									_t122 =  *0x447050;
        									__eflags = _t122;
        									if(__eflags == 0) {
        										 *0x447050 = 1;
        										_t127 = E00402E30(0x0000001e + (E00402770(__eflags) + _t123 * 0x00000002) * 0x00000004 & 0xfffffff0);
        										 *0x447058 = 0;
        										_t252 = _t251 - _t127;
        										 *0x447054 =  &_v213 & 0xfffffff0;
        										_t122 = 0;
        										__eflags = 0x446324 - 7;
        										if(0x446324 <= 7) {
        											goto L27;
        										} else {
        											__eflags = 0x446324 - 0xb;
        											_t184 = 0x446324;
        											if(0x446324 <= 0xb) {
        												L44:
        												_t216 =  *_t184;
        												__eflags =  *_t184;
        												if( *_t184 != 0) {
        													goto L33;
        												} else {
        													_t83 = _t184 + 4; // 0x0
        													_t231 =  *_t83;
        													__eflags =  *_t83;
        													if( *_t83 != 0) {
        														goto L33;
        													} else {
        														goto L46;
        													}
        												}
        											} else {
        												_t122 =  *0x446324; // 0x0
        												__eflags = _t122;
        												if(_t122 != 0) {
        													L33:
        													__eflags = _t184 - 0x446324;
        													if(_t184 >= 0x446324) {
        														goto L27;
        													} else {
        														do {
        															_t69 = _t184 + 4; // 0x0
        															_t122 =  *_t69 + 0x400000;
        															_t198 =  *_t122 +  *_t184;
        															_t184 = _t184 + 8;
        															_v32 = _t198;
        															L1();
        															__eflags = _t184 - 0x446324;
        														} while (_t184 < 0x446324);
        														goto L36;
        													}
        												} else {
        													_t122 =  *0x446328; // 0x0
        													__eflags = _t122;
        													if(_t122 == 0) {
        														_t122 =  *0x44632c; // 0x0
        														__eflags = _t122;
        														if(_t122 != 0) {
        															L46:
        															_t84 = _t184 + 8; // 0x0
        															_t138 =  *_t84;
        															__eflags = _t138 - 1;
        															if(_t138 != 1) {
        																L66:
        																_v240 = _t138;
        																 *_t252 = "  Unknown pseudo relocation protocol version %d.\n";
        																E004020D0(_t184, _t190, _t196, _t216, _t231);
        																0;
        																0;
        																_t201 = _v240;
        																__eflags =  *_t201 - 0x5a4d;
        																if( *_t201 != 0x5a4d) {
        																	L68:
        																	asm("repe ret");
        																}
        																_t108 = _t201 + 0x3c; // 0x40003ca1
        																_t201 = _t201 +  *_t108;
        																__eflags =  *_t201 - 0x4550;
        																if( *_t201 != 0x4550) {
        																	goto L68;
        																}
        																__eflags =  *((short*)(_t201 + 0x18)) - 0x10b;
        																_t111 =  *((short*)(_t201 + 0x18)) == 0x10b;
        																__eflags = _t111;
        																return 0 | _t111;
        															} else {
        																_t186 = _t184 + 0xc;
        																__eflags = _t186 - 0x446324;
        																if(_t186 < 0x446324) {
        																	do {
        																		_t85 = _t186 + 8; // 0x0
        																		_t202 =  *_t85 & 0x000000ff;
        																		_t192 =  *_t186;
        																		_t86 = _t186 + 4; // 0x0
        																		_t122 = 0x400000 +  *_t86;
        																		__eflags = _t202 - 0x10;
        																		_t232 =  *((intOrPtr*)(_t192 + 0x400000));
        																		if(_t202 == 0x10) {
        																			_t217 =  *0x400000 & 0x0000ffff;
        																			__eflags = _t217 & 0x00008000;
        																			if((_t217 & 0x00008000) != 0) {
        																				_t220 = (_t217 | 0xffff0000) - _t192 - 0x400000;
        																				_t233 = _t232 + (_t217 | 0xffff0000) - _t192 - 0x400000;
        																				__eflags = _t233;
        																				_v36 = _t233;
        																				goto L64;
        																			} else {
        																				goto L55;
        																			}
        																		} else {
        																			__eflags = _t202 - 0x20;
        																			if(_t202 == 0x20) {
        																				_t209 =  *0x400000 - _t192 - 0x400000 + _t232;
        																				__eflags = _t209;
        																				_v36 = _t209;
        																				goto L60;
        																			} else {
        																				__eflags = _t202 - 8;
        																				if(_t202 != 8) {
        																					_v240 = _t202;
        																					 *_t252 = "  Unknown pseudo relocation bit size %d.\n";
        																					_v36 = 0;
        																					_t122 = E004020D0(_t186, _t192, _t202, _t220, _t232);
        																				}
        																				_t217 =  *_t122 & 0x000000ff;
        																				__eflags = _t217 & 0x00000080;
        																				if((_t217 & 0x00000080) == 0) {
        																					L55:
        																					_t220 = _t217 - _t192 - 0x400000;
        																					__eflags = _t202 - 0x10;
        																					_v36 = _t232 + _t217 - _t192 - 0x400000;
        																					if(_t202 == 0x10) {
        																						L64:
        																						L1();
        																					} else {
        																						__eflags = _t202 - 0x20;
        																						if(_t202 == 0x20) {
        																							L60:
        																							L1();
        																						} else {
        																							__eflags = _t202 - 8;
        																							if(_t202 == 8) {
        																								goto L58;
        																							}
        																						}
        																					}
        																				} else {
        																					_t220 = (_t217 | 0xffffff00) - _t192 - 0x400000;
        																					_v36 = _t232 + (_t217 | 0xffffff00) - _t192 - 0x400000;
        																					L58:
        																					L1();
        																				}
        																			}
        																		}
        																		_t186 = _t186 + 0xc;
        																		__eflags = _t186 - 0x446324;
        																	} while (_t186 < 0x446324);
        																	L36:
        																	_t190 =  *0x447058;
        																	__eflags =  *0x447058;
        																	if( *0x447058 > 0) {
        																		_t185 = 0;
        																		_t231 = 0;
        																		_t216 = VirtualQuery;
        																		do {
        																			_t122 =  *0x447054 + _t185;
        																			__eflags =  *_t122;
        																			if( *_t122 == 0) {
        																				goto L38;
        																			} else {
        																				_t196 =  &_v64;
        																				_v236 = 0x1c;
        																				_v240 =  &_v64;
        																				 *_t252 =  *(_t122 + 4);
        																				_t134 = VirtualQuery(??, ??, ??);
        																				_t252 = _t252 - 0xc;
        																				__eflags = _t134;
        																				if(_t134 == 0) {
        																					_t184 = _t185 +  *0x447054;
        																					__eflags = _t184;
        																					_v236 =  *(_t184 + 4);
        																					 *_t252 = "  VirtualQuery failed for %d bytes at address %p";
        																					_v240 =  *((intOrPtr*)( *(_t184 + 8) + 8));
        																					_t138 = E004020D0(_t184, _t190,  &_v64, _t216, _t231);
        																					goto L66;
        																				} else {
        																					_v232 =  &_v32;
        																					_v236 =  *( *0x447054 + _t185);
        																					_v240 = _v52;
        																					 *_t252 = _v64;
        																					_t122 = VirtualProtect(??, ??, ??, ??);
        																					_t252 = _t252 - 0x10;
        																					goto L38;
        																				}
        																			}
        																			goto L71;
        																			L38:
        																			_t231 = _t231 + 1;
        																			_t185 = _t185 + 0xc;
        																			__eflags = _t231 -  *0x447058;
        																		} while (_t231 <  *0x447058);
        																	}
        																}
        																goto L27;
        															}
        														} else {
        															_t184 = 0x446330;
        															goto L44;
        														}
        													} else {
        														goto L33;
        													}
        												}
        											}
        										}
        									} else {
        										L27:
        										return _t122;
        									}
        								} else {
        									_t162 = _v96;
        									if(_t162 != 4) {
        										__eflags = _t162 - 0x40;
        										if(_t162 == 0x40) {
        											goto L12;
        										} else {
        											_t225 =  &_v60;
        											_v140 = _t225;
        											_v144 = 0x40;
        											_v148 = _v104;
        											 *_t250 = _v116;
        											VirtualProtect(??, ??, ??, ??);
        											_t250 = _t250 - 0x10;
        											_v144 = _t243;
        											 *_t250 = _t182;
        											_v148 = _v124;
        											memcpy(??, ??, ??);
        											_t164 = _v96;
        											__eflags = _t164 - 0x40;
        											if(_t164 == 0x40) {
        												goto L13;
        											} else {
        												__eflags = _t164 - 4;
        												if(_t164 == 4) {
        													goto L13;
        												} else {
        													_v140 = _t225;
        													_v144 = _v60;
        													_v148 = _v104;
        													 *_t250 = _v116;
        													return VirtualProtect(??, ??, ??, ??);
        												}
        											}
        										}
        									} else {
        										L12:
        										_v144 = _t243;
        										 *_t250 = _t182;
        										_v148 = _v124;
        										_t164 = memcpy(??, ??, ??);
        										L13:
        										return _t164;
        									}
        								}
        							} else {
        								goto L5;
        							}
        						}
        						goto L71;
        						L5:
        						_t241 = _t241 + 1;
        						_t179 = _t179 + 0xc;
        						_t261 = _t241 - _t190;
        					} while (_t241 != _t190);
        					L6:
        					 *_t250 = _t182;
        					_t119 = E00402730(_t261);
        					_t262 = _t119;
        					_t214 = _t119;
        					if(_t119 == 0) {
        						L24:
        						_v148 = _t182;
        						 *_t250 = "Address %p has no image-section";
        						E004020D0(_t182, _t190, _t196, _t214, _t228);
        						goto L25;
        					} else {
        						_t211 = _t228 + _t228 * 2 << 2;
        						_t237 =  *0x447054 + _t211;
        						_t237[2] = _t119;
        						 *_t237 = 0;
        						_v128 = _t211;
        						_t237[1] = E00402810(_t262) +  *((intOrPtr*)(_t214 + 0xc));
        						_t228 = VirtualQuery;
        						_v148 =  &_v88;
        						_v144 = 0x1c;
        						 *_t250 =  *( *0x447054 + _v128 + 4);
        						_t154 = VirtualQuery(??, ??, ??);
        						_t250 = _t250 - 0xc;
        						_t196 = _v128;
        						if(_t154 == 0) {
        							_v144 =  *((intOrPtr*)( *0x447054 + _t196 + 4));
        							 *_t250 = "  VirtualQuery failed for %d bytes at address %p";
        							_v148 =  *((intOrPtr*)(_t214 + 8));
        							E004020D0(_t182, _t190, _t196, _t214, VirtualQuery);
        							goto L24;
        						} else {
        							_t159 = _v68;
        							if(_t159 != 4) {
        								__eflags = _t159 - 0x40;
        								if(_t159 == 0x40) {
        									goto L9;
        								} else {
        									_t196 = _t196 +  *0x447054;
        									_v144 = 0x40;
        									_v148 = _v76;
        									_v140 = _t196;
        									 *_t250 = _v88;
        									_t176 = VirtualProtect(??, ??, ??, ??);
        									_t250 = _t250 - 0x10;
        									__eflags = _t176;
        									if(_t176 != 0) {
        										goto L9;
        									} else {
        										_t177 = GetLastError();
        										 *_t250 = "  VirtualProtect failed with code 0x%x";
        										_v148 = _t177;
        										E004020D0(_t182, _t190, _t196, _t214, VirtualQuery);
        										goto L22;
        									}
        								}
        							} else {
        								L9:
        								 *0x447058 =  *0x447058 + 1;
        								goto L10;
        							}
        						}
        					}
        				}
        				L71:
        			}

        0x004020d0
        0x004020d0
        0x004020d1
        0x004020d9
        0x004020e1
        0x004020e5
        0x004020ed
        0x004020f7
        0x004020fb
        0x00402104
        0x00402108
        0x00402114
        0x00402117
        0x0040211c
        0x00402131
        0x00402133
        0x00402134
        0x00402135
        0x00402136
        0x00402138
        0x0040213b
        0x00402141
        0x00402147
        0x00402312
        0x00402312
        0x00000000
        0x0040214d
        0x0040214d
        0x00402152
        0x00402154
        0x00402154
        0x00402159
        0x00000000
        0x0040215b
        0x0040215b
        0x00402163
        0x00402240
        0x004021f6
        0x004021fa
        0x00402202
        0x00402206
        0x00402209
        0x0040220b
        0x00402210
        0x00402349
        0x00402349
        0x0040234d
        0x00402355
        0x0040235c
        0x00402370
        0x00402373
        0x00402374
        0x00402375
        0x00402376
        0x00402379
        0x0040237e
        0x00402380
        0x00402390
        0x004023ac
        0x004023b1
        0x004023bb
        0x004023c4
        0x004023ce
        0x004023d3
        0x004023d6
        0x00000000
        0x004023d8
        0x004023d8
        0x004023db
        0x004023e0
        0x004024d0
        0x004024d0
        0x004024d2
        0x004024d4
        0x00000000
        0x004024da
        0x004024da
        0x004024da
        0x004024dd
        0x004024df
        0x00000000
        0x00000000
        0x00000000
        0x00000000
        0x004024df
        0x004023e6
        0x004023e6
        0x004023eb
        0x004023ed
        0x00402400
        0x00402400
        0x00402406
        0x00000000
        0x0040240c
        0x00402411
        0x00402411
        0x00402419
        0x0040241d
        0x0040241f
        0x00402422
        0x00402428
        0x0040242d
        0x0040242d
        0x00000000
        0x00402411
        0x004023ef
        0x004023ef
        0x004023f4
        0x004023f6
        0x004024bc
        0x004024c1
        0x004024c3
        0x004024e5
        0x004024e5
        0x004024e5
        0x004024e8
        0x004024eb
        0x00402605
        0x00402605
        0x00402609
        0x00402610
        0x0040261b
        0x0040261f
        0x00402620
        0x00402626
        0x0040262b
        0x0040262d
        0x0040262d
        0x0040262d
        0x00402630
        0x00402630
        0x00402633
        0x00402639
        0x00000000
        0x00000000
        0x0040263d
        0x00402643
        0x00402643
        0x00402646
        0x004024f1
        0x004024f1
        0x004024f4
        0x004024fa
        0x00402500
        0x00402500
        0x00402500
        0x00402509
        0x0040250b
        0x0040250b
        0x0040250e
        0x00402511
        0x00402517
        0x0040255a
        0x0040255d
        0x00402563
        0x004025c8
        0x004025ce
        0x004025ce
        0x004025d0
        0x00000000
        0x00000000
        0x00000000
        0x00000000
        0x00402519
        0x00402519
        0x0040251c
        0x0040259a
        0x0040259a
        0x0040259c
        0x00000000
        0x0040251e
        0x0040251e
        0x00402521
        0x00402523
        0x00402527
        0x0040252e
        0x00402535
        0x00402535
        0x0040253a
        0x0040253d
        0x00402543
        0x00402565
        0x00402567
        0x0040256f
        0x00402572
        0x00402575
        0x004025d3
        0x004025db
        0x00402577
        0x00402577
        0x0040257a
        0x0040259f
        0x004025a7
        0x0040257c
        0x0040257c
        0x0040257f
        0x00000000
        0x00000000
        0x0040257f
        0x0040257a
        0x00402545
        0x0040254d
        0x00402555
        0x00402581
        0x00402589
        0x00402589
        0x00402543
        0x0040251c
        0x004025ac
        0x004025af
        0x004025af
        0x00402435
        0x00402435
        0x0040243b
        0x0040243d
        0x00402443
        0x00402445
        0x00402447
        0x00402462
        0x00402467
        0x0040246b
        0x0040246d
        0x00000000
        0x0040246f
        0x0040246f
        0x00402472
        0x0040247a
        0x00402481
        0x00402484
        0x00402486
        0x00402489
        0x0040248b
        0x004025e2
        0x004025e2
        0x004025eb
        0x004025f5
        0x004025fc
        0x00402600
        0x00000000
        0x00402491
        0x00402494
        0x004024a0
        0x004024a7
        0x004024ae
        0x004024b1
        0x004024b7
        0x00000000
        0x004024b7
        0x0040248b
        0x00000000
        0x00402450
        0x00402450
        0x00402453
        0x00402456
        0x00402456
        0x00402462
        0x0040243d
        0x00000000
        0x004024fa
        0x004024c5
        0x004024c5
        0x00000000
        0x004024c5
        0x00000000
        0x00000000
        0x00000000
        0x004023f6
        0x004023ed
        0x004023e0
        0x00402382
        0x00402382
        0x00402389
        0x00402389
        0x00402216
        0x00402216
        0x0040221d
        0x00402248
        0x0040224b
        0x00000000
        0x0040224d
        0x00402251
        0x0040225b
        0x0040225f
        0x00402267
        0x0040226f
        0x00402272
        0x00402274
        0x0040227b
        0x0040227f
        0x00402282
        0x00402286
        0x0040228b
        0x0040228f
        0x00402292
        0x00000000
        0x00402294
        0x00402294
        0x00402297
        0x00000000
        0x00402299
        0x0040229d
        0x004022a1
        0x004022a9
        0x004022b1
        0x004022c0
        0x004022c0
        0x00402297
        0x00402292
        0x0040221f
        0x0040221f
        0x00402223
        0x00402227
        0x0040222a
        0x0040222e
        0x00402233
        0x0040223a
        0x0040223a
        0x0040221d
        0x00000000
        0x00000000
        0x00000000
        0x00402163
        0x00000000
        0x00402169
        0x00402169
        0x0040216c
        0x0040216f
        0x0040216f
        0x00402173
        0x00402173
        0x00402176
        0x0040217b
        0x0040217d
        0x0040217f
        0x00402339
        0x00402339
        0x0040233d
        0x00402344
        0x00000000
        0x00402185
        0x0040218e
        0x00402191
        0x00402193
        0x00402196
        0x0040219c
        0x004021ac
        0x004021b3
        0x004021b9
        0x004021c2
        0x004021ce
        0x004021d1
        0x004021d3
        0x004021d8
        0x004021dc
        0x00402322
        0x00402329
        0x00402330
        0x00402334
        0x00000000
        0x004021e2
        0x004021e2
        0x004021e9
        0x004022c1
        0x004022c4
        0x00000000
        0x004022ca
        0x004022ce
        0x004022d4
        0x004022dc
        0x004022e4
        0x004022e8
        0x004022eb
        0x004022f1
        0x004022f4
        0x004022f6
        0x00000000
        0x004022fc
        0x004022fc
        0x00402302
        0x00402309
        0x0040230d
        0x00000000
        0x0040230d
        0x004022f6
        0x004021ef
        0x004021ef
        0x004021ef
        0x00000000
        0x004021ef
        0x004021e9
        0x004021dc
        0x0040217f
        0x00000000

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: QueryVirtual$abortfwritememcpyvfprintf
        • String ID: @
        • API String ID: 3828011698-2766056989
        • Opcode ID: 93006dcd21ba69e671770125f9119b73fbb8d255dfd776e40f17d5aa7b61a50d
        • Instruction ID: aca6899d8914c0cf2448bce2c6322e4ffc347bd34cb22077acd01095762b5043
        • Opcode Fuzzy Hash: 93006dcd21ba69e671770125f9119b73fbb8d255dfd776e40f17d5aa7b61a50d
        • Instruction Fuzzy Hash: DB712EB59093019FD700EF69D68851BFBE0FF85344F11896EE988A7391D7B8D844CB8A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        (graph image not reproduced; legend: Executed / Not Executed; API calls shown on the graph: VirtualQuery, VirtualProtect)
        C-Code - Quality: 56%
        			E00402370(void* __ebx, signed int __edi, void* __esi) {
        				void* _v16;
        				char _v32;
        				signed int _v36;
        				signed int _v52;
        				void* _v61;
        				char* _v64;
        				char* _v80;
        				signed int _v84;
        				char** _v88;
        				int _t50;
        				void* _t55;
        				long _t63;
        				char** _t67;
        				signed int _t80;
        				void* _t81;
        				void* _t82;
        				char* _t85;
        				char _t91;
        				intOrPtr* _t94;
        				signed int _t95;
        				signed int _t102;
        				signed int _t105;
        				intOrPtr _t115;
        				void* _t120;
        				void* _t121;
        				char** _t122;
        
        				_t103 = __edi;
        				_push(__edi);
        				_push(__esi);
        				_push(__ebx);
        				_t121 = _t120 - 0x4c;
        				_t50 =  *0x447050;
        				if(_t50 == 0) {
        					 *0x447050 = 1;
        					_t55 = E00402E30(0x0000001e + (E00402770(__eflags) + _t51 * 0x00000002) * 0x00000004 & 0xfffffff0);
        					 *0x447058 = 0;
        					_t122 = _t121 - _t55;
        					 *0x447054 =  &_v61 & 0xfffffff0;
        					_t50 = 0;
        					__eflags = 0x446324 - 7;
        					if(0x446324 <= 7) {
        						goto L1;
        					} else {
        						__eflags = 0x446324 - 0xb;
        						_t80 = 0x446324;
        						if(0x446324 <= 0xb) {
        							L18:
        							_t103 =  *_t80;
        							__eflags =  *_t80;
        							if( *_t80 != 0) {
        								goto L7;
        							} else {
        								_t21 = _t80 + 4; // 0x0
        								_t114 =  *_t21;
        								__eflags =  *_t21;
        								if( *_t21 != 0) {
        									goto L7;
        								} else {
        									goto L20;
        								}
        							}
        						} else {
        							_t50 =  *0x446324; // 0x0
        							__eflags = _t50;
        							if(_t50 != 0) {
        								L7:
        								__eflags = _t80 - 0x446324;
        								if(_t80 >= 0x446324) {
        									goto L1;
        								} else {
        									do {
        										_t7 = _t80 + 4; // 0x0
        										_t91 =  *((intOrPtr*)( *_t7 + 0x400000)) +  *_t80;
        										_t80 = _t80 + 8;
        										_v32 = _t91;
        										_t50 = E00402130( *_t7 + 0x400000, _t80, 4,  &_v32, _t103, 0x400000);
        										__eflags = _t80 - 0x446324;
        									} while (_t80 < 0x446324);
        									goto L10;
        								}
        							} else {
        								_t50 =  *0x446328; // 0x0
        								__eflags = _t50;
        								if(_t50 == 0) {
        									_t50 =  *0x44632c; // 0x0
        									__eflags = _t50;
        									if(_t50 != 0) {
        										L20:
        										_t22 = _t80 + 8; // 0x0
        										_t67 =  *_t22;
        										__eflags = _t67 - 1;
        										if(_t67 != 1) {
        											L40:
        											_v88 = _t67;
        											 *_t122 = "  Unknown pseudo relocation protocol version %d.\n";
        											E004020D0(_t80, _t83, _t89, _t103, _t114);
        											0;
        											0;
        											_t94 = _v88;
        											__eflags =  *_t94 - 0x5a4d;
        											if( *_t94 != 0x5a4d) {
        												L42:
        												asm("repe ret");
        											}
        											_t46 = _t94 + 0x3c; // 0x40003ca1
        											_t94 = _t94 +  *_t46;
        											__eflags =  *_t94 - 0x4550;
        											if( *_t94 != 0x4550) {
        												goto L42;
        											}
        											__eflags =  *((short*)(_t94 + 0x18)) - 0x10b;
        											_t49 =  *((short*)(_t94 + 0x18)) == 0x10b;
        											__eflags = _t49;
        											return 0 | _t49;
        										} else {
        											_t82 = _t80 + 0xc;
        											__eflags = _t82 - 0x446324;
        											if(_t82 < 0x446324) {
        												do {
        													_t23 = _t82 + 8; // 0x0
        													_t95 =  *_t23 & 0x000000ff;
        													_t85 =  *_t82;
        													_t24 = _t82 + 4; // 0x0
        													_t50 = 0x400000 +  *_t24;
        													__eflags = _t95 - 0x10;
        													_t115 =  *((intOrPtr*)(_t85 + 0x400000));
        													if(_t95 == 0x10) {
        														_t105 =  *0x400000 & 0x0000ffff;
        														__eflags = _t105 & 0x00008000;
        														if((_t105 & 0x00008000) != 0) {
        															_t103 = (_t105 | 0xffff0000) - _t85 - 0x400000;
        															_t116 = _t115 + (_t105 | 0xffff0000) - _t85 - 0x400000;
        															__eflags = _t116;
        															_v36 = _t116;
        															goto L38;
        														} else {
        															goto L29;
        														}
        													} else {
        														__eflags = _t95 - 0x20;
        														if(_t95 == 0x20) {
        															_t102 =  *0x400000 - _t85 - 0x400000 + _t115;
        															__eflags = _t102;
        															_v36 = _t102;
        															goto L34;
        														} else {
        															__eflags = _t95 - 8;
        															if(_t95 != 8) {
        																_v88 = _t95;
        																 *_t122 = "  Unknown pseudo relocation bit size %d.\n";
        																_v36 = 0;
        																_t50 = E004020D0(_t82, _t85, _t95, _t103, _t115);
        															}
        															_t105 =  *_t50 & 0x000000ff;
        															__eflags = _t105 & 0x00000080;
        															if((_t105 & 0x00000080) == 0) {
        																L29:
        																_t103 = _t105 - _t85 - 0x400000;
        																_t116 = _t115 + _t105 - _t85 - 0x400000;
        																__eflags = _t95 - 0x10;
        																_v36 = _t115 + _t105 - _t85 - 0x400000;
        																if(_t95 == 0x10) {
        																	L38:
        																	_t50 = E00402130(_t50, _t82, 2,  &_v36, _t103, _t116);
        																} else {
        																	__eflags = _t95 - 0x20;
        																	if(_t95 == 0x20) {
        																		L34:
        																		_t50 = E00402130(_t50, _t82, 4,  &_v36, _t103, _t116);
        																	} else {
        																		__eflags = _t95 - 8;
        																		if(_t95 == 8) {
        																			goto L32;
        																		}
        																	}
        																}
        															} else {
        																_t103 = (_t105 | 0xffffff00) - _t85 - 0x400000;
        																_t116 = _t115 + (_t105 | 0xffffff00) - _t85 - 0x400000;
        																_v36 = _t115 + (_t105 | 0xffffff00) - _t85 - 0x400000;
        																L32:
        																_t50 = E00402130(_t50, _t82, 1,  &_v36, _t103, _t116);
        															}
        														}
        													}
        													_t82 = _t82 + 0xc;
        													__eflags = _t82 - 0x446324;
        												} while (_t82 < 0x446324);
        												L10:
        												_t83 =  *0x447058;
        												__eflags =  *0x447058;
        												if( *0x447058 > 0) {
        													_t81 = 0;
        													_t114 = 0;
        													_t103 = VirtualQuery;
        													do {
        														_t50 =  *0x447054 + _t81;
        														__eflags =  *_t50;
        														if( *_t50 == 0) {
        															goto L12;
        														} else {
        															_t89 =  &_v64;
        															_v84 = 0x1c;
        															_v88 =  &_v64;
        															 *_t122 =  *(_t50 + 4);
        															_t63 = VirtualQuery(??, ??, ??);
        															_t122 = _t122 - 0xc;
        															__eflags = _t63;
        															if(_t63 == 0) {
        																_t80 = _t81 +  *0x447054;
        																__eflags = _t80;
        																_v84 =  *(_t80 + 4);
        																 *_t122 = "  VirtualQuery failed for %d bytes at address %p";
        																_v88 =  *((intOrPtr*)( *(_t80 + 8) + 8));
        																_t67 = E004020D0(_t80, _t83,  &_v64, _t103, _t114);
        																goto L40;
        															} else {
        																_v80 =  &_v32;
        																_v84 =  *( *0x447054 + _t81);
        																_v88 = _v52;
        																 *_t122 = _v64;
        																_t50 = VirtualProtect(??, ??, ??, ??);
        																_t122 = _t122 - 0x10;
        																goto L12;
        															}
        														}
        														goto L45;
        														L12:
        														_t114 = _t114 + 1;
        														_t81 = _t81 + 0xc;
        														__eflags = _t114 -  *0x447058;
        													} while (_t114 <  *0x447058);
        												}
        											}
        											goto L1;
        										}
        									} else {
        										_t80 = 0x446330;
        										goto L18;
        									}
        								} else {
        									goto L7;
        								}
        							}
        						}
        					}
        				} else {
        					L1:
        					return _t50;
        				}
        				L45:
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: Virtual$ProtectQuery
        • String ID: $cD$$cD$$cD$$cD$$cD$$cD$0cD
        • API String ID: 1027372294-123262353
        • Opcode ID: 422152fc3e2ab2d39da954a347a7a2ad36ea1e08fe0062b0fe507bfb3673c2e6
        • Instruction ID: 59a3b36286f1a3366d46ed1ab76a93ddc316b4582b38701594b4db6fa2c03e34
        • Opcode Fuzzy Hash: 422152fc3e2ab2d39da954a347a7a2ad36ea1e08fe0062b0fe507bfb3673c2e6
        • Instruction Fuzzy Hash: 76618F759012109BDB10DF28DE8875AB7E1BB86304F05853BDC48AB3D9D7BC98458B9A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        (graph image not reproduced; legend: Executed / Not Executed; API calls shown on the graph: GetCurrentProcess, GetEnvironmentVariableA, _snprintf, CreateProcessA)
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: Process$CreateCurrentEnvironmentVariable_snprintf
        • String ID: D$K`D
        • API String ID: 3047511472-746765810
        • Opcode ID: 5c77ac82240fef1a811d18193f32444bcb938975824a7bfa1f90382f051c0384
        • Instruction ID: 087531ef9b2ac5c7c348af1f11106e8387f3d0ce3da55d58f29aeccee2579a31
        • Opcode Fuzzy Hash: 5c77ac82240fef1a811d18193f32444bcb938975824a7bfa1f90382f051c0384
        • Instruction Fuzzy Hash: 073114B49083059FEB00DF55C88438EFBF4BF89314F00882EE98867260C7B99949CF86
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        (graph image not reproduced; legend: Executed / Not Executed; API calls shown on the graph: signal)
        C-Code - Quality: 60%
        			E00401E70(intOrPtr* _a4) {
        				intOrPtr _v16;
        				intOrPtr _v40;
        				intOrPtr* _t20;
        				intOrPtr _t21;
        				void* _t23;
        				intOrPtr* _t24;
        
        				_t24 = _t23 - 0x24;
        				_t20 = _a4;
        				_t12 =  *((intOrPtr*)( *_t20));
        				if(_t12 > 0xc0000091) {
        					if(_t12 == 0xc0000094) {
        						_t21 = 0;
        						goto L3;
        					} else {
        						if(_t12 == 0xc0000096) {
        							goto L14;
        						} else {
        							if(_t12 == 0xc0000093) {
        								goto L2;
        							} else {
        								goto L10;
        							}
        							goto L6;
        						}
        					}
        				} else {
        					if(_t12 < 0xc000008d) {
        						if(_t12 == 0xc0000005) {
        							_v40 = 0;
        							 *_t24 = 0xb;
        							L00402F08();
        							if(_t12 == 1) {
        								_v40 = 1;
        								 *_t24 = 0xb;
        								L00402F08();
        								_t13 = 0xffffffff;
        								goto L6;
        							} else {
        								if(_t12 == 0) {
        									goto L10;
        								} else {
        									 *_t24 = 0xb;
        									 *_t12();
        									return 0xffffffff;
        								}
        							}
        						} else {
        							if(_t12 != 0xc000001d) {
        								goto L10;
        							} else {
        								L14:
        								_v40 = 0;
        								 *_t24 = 4;
        								L00402F08();
        								if(_t12 == 1) {
        									_v40 = 1;
        									 *_t24 = 4;
        									L00402F08();
        									_t13 = 0xffffffff;
        									goto L6;
        								} else {
        									if(_t12 == 0) {
        										goto L10;
        									} else {
        										 *_t24 = 4;
        										 *_t12();
        										return 0xffffffff;
        									}
        								}
        							}
        						}
        					} else {
        						L2:
        						_t21 = 1;
        						L3:
        						_v40 = 0;
        						 *_t24 = 8;
        						L00402F08();
        						if(_t12 == 1) {
        							_v40 = 1;
        							 *_t24 = 8;
        							L00402F08();
        							_t13 = 0xffffffff;
        							if(_t21 != 0) {
        								_v16 = 0xffffffff;
        								E004029E0(0xffffffff);
        								_t13 = _v16;
        							}
        						} else {
        							if(_t12 == 0) {
        								L10:
        								_t12 =  *0x447048;
        								if( *0x447048 != 0) {
        									_a4 = _t20;
        									_t24 = _t24 + 0x24;
        									_pop(_t20);
        									goto __eax;
        								}
        								_t13 = 0;
        							} else {
        								 *_t24 = 8;
        								 *_t12();
        								_t13 = 0xffffffff;
        							}
        						}
        						L6:
        						return _t13;
        					}
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: signal
        • String ID:
        • API String ID: 1946981877-0
        • Opcode ID: 076b012b2faaf7d41d1354c41d59a44ea62ea59492cc7a2cfa72c3417747e349
        • Instruction ID: 2b2fb4f13665067853871a3c03d2f8b32264b4cd48bfad70ab7f7010fc096591
        • Opcode Fuzzy Hash: 076b012b2faaf7d41d1354c41d59a44ea62ea59492cc7a2cfa72c3417747e349
        • Instruction Fuzzy Hash: D5315EB01082014AE7206B29C98475FB6E0AB45368F154B2FE995EB3E0C7BDCCC5D79B
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: __dllonexit_lock_onexit_unlock
        • String ID:
        • API String ID: 209411981-0
        • Opcode ID: cf349437953ce9cdd134685e6851c31f3945208db190d0b57b8a3c9b102cd484
        • Instruction ID: 4b24e0666d8a981386b584918515edc42c1a0f03ce8811935d4aa7e4e0574d64
        • Opcode Fuzzy Hash: cf349437953ce9cdd134685e6851c31f3945208db190d0b57b8a3c9b102cd484
        • Instruction Fuzzy Hash: 621172B49097018FC740EF79D8C551EBBE0BF49344F01493EF884973A2E73894899B86
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        (graph image not reproduced; legend: Executed / Not Executed; API calls shown on the graph: fprintf)
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: fprintf
        • String ID: Unknown error$`D
        • API String ID: 383729395-998694637
        • Opcode ID: a542f8e637eb038261be9fc26c95231f0cfb0aebd209d1a3285dd9a3ee82d83b
        • Instruction ID: 93609a3b73cc5ea9c3ab2400caaf39e172db4372100d30da72a34851d659c7de
        • Opcode Fuzzy Hash: a542f8e637eb038261be9fc26c95231f0cfb0aebd209d1a3285dd9a3ee82d83b
        • Instruction Fuzzy Hash: EDF0B274504641CFD304EF14E58881ABBF0FF86340F9289ADE4C99B265DB39C869CB4A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: .`D
        • API String ID: 1646373207-3655228630
        • Opcode ID: e241faeb086b053b208bcc9d9b737853b83041cba54b70f1211e6f0c21b8d89e
        • Instruction ID: 8eb024b395edb4ef39273b17c3dc8f3d536cf5df9895abdfe00a761acd926680
        • Opcode Fuzzy Hash: e241faeb086b053b208bcc9d9b737853b83041cba54b70f1211e6f0c21b8d89e
        • Instruction Fuzzy Hash: 30E0927960060147D7003B38BC0931FBEF4AB82340F81803ED8829B298EB78C806875B
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: CriticalSection$EnterLeavefree
        • String ID:
        • API String ID: 4020351045-0
        • Opcode ID: 413271a70fe2c7e956ee13f682ff4c8723aa91665ba9eea7cd34297265814eea
        • Instruction ID: 9dfb8d21f1abe8795451ee7139cbe699519cf24ac4fb659c4a1455ff3da6f2ba
        • Opcode Fuzzy Hash: 413271a70fe2c7e956ee13f682ff4c8723aa91665ba9eea7cd34297265814eea
        • Instruction Fuzzy Hash: 600184B56041018FD700BF68D98851A7BE1BF41300B54857EDC45DB3D4EB78DC56EB8A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.296313654.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296324809.0000000000403000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296367475.0000000000446000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.296373209.0000000000448000.00000004.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_8082-svc-x86.jbxd
        Yara matches
        Similarity
        • API ID: CriticalSection$EnterErrorLastLeaveValue
        • String ID:
        • API String ID: 682475483-0
        • Opcode ID: 7ffc1652a8f2265f8ba8a3877f0410817557b8bfda5811aed64e1766aed2b3d6
        • Instruction ID: d78717e8fd3e07e7b432b704acdbb9c6a55efd9aec4dfce1a3bc20b46d10a8eb
        • Opcode Fuzzy Hash: 7ffc1652a8f2265f8ba8a3877f0410817557b8bfda5811aed64e1766aed2b3d6
        • Instruction Fuzzy Hash: 90F028B69047008FE7107F78E9C841F7FA4EE11340B05047ECD445B358DB74A80ACBAA
        Uniqueness

        Uniqueness Score: -1.00%