Edit tour

Windows Analysis Report
8082-svc-x64.exe

Overview

General Information

Sample Name:	8082-svc-x64.exe
Analysis ID:	780212
MD5:	89be3be20ca0dce73c12a5a015bcb9a5
SHA1:	4f92b6f168ee8536278fa58a6df5c9b368421030
SHA256:	37e828da01820aad58414d0b73c935a0e408c274cdd872cbbae25f9cbcba0b08
Tags:	45139105143exeopendir
Infos:

Detection

CobaltStrike

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected CobaltStrike

Multi AV Scanner detection for submitted file

Found API chain indicative of debugger detection

Machine Learning detection for sample

Yara signature match

Found large amount of non-executed APIs

Program does not show much activity (idle)

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

8082-svc-x64.exe (PID: 6108 cmdline: C:\Users\user\Desktop\8082-svc-x64.exe MD5: 89BE3BE20CA0DCE73C12A5A015BCB9A5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
8082-svc-x64.exe	CobaltStrike_Resources_Artifact64_v3_14_to_v4_x	Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x	gssincla@google.com	0xd75:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ... 0x44e50:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server
8082-svc-x64.exe	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8082-svc-x64.exe.400000.0.unpack	CobaltStrike_Resources_Artifact64_v3_14_to_v4_x	Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x	gssincla@google.com	0xd75:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ... 0x44e50:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server
0.2.8082-svc-x64.exe.400000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.0.8082-svc-x64.exe.400000.0.unpack	CobaltStrike_Resources_Artifact64_v3_14_to_v4_x	Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x	gssincla@google.com	0xd75:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ... 0x44e50:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server
0.0.8082-svc-x64.exe.400000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8082-svc-x64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\8082-svc-x64.exe

Code function: 0_2_00403390 StartServiceCtrlDispatcherA,

0_2_00403390

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/0@0/0

Source: 8082-svc-x64.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\8082-svc-x64.exe

Code function: 0_2_00403390 StartServiceCtrlDispatcherA,

0_2_00403390

Source: C:\Users\user\Desktop\8082-svc-x64.exe

API coverage: 7.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\8082-svc-x64.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-803

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\8082-svc-x64.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,		0_2_00401180
Source: C:\Users\user\Desktop\8082-svc-x64.exe	Code function: 0_2_00402DD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		0_2_00402DD0

Source: C:\Users\user\Desktop\8082-svc-x64.exe

Code function: 0_2_00402D00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00402D00

Source: C:\Users\user\Desktop\8082-svc-x64.exe

Code function: 0_2_00401790 CreateNamedPipeA,ConnectNamedPipe,WriteFile,WriteFile,CloseHandle,

0_2_00401790

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 8082-svc-x64.exe, type: SAMPLE
Source: Yara match	File source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Service Execution	3 Windows Service	3 Windows Service	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8082-svc-x64.exe	80%	ReversingLabs	Win64.Backdoor.CobaltStrike
8082-svc-x64.exe	68%	Virustotal		Browse
8082-svc-x64.exe	100%	Avira	HEUR/AGEN.1202022
8082-svc-x64.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	780212
Start date and time:	2023-01-08 16:08:04 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	8082-svc-x64.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.8% (good quality ratio 59.2%) Quality average: 48% Quality standard deviation: 42.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.355879244825435
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	8082-svc-x64.exe
File size:	289280
MD5:	89be3be20ca0dce73c12a5a015bcb9a5
SHA1:	4f92b6f168ee8536278fa58a6df5c9b368421030
SHA256:	37e828da01820aad58414d0b73c935a0e408c274cdd872cbbae25f9cbcba0b08
SHA512:	d8490691ad53b026586dad57bb8bc59c8c3c7c9433305d317ad9aa203d9998b4fcf0e514cc562285565a1763dca7f96cfc0c62336a98cea62026dc114908b8a7
SSDEEP:	6144:6p2TnO+/tCo4wsn5PO/ziUZmUhS6b2m+7HUDnivKMpurzC37gmdqDqq7rvxAiS7Y:6onVGia9dqD5uO6lW
TLSH:	4654BF0AE855E917CB4DE07857630F7A27FB9FFEC42519A6313944236F9BA3B98C5200
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......^........../......$...B................@.....................................:......... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4014b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x5EDED518 [Tue Jun 9 00:17:28 2020 UTC]
TLS Callbacks:	0x401af0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bed5688a4a2b5ea6984115b458755e90

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
mov dword ptr [00048BB2h], 00000001h
call 00007FF6849E9B02h
call 00007FF6849E7F7Dh
nop
nop
dec eax
add esp, 28h
ret
nop
dec eax
sub esp, 28h
mov dword ptr [00048B92h], 00000000h
call 00007FF6849E9AE2h
call 00007FF6849E7F5Dh
nop
nop
dec eax
add esp, 28h
ret
nop
dec eax
sub esp, 18h
mov eax, dword ptr [00002B12h]
test eax, eax
jle 00007FF6849E82EAh
cmp dword ptr [00002B0Bh], 00000000h
jle 00007FF6849E82E1h
dec eax
mov edx, dword ptr [00049E42h]
dec eax
cwde
dec eax
mov dword ptr [ecx+eax], edx
dec eax
arpl word ptr [00002AF5h], ax
dec eax
mov edx, dword ptr [00049E36h]
dec eax
mov dword ptr [ecx+eax], edx
dec eax
add esp, 18h
ret
push ebx
dec eax
sub esp, 00000500h
dec eax
mov ebx, dword ptr [edx+08h]
mov dword ptr [esp+60h], 00100002h
dec esp
mov dword ptr [esp+28h], eax
dec eax
lea edx, dword ptr [esp+30h]
dec eax
mov ecx, ebx
call dword ptr [00049E1Eh]
test eax, eax
dec esp
mov eax, dword ptr [esp+28h]
je 00007FF6849E82E6h
dec esp
mov dword ptr [esp+000000B0h], eax
dec eax
lea edx, dword ptr [esp+30h]
dec eax
mov ecx, ebx
call dword ptr [00049E5Fh]
test eax, eax
je 00007FF6849E82CCh
dec eax
mov ecx, ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b000	0xb74	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x48000	0x2ac	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4d000	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b2c0	0x270	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2400	0x2400	False	0.5936414930555556	data	6.129764070813093	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x42490	0x42600	False	0.6019781367702448	data	7.3657766804633775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x47000	0x310	0x400	False	0.4541015625	data	4.1965610649629825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x48000	0x2ac	0x400	False	0.3740234375	data	3.1610117624320244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x49000	0x268	0x400	False	0.2587890625	data	2.847508632820401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x4a000	0xa60	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x4b000	0xb74	0xc00	False	0.3372395833333333	data	4.3479190304641575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x4c000	0x68	0x200	False	0.0703125	data	0.2694448386073115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x4d000	0x48	0x200	False	0.052734375	data	0.21776995545804623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ADVAPI32.dll	RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA
KERNEL32.dll	CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateProcessA, CreateThread, DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableA, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, ReadFile, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetThreadContext, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAllocEx, VirtualProtect, VirtualProtectEx, VirtualQuery, WriteFile, WriteProcessMemory
msvcrt.dll	__C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _lock, _onexit, _snprintf, _unlock, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 8082-svc-x64.exePID: 6108, Parent PID: 3528

General

Target ID:	0
Start time:	16:08:59
Start date:	08/01/2023
Path:	C:\Users\user\Desktop\8082-svc-x64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\8082-svc-x64.exe
Imagebase:	0x400000
File size:	289280 bytes
MD5 hash:	89BE3BE20CA0DCE73C12A5A015BCB9A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 8082-svc-x64.exePID: 6108, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.1%
Total number of Nodes:	256
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401180 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 187
sleeplibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00401180(void* __ebx, void* __edi, void* __ebp, void* __esp, void* __rbx, signed int __rcx, void* __rdi, void* __rsi, void* __rbp, void* __r8, void* __r9, void* __r12) {
				signed short _v100;
				signed int _v104;
				char _v152;
				_Unknown_base(*)()* _t29;
				intOrPtr _t34;
				void* _t36;
				signed int _t40;
				void* _t43;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				void* _t57;
				signed int _t58;
				signed int _t59;
				void* _t61;
				void* _t63;
				intOrPtr _t80;
				signed long long _t81;
				void* _t84;
				signed long long _t86;
				signed int _t88;
				signed long long _t92;
				signed int _t96;
				long long _t97;
				void* _t103;
				signed long long _t104;
				signed long long _t107;
				void* _t114;
				intOrPtr _t115;
				void* _t117;

				_t118 = __r12;
				_t117 = __r9;
				_t114 = __r8;
				_t103 = __rsi;
				_t88 = __rcx;
				_t61 = __ebp;
				_t43 = __ebx;
				_push(__r12);
				_push(__rbp);
				_push(__rdi);
				_push(__rsi);
				_push(__rbx);
				r11d =  *0x44a070;
				_t96 =  &_v152;
				_t101 = _t96;
				memset(__edi, 0, 0xd << 0);
				_t63 = __esp + 0xc;
				_t57 = __edi + 0xd;
				if(r11d != 0) {
					_t88 = _t96;
					GetStartupInfoA(??);
				}
				_t80 =  *[gs:0x30];
				_t86 =  *((intOrPtr*)(_t80 + 8));
				asm("lock dec eax");
				_t59 = 0;
				if(_t80 == 0) {
					L7:
					if( *0x44aa30 == 1) {
						goto L38;
					} else {
						goto L8;
					}
				} else {
					sil = 1;
					if(_t86 != _t80) {
						_t101 = Sleep;
						while(1) {
							Sleep();
							_t84 = _t103;
							asm("lock dec eax");
							if(_t84 == 0) {
								break;
							}
							__eflags = _t86 - _t84;
							if(_t86 == _t84) {
								_t59 = 1;
								__eflags =  *0x44aa30 - 1;
								if( *0x44aa30 != 1) {
									L8:
									if( *0x44aa30 == 0) {
										_t96 = 0x44c030;
										_t88 = 0x44c018;
										 *0x44aa30 = 1;
										L00403180();
									} else {
										 *0x44a000 = 1;
									}
									_t24 =  *0x44aa30;
									if( *0x44aa30 == 1) {
										goto L40;
									}
								} else {
									L38:
									L00403178();
									_t24 =  *0x44aa30;
									__eflags =  *0x44aa30 - 1;
									if( *0x44aa30 == 1) {
										L40:
										_t96 = 0x44c010;
										_t88 = 0x44c000;
										L00403180();
										 *0x44aa30 = 2;
									}
								}
								goto L11;
								L32:
								 *((long long*)(_t107 + _t81)) = 0;
								 *0x44a008 = _t107;
								E00402CE0(_t86, _t97, _t104);
								 *__imp____initenv =  *0x44a010;
								_t115 =  *0x44a010;
								_t34 = E00403390(_t58, _t63, __eflags, _t92); // executed
								r9d =  *0x44a01c;
								 *0x44a018 = _t34;
								__eflags = r9d;
								if(r9d == 0) {
									L00403188(); // executed
									asm("o16 nop [eax+eax]");
									 *0x44a070 = 1;
									E00402D00(_t34); // executed
									_t36 = E00401180(_t43, _t58, _t61, _t63, _t86, _t92, _t101, _t104, _t107, _t115, _t117, _t118); // executed
									return _t36;
								} else {
									r8d =  *0x44a000;
									__eflags = r8d;
									if(r8d == 0) {
										L00403170();
										_t34 =  *0x44a018;
									}
									return _t34;
								}
							} else {
								continue;
							}
							goto L11;
						}
						_t59 = 0;
					}
					goto L7;
				}
				L11:
				if(_t59 == 0) {
					_t24 = 0;
					asm("lock dec eax");
				}
				_t81 =  *0x446400;
				if(_t81 != 0) {
					r8d = 0;
					_t24 =  *_t81();
				}
				E00402530(_t24, _t43, _t81, _t86, _t88, _t101, _t103, _t114, _t118);
				SetUnhandledExceptionFilter(??);
				 *0x44a0a0 = _t81;
				E00402B60(E00401E10(2, _t57, _t63, 0, _t81, E00401F20, _t96), E00401F20);
				_t97 = "_set_invalid_parameter_handler";
				_t29 = GetProcAddress(??, ??);
				if(_t81 != 0) {
					_t29 =  *_t81();
				}
				E00402C30(_t29);
				r10d =  *0x44a070;
				if(r10d != 0) {
					_t50 = 0;
					_t81 =  *__imp___acmdln;
					while(1) {
						_t54 =  *_t81 & 0x000000ff;
						if(_t54 <= 0x20) {
							goto L19;
						}
						r8d = _t50;
						r8d = r8d ^ 0x00000001;
						_t50 =  ==  ? r8d : _t50;
						L21:
						_t81 = _t81 + 1;
						continue;
						L19:
						__eflags = _t54;
						if(_t54 != 0) {
							__eflags = _t50;
							if(_t50 == 0) {
								while(1) {
									_t81 = _t81 + 1;
									_t55 =  *_t81 & 0x000000ff;
									__eflags = _t55 - 0x20;
									if(_t55 > 0x20) {
										goto L26;
									}
									__eflags = _t55;
									if(_t55 != 0) {
										continue;
									}
									goto L26;
								}
							} else {
								goto L21;
							}
						}
						L26:
						__eflags = _v104 & 0x00000001;
						_t97 = 0x400000;
						 *0x44a990 = _t81;
						_t40 = 0xa;
						 *0x44a9a0 = 0x400000;
						if((_v104 & 0x00000001) != 0) {
							_t40 = _v100 & 0x0000ffff;
						}
						 *0x44a998 = _t40;
						goto L28;
					}
				}
				L28:
				_t58 =  *0x44a004;
				_t92 = _t101 + 1 << 3;
				malloc(??);
				_t107 = _t81;
				__eflags = _t58;
				_t104 =  *0x44a008;
				if(_t58 > 0) {
					_t43 = 0;
					asm("o16 nop [cs:eax+eax]");
					do {
						strlen();
						_t12 = _t81 + 1; // 0x1
						r12d = _t12;
						_t118 = r12d;
						malloc(??);
						 *(_t107 + _t86 * 8) = _t81;
						_t97 =  *((intOrPtr*)(_t104 + _t86 * 8));
						_t92 = _t81;
						_t86 = _t86 + 1;
						memcpy(??, ??, ??);
						__eflags = _t58;
					} while (_t58 > 0);
					_t101 = _t58;
					_t81 = _t58 * 8;
				}
				goto L32;
			}

0x00401180
0x00401180
0x00401180
0x00401180
0x00401180
0x00401180
0x00401180
0x00401180
0x00401182
0x00401183
0x00401184
0x00401185
0x0040118d
0x0040119b
0x004011a3
0x004011a6
0x004011a6
0x004011a6
0x004011a9
0x00401472
0x00401475
0x00401475
0x004011af
0x004011b8
0x004011be
0x004011c7
0x004011cc
0x00401204
0x0040120d
0x00000000
0x00000000
0x00000000
0x00000000
0x004011ce
0x004011d1
0x004011d4
0x004011d6
0x004011ea
0x004011ef
0x004011f1
0x004011f4
0x00401200
0x00000000
0x00000000
0x004011e1
0x004011e4
0x00401426
0x0040142b
0x0040142e
0x00401213
0x0040121b
0x00401480
0x00401487
0x0040148e
0x00401498
0x00401221
0x00401221
0x00401221
0x0040122b
0x00401234
0x00000000
0x00000000
0x00401434
0x00401434
0x00401439
0x0040143e
0x00401444
0x00401447
0x00401450
0x00401450
0x00401457
0x0040145e
0x00401463
0x00401463
0x00401447
0x00000000
0x0040138f
0x0040138f
0x00401398
0x0040139f
0x004013b8
0x004013bb
0x004013c9
0x004013ce
0x004013d5
0x004013db
0x004013de
0x004014a4
0x004014aa
0x004014b4
0x004014be
0x004014c3
0x004014ce
0x004013e4
0x004013e4
0x004013eb
0x004013ee
0x004013f0
0x004013f5
0x004013f5
0x00401408
0x00401408
0x00000000
0x00000000
0x00000000
0x00000000
0x004011e4
0x00401202
0x00401202
0x00000000
0x004011d4
0x0040123a
0x0040123c
0x0040123e
0x00401240
0x00401240
0x00401248
0x00401252
0x00401254
0x0040125e
0x0040125e
0x00401260
0x0040126c
0x00401272
0x0040127e
0x00401283
0x0040128d
0x00401296
0x0040129f
0x0040129f
0x004012a1
0x004012a6
0x004012b0
0x004012b9
0x004012bb
0x004012cc
0x004012cc
0x004012d2
0x00000000
0x00000000
0x004012d4
0x004012d7
0x004012de
0x004012c8
0x004012c8
0x00000000
0x004012c0
0x004012c0
0x004012c2
0x004012c4
0x004012c6
0x004012e8
0x004012e8
0x004012ec
0x004012ef
0x004012f2
0x00000000
0x00000000
0x004012e4
0x004012e6
0x00000000
0x00000000
0x00000000
0x004012e6
0x00000000
0x00000000
0x00000000
0x004012c6
0x004012f4
0x004012f4
0x004012f9
0x00401300
0x00401307
0x0040130c
0x00401313
0x00401410
0x00401410
0x00401319
0x00000000
0x00401319
0x004012cc
0x0040131f
0x0040131f
0x0040132b
0x0040132f
0x00401334
0x00401339
0x0040133b
0x00401342
0x00401344
0x00401346
0x00401350
0x00401354
0x00401359
0x00401359
0x0040135d
0x00401363
0x00401368
0x0040136d
0x00401374
0x00401377
0x0040137b
0x00401380
0x00401380
0x00401384
0x00401387
0x00401387
0x00000000

APIs

Sleep.KERNEL32 ref: 004011EF
SetUnhandledExceptionFilter.KERNEL32 ref: 0040126C
GetProcAddress.KERNEL32 ref: 0040128D
malloc.MSVCRT ref: 0040132F
strlen.MSVCRT ref: 00401354
malloc.MSVCRT ref: 00401363
memcpy.MSVCRT ref: 0040137B
_cexit.MSVCRT ref: 004013F0
GetStartupInfoA.KERNEL32 ref: 00401475

Strings

_set_invalid_parameter_handler, xrefs: 00401283

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: malloc$AddressExceptionFilterInfoProcSleepStartupUnhandled_cexitmemcpystrlen
String ID: _set_invalid_parameter_handler
API String ID: 2757201259-2374863361
Opcode ID: 6bca19a444dcb599eed501cc204cc1285a57f394ab86a08b83fea6ca28c91eac
Instruction ID: 3334388251c753aec3277e1e1e3555ada3c10960b61d3fd564361280445ad126
Opcode Fuzzy Hash: 6bca19a444dcb599eed501cc204cc1285a57f394ab86a08b83fea6ca28c91eac
Instruction Fuzzy Hash: 2A71BDB121164086FB24DF66E98036A23A1FB48789F84403BDE09A77B1DF3DC855C78E

Uniqueness

Uniqueness Score: -1.00%

Function 00403382 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00403382(void* __edx, void* __edi, void* __esp, void* __rax, void* __rdi) {
				void* _v32;
				long long _v36;
				long long _v44;
				void* _t21;
				void* _t31;
				void* _t33;
				void* _t37;

				_t21 = __edi;
				_t2 = __rax - 0xdda0070;
				 *_t2 =  *((intOrPtr*)(__rax - 0xdda0070)) + __edx;
				if( *_t2 <= 0) {
					 *((intOrPtr*)(__rax - 0x7cb7a870)) =  *((intOrPtr*)(__rax - 0x7cb7a870)) + __edx;
				}
				E00402CE0(_t31, _t33, _t37);
				memset(_t21, 0, 8 << 2);
				_v36 = 0x401a37;
				_v44 = "DceRpcSs";
				StartServiceCtrlDispatcherA(??); // executed
				return 0;
			}

0x00403382
0x00403385
0x00403385
0x0040338b
0x0040338d
0x00403390
0x0040339a
0x004033a6
0x004033b4
0x004033c0
0x004033c5
0x004033d2

APIs

StartServiceCtrlDispatcherA.ADVAPI32 ref: 004033C5

Strings

DceRpcSs, xrefs: 004033B9

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID: DceRpcSs
API String ID: 3789849863-292928688
Opcode ID: 558def045d8161e24f5e96737786dab97534d7856f2bd45d8542ff1325b826b9
Instruction ID: ab4b005ad07a54ae36cfd2e19f7d5d034851c5357c3a9c43dbfc4619b985bd03
Opcode Fuzzy Hash: 558def045d8161e24f5e96737786dab97534d7856f2bd45d8542ff1325b826b9
Instruction Fuzzy Hash: 98F0826270DF8196DB218724F95434A7BA0F388348F840226D3CC53764EF7CC216C704

Uniqueness

Uniqueness Score: -1.00%

Function 00403390 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00403390(void* __edi, void* __esp, void* __eflags, void* __rcx) {
				void* _v40;
				long long _v44;
				long long _v52;
				void* _t22;
				void* _t25;
				void* _t27;

				E00402CE0(_t22, _t25, _t27);
				memset(__edi, 0, 8 << 2);
				_v44 = 0x401a37;
				_v52 = "DceRpcSs";
				StartServiceCtrlDispatcherA(??); // executed
				return 0;
			}

0x0040339a
0x004033a6
0x004033b4
0x004033c0
0x004033c5
0x004033d2

APIs

StartServiceCtrlDispatcherA.ADVAPI32 ref: 004033C5

Strings

DceRpcSs, xrefs: 004033B9

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID: DceRpcSs
API String ID: 3789849863-292928688
Opcode ID: 8359b0af28ad481c956054c4096c9acb40ceac683c1f8d142bc70995b950a724
Instruction ID: fcaf18e96a372c61e70ff033227e88cbc94a734f425085a6b3f7b80b0ad731b7
Opcode Fuzzy Hash: 8359b0af28ad481c956054c4096c9acb40ceac683c1f8d142bc70995b950a724
Instruction Fuzzy Hash: 7DE04662218B8492EB608B20F90434A73E4F788388F800232D38D927B4EF7CC259CB08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402DD0 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00402DE4
RtlLookupFunctionEntry.KERNEL32 ref: 00402DFB
RtlVirtualUnwind.KERNEL32 ref: 00402E3D
SetUnhandledExceptionFilter.KERNEL32 ref: 00402E84
UnhandledExceptionFilter.KERNEL32 ref: 00402E91
GetCurrentProcess.KERNEL32 ref: 00402E97
TerminateProcess.KERNEL32 ref: 00402EA5
abort.MSVCRT ref: 00402EAB

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 3c9f7b0cbb3a5e97d00706347cbff4cee23c81c9743578c882c86815ceeaede0
Instruction ID: c244d03a489efcc9ac431e2de51b1c2ad014b87b5a9885a75f54b0b38ce00f5f
Opcode Fuzzy Hash: 3c9f7b0cbb3a5e97d00706347cbff4cee23c81c9743578c882c86815ceeaede0
Instruction Fuzzy Hash: C221EFB1251F0099FB009F62F88838937B8FB09BA8F54012AEE4E17764EF78C565C749

Uniqueness

Uniqueness Score: -1.00%

Function 00402D00 Relevance: 7.6, APIs: 5, Instructions: 53
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00402D45
GetCurrentProcessId.KERNEL32 ref: 00402D50
GetCurrentThreadId.KERNEL32 ref: 00402D58
GetTickCount.KERNEL32 ref: 00402D60
QueryPerformanceCounter.KERNEL32 ref: 00402D6D

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: fecc7836c2f8edbb03cda3874c73d18ec24d76a7d701b3421ed88593aa68e5d3
Instruction ID: 75664d232f38a149bdc014f96ab221725e5cf7ea51f5dae11f28f0bb7d324961
Opcode Fuzzy Hash: fecc7836c2f8edbb03cda3874c73d18ec24d76a7d701b3421ed88593aa68e5d3
Instruction Fuzzy Hash: BC115EA6226B1086FB515F66F9087592260F74ABB5F481639EE9D067E0DF3CC885C708

Uniqueness

Uniqueness Score: -1.00%

Function 00401790 Relevance: 6.1, APIs: 4, Instructions: 51pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 004017DB
ConnectNamedPipe.KERNEL32 ref: 004017F3
CloseHandle.KERNEL32 ref: 00401835

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: NamedPipe$CloseConnectCreateHandle
String ID:
API String ID: 2614152119-0
Opcode ID: ef9a6366ed5f962c171c155b8fd7ceca6f620fbf907e872f5f9c7595713b106f
Instruction ID: 206f06ffe5a766268793747635b52d486af52f2bb13f1d073d91c39b3656a8d0
Opcode Fuzzy Hash: ef9a6366ed5f962c171c155b8fd7ceca6f620fbf907e872f5f9c7595713b106f
Instruction Fuzzy Hash: D811E572710A4086E7209B22E80874BB7A0F784BE4F189331EE5947BE4DF7DC545CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00401588 Relevance: 4.5, APIs: 3, Instructions: 47memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 004015B5
WriteProcessMemory.KERNEL32 ref: 004015D4
VirtualProtectEx.KERNEL32 ref: 004015FF

Part of subcall function 0040152B: GetThreadContext.KERNEL32 ref: 0040154C
Part of subcall function 0040152B: SetThreadContext.KERNEL32 ref: 0040156B
Part of subcall function 0040152B: ResumeThread.KERNEL32 ref: 00401578

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: Thread$ContextVirtual$AllocMemoryProcessProtectResumeWrite
String ID:
API String ID: 2510746765-0
Opcode ID: c5f3dc5982a54dcdb75ab6b83312de3820264c33d39150086afca4a52f716843
Instruction ID: 0b1f64976b4b43bd86d7fc027b595fdf565bd9e8de0105609dff1cfeef292252
Opcode Fuzzy Hash: c5f3dc5982a54dcdb75ab6b83312de3820264c33d39150086afca4a52f716843
Instruction Fuzzy Hash: B001BCA2301B8096DA10DB52F808B9AA321F799FD4F888132EF8D17B49DF7CC249C704

Uniqueness

Uniqueness Score: -1.00%

Function 004022E0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E004022E0(intOrPtr __eax, void* __rbx, signed long long __rcx, intOrPtr __rdx, void* __rdi, void* __rsi, intOrPtr __r8, long long __r12, signed long long __r13, long long _a8, long long _a16) {
				void* _v40;
				char _v44;
				signed long long _v56;
				signed int _v60;
				void* _v80;
				intOrPtr _v84;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v132;
				void* _v144;
				char _v168;
				char _v304;
				intOrPtr _t72;
				void* _t73;
				long _t74;
				long _t75;
				int _t76;
				char _t80;
				long _t81;
				intOrPtr _t87;
				intOrPtr _t88;
				int _t93;
				signed int _t97;
				signed int _t110;
				void* _t111;
				void* _t113;
				long long _t115;
				signed int* _t124;
				signed long long _t129;
				signed int _t130;
				void* _t132;
				signed char* _t140;
				intOrPtr* _t143;
				intOrPtr _t153;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t172;
				long long _t178;
				signed int _t207;
				long long _t212;

				_t218 = __r13;
				_t212 = __r12;
				_t196 = __r8;
				_t153 = __rdx;
				_t72 = __eax;
				_push(__r13);
				_push(__r12);
				_push(_t178);
				_push(__rdi);
				_push(__rsi);
				_push(__rbx);
				_t129 = __rcx;
				_t164 = __rdx;
				_t172 = __r8;
				if(__r8 != 0) {
					_t97 =  *0x44a360;
					__eflags = _t97;
					if(__eflags <= 0) {
						goto L7;
					} else {
						_t116 =  *0x44a358;
						_t113 = 0;
						asm("o16 nop [eax+eax]");
						do {
							_t153 =  *((intOrPtr*)(_t116 + 8));
							__eflags = _t129 - _t153;
							if(_t129 < _t153) {
								goto L6;
							} else {
								_t196 =  *((intOrPtr*)(_t116 + 0x10));
								r8d =  *(_t196 + 8);
								_t153 = _t153 + _t196;
								__eflags = _t129 - _t153;
								if(_t129 < _t153) {
									L17:
									_t178 = VirtualQuery;
									L11:
									r8d = 0x30;
									_t154 =  &_v168;
									_t75 = VirtualQuery(??, ??, ??);
									__eflags = _t116;
									if(_t116 == 0) {
										L25:
										_t140 = "  VirtualQuery failed for %d bytes at address %p";
										_t198 = _t129;
										_t76 = E00402270(_t75, _t129, _t140, _t154, _t164, _t172, _t198, _t207, _t212, _t218);
										_push(_t178);
										_push(_t212);
										_push(_t164);
										_push(_t172);
										_push(_t129);
										r12d =  *0x44a350;
										__eflags = r12d;
										if(__eflags == 0) {
											 *0x44a350 = 1;
											E004029A0(__eflags);
											_t76 = E00403100(_t116);
											_t130 = 0x447310;
											 *0x44a360 = 0;
											 *0x44a358 =  &_v304;
											__eflags = 0x447310 - 7;
											if(0x447310 <= 7) {
												goto L27;
											} else {
												__eflags = 0 - 0xb;
												if(0 <= 0xb) {
													L43:
													r9d =  *_t130;
													__eflags = r9d;
													if(r9d != 0) {
														goto L32;
													} else {
														r8d =  *(_t130 + 4);
														__eflags = r8d;
														if(r8d != 0) {
															goto L32;
														} else {
															goto L45;
														}
													}
												} else {
													_t110 =  *0x447310; // 0x0
													__eflags = _t110;
													if(_t110 != 0) {
														L32:
														__eflags = _t130 - 0x447310;
														if(_t130 >= 0x447310) {
															goto L27;
														} else {
															do {
																r8d = 4;
																_t140 =  &(_t140[0x400000]);
																_t80 =  *_t140 +  *_t130;
																_t130 = _t130 + 8;
																_v44 = _t80;
																_t76 = E004022E0(_t80, _t130, _t140,  &_v44, 0x400000, 0x447310, _t198, _t212, _t218);
																__eflags = _t130 - 0x447310;
															} while (_t130 < 0x447310);
															goto L35;
														}
													} else {
														r11d =  *0x447314; // 0x0
														__eflags = r11d;
														if(r11d == 0) {
															r10d =  *0x447318; // 0x0
															__eflags = r10d;
															if(r10d != 0) {
																L45:
																__eflags =  *(_t130 + 8) - 1;
																if( *(_t130 + 8) != 1) {
																	L74:
																	_t143 = "  Unknown pseudo relocation protocol version %d.\n";
																	E00402270(_t76, _t130, _t143, _t154, _t164, 0x447310, _t198, _t207, _t212, _t218);
																	0;
																	0;
																	__eflags =  *_t143 - 0x5a4d;
																	if( *_t143 != 0x5a4d) {
																		L76:
																		asm("repe ret");
																	}
																	_t143 = _t143 +  *((intOrPtr*)(_t143 + 0x3c));
																	__eflags =  *_t143 - 0x4550;
																	if( *_t143 != 0x4550) {
																		goto L76;
																	}
																	__eflags =  *((short*)(_t143 + 0x18)) - 0x20b;
																	_t71 =  *((short*)(_t143 + 0x18)) == 0x20b;
																	__eflags = _t71;
																	return 0 | _t71;
																} else {
																	_t132 = _t130 + 0xc;
																	__eflags = _t132 - 0x447310;
																	if(_t132 < 0x447310) {
																		do {
																			r8d =  *(_t132 + 8);
																			_t76 = r8b & 0xffffffff;
																			_t154 = _t154 + 0x400000;
																			_t140 =  &(_t140[0x400000]);
																			__eflags = _t76 - 0x10;
																			_t207 =  *_t154;
																			if(__eflags == 0) {
																				r8d =  *_t140 & 0x0000ffff;
																				__eflags = r8d & 0x00008000;
																				if((r8d & 0x00008000) == 0) {
																					goto L61;
																				} else {
																					_t198 = (_t198 | 0xffff0000) - _t154 + _t207;
																					__eflags = _t198;
																					_v56 = _t198;
																					goto L60;
																				}
																			} else {
																				if(__eflags > 0) {
																					L52:
																					__eflags = _t76 - 0x20;
																					if(_t76 == 0x20) {
																						r8d =  *_t140;
																						__eflags = r8d & 0x80000000;
																						if((r8d & 0x80000000) == 0) {
																							goto L61;
																						} else {
																							_t198 = (_t198 | 0x00000000) - _t154 + _t207;
																							__eflags = _t198;
																							_v56 = _t198;
																							goto L67;
																						}
																					} else {
																						__eflags = _t76 - 0x40;
																						if(_t76 != 0x40) {
																							goto L51;
																						} else {
																							_t207 = _t207 - _t154 +  *_t140;
																							__eflags = _t207;
																							_v56 = _t207;
																							goto L55;
																						}
																					}
																				} else {
																					__eflags = _t76 - 8;
																					if(_t76 == 8) {
																						r8d =  *_t140 & 0x000000ff;
																						__eflags = r8b & 0x00000080;
																						if((r8b & 0x00000080) == 0) {
																							L61:
																							_t198 = _t198 - _t154;
																							_t207 = _t207 + _t198;
																							__eflags = _t76 - 0x10;
																							_v56 = _t207;
																							if(__eflags == 0) {
																								L60:
																								_t154 =  &_v56;
																								r8d = 2;
																								_t76 = E004022E0(_t76, _t132, _t140, _t154, 0x400000, 0x447310, _t198, 0, _t218);
																							} else {
																								if(__eflags > 0) {
																									__eflags = _t76 - 0x20;
																									if(_t76 == 0x20) {
																										L67:
																										_t154 =  &_v56;
																										r8d = 4;
																										_t76 = E004022E0(_t76, _t132, _t140, _t154, 0x400000, 0x447310, _t198, 0, _t218);
																									} else {
																										__eflags = _t76 - 0x40;
																										if(_t76 == 0x40) {
																											L55:
																											_t154 =  &_v56;
																											r8d = 8;
																											_t76 = E004022E0(_t76, _t132, _t140, _t154, 0x400000, 0x447310, _t198, 0, _t218);
																										}
																									}
																								} else {
																									__eflags = _t76 - 8;
																									if(_t76 == 8) {
																										goto L64;
																									}
																								}
																							}
																						} else {
																							_t198 = (_t198 | 0xffffff00) - _t154 + _t207;
																							_v56 = _t198;
																							L64:
																							_t154 =  &_v56;
																							r8d = 1;
																							_t76 = E004022E0(_t76, _t132, _t140, _t154, 0x400000, 0x447310, _t198, 0, _t218);
																						}
																					} else {
																						L51:
																						_t140 = "  Unknown pseudo relocation bit size %d.\n";
																						_v56 = 0;
																						_t76 = E00402270(_t76, _t132, _t140, _t154, 0x400000, 0x447310, _t198, _t207, 0, _t218);
																						goto L52;
																					}
																				}
																			}
																			_t132 = _t132 + 0xc;
																			__eflags = _t132 - 0x447310;
																		} while (_t132 < 0x447310);
																		L35:
																		__eflags =  *0x44a360;
																		if( *0x44a360 > 0) {
																			_t111 = 0;
																			_t212 = VirtualQuery;
																			_t164 = VirtualProtect;
																			do {
																				_t124 = _t130 +  *0x44a358;
																				__eflags =  *_t124;
																				if( *_t124 == 0) {
																					goto L37;
																				} else {
																					r8d = 0x30;
																					_t154 =  &_v104;
																					_t81 = VirtualQuery(??, ??, ??);
																					__eflags = _t124;
																					if(_t124 == 0) {
																						_t130 = _t130 +  *0x44a358;
																						__eflags = _t130;
																						_t198 =  *(_t130 + 8);
																						_t76 = E00402270(_t81, _t130, "  VirtualQuery failed for %d bytes at address %p",  &_v104, _t164, 0x447310,  *(_t130 + 8), _t207, _t212, _t218);
																						goto L74;
																					} else {
																						_t207 =  &_v44;
																						r8d =  *( *0x44a358 + _t130);
																						_t76 = VirtualProtect(??, ??, ??, ??);
																						goto L37;
																					}
																				}
																				goto L80;
																				L37:
																				_t111 = _t111 + 1;
																				_t130 = _t130 + 0x18;
																				__eflags = _t111 -  *0x44a360;
																			} while (_t111 <  *0x44a360);
																		}
																	}
																	goto L27;
																}
															} else {
																_t130 = 0x44731c;
																goto L43;
															}
														} else {
															goto L32;
														}
													}
												}
											}
										} else {
											L27:
											return _t76;
										}
									} else {
										_t88 = _v132;
										__eflags = _t88 - 4;
										if(_t88 == 4) {
											L13:
											return memcpy();
										}
										__eflags = _t88 - 0x40;
										if(_t88 == 0x40) {
											goto L13;
										}
										r8d = 0x40;
										VirtualProtect(??, ??, ??, ??);
										memcpy(??, ??, ??);
										_t72 = _v132;
										__eflags = _t72 - 0x40;
										if(_t72 == 0x40) {
											goto L1;
										} else {
											__eflags = _t72 - 4;
											if(_t72 == 4) {
												goto L1;
											} else {
												r8d = _v60;
												return VirtualProtect(??, ??, ??, ??);
											}
										}
									}
								} else {
									goto L6;
								}
							}
							goto L80;
							L6:
							_t113 = _t113 + 1;
							_t116 = _t116 + 0x18;
							__eflags = _t113 - _t97;
						} while (__eflags != 0);
						L7:
						_t73 = E00402960(__eflags, _t129, _t164, _t172, _t196, _t207);
						__eflags = _t115;
						_t212 = _t115;
						if(__eflags == 0) {
							_t154 = _t129;
							_t74 = E00402270(_t73, _t129, "Address %p has no image-section", _t154, _t164, _t172, _t196, _t207, _t212, _t218);
							goto L24;
						} else {
							_t218 = 0 << 3;
							_a16 = _t115;
							 *((0 << 3) +  *0x44a358) = 0;
							E00402A50(__eflags, _t153);
							r8d = 0x30;
							_t154 =  &_v120;
							_a8 = _t115 + _t153;
							_t116 =  *0x44a358;
							_t178 = VirtualQuery;
							_t74 = VirtualQuery(??, ??, ??);
							__eflags = _t116;
							if(_t116 == 0) {
								L24:
								_t116 =  *0x44a358;
								_t75 = E00402270(_t74, _t129, "  VirtualQuery failed for %d bytes at address %p", _t154, _t164, _t172,  *((intOrPtr*)( *0x44a358 + _t218 + 8)), _t207, _t212, _t218);
								goto L25;
							} else {
								_t87 = _v84;
								__eflags = _t87 - 4;
								if(_t87 != 4) {
									__eflags = _t87 - 0x40;
									if(_t87 == 0x40) {
										goto L10;
									} else {
										r8d = 0x40;
										_t162 = _v96;
										_t207 =  *0x44a358 + (0 << 3);
										_t93 = VirtualProtect(??, ??, ??, ??);
										__eflags = _t93;
										if(_t93 != 0) {
											goto L10;
										} else {
											E00402270(GetLastError(), _t129, "  VirtualProtect failed with code 0x%x", _t162, _t164, _t172, _t196, _t207, _t212, 0 << 3);
											goto L17;
										}
									}
								} else {
									L10:
									 *0x44a360 =  *0x44a360 + 1;
									__eflags =  *0x44a360;
								}
								goto L11;
							}
						}
					}
				} else {
					L1:
					return _t72;
				}
				L80:
			}

0x004022e0
0x004022e0
0x004022e0
0x004022e0
0x004022e0
0x004022e0
0x004022e2
0x004022e4
0x004022e5
0x004022e6
0x004022e7
0x004022f2
0x004022f5
0x004022f8
0x004022fb
0x00402310
0x00402316
0x00402318
0x00000000
0x0040231e
0x0040231e
0x00402325
0x00402327
0x00402330
0x00402330
0x00402334
0x00402337
0x00000000
0x00402339
0x00402339
0x0040233d
0x00402341
0x00402344
0x00402347
0x00402460
0x00402460
0x004023d7
0x004023d7
0x004023dd
0x004023e5
0x004023e7
0x004023ea
0x0040251a
0x0040251a
0x00402521
0x00402529
0x00402530
0x00402534
0x00402536
0x00402537
0x00402538
0x0040253d
0x00402544
0x00402547
0x00402554
0x0040255e
0x00402575
0x00402581
0x00402588
0x0040259a
0x004025a7
0x004025ab
0x00000000
0x004025ad
0x004025ad
0x004025b1
0x004026a0
0x004026a0
0x004026a3
0x004026a6
0x00000000
0x004026ac
0x004026ac
0x004026b0
0x004026b3
0x00000000
0x00000000
0x00000000
0x00000000
0x004026b3
0x004025b7
0x004025b7
0x004025bd
0x004025bf
0x004025d1
0x004025d1
0x004025d4
0x00000000
0x004025da
0x004025e1
0x004025e8
0x004025ee
0x004025f3
0x004025f5
0x004025f9
0x004025fc
0x00402601
0x00402601
0x00000000
0x004025e1
0x004025c1
0x004025c1
0x004025c8
0x004025cb
0x00402688
0x0040268f
0x00402692
0x004026b9
0x004026bc
0x004026bf
0x00402827
0x00402827
0x0040282e
0x00402839
0x0040283d
0x00402842
0x00402847
0x00402849
0x00402849
0x00402849
0x00402854
0x00402857
0x0040285d
0x00000000
0x00000000
0x00402861
0x00402867
0x00402867
0x0040286a
0x004026c5
0x004026c5
0x004026c9
0x004026cc
0x004026e3
0x004026e8
0x004026ec
0x004026f0
0x004026f3
0x004026f6
0x004026f9
0x004026fc
0x00402756
0x0040275a
0x00402761
0x00000000
0x00402763
0x0040276d
0x0040276d
0x00402770
0x00000000
0x00402770
0x004026fe
0x004026fe
0x00402721
0x00402721
0x00402724
0x004027ac
0x004027af
0x004027b6
0x00000000
0x004027b8
0x004027be
0x004027be
0x004027c1
0x00000000
0x004027c1
0x0040272a
0x0040272a
0x0040272d
0x00000000
0x0040272f
0x00402732
0x00402732
0x00402735
0x00000000
0x00402735
0x0040272d
0x00402700
0x00402700
0x00402703
0x004027d9
0x004027dd
0x004027e1
0x00402785
0x00402785
0x00402788
0x0040278b
0x0040278e
0x00402792
0x00402774
0x00402774
0x00402778
0x0040277e
0x00402794
0x00402794
0x004027f6
0x004027f9
0x004027c5
0x004027c5
0x004027c9
0x004027cf
0x004027fb
0x004027fb
0x004027fe
0x00402739
0x00402739
0x0040273d
0x00402743
0x00402743
0x004027fe
0x00402796
0x00402796
0x00402799
0x00000000
0x00000000
0x00402799
0x00402794
0x004027e3
0x004027ed
0x004027f0
0x0040279b
0x0040279b
0x0040279f
0x004027a5
0x004027a5
0x00402709
0x00402709
0x00402709
0x00402714
0x0040271c
0x00000000
0x0040271c
0x00402703
0x004026fe
0x00402748
0x0040274c
0x0040274c
0x00402606
0x0040260c
0x0040260e
0x00402616
0x00402618
0x0040261f
0x00402643
0x00402646
0x0040264f
0x00402651
0x00000000
0x00402653
0x00402657
0x0040265d
0x00402661
0x00402664
0x00402667
0x00402809
0x00402809
0x0040281b
0x00402822
0x00000000
0x0040266d
0x00402674
0x00402680
0x00402684
0x00000000
0x00402684
0x00402667
0x00000000
0x00402630
0x00402630
0x00402633
0x00402637
0x00402637
0x00402643
0x0040260e
0x00000000
0x004026cc
0x00402694
0x00402694
0x00000000
0x00402694
0x00000000
0x00000000
0x00000000
0x004025cb
0x004025bf
0x004025b1
0x00402549
0x00402549
0x00402553
0x00402553
0x004023f0
0x004023f0
0x004023f4
0x004023f7
0x004023f9
0x00403158
0x00403158
0x00402470
0x00402473
0x00000000
0x00000000
0x0040247d
0x00402494
0x0040249f
0x004024a4
0x004024a8
0x004024ab
0x00000000
0x004024b1
0x004024b1
0x004024b4
0x00000000
0x004024ba
0x004024ba
0x004024e6
0x004024e6
0x004024b4
0x004024ab
0x00000000
0x00000000
0x00000000
0x00402347
0x00000000
0x0040234d
0x0040234d
0x00402350
0x00402354
0x00402354
0x00402358
0x0040235b
0x00402360
0x00402363
0x00402366
0x004024f5
0x004024f8
0x00000000
0x0040236c
0x00402374
0x00402382
0x00402386
0x0040238d
0x00402397
0x004023a0
0x004023a5
0x004023a9
0x004023b0
0x004023bc
0x004023be
0x004023c1
0x004024fd
0x004024fd
0x00402515
0x00000000
0x004023c7
0x004023c7
0x004023cb
0x004023ce
0x00402420
0x00402423
0x00000000
0x00402425
0x0040242c
0x00402432
0x0040243c
0x0040243f
0x00402445
0x00402447
0x00000000
0x00402449
0x00402458
0x00000000
0x00402458
0x00402447
0x004023d0
0x004023d0
0x004023d0
0x004023d0
0x004023d0
0x00000000
0x004023ce
0x004023c1
0x00402366
0x004022fd
0x004022fd
0x0040230c
0x0040230c
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004023BC
VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004023E5

Strings

VirtualProtect failed with code 0x%x, xrefs: 0040244F
VirtualQuery failed for %d bytes at address %p, xrefs: 00402509, 0040251A
Address %p has no image-section, xrefs: 004022E7, 004024EE

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-2123141913
Opcode ID: 0792c8dda6669a92304e0101e404c0d24dcaeabf32f89e8b15c871c3c5c22671
Instruction ID: 88fc682119e1e84dd5613be26e00d6309895d6327acac6be1cb9a5017a00939a
Opcode Fuzzy Hash: 0792c8dda6669a92304e0101e404c0d24dcaeabf32f89e8b15c871c3c5c22671
Instruction Fuzzy Hash: 6B51BEA230568485EB219F56E908BAA6721F785BD8F488037EF0957794EB7CC989C708

Uniqueness

Uniqueness Score: -1.00%

Function 00401955 Relevance: 17.5, APIs: 2, Strings: 8, Instructions: 28
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00401955(void* __edi, void* __esi, void* __esp, void* __rax) {
				signed int _v16;
				intOrPtr _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				long long _v64;
				intOrPtr _v72;
				signed int _t16;
				intOrPtr _t30;
				intOrPtr _t31;
				int _t38;

				_t16 = GetTickCount();
				r9d = 0x5c;
				r8d = 0x5c;
				_v24 = 0x5c;
				_v32 = 0x65;
				_v40 = 0x70;
				_v48 = 0x69;
				_v56 = 0x70;
				_v64 = 0x5c;
				_v72 = 0x2e;
				_v16 = _t16 % 0x26aa;
				L00403198();
				_v64 = 0;
				_v72 = 0;
				r9d = 0;
				CreateThread(??, ??, ??, ??, ??, ??);
				malloc(_t38);
				do {
					Sleep();
					_t30 =  *0x404004; // 0x40e03
				} while (E00401862(_t30, __rax, __rax) == 0);
				_t31 =  *0x404004; // 0x40e03
				E0040174A(_t31, __edi, __esi, __esp, __rax, __rax);
				return 0;
			}

0x00401959
0x00401966
0x00401975
0x0040197b
0x00401983
0x0040198b
0x00401993
0x0040199b
0x004019a3
0x004019ab
0x004019b3
0x004019be
0x004019cc
0x004019d5
0x004019dd
0x004019e2
0x0040190f
0x0040191e
0x00401923
0x00401925
0x00401933
0x00401937
0x00401947
0x00401954

APIs

GetTickCount.KERNEL32 ref: 00401959
CreateThread.KERNEL32 ref: 004019E2

Strings

\, xrefs: 0040197B
i, xrefs: 00401993
p, xrefs: 0040198B
%c%c%c%c%c%c%c%c%cMSSE-%d-server, xrefs: 004019B7
\, xrefs: 004019A3
e, xrefs: 00401983
., xrefs: 004019AB
p, xrefs: 0040199B

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: CountCreateThreadTick
String ID: %c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
API String ID: 515558314-592031345
Opcode ID: e05ad072f323f72a2a79cc493ff35362bbae31336054ceb108d5cffb157eca38
Instruction ID: bd8c15904f82b4196aa4fa4413ddfb1ff446bd0bae90e3a6362402e970df292a
Opcode Fuzzy Hash: e05ad072f323f72a2a79cc493ff35362bbae31336054ceb108d5cffb157eca38
Instruction Fuzzy Hash: 350131B1608B40CBF3248F11F85974B7BA1F3C4759F50421AE74A06AA8CBBEC149CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00401F20 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401F20(intOrPtr* __rcx) {
				intOrPtr _v32;
				signed int _t6;
				signed int _t37;
				void* _t40;
				signed int* _t51;
				void* _t53;

				_t51 =  *((intOrPtr*)(__rcx));
				_t6 =  *_t51;
				if((_t6 & 0x20ffffff) == 0x20474343) {
					__eflags = _t51[1] & 0x00000001;
					if((_t51[1] & 0x00000001) != 0) {
						goto L1;
					} else {
						asm("o16 nop [eax+eax]");
						goto L17;
					}
				} else {
					L1:
					if(_t6 <= 0xc0000091) {
						if(_t6 < 0xc000008d) {
							__eflags = _t6 - 0xc0000008;
							if(__eflags == 0) {
								goto L17;
							} else {
								if(__eflags > 0) {
									__eflags = _t6 - 0xc000001d;
									if(_t6 == 0xc000001d) {
										goto L27;
									} else {
										__eflags = _t6 - 0xc000008c;
										if(_t6 != 0xc000008c) {
											goto L7;
										}
										goto L17;
									}
								} else {
									__eflags = _t6 - 0x80000002;
									if(_t6 == 0x80000002) {
										goto L17;
									} else {
										__eflags = _t6 - 0xc0000005;
										if(_t6 != 0xc0000005) {
											goto L7;
										}
										L004031C8();
										__eflags = _t47 - 1;
										if(_t47 == 1) {
											L004031C8();
											return 0xffffffff;
										}
										__eflags = _t47;
										if(_t47 == 0) {
											goto L7;
										}
										 *_t47();
										return 0xffffffff;
									}
								}
							}
						} else {
							goto L10;
						}
					} else {
						_t40 = _t6 - 0xc0000094;
						if(_t40 == 0) {
							_t37 = 0;
							goto L11;
						} else {
							if(_t40 > 0) {
								__eflags = _t6 - 0xc0000095;
								if(_t6 == 0xc0000095) {
									goto L17;
								} else {
									__eflags = _t6 - 0xc0000096;
									if(_t6 != 0xc0000096) {
										goto L7;
									}
									L27:
									L004031C8();
									__eflags = _t47 - 1;
									if(_t47 == 1) {
										L004031C8();
										return 0xffffffff;
									}
									__eflags = _t47;
									if(_t47 == 0) {
										goto L7;
									}
									 *_t47();
									return 0xffffffff;
								}
							} else {
								if(_t6 == 0xc0000092) {
									L17:
									return 0xffffffff;
								} else {
									if(_t6 != 0xc0000093) {
										L7:
										_t47 =  *0x44a0a0;
										if( *0x44a0a0 == 0) {
											return 0;
										}
										_t53 = _t53 + 0x38;
										goto __rax;
									}
									L10:
									_t37 = 1;
									L11:
									L004031C8();
									if(_t47 != 1) {
										if(_t47 == 0) {
											goto L7;
										}
										 *_t47();
										return 0xffffffff;
									}
									L004031C8();
									__eflags = _t37;
									if(_t37 != 0) {
										_v32 = 0xffffffff;
										E00402C30(0xffffffff);
										return _v32;
									}
									return 0xffffffff;
								}
							}
						}
					}
				}
			}

0x00401f26
0x00401f2c
0x00401f3c
0x00401fd0
0x00401fd4
0x00000000
0x00401fda
0x00401fda
0x00000000
0x00401fda
0x00401f42
0x00401f42
0x00401f47
0x00401f95
0x00401ff0
0x00401ff5
0x00000000
0x00401ff7
0x00401ff7
0x00402090
0x00402095
0x00000000
0x00402097
0x00402097
0x0040209c
0x00000000
0x00000000
0x00000000
0x004020a2
0x00401ffd
0x00401ffd
0x00402002
0x00000000
0x00402004
0x00402004
0x00402009
0x00000000
0x00000000
0x00402016
0x0040201b
0x0040201f
0x004020fa
0x00000000
0x004020ff
0x00402025
0x00402028
0x00000000
0x00000000
0x00402033
0x00402040
0x00402040
0x00402002
0x00401ff7
0x00000000
0x00000000
0x00000000
0x00401f49
0x00401f49
0x00401f4e
0x00402085
0x00000000
0x00401f54
0x00401f54
0x00402041
0x00402046
0x00000000
0x00402048
0x00402048
0x0040204d
0x00000000
0x00000000
0x00402053
0x0040205a
0x0040205f
0x00402063
0x0040211a
0x00000000
0x0040211f
0x00402069
0x0040206c
0x00000000
0x00000000
0x00402077
0x00402084
0x00402084
0x00401f5a
0x00401f5f
0x00401fe0
0x00401feb
0x00401f61
0x00401f66
0x00401f70
0x00401f70
0x00401f7a
0x00000000
0x004020b0
0x00401f83
0x00401f89
0x00401f89
0x00401f97
0x00401f97
0x00401f9c
0x00401fa3
0x00401fac
0x00401fb5
0x00000000
0x00000000
0x00401fbc
0x00000000
0x00401fbe
0x004020ca
0x004020cf
0x004020d6
0x004020dc
0x004020e0
0x00000000
0x004020e5
0x00401fc9
0x00401fc9
0x00401f5f
0x00401f54
0x00401f4e
0x00401f47

APIs

signal.MSVCRT ref: 00401FA3
signal.MSVCRT ref: 0040205A

Strings

CCG , xrefs: 00401F36

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: bd94bdd654f52c4ed5147b46818f35080280a777b2882d2b05581189ab25bde7
Instruction ID: 8e7c3a05cc17fdf1b5badb01421512bcab6a528367bbf551d61aa2c38f8b0cfc
Opcode Fuzzy Hash: bd94bdd654f52c4ed5147b46818f35080280a777b2882d2b05581189ab25bde7
Instruction Fuzzy Hash: CB31E632B1450206EA292278995477A11415B8E3B8F2D8737EE29E73F5CF7CCCC1920A

Uniqueness

Uniqueness Score: -1.00%

Function 00401628 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 70
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E00401628(void* __edx, void* __edi, void* __esi, void* __esp, intOrPtr __rax, void* __rcx, long long __r8) {
				char _v80;
				intOrPtr _v104;
				char _v184;
				intOrPtr _v196;
				void* _v1232;
				void* _v2232;
				void* _v2256;
				void* _v2264;
				char _v2276;
				long long _v2296;
				long long _v2304;
				long long _v2312;
				long long _v2320;
				intOrPtr _v2328;
				long long _v2336;
				int _t22;
				int _t26;
				void* _t30;
				void* _t43;
				void* _t44;
				intOrPtr _t51;
				void* _t71;

				_t51 = __rax;
				_t45 = __esp;
				_t44 = __esi;
				_t40 = __edi;
				_t71 = __rcx;
				_t30 = __edx;
				if(__r8 == 0 ||  *((char*)(__r8)) == 0) {
					_t22 = GetCurrentProcess();
					goto L5;
				} else {
					r8d = 0x400;
					_t26 = memset(__edi, 0, 0x1a << 2);
					_t43 = __edi + 0x1a;
					_v196 = 0x68;
					memset(_t43, _t26, 0 << 2);
					_t45 = __esp + 0x18;
					_t40 = _t43 + 6;
					GetEnvironmentVariableA(??, ??, ??);
					_v2336 = __r8;
					_snprintf(??, ??, ??);
					r9d = 0;
					r8d = 0;
					_v2296 =  &_v80;
					_v2304 =  &_v184;
					_v2312 = 0;
					_v2320 = 0;
					_v2328 = 4;
					_v2336 = 1;
					_t22 = CreateProcessA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
					if(_t22 != 0) {
						_t51 = _v104;
						L5:
						if(_t51 != 0) {
							memcpy(_t40, _t44, 6 << 2);
							return E00401588(_t44 + 0xc, _t44, _t45 + 0xc, _t51, _t51,  &_v2276, _t71, _t30);
						}
					}
				}
				return _t22;
			}

0x00401628
0x00401628
0x00401628
0x00401628
0x0040163a
0x0040163d
0x00401642
0x0040164a
0x00000000
0x00401655
0x0040166c
0x0040167a
0x0040167a
0x0040167f
0x0040168c
0x0040168c
0x0040168c
0x00401695
0x004016b4
0x004016b9
0x004016bf
0x004016c2
0x004016c7
0x004016cc
0x004016d9
0x004016e2
0x004016eb
0x004016f3
0x004016fb
0x00401703
0x00401705
0x0040170d
0x00401710
0x00401724
0x00000000
0x00401734
0x00401710
0x00401703
0x00401749

APIs

GetCurrentProcess.KERNEL32 ref: 0040164A
GetEnvironmentVariableA.KERNEL32 ref: 00401695
_snprintf.MSVCRT ref: 004016B9
CreateProcessA.KERNEL32 ref: 004016FB

Strings

h, xrefs: 0040167F
%s\System32\%s, xrefs: 004016A0
windir, xrefs: 0040168E

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: Process$CreateCurrentEnvironmentVariable_snprintf
String ID: %s\System32\%s$h$windir
API String ID: 3047511472-1023121253
Opcode ID: 131f64c1b2ff6963427ed9f77d07ad06644603e5bda81e9966d56fa131363955
Instruction ID: e003f1d9c7db07e131edcd89633c62f6a6acf270d99a59b5c4f71ee12ea20cdc
Opcode Fuzzy Hash: 131f64c1b2ff6963427ed9f77d07ad06644603e5bda81e9966d56fa131363955
Instruction Fuzzy Hash: C721A162208BC4D2E7208F65F80079AB3A1F788748F844126EF8953B98CF7DC14ACB44

Uniqueness

Uniqueness Score: -1.00%

Function 00402530 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00402530(int __eax, void* __ebx, void* __rax, void* __rbx, signed char* __rcx, void* __rdi, void* __rsi, signed long long __r8, void* __r12) {
				void* _v40;
				char _v44;
				signed long long _v56;
				void* _v80;
				char _v104;
				int _t45;
				char _t49;
				long _t50;
				signed int _t65;
				void* _t66;
				void* _t68;
				signed int* _t76;
				signed int _t80;
				void* _t82;
				signed char* _t83;
				intOrPtr* _t86;
				signed int _t113;
				void* _t118;

				_t115 = __r12;
				_t106 = __r8;
				_t92 = __rdi;
				_t83 = __rcx;
				_t68 = __rax;
				_t45 = __eax;
				_push(__r12);
				_push(__rdi);
				_push(__rsi);
				_push(__rbx);
				r12d =  *0x44a350;
				if(r12d == 0) {
					 *0x44a350 = 1;
					E004029A0(__eflags);
					_t45 = E00403100(_t68);
					_t80 = 0x447310;
					 *0x44a360 = 0;
					 *0x44a358 =  &_v104;
					__eflags = 0x447310 - 7;
					if(0x447310 <= 7) {
						goto L1;
					} else {
						__eflags = 0 - 0xb;
						if(0 <= 0xb) {
							L17:
							r9d =  *_t80;
							__eflags = r9d;
							if(r9d != 0) {
								goto L6;
							} else {
								r8d =  *(_t80 + 4);
								__eflags = r8d;
								if(r8d != 0) {
									goto L6;
								} else {
									goto L19;
								}
							}
						} else {
							_t65 =  *0x447310; // 0x0
							__eflags = _t65;
							if(_t65 != 0) {
								L6:
								__eflags = _t80 - 0x447310;
								if(_t80 >= 0x447310) {
									goto L1;
								} else {
									do {
										r8d = 4;
										_t83 =  &(_t83[0x400000]);
										_t49 =  *_t83 +  *_t80;
										_t80 = _t80 + 8;
										_v44 = _t49;
										_t45 = E004022E0(_t49, _t80, _t83,  &_v44, 0x400000, 0x447310, _t106, _t115, _t118);
										__eflags = _t80 - 0x447310;
									} while (_t80 < 0x447310);
									goto L9;
								}
							} else {
								r11d =  *0x447314; // 0x0
								__eflags = r11d;
								if(r11d == 0) {
									r10d =  *0x447318; // 0x0
									__eflags = r10d;
									if(r10d != 0) {
										L19:
										__eflags =  *(_t80 + 8) - 1;
										if( *(_t80 + 8) != 1) {
											L48:
											_t86 = "  Unknown pseudo relocation protocol version %d.\n";
											E00402270(_t45, _t80, _t86, _t88, _t92, 0x447310, _t106, _t113, _t115, _t118);
											0;
											0;
											__eflags =  *_t86 - 0x5a4d;
											if( *_t86 != 0x5a4d) {
												L50:
												asm("repe ret");
											}
											_t86 = _t86 +  *((intOrPtr*)(_t86 + 0x3c));
											__eflags =  *_t86 - 0x4550;
											if( *_t86 != 0x4550) {
												goto L50;
											}
											__eflags =  *((short*)(_t86 + 0x18)) - 0x20b;
											_t44 =  *((short*)(_t86 + 0x18)) == 0x20b;
											__eflags = _t44;
											return 0 | _t44;
										} else {
											_t82 = _t80 + 0xc;
											__eflags = _t82 - 0x447310;
											if(_t82 < 0x447310) {
												do {
													r8d =  *(_t82 + 8);
													_t45 = r8b & 0xffffffff;
													_t88 = _t88 + 0x400000;
													_t83 =  &(_t83[0x400000]);
													__eflags = _t45 - 0x10;
													_t113 =  *_t88;
													if(__eflags == 0) {
														r8d =  *_t83 & 0x0000ffff;
														__eflags = r8d & 0x00008000;
														if((r8d & 0x00008000) == 0) {
															goto L35;
														} else {
															_t106 = (_t106 | 0xffff0000) - _t88 + _t113;
															__eflags = _t106;
															_v56 = _t106;
															goto L34;
														}
													} else {
														if(__eflags > 0) {
															L26:
															__eflags = _t45 - 0x20;
															if(_t45 == 0x20) {
																r8d =  *_t83;
																__eflags = r8d & 0x80000000;
																if((r8d & 0x80000000) == 0) {
																	goto L35;
																} else {
																	_t106 = (_t106 | 0x00000000) - _t88 + _t113;
																	__eflags = _t106;
																	_v56 = _t106;
																	goto L41;
																}
															} else {
																__eflags = _t45 - 0x40;
																if(_t45 != 0x40) {
																	goto L25;
																} else {
																	_t113 = _t113 - _t88 +  *_t83;
																	__eflags = _t113;
																	_v56 = _t113;
																	goto L29;
																}
															}
														} else {
															__eflags = _t45 - 8;
															if(_t45 == 8) {
																r8d =  *_t83 & 0x000000ff;
																__eflags = r8b & 0x00000080;
																if((r8b & 0x00000080) == 0) {
																	L35:
																	_t106 = _t106 - _t88;
																	_t113 = _t113 + _t106;
																	__eflags = _t45 - 0x10;
																	_v56 = _t113;
																	if(__eflags == 0) {
																		L34:
																		_t88 =  &_v56;
																		r8d = 2;
																		_t45 = E004022E0(_t45, _t82, _t83, _t88, 0x400000, 0x447310, _t106, 0, _t118);
																	} else {
																		if(__eflags > 0) {
																			__eflags = _t45 - 0x20;
																			if(_t45 == 0x20) {
																				L41:
																				_t88 =  &_v56;
																				r8d = 4;
																				_t45 = E004022E0(_t45, _t82, _t83, _t88, 0x400000, 0x447310, _t106, 0, _t118);
																			} else {
																				__eflags = _t45 - 0x40;
																				if(_t45 == 0x40) {
																					L29:
																					_t88 =  &_v56;
																					r8d = 8;
																					_t45 = E004022E0(_t45, _t82, _t83, _t88, 0x400000, 0x447310, _t106, 0, _t118);
																				}
																			}
																		} else {
																			__eflags = _t45 - 8;
																			if(_t45 == 8) {
																				goto L38;
																			}
																		}
																	}
																} else {
																	_t106 = (_t106 | 0xffffff00) - _t88 + _t113;
																	_v56 = _t106;
																	L38:
																	_t88 =  &_v56;
																	r8d = 1;
																	_t45 = E004022E0(_t45, _t82, _t83, _t88, 0x400000, 0x447310, _t106, 0, _t118);
																}
															} else {
																L25:
																_t83 = "  Unknown pseudo relocation bit size %d.\n";
																_v56 = 0;
																_t45 = E00402270(_t45, _t82, _t83, _t88, 0x400000, 0x447310, _t106, _t113, 0, _t118);
																goto L26;
															}
														}
													}
													_t82 = _t82 + 0xc;
													__eflags = _t82 - 0x447310;
												} while (_t82 < 0x447310);
												L9:
												__eflags =  *0x44a360;
												if( *0x44a360 > 0) {
													_t66 = 0;
													_t115 = VirtualQuery;
													_t92 = VirtualProtect;
													do {
														_t76 = _t80 +  *0x44a358;
														__eflags =  *_t76;
														if( *_t76 == 0) {
															goto L11;
														} else {
															r8d = 0x30;
															_t88 =  &_v104;
															_t50 = VirtualQuery(??, ??, ??);
															__eflags = _t76;
															if(_t76 == 0) {
																_t80 = _t80 +  *0x44a358;
																__eflags = _t80;
																_t106 =  *(_t80 + 8);
																_t45 = E00402270(_t50, _t80, "  VirtualQuery failed for %d bytes at address %p",  &_v104, _t92, 0x447310,  *(_t80 + 8), _t113, _t115, _t118);
																goto L48;
															} else {
																_t113 =  &_v44;
																r8d =  *( *0x44a358 + _t80);
																_t45 = VirtualProtect(??, ??, ??, ??);
																goto L11;
															}
														}
														goto L53;
														L11:
														_t66 = _t66 + 1;
														_t80 = _t80 + 0x18;
														__eflags = _t66 -  *0x44a360;
													} while (_t66 <  *0x44a360);
												}
											}
											goto L1;
										}
									} else {
										_t80 = 0x44731c;
										goto L17;
									}
								} else {
									goto L6;
								}
							}
						}
					}
				} else {
					L1:
					return _t45;
				}
				L53:
			}

0x00402530
0x00402530
0x00402530
0x00402530
0x00402530
0x00402530
0x00402534
0x00402536
0x00402537
0x00402538
0x0040253d
0x00402547
0x00402554
0x0040255e
0x00402575
0x00402581
0x00402588
0x0040259a
0x004025a7
0x004025ab
0x00000000
0x004025ad
0x004025ad
0x004025b1
0x004026a0
0x004026a0
0x004026a3
0x004026a6
0x00000000
0x004026ac
0x004026ac
0x004026b0
0x004026b3
0x00000000
0x00000000
0x00000000
0x00000000
0x004026b3
0x004025b7
0x004025b7
0x004025bd
0x004025bf
0x004025d1
0x004025d1
0x004025d4
0x00000000
0x004025da
0x004025e1
0x004025e8
0x004025ee
0x004025f3
0x004025f5
0x004025f9
0x004025fc
0x00402601
0x00402601
0x00000000
0x004025e1
0x004025c1
0x004025c1
0x004025c8
0x004025cb
0x00402688
0x0040268f
0x00402692
0x004026b9
0x004026bc
0x004026bf
0x00402827
0x00402827
0x0040282e
0x00402839
0x0040283d
0x00402842
0x00402847
0x00402849
0x00402849
0x00402849
0x00402854
0x00402857
0x0040285d
0x00000000
0x00000000
0x00402861
0x00402867
0x00402867
0x0040286a
0x004026c5
0x004026c5
0x004026c9
0x004026cc
0x004026e3
0x004026e8
0x004026ec
0x004026f0
0x004026f3
0x004026f6
0x004026f9
0x004026fc
0x00402756
0x0040275a
0x00402761
0x00000000
0x00402763
0x0040276d
0x0040276d
0x00402770
0x00000000
0x00402770
0x004026fe
0x004026fe
0x00402721
0x00402721
0x00402724
0x004027ac
0x004027af
0x004027b6
0x00000000
0x004027b8
0x004027be
0x004027be
0x004027c1
0x00000000
0x004027c1
0x0040272a
0x0040272a
0x0040272d
0x00000000
0x0040272f
0x00402732
0x00402732
0x00402735
0x00000000
0x00402735
0x0040272d
0x00402700
0x00402700
0x00402703
0x004027d9
0x004027dd
0x004027e1
0x00402785
0x00402785
0x00402788
0x0040278b
0x0040278e
0x00402792
0x00402774
0x00402774
0x00402778
0x0040277e
0x00402794
0x00402794
0x004027f6
0x004027f9
0x004027c5
0x004027c5
0x004027c9
0x004027cf
0x004027fb
0x004027fb
0x004027fe
0x00402739
0x00402739
0x0040273d
0x00402743
0x00402743
0x004027fe
0x00402796
0x00402796
0x00402799
0x00000000
0x00000000
0x00402799
0x00402794
0x004027e3
0x004027ed
0x004027f0
0x0040279b
0x0040279b
0x0040279f
0x004027a5
0x004027a5
0x00402709
0x00402709
0x00402709
0x00402714
0x0040271c
0x00000000
0x0040271c
0x00402703
0x004026fe
0x00402748
0x0040274c
0x0040274c
0x00402606
0x0040260c
0x0040260e
0x00402616
0x00402618
0x0040261f
0x00402643
0x00402646
0x0040264f
0x00402651
0x00000000
0x00402653
0x00402657
0x0040265d
0x00402661
0x00402664
0x00402667
0x00402809
0x00402809
0x0040281b
0x00402822
0x00000000
0x0040266d
0x00402674
0x00402680
0x00402684
0x00000000
0x00402684
0x00402667
0x00000000
0x00402630
0x00402630
0x00402633
0x00402637
0x00402637
0x00402643
0x0040260e
0x00000000
0x004026cc
0x00402694
0x00402694
0x00000000
0x00402694
0x00000000
0x00000000
0x00000000
0x004025cb
0x004025bf
0x004025b1
0x00402549
0x00402549
0x00402553
0x00402553
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00401265), ref: 00402661
VirtualProtect.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00401265), ref: 00402684

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00402827
Unknown pseudo relocation bit size %d., xrefs: 00402709
VirtualQuery failed for %d bytes at address %p, xrefs: 00402509, 0040251A, 00402810

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
API String ID: 1027372294-974437099
Opcode ID: 6ed31c0bac4eeb1dfd0b269d04b35f1aeb1cab811be8f1d220e551309a886f30
Instruction ID: c454143055e79fd397673f87f084222c0a1c0298268923b062999b768bb8b6f9
Opcode Fuzzy Hash: 6ed31c0bac4eeb1dfd0b269d04b35f1aeb1cab811be8f1d220e551309a886f30
Instruction Fuzzy Hash: 2B71E4B2710A6486EB10CF65DA4879D3360F305BA8F58462BDE18377D4DBBDC942C709

Uniqueness

Uniqueness Score: -1.00%

Function 00401C70 Relevance: 7.6, APIs: 5, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401C70(long long* __rax, intOrPtr* __rcx) {
				intOrPtr _v16;
				intOrPtr _t3;
				long long* _t17;
				long long* _t37;
				long long* _t38;

				_t35 = __rax;
				_t3 =  *__rcx;
				if(_t3 > 0xc0000091) {
					__eflags = _t3 - 0xc0000094;
					if(__eflags == 0) {
						_t17 = 0;
						goto L3;
					} else {
						if(__eflags > 0) {
							__eflags = _t3 - 0xc0000095;
							if(_t3 == 0xc0000095) {
								goto L27;
							} else {
								__eflags = _t3 - 0xc0000096;
								if(_t3 != 0xc0000096) {
									goto L11;
								} else {
									goto L21;
								}
							}
						} else {
							__eflags = _t3 - 0xc0000092;
							if(_t3 == 0xc0000092) {
								goto L27;
							} else {
								__eflags = _t3 - 0xc0000093;
								if(_t3 == 0xc0000093) {
									goto L2;
								} else {
									goto L11;
								}
							}
						}
					}
				} else {
					if(_t3 < 0xc000008d) {
						__eflags = _t3 - 0xc0000008;
						if(__eflags == 0) {
							L27:
							__eflags = 0;
							return 0;
						} else {
							if(__eflags > 0) {
								__eflags = _t3 - 0xc000001d;
								if(_t3 == 0xc000001d) {
									L21:
									L004031C8();
									__eflags = _t35 - 1;
									_t38 = _t35;
									if(_t35 == 1) {
										L004031C8();
										return 0;
									}
									__eflags = _t38;
									_t4 = 4;
									if(_t38 != 0) {
										 *_t38();
										return 0;
									}
									goto L6;
								} else {
									__eflags = _t3 - 0xc000008c;
									if(_t3 != 0xc000008c) {
										goto L11;
									} else {
										goto L27;
									}
								}
							} else {
								__eflags = _t3 - 0x80000002;
								if(_t3 == 0x80000002) {
									goto L27;
								} else {
									__eflags = _t3 - 0xc0000005;
									if(_t3 != 0xc0000005) {
										L11:
										return 1;
									} else {
										L004031C8();
										__eflags = __rax - 1;
										if(__rax == 1) {
											L004031C8();
											return 0;
										}
										__eflags = __rax;
										_t4 = 4;
										if(__rax != 0) {
											 *__rax();
											return 0;
										}
										goto L6;
									}
								}
							}
						}
					} else {
						L2:
						_t17 = 1;
						L3:
						L004031C8();
						_t37 = _t35;
						if(_t35 == 1) {
							L004031C8();
							_t4 = 0;
							__eflags = _t17;
							if(_t17 != 0) {
								_v16 = 0;
								E00402C30(0);
								return _v16;
							}
						} else {
							_t4 = 1;
							if(_t37 != 0) {
								 *_t37();
								return 0;
							}
						}
						L6:
						return _t4;
					}
				}
			}

0x00401c70
0x00401c75
0x00401c7c
0x00401cc0
0x00401cc5
0x00401d90
0x00000000
0x00401ccb
0x00401ccb
0x00401d44
0x00401d49
0x00000000
0x00401d4b
0x00401d4b
0x00401d50
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d50
0x00401ccd
0x00401ccd
0x00401cd2
0x00000000
0x00401cd8
0x00401cd8
0x00401cdd
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cdd
0x00401cd2
0x00401ccb
0x00401c7e
0x00401c83
0x00401cf0
0x00401cf5
0x00401db2
0x00401db2
0x00401db9
0x00401cfb
0x00401cfb
0x00401da0
0x00401da5
0x00401d52
0x00401d59
0x00401d5e
0x00401d62
0x00401d65
0x00401dfc
0x00000000
0x00401e01
0x00401d6b
0x00401d6e
0x00401d73
0x00401d7e
0x00000000
0x00401d80
0x00000000
0x00401da7
0x00401da7
0x00401dac
0x00000000
0x00000000
0x00000000
0x00000000
0x00401dac
0x00401d01
0x00401d01
0x00401d06
0x00000000
0x00401d0c
0x00401d0c
0x00401d11
0x00401cdf
0x00401ce9
0x00401d13
0x00401d1a
0x00401d1f
0x00401d26
0x00401deb
0x00000000
0x00401df0
0x00401d2c
0x00401d2f
0x00401d34
0x00401d3b
0x00000000
0x00401d3d
0x00000000
0x00401d34
0x00401d11
0x00401d06
0x00401cfb
0x00401c85
0x00401c85
0x00401c85
0x00401c8a
0x00401c91
0x00401c9a
0x00401c9d
0x00401dc5
0x00401dca
0x00401dcc
0x00401dce
0x00401dd4
0x00401dd8
0x00000000
0x00401ddd
0x00401ca3
0x00401ca6
0x00401cab
0x00401cb2
0x00000000
0x00401cb4
0x00401cab
0x00401cbb
0x00401cbb
0x00401cbb
0x00401c83

APIs

signal.MSVCRT ref: 00401C91
signal.MSVCRT ref: 00401D1A
signal.MSVCRT ref: 00401DC5

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 5519d9f8778c7515352c36e8946173902d582a2b0c9c55cf290954e4f866c631
Instruction ID: 7d128fa255b8fe378b3d2b76ca095190f151b34c0f5602ff0362c625f2c5edcd
Opcode Fuzzy Hash: 5519d9f8778c7515352c36e8946173902d582a2b0c9c55cf290954e4f866c631
Instruction Fuzzy Hash: 6621C1A17681114BFF68927984C472B10429F8C395F29893BDA0AEB3F1EC3CDDC1111E

Uniqueness

Uniqueness Score: -1.00%

Function 00402180 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5
Unknown error, xrefs: 0040218F

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-3474627141
Opcode ID: 5664749843ab7f4281eb78d7fc4b5b2173bd09fe0b7de7c35795833e29b1dcce
Instruction ID: b61746155111f2d7cc4efb5aad7128311b5069edc69900175d8448b51bc180d4
Opcode Fuzzy Hash: 5664749843ab7f4281eb78d7fc4b5b2173bd09fe0b7de7c35795833e29b1dcce
Instruction Fuzzy Hash: 29F087B2615B4495DA109F16E940B983BB5F349BDAF684122EF4C13398DB39C683C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402240 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00402240
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2187435201
Opcode ID: 70a5fad4df8da673e74cd78cea4bf351c8c1bad253974bc27c6eb3996130214f
Instruction ID: 3fda13f5c3002c01bb56df92233cbde8f7069fc0ec9f327b639105cb1d49328b
Opcode Fuzzy Hash: 70a5fad4df8da673e74cd78cea4bf351c8c1bad253974bc27c6eb3996130214f
Instruction Fuzzy Hash: B9E039B3214B4095D6109F06E8403987364F348BE9FA80126EF8C177A4CF39C683C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402250 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5
Total loss of significance (TLOSS), xrefs: 00402250

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4273532761
Opcode ID: cb24257366d0d8f9c50af8c3a61f50b1c510b386d6eb77aa21932950f34e71e0
Instruction ID: ff3a90cd802184d1b37c07242a5d5341b32401a8c00ad52cc69c0c38e6844533
Opcode Fuzzy Hash: cb24257366d0d8f9c50af8c3a61f50b1c510b386d6eb77aa21932950f34e71e0
Instruction Fuzzy Hash: 7EE039B3214B4095D6109F06E8403987364F348BE9FA80126DF8C277A4CF39C683C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402202 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5
Partial loss of significance (PLOSS), xrefs: 00402202

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4283191376
Opcode ID: 0ba884e6ec1d4451d0b14812ced9295676d6f7eeb1160479ba6f5f4925bf4c7a
Instruction ID: 80c076e3f0585dc642847406495aacac54e743d69e61995310db27f34450b86f
Opcode Fuzzy Hash: 0ba884e6ec1d4451d0b14812ced9295676d6f7eeb1160479ba6f5f4925bf4c7a
Instruction Fuzzy Hash: 32E039B3214B4095D6119F06E8403983364F348BE9FA80126EF8C177A4CF39C683C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402210 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

Argument domain error (DOMAIN), xrefs: 00402210
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2713391170
Opcode ID: c44963c47ca9f90aacc2e6ce41b113bdc135d57d9ec7966c7acc202850251e17
Instruction ID: fd2bd81a5517a7f696e63bb9baeac2a55bd67766aab559b42eb37b527b43f7e7
Opcode Fuzzy Hash: c44963c47ca9f90aacc2e6ce41b113bdc135d57d9ec7966c7acc202850251e17
Instruction Fuzzy Hash: 52E039B3214B4495D6109F06E8403983364F348BE9FA80126EF8C177A4DF39C683C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402220 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5
Argument singularity (SIGN), xrefs: 00402220

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-2468659920
Opcode ID: 02deb9d2806da54c03c492bb07d233467691d5c4467b1243c7e621cec4b7b8b5
Instruction ID: d01de4ac6177404e7b6db5e19fe0364507a8127954eade7022529d24d2f77981
Opcode Fuzzy Hash: 02deb9d2806da54c03c492bb07d233467691d5c4467b1243c7e621cec4b7b8b5
Instruction Fuzzy Hash: A5E039B3214B4095D6109F06E8403983364F348BE9FA80126DF8C577A5CF39C687C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402230 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 004021B0
fprintf.MSVCRT ref: 004021D5

Strings

Overflow range error (OVERFLOW), xrefs: 00402230
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004021B5

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 620453056-4064033741
Opcode ID: 73a878ddbbe0b047fe4021053390a7dcb22e9d4371b01f7b0f137aaed45d7621
Instruction ID: 37e83fe092d742cbcaad9b17cd01710a6ccc3a0e2857bf025fb84eeff51f151a
Opcode Fuzzy Hash: 73a878ddbbe0b047fe4021053390a7dcb22e9d4371b01f7b0f137aaed45d7621
Instruction Fuzzy Hash: 85E039B3214B4095D6109F06E8403983364F348BE9FA80126EF8C177A4CF39C683C708

Uniqueness

Uniqueness Score: -1.00%

Function 00402B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402B60(struct HINSTANCE__* __eax, void* __rcx) {
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t9;
				signed char* _t10;
				signed char* _t11;
				signed int _t12;
				signed int _t13;
				signed int _t14;
				signed int _t15;
				signed int _t16;
				signed int _t17;
				signed char* _t20;
				void* _t21;
				void* _t24;
				void* _t25;

				_t21 = __rcx;
				_t7 = __eax;
				_t20 =  *0x44a370;
				if(_t20 == 0) {
					_t11 = 0;
					__eflags = 0;
					while(1) {
						_t1 = _t21 + 1; // 0x2
						_t10 = _t1;
						E00402AD0(_t11, __eflags, _t24, _t25);
						__eflags = _t20;
						if(_t20 == 0) {
							break;
						}
						_t12 =  *_t20 & 0x000000ff;
						__eflags = _t12 - 0x4d;
						if(_t12 != 0x4d) {
							__eflags = _t12 - 0x6d;
							if(__eflags != 0) {
								L18:
								_t11 = _t10;
								continue;
							}
						}
						_t13 = _t20[1] & 0x000000ff;
						__eflags = _t13 - 0x53;
						if(_t13 != 0x53) {
							__eflags = _t13 - 0x73;
							if(__eflags != 0) {
								goto L18;
							}
						}
						_t14 = _t20[2] & 0x000000ff;
						__eflags = _t14 - 0x56;
						if(_t14 != 0x56) {
							__eflags = _t14 - 0x76;
							if(__eflags != 0) {
								goto L18;
							}
						}
						_t15 = _t20[3] & 0x000000ff;
						__eflags = _t15 - 0x43;
						if(_t15 != 0x43) {
							__eflags = _t15 - 0x63;
							if(__eflags != 0) {
								goto L18;
							}
						}
						_t16 = _t20[4] & 0x000000ff;
						__eflags = _t16 - 0x52;
						if(_t16 != 0x52) {
							__eflags = _t16 - 0x72;
							if(__eflags != 0) {
								goto L18;
							}
						}
						_t17 = _t20[5] & 0x000000ff;
						__eflags = _t17 - 0x54;
						if(_t17 != 0x54) {
							__eflags = _t17 - 0x74;
							if(_t17 != 0x74) {
								__eflags = _t17 - 0x30 - 9;
								if(__eflags > 0) {
									goto L18;
								}
							}
						}
						_t7 = GetModuleHandleA();
						__eflags = _t20;
						 *0x44a370 = _t20;
						if(_t20 == 0) {
							break;
						}
						goto L1;
					}
					_t9 = LoadLibraryW();
					 *0x44a370 = _t20;
					return _t9;
				}
				L1:
				return _t7;
			}

0x00402b60
0x00402b60
0x00402b65
0x00402b6f
0x00402b80
0x00402b80
0x00402b82
0x00402b82
0x00402b82
0x00402b85
0x00402b8a
0x00402b8d
0x00000000
0x00000000
0x00402b93
0x00402b96
0x00402b99
0x00402b9b
0x00402b9e
0x00402bf0
0x00402bf0
0x00000000
0x00402bf0
0x00402b9e
0x00402ba0
0x00402ba4
0x00402ba7
0x00402ba9
0x00402bac
0x00000000
0x00000000
0x00402bac
0x00402bae
0x00402bb2
0x00402bb5
0x00402bb7
0x00402bba
0x00000000
0x00000000
0x00402bba
0x00402bbc
0x00402bc0
0x00402bc3
0x00402bc5
0x00402bc8
0x00000000
0x00000000
0x00402bc8
0x00402bca
0x00402bce
0x00402bd1
0x00402bd3
0x00402bd6
0x00000000
0x00000000
0x00402bd6
0x00402bd8
0x00402bdc
0x00402bdf
0x00402be1
0x00402be4
0x00402be9
0x00402bec
0x00000000
0x00000000
0x00402bec
0x00402be4
0x00402bf7
0x00402bfd
0x00402c00
0x00402c07
0x00000000
0x00000000
0x00000000
0x00402c07
0x00402c17
0x00402c1d
0x00000000
0x00402c1d
0x00402b76
0x00402b76

APIs

GetModuleHandleA.KERNEL32 ref: 00402BF7
LoadLibraryW.KERNEL32 ref: 00402C17

Strings

msvcrt.dll, xrefs: 00402C10

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID: msvcrt.dll
API String ID: 4133054770-370904613
Opcode ID: 0d02aed1ec9913c824d623205299ce68f455a40440a3a782726cd63094a18dd8
Instruction ID: 8b2694992b2920be825b1922059b7f305df937d85553eea56994966b37faab82
Opcode Fuzzy Hash: 0d02aed1ec9913c824d623205299ce68f455a40440a3a782726cd63094a18dd8
Instruction Fuzzy Hash: 6D11B25150959848EF241F25C6AE3773BB76741701F8CC437CA49223E3DBBEAA88E61D

Uniqueness

Uniqueness Score: -1.00%

Function 00402270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00402270(intOrPtr __eax, void* __rbx, intOrPtr __rcx, long long __rdx, void* __rdi, void* __rsi, long long __r8, long long __r9, long long __r12, signed long long __r13, long long _a8, long long _a16, long long _a24, long long _a32) {
				long long _v32;
				void* _v40;
				int _v44;
				signed long long _v56;
				void* _v80;
				char _v104;
				signed int _v132;
				intOrPtr _v156;
				intOrPtr _v168;
				char _v192;
				intOrPtr _v204;
				void* _v216;
				char _v240;
				char _v376;
				intOrPtr _t80;
				void* _t81;
				long _t82;
				long _t83;
				int _t84;
				long _t88;
				intOrPtr _t94;
				intOrPtr _t95;
				int _t100;
				signed int _t104;
				signed int _t118;
				void* _t119;
				void* _t121;
				long long _t123;
				signed int* _t132;
				signed long long _t138;
				signed int _t139;
				void* _t141;
				signed long long _t147;
				signed char* _t151;
				intOrPtr* _t154;
				intOrPtr _t165;
				intOrPtr _t174;
				intOrPtr _t176;
				intOrPtr _t184;
				intOrPtr _t185;
				long long _t191;
				intOrPtr _t211;
				signed int _t223;
				long long _t228;

				_t234 = __r13;
				_t228 = __r12;
				_t80 = __eax;
				_push(__rsi);
				_push(__rbx);
				_t123 =  &_a16;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_v32 = _t123;
				L004031D8();
				_t6 = _t123 + 0x60; // 0x60
				_t223 = _t6;
				r8d = 0x1b;
				L004031E8();
				_t184 = _v32;
				L004031D8();
				_t8 = _t123 + 0x60; // 0x60
				_t147 = _t8;
				_t165 = __rcx;
				_t211 = _t184;
				L004031F0();
				L004031F8();
				asm("o16 nop [cs:eax+eax]");
				_push(__r13);
				_push(__r12);
				_push(_t191);
				_push(__rdi);
				_push(_t184);
				_push(__rcx);
				_t138 = _t147;
				_t176 = __rcx;
				_t185 = _t211;
				if(_t211 != 0) {
					_t104 =  *0x44a360;
					__eflags = _t104;
					if(__eflags <= 0) {
						goto L8;
					} else {
						_t124 =  *0x44a358;
						_t121 = 0;
						asm("o16 nop [eax+eax]");
						do {
							_t165 =  *((intOrPtr*)(_t124 + 8));
							__eflags = _t138 - _t165;
							if(_t138 < _t165) {
								goto L7;
							} else {
								_t211 =  *((intOrPtr*)(_t124 + 0x10));
								r8d =  *(_t211 + 8);
								_t165 = _t165 + _t211;
								__eflags = _t138 - _t165;
								if(_t138 < _t165) {
									L18:
									_t191 = VirtualQuery;
									L12:
									r8d = 0x30;
									_t166 =  &_v240;
									_t83 = VirtualQuery(??, ??, ??);
									__eflags = _t124;
									if(_t124 == 0) {
										L26:
										_t151 = "  VirtualQuery failed for %d bytes at address %p";
										_t213 = _t138;
										_t84 = E00402270(_t83, _t138, _t151, _t166, _t176, _t185, _t213, _t223, _t228, _t234);
										_push(_t191);
										_push(_t228);
										_push(_t176);
										_push(_t185);
										_push(_t138);
										r12d =  *0x44a350;
										__eflags = r12d;
										if(__eflags == 0) {
											 *0x44a350 = 1;
											E004029A0(__eflags);
											_t84 = E00403100(_t124);
											_t139 = 0x447310;
											 *0x44a360 = 0;
											 *0x44a358 =  &_v376;
											__eflags = 0x447310 - 7;
											if(0x447310 <= 7) {
												goto L28;
											} else {
												__eflags = 0 - 0xb;
												if(0 <= 0xb) {
													L44:
													r9d =  *_t139;
													__eflags = r9d;
													if(r9d != 0) {
														goto L33;
													} else {
														r8d =  *(_t139 + 4);
														__eflags = r8d;
														if(r8d != 0) {
															goto L33;
														} else {
															goto L46;
														}
													}
												} else {
													_t118 =  *0x447310; // 0x0
													__eflags = _t118;
													if(_t118 != 0) {
														L33:
														__eflags = _t139 - 0x447310;
														if(_t139 >= 0x447310) {
															goto L28;
														} else {
															do {
																r8d = 4;
																_t151 =  &(_t151[0x400000]);
																_t84 =  *_t151 +  *_t139;
																_t139 = _t139 + 8;
																_v44 = _t84;
																L1();
																__eflags = _t139 - 0x447310;
															} while (_t139 < 0x447310);
															goto L36;
														}
													} else {
														r11d =  *0x447314; // 0x0
														__eflags = r11d;
														if(r11d == 0) {
															r10d =  *0x447318; // 0x0
															__eflags = r10d;
															if(r10d != 0) {
																L46:
																__eflags =  *(_t139 + 8) - 1;
																if( *(_t139 + 8) != 1) {
																	L75:
																	_t154 = "  Unknown pseudo relocation protocol version %d.\n";
																	E00402270(_t84, _t139, _t154, _t166, _t176, 0x447310, _t213, _t223, _t228, _t234);
																	0;
																	0;
																	__eflags =  *_t154 - 0x5a4d;
																	if( *_t154 != 0x5a4d) {
																		L77:
																		asm("repe ret");
																	}
																	_t154 = _t154 +  *((intOrPtr*)(_t154 + 0x3c));
																	__eflags =  *_t154 - 0x4550;
																	if( *_t154 != 0x4550) {
																		goto L77;
																	}
																	__eflags =  *((short*)(_t154 + 0x18)) - 0x20b;
																	_t79 =  *((short*)(_t154 + 0x18)) == 0x20b;
																	__eflags = _t79;
																	return 0 | _t79;
																} else {
																	_t141 = _t139 + 0xc;
																	__eflags = _t141 - 0x447310;
																	if(_t141 < 0x447310) {
																		do {
																			r8d =  *(_t141 + 8);
																			_t84 = r8b & 0xffffffff;
																			_t166 = _t166 + 0x400000;
																			_t151 =  &(_t151[0x400000]);
																			__eflags = _t84 - 0x10;
																			_t223 =  *_t166;
																			if(__eflags == 0) {
																				r8d =  *_t151 & 0x0000ffff;
																				__eflags = r8d & 0x00008000;
																				if((r8d & 0x00008000) == 0) {
																					goto L62;
																				} else {
																					_t213 = (_t213 | 0xffff0000) - _t166 + _t223;
																					__eflags = _t213;
																					_v56 = _t213;
																					goto L61;
																				}
																			} else {
																				if(__eflags > 0) {
																					L53:
																					__eflags = _t84 - 0x20;
																					if(_t84 == 0x20) {
																						r8d =  *_t151;
																						__eflags = r8d & 0x80000000;
																						if((r8d & 0x80000000) == 0) {
																							goto L62;
																						} else {
																							_t213 = (_t213 | 0x00000000) - _t166 + _t223;
																							__eflags = _t213;
																							_v56 = _t213;
																							goto L68;
																						}
																					} else {
																						__eflags = _t84 - 0x40;
																						if(_t84 != 0x40) {
																							goto L52;
																						} else {
																							_t223 = _t223 - _t166 +  *_t151;
																							__eflags = _t223;
																							_v56 = _t223;
																							goto L56;
																						}
																					}
																				} else {
																					__eflags = _t84 - 8;
																					if(_t84 == 8) {
																						r8d =  *_t151 & 0x000000ff;
																						__eflags = r8b & 0x00000080;
																						if((r8b & 0x00000080) == 0) {
																							L62:
																							_t213 = _t213 - _t166;
																							_t223 = _t223 + _t213;
																							__eflags = _t84 - 0x10;
																							_v56 = _t223;
																							if(__eflags == 0) {
																								L61:
																								_t166 =  &_v56;
																								r8d = 2;
																								L1();
																							} else {
																								if(__eflags > 0) {
																									__eflags = _t84 - 0x20;
																									if(_t84 == 0x20) {
																										L68:
																										_t166 =  &_v56;
																										r8d = 4;
																										L1();
																									} else {
																										__eflags = _t84 - 0x40;
																										if(_t84 == 0x40) {
																											L56:
																											_t166 =  &_v56;
																											r8d = 8;
																											L1();
																										}
																									}
																								} else {
																									__eflags = _t84 - 8;
																									if(_t84 == 8) {
																										goto L65;
																									}
																								}
																							}
																						} else {
																							_t213 = (_t213 | 0xffffff00) - _t166 + _t223;
																							_v56 = _t213;
																							L65:
																							_t166 =  &_v56;
																							r8d = 1;
																							L1();
																						}
																					} else {
																						L52:
																						_t151 = "  Unknown pseudo relocation bit size %d.\n";
																						_v56 = 0;
																						_t84 = E00402270(_t84, _t141, _t151, _t166, 0x400000, 0x447310, _t213, _t223, 0, _t234);
																						goto L53;
																					}
																				}
																			}
																			_t141 = _t141 + 0xc;
																			__eflags = _t141 - 0x447310;
																		} while (_t141 < 0x447310);
																		L36:
																		__eflags =  *0x44a360;
																		if( *0x44a360 > 0) {
																			_t119 = 0;
																			_t228 = VirtualQuery;
																			_t176 = VirtualProtect;
																			do {
																				_t132 = _t139 +  *0x44a358;
																				__eflags =  *_t132;
																				if( *_t132 == 0) {
																					goto L38;
																				} else {
																					r8d = 0x30;
																					_t166 =  &_v104;
																					_t88 = VirtualQuery(??, ??, ??);
																					__eflags = _t132;
																					if(_t132 == 0) {
																						_t139 = _t139 +  *0x44a358;
																						__eflags = _t139;
																						_t213 =  *(_t139 + 8);
																						_t84 = E00402270(_t88, _t139, "  VirtualQuery failed for %d bytes at address %p",  &_v104, _t176, 0x447310,  *(_t139 + 8), _t223, _t228, _t234);
																						goto L75;
																					} else {
																						_t223 =  &_v44;
																						r8d =  *( *0x44a358 + _t139);
																						_t84 = VirtualProtect(??, ??, ??, ??);
																						goto L38;
																					}
																				}
																				goto L81;
																				L38:
																				_t119 = _t119 + 1;
																				_t139 = _t139 + 0x18;
																				__eflags = _t119 -  *0x44a360;
																			} while (_t119 <  *0x44a360);
																		}
																	}
																	goto L28;
																}
															} else {
																_t139 = 0x44731c;
																goto L44;
															}
														} else {
															goto L33;
														}
													}
												}
											}
										} else {
											L28:
											return _t84;
										}
									} else {
										_t95 = _v204;
										__eflags = _t95 - 4;
										if(_t95 == 4) {
											L14:
											return memcpy();
										}
										__eflags = _t95 - 0x40;
										if(_t95 == 0x40) {
											goto L14;
										}
										r8d = 0x40;
										VirtualProtect(??, ??, ??, ??);
										memcpy(??, ??, ??);
										_t80 = _v204;
										__eflags = _t80 - 0x40;
										if(_t80 == 0x40) {
											goto L2;
										} else {
											__eflags = _t80 - 4;
											if(_t80 == 4) {
												goto L2;
											} else {
												r8d = _v132;
												return VirtualProtect(??, ??, ??, ??);
											}
										}
									}
								} else {
									goto L7;
								}
							}
							goto L81;
							L7:
							_t121 = _t121 + 1;
							_t124 = _t124 + 0x18;
							__eflags = _t121 - _t104;
						} while (__eflags != 0);
						L8:
						_t81 = E00402960(__eflags, _t138, _t176, _t185, _t211, _t223);
						__eflags = _t123;
						_t228 = _t123;
						if(__eflags == 0) {
							_t166 = _t138;
							_t82 = E00402270(_t81, _t138, "Address %p has no image-section", _t166, _t176, _t185, _t211, _t223, _t228, _t234);
							goto L25;
						} else {
							_t234 = 0 << 3;
							_a16 = _t123;
							 *((0 << 3) +  *0x44a358) = 0;
							E00402A50(__eflags, _t165);
							r8d = 0x30;
							_t166 =  &_v192;
							_a8 = _t123 + _t165;
							_t124 =  *0x44a358;
							_t191 = VirtualQuery;
							_t82 = VirtualQuery(??, ??, ??);
							__eflags = _t124;
							if(_t124 == 0) {
								L25:
								_t124 =  *0x44a358;
								_t83 = E00402270(_t82, _t138, "  VirtualQuery failed for %d bytes at address %p", _t166, _t176, _t185,  *((intOrPtr*)( *0x44a358 + _t234 + 8)), _t223, _t228, _t234);
								goto L26;
							} else {
								_t94 = _v156;
								__eflags = _t94 - 4;
								if(_t94 != 4) {
									__eflags = _t94 - 0x40;
									if(_t94 == 0x40) {
										goto L11;
									} else {
										r8d = 0x40;
										_t174 = _v168;
										_t223 =  *0x44a358 + (0 << 3);
										_t100 = VirtualProtect(??, ??, ??, ??);
										__eflags = _t100;
										if(_t100 != 0) {
											goto L11;
										} else {
											E00402270(GetLastError(), _t138, "  VirtualProtect failed with code 0x%x", _t174, _t176, _t185, _t211, _t223, _t228, 0 << 3);
											goto L18;
										}
									}
								} else {
									L11:
									 *0x44a360 =  *0x44a360 + 1;
									__eflags =  *0x44a360;
								}
								goto L12;
							}
						}
					}
				} else {
					L2:
					return _t80;
				}
				L81:
			}

0x00402270
0x00402270
0x00402270
0x00402270
0x00402271
0x00402276
0x0040227e
0x00402283
0x00402288
0x0040228d
0x00402292
0x0040229e
0x0040229e
0x004022a2
0x004022ad
0x004022b2
0x004022b7
0x004022bc
0x004022bc
0x004022c0
0x004022c3
0x004022c6
0x004022cb
0x004022d1
0x004022e0
0x004022e2
0x004022e4
0x004022e5
0x004022e6
0x004022e7
0x004022f2
0x004022f5
0x004022f8
0x004022fb
0x00402310
0x00402316
0x00402318
0x00000000
0x0040231e
0x0040231e
0x00402325
0x00402327
0x00402330
0x00402330
0x00402334
0x00402337
0x00000000
0x00402339
0x00402339
0x0040233d
0x00402341
0x00402344
0x00402347
0x00402460
0x00402460
0x004023d7
0x004023d7
0x004023dd
0x004023e5
0x004023e7
0x004023ea
0x0040251a
0x0040251a
0x00402521
0x00402529
0x00402530
0x00402534
0x00402536
0x00402537
0x00402538
0x0040253d
0x00402544
0x00402547
0x00402554
0x0040255e
0x00402575
0x00402581
0x00402588
0x0040259a
0x004025a7
0x004025ab
0x00000000
0x004025ad
0x004025ad
0x004025b1
0x004026a0
0x004026a0
0x004026a3
0x004026a6
0x00000000
0x004026ac
0x004026ac
0x004026b0
0x004026b3
0x00000000
0x00000000
0x00000000
0x00000000
0x004026b3
0x004025b7
0x004025b7
0x004025bd
0x004025bf
0x004025d1
0x004025d1
0x004025d4
0x00000000
0x004025da
0x004025e1
0x004025e8
0x004025ee
0x004025f3
0x004025f5
0x004025f9
0x004025fc
0x00402601
0x00402601
0x00000000
0x004025e1
0x004025c1
0x004025c1
0x004025c8
0x004025cb
0x00402688
0x0040268f
0x00402692
0x004026b9
0x004026bc
0x004026bf
0x00402827
0x00402827
0x0040282e
0x00402839
0x0040283d
0x00402842
0x00402847
0x00402849
0x00402849
0x00402849
0x00402854
0x00402857
0x0040285d
0x00000000
0x00000000
0x00402861
0x00402867
0x00402867
0x0040286a
0x004026c5
0x004026c5
0x004026c9
0x004026cc
0x004026e3
0x004026e8
0x004026ec
0x004026f0
0x004026f3
0x004026f6
0x004026f9
0x004026fc
0x00402756
0x0040275a
0x00402761
0x00000000
0x00402763
0x0040276d
0x0040276d
0x00402770
0x00000000
0x00402770
0x004026fe
0x004026fe
0x00402721
0x00402721
0x00402724
0x004027ac
0x004027af
0x004027b6
0x00000000
0x004027b8
0x004027be
0x004027be
0x004027c1
0x00000000
0x004027c1
0x0040272a
0x0040272a
0x0040272d
0x00000000
0x0040272f
0x00402732
0x00402732
0x00402735
0x00000000
0x00402735
0x0040272d
0x00402700
0x00402700
0x00402703
0x004027d9
0x004027dd
0x004027e1
0x00402785
0x00402785
0x00402788
0x0040278b
0x0040278e
0x00402792
0x00402774
0x00402774
0x00402778
0x0040277e
0x00402794
0x00402794
0x004027f6
0x004027f9
0x004027c5
0x004027c5
0x004027c9
0x004027cf
0x004027fb
0x004027fb
0x004027fe
0x00402739
0x00402739
0x0040273d
0x00402743
0x00402743
0x004027fe
0x00402796
0x00402796
0x00402799
0x00000000
0x00000000
0x00402799
0x00402794
0x004027e3
0x004027ed
0x004027f0
0x0040279b
0x0040279b
0x0040279f
0x004027a5
0x004027a5
0x00402709
0x00402709
0x00402709
0x00402714
0x0040271c
0x00000000
0x0040271c
0x00402703
0x004026fe
0x00402748
0x0040274c
0x0040274c
0x00402606
0x0040260c
0x0040260e
0x00402616
0x00402618
0x0040261f
0x00402643
0x00402646
0x0040264f
0x00402651
0x00000000
0x00402653
0x00402657
0x0040265d
0x00402661
0x00402664
0x00402667
0x00402809
0x00402809
0x0040281b
0x00402822
0x00000000
0x0040266d
0x00402674
0x00402680
0x00402684
0x00000000
0x00402684
0x00402667
0x00000000
0x00402630
0x00402630
0x00402633
0x00402637
0x00402637
0x00402643
0x0040260e
0x00000000
0x004026cc
0x00402694
0x00402694
0x00000000
0x00402694
0x00000000
0x00000000
0x00000000
0x004025cb
0x004025bf
0x004025b1
0x00402549
0x00402549
0x00402553
0x00402553
0x004023f0
0x004023f0
0x004023f4
0x004023f7
0x004023f9
0x00403158
0x00403158
0x00402470
0x00402473
0x00000000
0x00000000
0x0040247d
0x00402494
0x0040249f
0x004024a4
0x004024a8
0x004024ab
0x00000000
0x004024b1
0x004024b1
0x004024b4
0x00000000
0x004024ba
0x004024ba
0x004024e6
0x004024e6
0x004024b4
0x004024ab
0x00000000
0x00000000
0x00000000
0x00402347
0x00000000
0x0040234d
0x0040234d
0x00402350
0x00402354
0x00402354
0x00402358
0x0040235b
0x00402360
0x00402363
0x00402366
0x004024f5
0x004024f8
0x00000000
0x0040236c
0x00402374
0x00402382
0x00402386
0x0040238d
0x00402397
0x004023a0
0x004023a5
0x004023a9
0x004023b0
0x004023bc
0x004023be
0x004023c1
0x004024fd
0x004024fd
0x00402515
0x00000000
0x004023c7
0x004023c7
0x004023cb
0x004023ce
0x00402420
0x00402423
0x00000000
0x00402425
0x0040242c
0x00402432
0x0040243c
0x0040243f
0x00402445
0x00402447
0x00000000
0x00402449
0x00402458
0x00000000
0x00402458
0x00402447
0x004023d0
0x004023d0
0x004023d0
0x004023d0
0x004023d0
0x00000000
0x004023ce
0x004023c1
0x00402366
0x004022fd
0x004022fd
0x0040230c
0x0040230c
0x00000000

APIs

__iob_func.MSVCRT ref: 004022B7
VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004023BC
VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004023E5

Strings

Mingw-w64 runtime failure:, xrefs: 00402297
Address %p has no image-section, xrefs: 004022E7

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: QueryVirtual$__iob_func
String ID: Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 830446740-3215938747
Opcode ID: 11f8344743db9335b068c0ccbe57145f8aff73dab604a69fde55688215150dbb
Instruction ID: 3443046c56344b1f3eb48678ed28b2076be9aadf8acb61c7a92a91f5610818b4
Opcode Fuzzy Hash: 11f8344743db9335b068c0ccbe57145f8aff73dab604a69fde55688215150dbb
Instruction Fuzzy Hash: 7B01A232604B4860D610AB53B84179ABF28A79E7D4F584136FE4827B96DA3CC286C704

Uniqueness

Uniqueness Score: -1.00%

Function 00401A37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
registryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00401A37(long long __rax) {
				int _t2;
				void* _t5;
				void* _t6;
				void* _t7;

				 *0x44aa00 = 0x30;
				 *0x44aa04 = 2;
				 *0x44aa08 = 5;
				 *0x44aa0c = 0;
				 *0x44aa10 = 0;
				 *0x44aa14 = 0;
				 *0x44aa18 = 0;
				_t2 = RegisterServiceCtrlHandlerA(??, ??);
				 *0x44a9f0 = __rax;
				if(__rax != 0) {
					_t2 = E00401955(_t5, _t6, _t7, __rax);
					ExitProcess(??);
				}
				return _t2;
			}

0x00401a3b
0x00401a45
0x00401a56
0x00401a60
0x00401a71
0x00401a7b
0x00401a85
0x00401a8f
0x00401a98
0x00401a9f
0x00401aa3
0x00401aaa
0x00401aaa
0x00401ab5

APIs

RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00401A8F

Part of subcall function 00401955: GetTickCount.KERNEL32 ref: 00401959
Part of subcall function 00401955: CreateThread.KERNEL32 ref: 004019E2

ExitProcess.KERNEL32 ref: 00401AAA

Strings

DceRpcSs, xrefs: 00401A6A

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: CountCreateCtrlExitHandlerProcessRegisterServiceThreadTick
String ID: DceRpcSs
API String ID: 1761743205-292928688
Opcode ID: fc4bbc9d8fc1c0ceaeb450da0adfbc9aab21f16672a555df5927c8beef1b4582
Instruction ID: 20e1aff3e82d261fe453e2693d5f26814d49d4f5a2d736e4db67f184d88fd4fa
Opcode Fuzzy Hash: fc4bbc9d8fc1c0ceaeb450da0adfbc9aab21f16672a555df5927c8beef1b4582
Instruction Fuzzy Hash: 44F0ACF024674096F705DF21FE5931637A0B708306F808519C20A667A1DBBD8169CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402FC0 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00402FE7
free.MSVCRT ref: 00403038
LeaveCriticalSection.KERNEL32 ref: 00403044

Memory Dump Source

Source File: 00000000.00000002.306397768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.306389065.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306405463.0000000000404000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306465026.0000000000447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.306475955.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8082-svc-x64.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 545c16c45322939c092fb185b0bc4a33db0f94b8ff8325428ca366f3d2b44c77
Instruction ID: 685eacec7b8a546341f4a75773148f97976bdf31423b58f8f8462ecc0cb59cc8
Opcode Fuzzy Hash: 545c16c45322939c092fb185b0bc4a33db0f94b8ff8325428ca366f3d2b44c77
Instruction Fuzzy Hash: 07017CF1302B0082EF18CF51E89032A27A8E798B91F558836CA09933A4DB3CCA95C349

Uniqueness

Uniqueness Score: -1.00%

Source: 8082-svc-x64.exe	ReversingLabs: Detection: 80%
Source: 8082-svc-x64.exe	Virustotal: Detection: 68%			Perma Link

Source: 8082-svc-x64.exe, type: SAMPLE	Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8082-svc-x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 8082-svc-x64.exePID: 6108, Parent PID: 3528

General

Chronological Activities

Disassembly

Analysis Process: 8082-svc-x64.exePID: 6108, Parent PID: 3528COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 00401180 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 187sleeplibrarystringCOMMON

Control-flow Graph

Function 00403382 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Control-flow Graph

Function 00403390 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Windows Analysis Report
8082-svc-x64.exe

Function 00401180 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 187
sleeplibrarystringCOMMON

Function 00403382 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Function 00403390 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Function 00402DD0 Relevance: 12.0, APIs: 8, Instructions: 50
COMMON

Function 00402D00 Relevance: 7.6, APIs: 5, Instructions: 53
timethreadCOMMON

Function 004022E0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 167
COMMON

Function 00401955 Relevance: 17.5, APIs: 2, Strings: 8, Instructions: 28
threadCOMMON

Function 00401F20 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121
COMMON

Function 00401628 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 70
processCOMMON

Function 00402530 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 203
memoryCOMMON

Function 00401C70 Relevance: 7.6, APIs: 5, Instructions: 98
COMMON

Function 00402180 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
COMMON

Function 00402202 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
COMMON

Function 00402210 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
COMMON

Function 00402B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
libraryCOMMON

Function 00402270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Function 00401A37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
registryCOMMON