Windows Analysis Report
V5VGF7qJK1.exe

Overview

General Information

Sample name:V5VGF7qJK1.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:acb4da6a31d70d4e9c12e343bc4bab44aebbd6b6ef2bbac8664fc3f61c5eaa1f
Analysis ID:1467973
MD5:1f060b61b43241a2e5e52c422121aedb
SHA1:baa7350b232458d27f748a23a9a573c86fa4c518
SHA256:acb4da6a31d70d4e9c12e343bc4bab44aebbd6b6ef2bbac8664fc3f61c5eaa1f

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

  • System is w10x64
  • V5VGF7qJK1.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\V5VGF7qJK1.exe" MD5: 1F060B61B43241A2E5E52C422121AEDB)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: V5VGF7qJK1.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: V5VGF7qJK1.exe | Binary string: D:\a\1\s\Recognizer\out\build\x64-release\bin\RelWithDebInfo\storestub.pdbGCTL
Source: V5VGF7qJK1.exe | Binary string: D:\a\1\s\Recognizer\out\build\x64-release\bin\RelWithDebInfo\storestub.pdb
Source: classification engine | Classification label: clean2.winEXE@1/0@0/0
Source: V5VGF7qJK1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Section loaded: kernel.appcore.dll
Source: V5VGF7qJK1.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: V5VGF7qJK1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: V5VGF7qJK1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: V5VGF7qJK1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: V5VGF7qJK1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: V5VGF7qJK1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: V5VGF7qJK1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: V5VGF7qJK1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: V5VGF7qJK1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: V5VGF7qJK1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: V5VGF7qJK1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: V5VGF7qJK1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: V5VGF7qJK1.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | API coverage: 2.5 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Code function: 0_2_00007FF7E7C217B4 IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Code function: 0_2_00007FF7E7C212B4 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Code function: 0_2_00007FF7E7C21998 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\V5VGF7qJK1.exe | Code function: 0_2_00007FF7E7C21688 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
MITRE ATT&CK matrix (matched techniques only; all other cells of the matrix are unmatched placeholders)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (1), System Information Discovery (2)
Source | Detection | Scanner | Label | Link
V5VGF7qJK1.exe | 0% | ReversingLabs | |
V5VGF7qJK1.exe | 1% | Virustotal | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467973
Start date and time:2024-07-05 07:42:43 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 4
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
No simulations
No context
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):5.331822253181735
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:V5VGF7qJK1.exe
File size:22'016 bytes
MD5:1f060b61b43241a2e5e52c422121aedb
SHA1:baa7350b232458d27f748a23a9a573c86fa4c518
SHA256:acb4da6a31d70d4e9c12e343bc4bab44aebbd6b6ef2bbac8664fc3f61c5eaa1f
SHA512:8d749c8d80316e3f133df9a04fd76533fd81793f769930fb04cc80f938c4a3a5d5621a688ab69257ae615e17115766ef1c83e7589ffe474583efe49b06945a2a
SSDEEP:384:4D0xGQSlPGwnXcUdLqMardFOYfcO5w/qejhi:2aHqONmtEOScOqjh
TLSH:D7A21A007ADD64E6D42AC379C4621EC6B576F2128353EACF13B845791E617C26E7E382
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[............l.......l.......l.........[...............................7.............Rich............PE..d...UW.d.........."
Icon Hash:90cececece8e8eb0
Entrypoint:0x1400012a0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x64E95755 [Sat Aug 26 01:37:25 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:0a7f8ff11eef0a44ecc77fa7d375147b
Instruction (entry point 0x1400012a0, decoded as x86-64; the 0x48/0x40 REX prefixes read as dec eax / inc eax only when the bytes are decoded as 32-bit code)
sub rsp, 28h
call 00007F7CD5094094h                 ; __security_init_cookie
add rsp, 28h
jmp 00007F7CD5093B2Fh                  ; __scrt_common_main
int3
int3
push rbx                               ; 0_2_00007FF7E7C212B4: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
sub rsp, 20h
mov rbx, rcx
xor ecx, ecx
call qword ptr [rip+2D5Bh]             ; SetUnhandledExceptionFilter(NULL)
mov rcx, rbx
call qword ptr [rip+2D4Ah]             ; UnhandledExceptionFilter
call qword ptr [rip+2D54h]             ; GetCurrentProcess
mov rcx, rax
mov edx, C0000409h                     ; STATUS_STACK_BUFFER_OVERRUN
add rsp, 20h
pop rbx
jmp qword ptr [rip+2D48h]              ; TerminateProcess
int3
int3
int3
int3
int3
int3
int3
int3
mov qword ptr [rsp+08h], rcx           ; 0_2_00007FF7E7C212F0: /GS cookie failure reporting
sub rsp, 38h
mov ecx, 00000017h                     ; PF_FASTFAIL_AVAILABLE
call qword ptr [rip+2D34h]             ; IsProcessorFeaturePresent
test eax, eax
je 00007F7CD5093CB9h
mov ecx, 00000002h                     ; FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
int 29h                                ; __fastfail
lea rcx, [rip+5DDAh]
call 00007F7CD5093D5Eh
mov rax, qword ptr [rsp+38h]
mov qword ptr [rip+5EC1h], rax
lea rax, [rsp+38h]
add rax, 08h
mov qword ptr [rip+5E51h], rax
mov rax, qword ptr [rip+5EAAh]
mov qword ptr [rip+5D1Bh], rax
mov rax, qword ptr [rsp+40h]
mov qword ptr [rip+5E1Fh], rax
mov dword ptr [rip+5CF5h], C0000409h
mov dword ptr [rip+5CEFh], 00000001h
mov dword ptr [rip+000000F9h], 00000000h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x59a8 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x8000 | 0x2f4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb000 | 0x128 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5350 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5210 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x1e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2290 | 0x2400 | 02422cd6bdd6e9f68ff74fc05cc8a7f0 | False | 0.5576171875 | data | 6.226656896731465 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x20fa | 0x2200 | e04a5d2c9da360cad29f49c39037087e | False | 0.34191176470588236 | data | 4.13103343904437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x7b0 | 0x200 | e1cee86499eb7457d6fa7df6c6d2dd40 | False | 0.10546875 | data | 0.5312757255588308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x8000 | 0x2f4 | 0x400 | 928001126e3a90223d8cc2f76e9f5ade | False | 0.408203125 | data | 3.1548490313257522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x9000 | 0x15c | 0x200 | b027b864e058c67acfe3d3a43ef9fa1d | False | 0.39453125 | data | 2.7535115800861174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x1e0 | 0x200 | 101f04294dcfeea9dfe10d3c920461d9 | False | 0.529296875 | data | 4.701503258251789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb000 | 0x128 | 0x200 | 699ce52536ff85999d8a239df304a2db | False | 0.458984375 | data | 3.512692637982123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
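The static findings in this report (DLL characteristics, image base, link timestamp, which section each data directory lands in, the non-standard "_RDATA" section name, absence of an Authenticode directory) all come from the PE headers alone. The following is an added example, not part of the report or of the sample's own code: a stdlib-only PE32+ header parser that reproduces those checks. The image it runs on is constructed from this report's header values (headers only, no section bodies); the STANDARD_SECTIONS list and the output field names are the example's own choices.

```python
"""Header-level PE32+ triage: mitigation flags, link timestamp,
data-directory -> section mapping, non-standard section names, Authenticode presence.
Stdlib only. The sample image is constructed from the header values in this report."""
import struct
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Section names link.exe emits by default (example's own list); anything else gets flagged,
# which is how "_RDATA" ends up in the non-standard-section signature.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".gfids", ".00cfg"}


def parse_pe64(data):
    """Parse the DOS stub pointer, COFF header, PE32+ optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    directories = [(DIRECTORY_NAMES[i],) + struct.unpack_from("<II", data, opt + 112 + 8 * i)
                   for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsections):
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return {"machine": machine, "timestamp": timestamp, "file_characteristics": file_chars,
            "entry_point": entry, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "directories": directories, "sections": sections}


def triage(data):
    """Reproduce the report's static header checks on top of parse_pe64()."""
    pe = parse_pe64(data)

    def section_of(rva):
        for name, va, vsize, _ in pe["sections"]:
            if va <= rva < va + vsize:
                return name
        return None

    return {
        "link_time_utc": datetime.fromtimestamp(pe["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "mitigations": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit],
        "high_image_base": pe["image_base"] > 0x60000000,
        # SECURITY holds a file offset rather than an RVA, so only its presence is checked.
        "authenticode_present": any(n == "SECURITY" and size for n, _, size in pe["directories"]),
        "directory_sections": {n: section_of(va) for n, va, size in pe["directories"] if size and n != "SECURITY"},
        "nonstandard_sections": [s[0] for s in pe["sections"] if s[0] not in STANDARD_SECTIONS],
    }


def build_sample_pe64():
    """Constructed header-only PE32+ image carrying this report's header values."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0xF8)                     # e_lfanew
    buf[0xF8:0xFC] = b"PE\0\0"
    # AMD64, 7 sections, TimeDateStamp 0x64E95755, 240-byte optional header,
    # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", buf, 0xFC, 0x8664, 7, 0x64E95755, 0, 0, 240, 0x0022)
    opt = 0x110
    struct.pack_into("<H", buf, opt, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", buf, opt + 16, 0x12A0)               # AddressOfEntryPoint
    struct.pack_into("<Q", buf, opt + 24, 0x140000000)          # ImageBase
    struct.pack_into("<HHHHHH", buf, opt + 40, 6, 0, 6, 0, 6, 0)  # OS / image / subsystem versions
    struct.pack_into("<HH", buf, opt + 68, 2, 0xC160)           # WINDOWS_GUI, DllCharacteristics
    struct.pack_into("<I", buf, opt + 108, 16)                  # NumberOfRvaAndSizes
    dirs = {"IMPORT": (0x59A8, 0xA0), "RESOURCE": (0xA000, 0x1E0), "EXCEPTION": (0x8000, 0x2F4),
            "BASERELOC": (0xB000, 0x128), "DEBUG": (0x5350, 0x54),
            "LOAD_CONFIG": (0x5210, 0x140), "IAT": (0x4000, 0x1E0)}
    for i, name in enumerate(DIRECTORY_NAMES):
        struct.pack_into("<II", buf, opt + 112 + 8 * i, *dirs.get(name, (0, 0)))
    sections = [(".text", 0x1000, 0x2290, 0x60000020), (".rdata", 0x4000, 0x20FA, 0x40000040),
                (".data", 0x7000, 0x7B0, 0xC0000040), (".pdata", 0x8000, 0x2F4, 0x40000040),
                ("_RDATA", 0x9000, 0x15C, 0x40000040), (".rsrc", 0xA000, 0x1E0, 0x40000040),
                (".reloc", 0xB000, 0x128, 0x42000040)]
    for i, (name, va, vsize, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", buf, opt + 240 + 40 * i,
                         name.encode().ljust(8, b"\0"), vsize, va, 0, 0, 0, 0, 0, 0, chars)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe64()).items():
        print(f"{key}: {value}")
```

To run it on a real file, replace build_sample_pe64() with the file's bytes; the same offsets apply to any PE32+ image. Note that the mitigation flags only say what the linker requested; GUARD_CF, for instance, is honoured by the loader only when the load-config directory is present and well-formed, which is why the report lists IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG separately.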
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xa060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, GetLastError, SetLastError, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW
api-ms-win-crt-runtime-l1-1-0.dll | _cexit, _c_exit, _register_thread_local_exe_atexit_callback, exit, _get_narrow_winmain_command_line, _initterm_e, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _initialize_narrow_environment, _configure_narrow_argv, _exit, abort, _initterm, _seh_filter_exe, _set_app_type
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, free, calloc
api-ms-win-crt-string-l1-1-0.dll | wcsncmp
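Two things a reader will want to do with the import table above: recompute the Import Hash shown in the file details, and decide whether the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature means anything. Every KERNEL32 import listed is part of the vcruntime startup and fail-fast path (the 0_2_00007FF7E7C217B4 function calls IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind and then IsDebuggerPresent before SetUnhandledExceptionFilter / UnhandledExceptionFilter, which is the __scrt_fastfail sequence), so the debugger check is compiler boilerplate. The following is an added example, not code from the report or the sample's project: the imphash normalisation used by pefile (ordinal-import name resolution is omitted), plus a context check for IsDebuggerPresent. REPORT_IMPORTS is transcribed from the table above; the CRT_STARTUP_APIS and ANTI_DEBUG_APIS sets and the result labels are the example's own assumptions.

```python
"""Import-table triage: imphash from a (dll, function) list, and a check for whether an
IsDebuggerPresent import is explained by MSVC CRT startup code. Stdlib only."""
import hashlib

# KERNEL32 functions the vcruntime startup / __scrt_fastfail path imports (example's own list).
CRT_STARTUP_APIS = {
    "IsProcessorFeaturePresent", "RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
    "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
    "GetCurrentProcess", "TerminateProcess", "QueryPerformanceCounter", "GetCurrentProcessId",
    "GetCurrentThreadId", "GetSystemTimeAsFileTime", "InitializeSListHead", "GetStartupInfoW",
    "GetModuleHandleW", "RtlUnwindEx", "GetLastError", "SetLastError", "DeleteCriticalSection",
    "InitializeCriticalSectionAndSpinCount", "TlsAlloc", "TlsGetValue", "TlsSetValue", "TlsFree",
    "FreeLibrary", "GetProcAddress", "LoadLibraryExW",
}
# Imports that point to deliberate anti-debugging rather than CRT boilerplate (example's own list).
ANTI_DEBUG_APIS = {
    "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "OutputDebugStringA",
    "OutputDebugStringW", "NtSetInformationThread", "DebugActiveProcess",
}

# Transcribed from this report's import table, in the order listed.
REPORT_IMPORTS = [
    (dll, func.strip())
    for dll, funcs in {
        "KERNEL32.dll": "RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, "
                        "UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, "
                        "TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, "
                        "GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, "
                        "InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, "
                        "RtlUnwindEx, GetLastError, SetLastError, DeleteCriticalSection, "
                        "InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, "
                        "TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW",
        "api-ms-win-crt-runtime-l1-1-0.dll": "_cexit, _c_exit, _register_thread_local_exe_atexit_callback, "
                        "exit, _get_narrow_winmain_command_line, _initterm_e, _initialize_onexit_table, "
                        "_register_onexit_function, _crt_atexit, terminate, _initialize_narrow_environment, "
                        "_configure_narrow_argv, _exit, abort, _initterm, _seh_filter_exe, _set_app_type",
        "api-ms-win-crt-math-l1-1-0.dll": "__setusermatherr",
        "api-ms-win-crt-stdio-l1-1-0.dll": "__p__commode, _set_fmode",
        "api-ms-win-crt-locale-l1-1-0.dll": "_configthreadlocale",
        "api-ms-win-crt-heap-l1-1-0.dll": "_set_new_mode, free, calloc",
        "api-ms-win-crt-string-l1-1-0.dll": "wcsncmp",
    }.items()
    for func in funcs.split(",")
]


def imphash_string(imports):
    """'dll.func' entries lower-cased, extension stripped, joined by commas (pefile's normalisation)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 over the normalised import string; order must match the on-disk import directory."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def debugger_check_context(imports):
    """Classify an IsDebuggerPresent import by the company it keeps."""
    funcs = {f for _, f in imports}
    if "IsDebuggerPresent" not in funcs:
        return "no-debugger-check"
    if funcs & ANTI_DEBUG_APIS:
        return "anti-debug-imports"
    kernel32 = {f for d, f in imports if d.lower() == "kernel32.dll"}
    if kernel32 <= CRT_STARTUP_APIS:
        return "crt-startup-only"
    return "review-manually"


if __name__ == "__main__":
    print("imphash:", imphash(REPORT_IMPORTS))
    print("IsDebuggerPresent context:", debugger_check_context(REPORT_IMPORTS))
```

Because the import set is nothing but CRT startup code, the imphash of a stub like this is shared with many other unremarkable MSVC builds; it is a poor pivot for hunting, and the debug-directory PDB path (storestub.pdb under the Recognizer build tree) is the more specific artefact in this report.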
Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID:0
Start time:01:43:28
Start date:05/07/2024
Path:C:\Users\user\Desktop\V5VGF7qJK1.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\V5VGF7qJK1.exe"
Imagebase:0x7ff7e7c20000
File size:22'016 bytes
MD5 hash:1F060B61B43241A2E5E52C422121AEDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:8.3%
    Total number of Nodes:144
    Total number of Limit Nodes:1
    Execution graph (interactive rendering; node and edge dump omitted). The graph covers the MSVC CRT startup and fail-fast paths: __scrt_initialize_crt, __scrt_dllmain_crt_thread_attach, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_get_show_window_mode, _initialize_onexit_table, _register_thread_local_exe_atexit_callback, _get_narrow_winmain_command_line, _cexit, _exit, _seh_filter_exe, terminate, _RTC_Initialize, __vcrt_InitializeCriticalSectionEx, __vcrt_uninitialize_locks, _IsNonwritableInCurrentImage and __except_validate_context_record, with KERNEL32 calls to IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetModuleHandleW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsFree, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, RtlUnwindEx and free.

    Callgraph

    Callgraph (interactive rendering; 108 function nodes from Function_00007FF7E7C21000 to Function_00007FF7E7C2913B and their call edges omitted).

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1623914674.00007FF7E7C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E7C20000, based on PE: true
    • Associated: 00000000.00000002.1623901567.00007FF7E7C20000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1623928435.00007FF7E7C24000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1623942439.00007FF7E7C28000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e7c20000_V5VGF7qJK1.jbxd
    Similarity
    • API ID: __scrt_acquire_startup_lock, __scrt_dllmain_crt_thread_attach, __scrt_get_show_window_mode, __scrt_initialize_crt, __scrt_release_startup_lock, _cexit, _exit, _get_narrow_winmain_command_line, _register_thread_local_exe_atexit_callback
    • String ID:
    • API String ID: 2422930594-0
    • Opcode ID: c12ba577349f14bf3de623afeccd9f9ed67a9b509a4bc3f3f4162b53bf3e297f
    • Instruction ID: 9a0e1dd672823225b36b0d1b436ed401f5f96d02abb1df309ff60e3b2de1a7f9
    • Opcode Fuzzy Hash: c12ba577349f14bf3de623afeccd9f9ed67a9b509a4bc3f3f4162b53bf3e297f
    • Instruction Fuzzy Hash: AF310710E88DC786EB14BB65D4513B9929D9F41784FC44137EA6E4B2F3DE3DA9078232

    Control-flow Graph

    APIs
    Memory Dump Source: as above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e7c20000_V5VGF7qJK1.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 3140674995-0
    • Opcode ID: 4dbf8cf4ac7298cee6e4abd22a63f03b4808eaaaa7e9403d1e09ecb8078d4916
    • Instruction ID: 2b6a408db47e893330f28f59f3cd6c7c5bf272d10a6cd4d0e15a0699f23eeb50
    • Opcode Fuzzy Hash: 4dbf8cf4ac7298cee6e4abd22a63f03b4808eaaaa7e9403d1e09ecb8078d4916
    • Instruction Fuzzy Hash: 96315272645FC1C6EB60AF60E8407EDB368FB84744F84403ADA5D47A98DF38D649C725
    Memory Dump Source: as above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e7c20000_V5VGF7qJK1.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 690a4080002b2268773b5ca1581736de77755f809fb4d50db68104c7fa7567af
    • Instruction ID: 8d3b0d5aa0e342520c1d921df2df3f3e500429a7d0cb39ba1eab2f2ee568b038
    • Opcode Fuzzy Hash: 690a4080002b2268773b5ca1581736de77755f809fb4d50db68104c7fa7567af
    • Instruction Fuzzy Hash: 3BA00121999D82D2E744EB00E851620A23DBB54341B940132D12D410B4DF3CAA428622

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?,00007FF7E7C2280A,?,?,?,00007FF7E7C224FC,?,?,00000001,00007FF7E7C21E51), ref: 00007FF7E7C225DD
    • GetLastError.KERNEL32(?,?,?,00007FF7E7C2280A,?,?,?,00007FF7E7C224FC,?,?,00000001,00007FF7E7C21E51), ref: 00007FF7E7C225EB
    • LoadLibraryExW.KERNEL32(?,?,?,00007FF7E7C2280A,?,?,?,00007FF7E7C224FC,?,?,00000001,00007FF7E7C21E51), ref: 00007FF7E7C22615
    • FreeLibrary.KERNEL32(?,?,?,00007FF7E7C2280A,?,?,?,00007FF7E7C224FC,?,?,00000001,00007FF7E7C21E51), ref: 00007FF7E7C2265B
    • GetProcAddress.KERNEL32(?,?,?,00007FF7E7C2280A,?,?,?,00007FF7E7C224FC,?,?,00000001,00007FF7E7C21E51), ref: 00007FF7E7C22667
    Strings
    Memory Dump Source: as above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e7c20000_V5VGF7qJK1.jbxd
    Similarity
    • API ID: Library$Load$AddressErrorFreeLastProc
    • String ID: api-ms-
    • API String ID: 2559590344-2084034818
    • Opcode ID: 3f542797cf39825d4e984c96133b38e0b48a114e7c96576ae85bd320eed8e479
    • Instruction ID: 715f6985c6875af88c0b301927ce7a1bcf9e0bd7f99d0faa7299b5ab45d3cb3a
    • Opcode Fuzzy Hash: 3f542797cf39825d4e984c96133b38e0b48a114e7c96576ae85bd320eed8e479
    • Instruction Fuzzy Hash: E3319322A5EE8291EB15BB11F400775A29CFF44BA0F9A0536DD2D063A0DE3CE4568326

    Control-flow Graph

    control_flow_graph for 7ff7e7c21c50 (interactive rendering; basic-block and edge dump omitted): blocks 7ff7e7c21c50 through 7ff7e7c21e46, calling 7ff7e7c22334 on entry and 7ff7e7c22300, RtlUnwindEx, 7ff7e7c22330 and 7ff7e7c230e0 on the unwind path.
    APIs
    Strings
    Memory Dump Source: as above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff7e7c20000_V5VGF7qJK1.jbxd
    Similarity
    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
    • String ID: csm$f
    • API String ID: 2395640692-629598281
    • Opcode ID: fabfc63b26c32b8af0229a184c4d385c90bce7646b15be9cf304f03efa56a3c8
    • Instruction ID: fa5d714c3f330c34d17e42974a1ded00d9959f017ef2f79dd544dae3b9d754d7
    • Opcode Fuzzy Hash: fabfc63b26c32b8af0229a184c4d385c90bce7646b15be9cf304f03efa56a3c8
    • Instruction Fuzzy Hash: 4B51A032A49A82C7DB15EF15E804B69B79DFB40B98F918132DE2E43758DF38E942C711