Edit tour
Windows
Analysis Report
courtyardhealthcare.com.exe
Overview
General Information
| Sample name: | courtyardhealthcare.com.exe |
| Analysis ID: | 1644317 |
| MD5: | 310c935a189ca01dcee92d9c002f3330 |
| SHA1: | 50f3d06b47390dabaa08089c102dcb71cd59461b |
| SHA256: | ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67 |
| Tags: | ClickFixcourtyardhealthcare-comexeFakeCaptchauser-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Enables security privileges
Program does not show much activity (idle)
Classification
- System is w10x64
courtyardhealthcare.com.exe (PID: 1432 cmdline: "C:\Users\ user\Deskt op\courtya rdhealthca re.com.exe " MD5: 310C935A189CA01DCEE92D9C002F3330)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Binary or memory string: | memstr_35115f96-3 | |
| Source: | Static PE information: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00007FF6AD0B6140 | |
| Source: | Code function: | 0_2_00007FF6AD0EC6C0 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6AD0B1350 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Code function: | 0_2_00007FF6AD0B1350 | |
| Source: | Code function: | 0_2_00007FF6AD0B13B0 | |
| Source: | Code function: | 0_2_00007FF6AD0B1350 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF6AD845948 | |
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 21% | Virustotal | Browse | ||
| 22% | ReversingLabs | Win64.Trojan.SpywareX | ||
| 100% | Avira | TR/Spy.Agent.tqqzu |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 139.180.160.173 | unknown | United States | 20473 | AS-CHOOPAUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1644317 |
| Start date and time: | 2025-03-20 13:40:28 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 20s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | courtyardhealthcare.com.exe |
| Detection: | MAL |
| Classification: | mal64.evad.winEXE@1/0@0/1 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, s ppsvc.exe, SIHClient.exe, Sgrm Broker.exe, conhost.exe, svcho st.exe - Excluded IPs from analysis (wh
itelisted): 20.109.210.53, 184 .31.69.3 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , ctldl.windowsupdate.com, c.p ki.goog, fe3cr.delivery.mp.mic rosoft.com - Execution Graph export aborted
for target courtyardhealthcar e.com.exe, PID 1432 because th ere are no executed function - Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 139.180.160.173 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | HTMLPhisher | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| AS-CHOOPAUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Okiru | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.717739174634944 |
| TrID: |
|
| File name: | courtyardhealthcare.com.exe |
| File size: | 11'413'504 bytes |
| MD5: | 310c935a189ca01dcee92d9c002f3330 |
| SHA1: | 50f3d06b47390dabaa08089c102dcb71cd59461b |
| SHA256: | ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67 |
| SHA512: | ca231956a44fdd54d7b0a82dbc3d17305c39f0df164977897454d71ab3d08f72724278b90116e12827312be30d8f9eedf66774aa06d98d00f9246e0e712fa2de |
| SSDEEP: | 196608:SEKWiSU1vNkknXpoCDRUwtSATBWQlp5c266bm:KWiptKknXpoCDCwtSATBWQlp5c2x |
| TLSH: | 77B6AE5AA2B800D9D4BBC178CA5A9617E771741D03F057EB26A096F52F23BE07E3B740 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......!..Ee...e...e.......r...........tO~.l...tO..q...tO..k...tO..........G....L......e...[.......d.......v...e........O.......O..... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x1407952f0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67B9FD7C [Sat Feb 22 16:38:20 2025 UTC] |
| TLS Callbacks: | 0x40794a70, 0x1, 0x40795640, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 0dc0b4d7c2e6e0a3d7a894a55ea5045a |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F1830E1DEE4h |
| dec eax |
| add esp, 28h |
| jmp 00007F1830E1D70Fh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+10h], ebx |
| dec eax |
| mov dword ptr [esp+18h], esi |
| push ebp |
| push edi |
| inc ecx |
| push esi |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 10h |
| xor eax, eax |
| xor ecx, ecx |
| cpuid |
| inc esp |
| mov eax, ecx |
| inc esp |
| mov edx, edx |
| inc ecx |
| xor edx, 49656E69h |
| inc ecx |
| xor eax, 6C65746Eh |
| inc esp |
| mov ecx, ebx |
| inc esp |
| mov esi, eax |
| xor ecx, ecx |
| mov eax, 00000001h |
| cpuid |
| inc ebp |
| or edx, eax |
| mov dword ptr [ebp-10h], eax |
| inc ecx |
| xor ecx, 756E6547h |
| mov dword ptr [ebp-0Ch], ebx |
| inc ebp |
| or edx, ecx |
| mov dword ptr [ebp-08h], ecx |
| mov edi, ecx |
| mov dword ptr [ebp-04h], edx |
| jne 00007F1830E1D8EDh |
| dec eax |
| or dword ptr [002DE981h], FFFFFFFFh |
| and eax, 0FFF3FF0h |
| dec eax |
| mov dword ptr [002DE969h], 00008000h |
| cmp eax, 000106C0h |
| je 00007F1830E1D8BAh |
| cmp eax, 00020660h |
| je 00007F1830E1D8B3h |
| cmp eax, 00020670h |
| je 00007F1830E1D8ACh |
| add eax, FFFCF9B0h |
| cmp eax, 20h |
| jnbe 00007F1830E1D8B6h |
| dec eax |
| mov ecx, 00010001h |
| add dword ptr [eax], eax |
| add byte ptr [eax], al |
| dec eax |
| bt ecx, eax |
| jnc 00007F1830E1D8A6h |
| inc esp |
| mov eax, dword ptr [0031B8A7h] |
| inc ecx |
| or eax, 01h |
| inc esp |
| mov dword ptr [0031B89Ch], eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa677fc | 0xc8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb02000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xab3000 | 0x4e0c0 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb03000 | 0xeee0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9e1a10 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x9e1c00 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9e18d0 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x813000 | 0xa88 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x811640 | 0x811800 | b4d0263e5e4b0e966e9e2b438087a44f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x813000 | 0x256a3a | 0x256c00 | 68261aabe13895283a5e19eed8030359 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa6a000 | 0x488dc | 0x1cc00 | 1a1ee7d7293f9abbe6d00645d28e600f | False | 0.1604874320652174 | data | 4.848575646260079 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xab3000 | 0x4e0c0 | 0x4e200 | b932986a0d2b5f9d159c8da76f26ebe3 | False | 0.4862375 | data | 6.492490871740419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xb02000 | 0x1e0 | 0x200 | d2714ef1147a2cbbe247589769dea29a | False | 0.529296875 | data | 4.704363013479242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xb03000 | 0xeee0 | 0xf000 | b77fbc1304a60e5c5ba40075abcc09a1 | False | 0.26881510416666665 | data | 5.458176145315414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xb02060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| ole32.dll | CoInitialize, StgCreateDocfile, CoTaskMemFree, CoCreateInstance, CoUninitialize |
| USER32.dll | GetUserObjectInformationW, MessageBoxW, GetProcessWindowStation |
| WS2_32.dll | gethostname, __WSAFDIsSet, inet_ntop, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, WSAIoctl, inet_pton, sendto, recvfrom, getpeername, socket, listen, bind, accept, send, recv, getservbyname, getservbyport, gethostbyaddr, inet_ntoa, inet_addr, gethostbyname, getsockname, freeaddrinfo, getaddrinfo, shutdown, ntohs, WSASocketW, WSARecv, select, getsockopt, connect, WSAStringToAddressW, WSASend, WSAGetLastError, WSASetLastError, WSACleanup, WSAStartup, setsockopt, ntohl, htons, htonl, ioctlsocket, closesocket |
| bcrypt.dll | BCryptGenRandom |
| ADVAPI32.dll | CryptImportKey, RegOpenKeyExW, RegGetValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, SystemFunction036, CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, CryptEnumProvidersA, CryptAcquireContextW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptEncrypt, RegCloseKey, CryptDestroyKey |
| KERNEL32.dll | SignalObjectAndWait, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, DuplicateHandle, LoadLibraryExW, FreeLibraryAndExitThread, GetThreadTimes, GetCurrentThread, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, LCMapStringEx, GetCPInfo, CompareStringEx, DecodePointer, EncodePointer, CreateThread, GetThreadPriority, GetCurrentProcessorNumberEx, GetLogicalProcessorInformationEx, GetNumaHighestNodeNumber, GetThreadGroupAffinity, SetThreadGroupAffinity, GetProcessAffinityMask, ExitThread, ResumeThread, SetConsoleCtrlHandler, ExitProcess, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, SetStdHandle, GetLastError, FormatMessageA, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, LocalFree, CloseHandle, SetLastError, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, WaitForSingleObject, SleepEx, CreateEventW, SetWaitableTimer, WaitForMultipleObjects, QueueUserAPC, TerminateThread, InitializeCriticalSectionEx, CreateWaitableTimerW, LoadLibraryA, InitializeCriticalSection, Sleep, GetSystemInfo, VirtualFree, GetEnvironmentVariableW, GetCurrentDirectoryW, CreateFileW, DeleteFileW, FlushFileBuffers, GetFileAttributesW, GetFileInformationByHandle, GetFileTime, GetFullPathNameW, RemoveDirectoryW, SetEndOfFile, SetFileAttributesW, SetFilePointerEx, DeviceIoControl, GetWindowsDirectoryW, GetModuleHandleW, GetProcAddress, GetConsoleOutputCP, AreFileApisANSI, DeleteFileA, GetTempPathA, GetTempFileNameA, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetCurrentProcess, GetExitCodeProcess, GetNativeSystemInfo, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExA, CreateFileA, GetFileAttributesExA, LockFileEx, UnlockFileEx, FreeLibrary, LoadLibraryW, FindClose, ResetEvent, CreateEventA, GetTickCount, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, GetSystemTime, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetProcessHeap, GetCurrentProcessId, GetFileSize, UnlockFile, HeapDestroy, HeapCompact, HeapAlloc, HeapReAlloc, WaitForSingleObjectEx, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, HeapSize, HeapValidate, UnmapViewOfFile, CloseThreadpoolWait, GetTempPathW, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapFree, HeapCreate, ReadFile, RaiseException, TryEnterCriticalSection, GetCurrentThreadId, RtlVirtualUnwind, GetStdHandle, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, GetACP, ReleaseSemaphore, GetExitCodeThread, CreateSemaphoreA, GetSystemDirectoryA, TerminateProcess, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, FindFirstFileW, FindNextFileW, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, SetThreadPriority, GetFileSizeEx, CreateFileMappingA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, QueryPerformanceFrequency, GetSystemDirectoryW, GetEnvironmentVariableA, VerSetConditionMask, GetModuleHandleA, VerifyVersionInfoW, PeekNamedPipe, SetThreadpoolWait, CreateThreadpoolWait, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, CreateThreadpoolTimer, FreeLibraryWhenCallbackReturns, FlushProcessWriteBuffers, CreateSemaphoreExW, CreateEventExW, SetEnvironmentVariableW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, IsValidCodePage, WriteConsoleW, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, MoveFileExW, CreateMutexW, SwitchToThread, ReleaseSRWLockShared, AcquireSRWLockShared, TryAcquireSRWLockExclusive, SleepConditionVariableSRW, GetTickCount64, GetStringTypeW, WakeAllConditionVariable, GetLocaleInfoEx, FindFirstFileExW, FreeEnvironmentStringsW |
| OLEAUT32.dll | OleCreatePropertyFrame, SysAllocStringByteLen, SysStringByteLen, VariantClear, VariantInit, SysFreeString, SysAllocString |
| ntdll.dll | RtlPcToFileHeader, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlUnwind |
| CRYPT32.dll | CertGetCertificateChain, CertCloseStore, CertFindCertificateInStore, CertFreeCertificateContext, CertOpenSystemStoreW, CertOpenStore, CertEnumCertificatesInStore, CryptStringToBinaryW, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringW, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertFreeCertificateChain |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2025 13:41:22.126188040 CET | 49681 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:23.140393972 CET | 49681 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:25.156328917 CET | 49681 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:29.155961037 CET | 49681 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:37.171552896 CET | 49681 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:43.187727928 CET | 49687 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:44.202936888 CET | 49687 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:46.218553066 CET | 49687 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:50.234184027 CET | 49687 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:41:58.234900951 CET | 49687 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:09.250227928 CET | 49693 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:10.249780893 CET | 49693 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:12.249815941 CET | 49693 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:16.249840021 CET | 49693 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:24.249850035 CET | 49693 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:35.266072035 CET | 49695 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:36.281232119 CET | 49695 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:38.281209946 CET | 49695 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:42.281311035 CET | 49695 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:42:50.281150103 CET | 49695 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:01.297296047 CET | 49696 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:02.312419891 CET | 49696 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:04.312489033 CET | 49696 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:08.328099012 CET | 49696 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:16.328080893 CET | 49696 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:27.360472918 CET | 49697 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:28.374912024 CET | 49697 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:30.374923944 CET | 49697 | 7712 | 192.168.2.7 | 139.180.160.173 |
| Mar 20, 2025 13:43:34.390562057 CET | 49697 | 7712 | 192.168.2.7 | 139.180.160.173 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 08:41:20 |
| Start date: | 20/03/2025 |
| Path: | C:\Users\user\Desktop\courtyardhealthcare.com.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ad0b0000 |
| File size: | 11'413'504 bytes |
| MD5 hash: | 310C935A189CA01DCEE92D9C002F3330 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
