
Windows Analysis Report
forkes.exe

Overview

General Information

Sample name: forkes.exe
Analysis ID: 1670392
MD5: 8485570739880a38c395c9f6dc2b0e6a
SHA1: 0685095efe396f35b16a319fe597b525b282cdf1
SHA256: da4542157a8597812319be53ec1c659d907e735f2cb9247de10221a086588a44
Tags: exe, user-FelloBoiYuuka

Detection

Score: 22
Range: 0 - 100
Confidence: 80%

Signatures

Found API chain indicative of debugger detection
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • forkes.exe (PID: 5652 cmdline: "C:\Users\user\Desktop\forkes.exe" MD5: 8485570739880A38C395C9F6DC2B0E6A)
    • conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: forkes.exe | Static PE information: Number of sections: 17 > 10
Source: classification engine | Classification label: sus22.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: forkes.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\forkes.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\forkes.exe "C:\Users\user\Desktop\forkes.exe"
Source: C:\Users\user\Desktop\forkes.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\forkes.exe | Section loaded: apphelp.dll
Source: forkes.exe | Static PE information: section name: .xdata
Source: forkes.exe | Static PE information: section name: /4
Source: forkes.exe | Static PE information: section name: /19
Source: forkes.exe | Static PE information: section name: /31
Source: forkes.exe | Static PE information: section name: /45
Source: forkes.exe | Static PE information: section name: /57
Source: forkes.exe | Static PE information: section name: /70
Source: forkes.exe | Static PE information: section name: /81
Source: forkes.exe | Static PE information: section name: /92
Source: C:\Users\user\Desktop\forkes.exe | Code function: 0_2_00410649 push rsp; iretd 0_2_0041064A
Source: C:\Users\user\Desktop\forkes.exe | Code function: 0_2_0040EC51 pushfq ; ret 0_2_0040EC52
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed

Anti Debugging

Source: C:\Users\user\Desktop\forkes.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\forkes.exe | Code function: 0_2_004011B0 Sleep, Sleep, SetUnhandledExceptionFilter, GetStartupInfoA, 0_2_004011B0
Source: C:\Users\user\Desktop\forkes.exe | Code function: 0_2_004022C0 RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_004022C0
Source: C:\Users\user\Desktop\forkes.exe | Code function: 0_2_004021E0 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, 0_2_004021E0
ATT&CK matrix, matched techniques per tactic (number of matching signatures in parentheses; no technique matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1), Process Injection (1)
  • Defense Evasion: DLL Side-Loading (1), Process Injection (1), Virtualization/Sandbox Evasion (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (2)
Behavior Graph (ID: 1670392, Sample: forkes.exe, Start date: 21/04/2025, Architecture: WINDOWS, Score: 22): forkes.exe started conhost.exe; signature attached to forkes.exe: Found API chain indicative of debugger detection.

Source | Detection | Scanner | Label
forkes.exe | 4% | Virustotal |
forkes.exe | 3% | ReversingLabs |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1670392
Start date and time: 2025-04-21 17:31:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: forkes.exe
Detection: SUS
Classification: sus22.evad.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 4
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212, 184.29.183.29
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 5.14262458839677
TrID:
  • Win64 Executable Console (202006/5) 92.64%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • VXD Driver (31/22) 0.01%
File name: forkes.exe
File size: 132'859 bytes
MD5: 8485570739880a38c395c9f6dc2b0e6a
SHA1: 0685095efe396f35b16a319fe597b525b282cdf1
SHA256: da4542157a8597812319be53ec1c659d907e735f2cb9247de10221a086588a44
SHA512: 8f1a690d774c67e2d4a8a15d0a931ee7c912a4a52455e135780bda9e6692535911c860f650904316d7cc7f10078e54424cff9379810d84c94df96d89e6bb5632
SSDEEP: 1536:9IaY4fxFSsjydqmazXRcOZeWGENtGPRDAUvMFMQiNXRvA/rT+kiQQ9:9IaNLjxcVENtGPRDo2Ro/rAQQ9
TLSH: EDD31AD7BA94DD97DD15433845E68329133EF7D04B864B132E20A9360A23BD0BFD768A
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....oU`..........'...........................@.............................. .......T........ ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x401500
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp: 0x60556FE1 [Sat Mar 20 03:45:37 2021 UTC]
TLS Callbacks: 0x4023f0
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a3576ef3be25c8a4a63391be7baa3ec4
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00002F15h]
mov dword ptr [eax], 00000000h
call 00007EFE9CD8EE0Fh
call 00007EFE9CD8DDDAh
nop
nop
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
mov dword ptr [ebp+10h], ecx
cmp dword ptr [ebp+10h], 06h
jne 00007EFE9CD8E155h
dec eax
lea eax, dword ptr [000064DCh]
mov eax, dword ptr [eax]
lea edx, dword ptr [eax+01h]
mov eax, dword ptr [ebp+10h]
add eax, edx
jmp 00007EFE9CD8E147h
mov eax, 00000003h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp+10h], ecx
dec eax
mov dword ptr [ebp+18h], edx
call 00007EFE9CD8ED9Ah
jmp 00007EFE9CD8E152h
dec eax
lea eax, dword ptr [000064ACh]
mov eax, dword ptr [eax]
mov ecx, eax
call 00007EFE9CD8F7A8h
call 00007EFE9CD8F7ABh
mov edx, eax
dec eax
lea eax, dword ptr [00006495h]
mov dword ptr [eax], edx
dec eax
lea eax, dword ptr [0000648Ch]
mov eax, dword ptr [eax]
test eax, eax
je 00007EFE9CD8E150h
dec eax
lea eax, dword ptr [0000647Fh]
mov eax, dword ptr [eax]
cmp eax, 0Ah
jne 00007EFE9CD8E107h
mov ecx, 0000000Ah
call 00007EFE9CD8F773h
dec eax
mov eax, dword ptr [00006D4Fh]
call eax
dec eax
add eax, 60h
dec eax
mov ecx, eax
call 00007EFE9CD8F76Eh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8000 | 0x874 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x240 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa020 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8228 | 0x1d8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1d60 | 0x1e00 | 9755a67b5c38f60a57bc8af961b84895 | False | 0.5825520833333333 | data | 5.935759965292137 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x90 | 0x200 | fb953c0928b15e25558096dfae7f046e | False | 0.11328125 | data | 0.6340284493823642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x4000 | 0x7d0 | 0x800 | d09d2c918b549721a5c3211229fc9420 | False | 0.26171875 | data | 3.832450840484838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x5000 | 0x240 | 0x400 | 763a383b6bb798fc700b780c89d634e1 | False | 0.3330078125 | data | 2.492695937306695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x6000 | 0x200 | 0x200 | 4549e21e1c74076a546ad14ab85aeea3 | False | 0.478515625 | data | 3.9382644047902273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x7000 | 0xa70 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x874 | 0xa00 | e3cfb031bb64af1f255542b24fe304e1 | False | 0.30859375 | data | 3.549480342424801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x9000 | 0x68 | 0x200 | cc97298dcb493a65b195618dee1deb35 | False | 0.072265625 | data | 0.2672080280062829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa000 | 0x68 | 0x200 | 2bd5567299f63df2221729a367be7003 | False | 0.060546875 | data | 0.19743807838821048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0xb000 | 0x420 | 0x600 | e5b5e5228187d472b8a38420d59a01fe | False | 0.16471354166666666 | data | 1.1902002416599278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0xc000 | 0xbe7a | 0xc000 | 5b5dada3cbcfeb546ca4235faec99a83 | False | 0.39385986328125 | data | 5.961946733536635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31 | 0x18000 | 0x1a3c | 0x1c00 | 46a6d791529dca13c85fa94a1936fa1d | False | 0.23465401785714285 | data | 4.478882777167657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45 | 0x1a000 | 0x19b5 | 0x1a00 | 6a5c0524da4930a6af8245032f527560 | False | 0.3348858173076923 | data | 5.633836454546328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57 | 0x1c000 | 0xae0 | 0xc00 | c8a638bc27deeb3d569e9bd4ba3ec6b8 | False | 0.3232421875 | data | 3.9981487255946626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70 | 0x1d000 | 0x300 | 0x400 | 6fbf4551012e4d090b9f6b805c4bb8d9 | False | 0.36328125 | data | 4.203682850575412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81 | 0x1e000 | 0x2c04 | 0x2e00 | 1abb8199baa6efb2a3eda8df66dbbabb | False | 0.20108695652173914 | data | 2.244851133120261 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92 | 0x21000 | 0x520 | 0x600 | c792483200c7bd47e0810b5db34918c1 | False | 0.20963541666666666 | data | 1.3849517103723048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL | Import
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery
msvcrt.dll | __C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _lock, _onexit, _unlock, abort, calloc, exit, fflush, fprintf, free, fwrite, getchar, malloc, memcpy, printf, putchar, signal, strlen, strncmp, vfprintf
USER32.dll | MessageBoxA
No network behavior found
Target ID: 0
Start time: 11:32:16
Start date: 21/04/2025
Path: C:\Users\user\Desktop\forkes.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\forkes.exe"
Imagebase: 0x400000
File size: 132'859 bytes
MD5 hash: 8485570739880A38C395C9F6DC2B0E6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 11:32:16
Start date: 21/04/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff642da0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Execution Graph

Execution Coverage: 10.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 22.9%
Total number of Nodes: 96
Total number of Limit Nodes: 3

Callgraph

Executed Functions

Memory Dump Source
  • Source File: 00000000.00000002.2263967093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.2263912991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264016291.0000000000404000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264062740.0000000000408000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264109768.000000000040B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_forkes.jbxd
Similarity
  • API ID: ExceptionFilterInfoSleepStartupUnhandled
  • String ID: (z@$0p@$0z@
  • API String ID: 2839300629-1184389195
  • Opcode ID: 013227f148234dfd7fc7b890683df697662211ffc69753b55119e7d8c126c7bd
  • Instruction ID: 26a586db46de6d11c516d36740011c36e5193a1d63fa6891b216a5215f8ac1d4
  • Opcode Fuzzy Hash: 013227f148234dfd7fc7b890683df697662211ffc69753b55119e7d8c126c7bd
  • Instruction Fuzzy Hash: CC71CDB270064086EB159F26E99072A3361B789B88F84813AEF09777F1DF7CD841C709

Non-executed Functions

APIs
  • RtlCaptureContext.KERNEL32 ref: 004022D4
  • RtlLookupFunctionEntry.KERNEL32 ref: 004022EB
  • RtlVirtualUnwind.KERNEL32 ref: 0040232D
  • SetUnhandledExceptionFilter.KERNEL32 ref: 00402374
  • UnhandledExceptionFilter.KERNEL32 ref: 00402381
  • GetCurrentProcess.KERNEL32 ref: 00402387
  • TerminateProcess.KERNEL32 ref: 00402395
Memory Dump Source
  • Source File: 00000000.00000002.2263967093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.2263912991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264016291.0000000000404000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264062740.0000000000408000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264109768.000000000040B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_forkes.jbxd
Similarity
  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
  • String ID:
  • API String ID: 3266983031-0
  • Opcode ID: 3cf6096b1c83583e0393c6ff9e611468c7c163e63f96e8c366d91667716da33e
  • Instruction ID: 149671cdd3c55400a0126d6b62503c735117f2040a81a54adb99b516cbfc0f57
  • Opcode Fuzzy Hash: 3cf6096b1c83583e0393c6ff9e611468c7c163e63f96e8c366d91667716da33e
  • Instruction Fuzzy Hash: 9A21C2B5A15F0099FB009F61F84879937A8BB08B94F44422ADF8D27764EF3CD149C759

APIs
  • GetSystemTimeAsFileTime.KERNEL32 ref: 00402225
  • GetCurrentProcessId.KERNEL32 ref: 00402230
  • GetCurrentThreadId.KERNEL32 ref: 00402238
  • GetTickCount.KERNEL32 ref: 00402240
  • QueryPerformanceCounter.KERNEL32 ref: 0040224D
Memory Dump Source
  • Source File: 00000000.00000002.2263967093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.2263912991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264016291.0000000000404000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264062740.0000000000408000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264109768.000000000040B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_forkes.jbxd
Similarity
  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
  • String ID:
  • API String ID: 1445889803-0
  • Opcode ID: 8d3d2463463609734dbb6402b03b217993e5058972b03aad8d2d1681ea8eff7a
  • Instruction ID: 870485c13ac068f68f504d795742df0ba6b0159206ac2b250ba0cb8a7ca546df
  • Opcode Fuzzy Hash: 8d3d2463463609734dbb6402b03b217993e5058972b03aad8d2d1681ea8eff7a
  • Instruction Fuzzy Hash: 4911C162B16F0086F7105B65B9087156260B748BA1F081379DF9D53BE8DE3CC98AD308

Strings
  • Mingw-w64 runtime failure:, xrefs: 004017F7
  • VirtualProtect failed with code 0x%x, xrefs: 00401967
  • Address %p has no image-section, xrefs: 00401847, 00401992
  • VirtualQuery failed for %d bytes at address %p, xrefs: 00401981
Memory Dump Source
  • Source File: 00000000.00000002.2263967093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.2263912991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264016291.0000000000404000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264062740.0000000000408000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264109768.000000000040B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_forkes.jbxd
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
  • API String ID: 1027372294-1534286854
  • Opcode ID: e5c7d007481e01950e5c1a0051bfc475fed0a39dbd5d0f833dd6c8d0a4ffb9ad
  • Instruction ID: f127189bdcb155d89f588702382d532f048ecc7074e53cb9c19961d2038f919e
  • Opcode Fuzzy Hash: e5c7d007481e01950e5c1a0051bfc475fed0a39dbd5d0f833dd6c8d0a4ffb9ad
  • Instruction Fuzzy Hash: D541C5B2704B4495EA10AF12EC44B9A7B24F799BD4F488236EF4C277A4DB3CD586C708

Control-flow Graph

control_flow_graph (function starting at 4019b0; raw node and edge listing omitted)
APIs
  • VirtualQuery.KERNEL32(?,?,?,?,00407A30,00407A28,00000001,00007FFC1968ADA0,?,?,00407030,0040127D), ref: 00401B60
  • VirtualProtect.KERNEL32(?,?,?,?,00407A30,00407A28,00000001,00007FFC1968ADA0,?,?,00407030,0040127D), ref: 00401B82
Strings
  • Unknown pseudo relocation protocol version %d., xrefs: 00401C9C
  • Unknown pseudo relocation bit size %d., xrefs: 00401C3B
  • VirtualQuery failed for %d bytes at address %p, xrefs: 00401981, 00401C85
Memory Dump Source
  • Source File: 00000000.00000002.2263967093.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.2263912991.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264016291.0000000000404000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264062740.0000000000408000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2264109768.000000000040B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_forkes.jbxd
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
  • API String ID: 1027372294-974437099
  • Opcode ID: 6b42cb4e106b03c0c4c23193a902c45779caabfce9a424767106aca652079dd7
  • Instruction ID: 8b7165e88d542a46492d334731efcfdbd60fac4e5031038250f0bb102c3db7e3
  • Opcode Fuzzy Hash: 6b42cb4e106b03c0c4c23193a902c45779caabfce9a424767106aca652079dd7
  • Instruction Fuzzy Hash: 6EA103B1B1055086EB10AB62E95475B23A1BB85BD8F58863BEF0D673F4DA3CD885C309