
Windows Analysis Report
qDukOSpqnG.exe

Overview

General Information

Sample name:qDukOSpqnG.exe
renamed because original name is a hash value
Original sample name:0933f23c466188e0a7c6fab661bdb8487cf7028c5cec557efb75fde9879a6af8.exe
Analysis ID:1670766
MD5:1add9766eb649496bc2fa516902a5965
SHA1:48d1971ec7b17adaa8189089a97503afa705ae14
SHA256:0933f23c466188e0a7c6fab661bdb8487cf7028c5cec557efb75fde9879a6af8
Tags: cactus, exe, ransomware, user-TheRavenFile

Detection

Babuk
Score:64
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Babuk Ransomware
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)

Classification

Process tree (system: w10x64):
  • qDukOSpqnG.exe (PID: 2612, cmdline: "C:\Users\user\Desktop\qDukOSpqnG.exe", MD5: 1ADD9766EB649496BC2FA516902A5965)
    • conhost.exe (PID: 5716, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
Malware family
Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk
Note: the family label rests on the JoeSecurity_babuk Yara match. The vendor label in this report (ReversingLabs: Win64.Ransomware.Cactus), the mutex name ending in "cAcTuS" and the .onion path /contact/Cactus_Support all point to Cactus, so treat "Babuk" here as a Yara signature hit rather than an attribution.
No configs have been found
Yara matches (memory dumps)
Source: 00000000.00000002.1182760231.00007FF6DD45A000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_babuk | Description: Yara detected Babuk Ransomware | Author: Joe Security
Source: Process Memory Space: qDukOSpqnG.exe PID: 2612 | Rule: JoeSecurity_babuk | Description: Yara detected Babuk Ransomware | Author: Joe Security
Yara matches (unpacked PEs)
Source: 0.2.qDukOSpqnG.exe.7ff6dd050000.0.unpack | Rule: JoeSecurity_babuk | Description: Yara detected Babuk Ransomware | Author: Joe Security
        No Sigma rule has matched
        No Suricata rule has matched


        AV Detection

Source: qDukOSpqnG.exe | ReversingLabs: Detection: 75%
Source: qDukOSpqnG.exe | Virustotal: Detection: 71%
Source: qDukOSpqnG.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

        Networking

Source: qDukOSpqnG.exe | String found in binary or memory: http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Cactus_Support
Source: qDukOSpqnG.exe | String found in binary or memory: https://tox.chat/):
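The onion address above is a Tor v3 service address, and v3 addresses carry their own two-byte checksum: verifying it tells you whether the string is a usable contact point or a garbled/decoy value, and the decoded 32-byte key is a stable pivot across samples that share the same ransom portal. The block below is an added example, not part of the Joe Sandbox report and not the sample's own code; it extracts v3 addresses from a string dump and validates them against the rend-spec-v3 encoding (base32 of pubkey || checksum || version, checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]). SAMPLE_STRINGS is a constructed stand-in that contains this report's two URLs; the key used in the usage is made up.

```python
import base64
import hashlib
import re

# Tor v3 onion address: base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion",
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03.
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)
ONION_VERSION = b"\x03"


def find_onion_addresses(text: str) -> list:
    """Every syntactically plausible v3 onion hostname in a string dump, lower-cased."""
    return [m.group(0).lower() for m in ONION_V3_RE.finditer(text)]


def onion_checksum(pubkey: bytes, version: bytes = ONION_VERSION) -> bytes:
    """The two checksum bytes a genuine v3 address must carry."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion_v3(pubkey: bytes, checksum: bytes = None) -> str:
    """Build an address from a 32-byte Ed25519 public key (checksum override exists for tests)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    if checksum is None:
        checksum = onion_checksum(pubkey)
    raw = pubkey + checksum + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> dict:
    """Decode an address and report the embedded key, the version byte and whether the checksum verifies."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        raise ValueError("not a 56-character base32 v3 label")
    raw = base64.b32decode(label.upper())  # 56 * 5 bits = 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return {
        "pubkey": pubkey,
        "version": version[0],
        "checksum_ok": version == ONION_VERSION and checksum == onion_checksum(pubkey, version),
    }


# Constructed stand-in for the sample's strings region (the two URLs are the ones in this report).
SAMPLE_STRINGS = (
    "CLOSED\x00http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Cactus_Support"
    "\x00https://tox.chat/):\x00basic_string: construction from null is not valid"
)


def triage_strings(text: str = SAMPLE_STRINGS) -> list:
    """For each onion address found: (address, version byte, checksum_ok)."""
    rows = []
    for addr in find_onion_addresses(text):
        info = decode_onion_v3(addr)
        rows.append((addr, info["version"], info["checksum_ok"]))
    return rows


if __name__ == "__main__":
    for addr, version, ok in triage_strings():
        print(f"{addr}  version={version}  checksum_ok={ok}")
```

A v3 address always ends in "d" because the version byte 0x03 lands in the last base32 group, so a shorter or differently terminated ".onion" string is either a legacy v2 address or not an address at all. The 32-byte value returned in "pubkey" is the service's Ed25519 identity key, which is the field worth indexing across samples.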

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.qDukOSpqnG.exe.7ff6dd050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1182760231.00007FF6DD45A000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qDukOSpqnG.exe PID: 2612, type: MEMORYSTR
Source: qDukOSpqnG.exe | Binary or memory string: vssadmin delete shadows /all /quiet
Source: qDukOSpqnG.exe, 00000000.00000002.1182760231.00007FF6DD45A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string (a run of adjacent strings shown concatenated: process names, service-name fragments, the shadow copy and boot-configuration commands, and a C++ runtime error message): steam.exethebat.exemsftesql.exesqlagent.exesqlbrowser.exesqlwriter.exeoracle.exeocssd.exedbsnmp.exesynctime.exexfssvccon.exesqlservr.exemydesktopservice.exeocautoupds.exeagntsvc.exeencsvc.exefirefoxconfig.exetbirdconfig.exemydesktopqos.exeocomm.exemysqld.exemysqld-nt.exemysqld-opt.exedbeng5o.exesqbcoreservice.exeexcel.exeinfopath.exemsaccess.exemspub.exeonenote.exeoutlook.exepowerpnt.exethunderbird.exevisio.exewinword.exewordpad.exesql.exeagntsvc.exeisqlplussvc.exeencsvc.exefirefox.exedbeng50.exenotepad.exephonesvcveeammemtassqlbackupvsssophossvc$mepocsmsexchangegxvssgxblrgxfwdgxcvdgxcimgrCLOSEDvssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.exeWMIC shadowcopy deleteC:\Windows\System32\wbem\WMIC.exebcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled nobasic_string: construction from null is not valid
Source: classification engine | Classification label: mal64.rans.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_03
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Mutant created: \Sessions\1\BaseNamedObjects\md94-hohi-5mk2-15rocAcTuS
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qDukOSpqnG.exe | String found in binary or memory: set-addPolicy
Source: qDukOSpqnG.exe | String found in binary or memory: id-cmc-addExtensions
Source: unknown | Process created: C:\Users\user\Desktop\qDukOSpqnG.exe "C:\Users\user\Desktop\qDukOSpqnG.exe"
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Section loaded: ntmarta.dll
Source: qDukOSpqnG.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: qDukOSpqnG.exe | Static file information: File size 4758606 > 1048576
Source: qDukOSpqnG.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x208400
Source: qDukOSpqnG.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | Code function: 0_2_00007FF6DD6ED0D0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\qDukOSpqnG.exe | API call chain: ExitProcess graph end node (graph_0-76)
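The vssadmin, WMIC and bcdedit strings listed above are the sample's recovery-inhibition commands (ATT&CK T1490, Inhibit System Recovery); this run never executed them (the process stayed idle until the timeout), so the report's only evidence for them is static. The block below is an added example, not part of the report and not the sample's code: it matches those four commands both in process-creation telemetry (records shaped like Sysmon Event ID 1 / Security 4688) and in the raw strings of a file or memory dump, with a strings(1)-style extractor that also catches UTF-16LE copies. SAMPLE_EVENTS and SAMPLE_BLOB are constructed; the child processes and their PIDs are hypothetical.

```python
import re

# Recovery-inhibition commands carried in the sample's strings (ATT&CK T1490, Inhibit System Recovery).
# Each pattern tolerates an optional .exe suffix, a full path, extra whitespace and mixed case.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def match_rules(text: str) -> list:
    """Names of every rule whose pattern fires on one command line or string."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_process_events(events) -> list:
    """Dynamic side: events are dicts with pid/image/cmdline (Sysmon EID 1 / 4688 style).
    Returns (pid, [rule names]) for every event that fires at least one rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["cmdline"])
        if names:
            hits.append((ev["pid"], names))
    return hits


def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """ASCII and UTF-16LE printable runs, like strings(1) over a file or memory dump."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return [r.decode("ascii") for r in ascii_runs] + [r.decode("utf-16-le") for r in wide_runs]


def scan_blob(blob: bytes) -> dict:
    """Static side: rule name -> first string that triggered it."""
    found = {}
    for s in extract_strings(blob):
        for name in match_rules(s):
            found.setdefault(name, s)
    return found


# Constructed strings region mirroring the report's dump: null-separated ASCII strings plus one
# UTF-16LE copy (double null before it so the wide run does not swallow the previous terminator).
SAMPLE_BLOB = (
    b"mysqld.exe\x00notepad.exe\x00CLOSED\x00vssadmin delete shadows /all /quiet\x00"
    b"C:\\Windows\\System32\\vssadmin.exe\x00WMIC shadowcopy delete\x00"
    b"C:\\Windows\\System32\\wbem\\WMIC.exe\x00"
    b"bcdedit /set {default} bootstatuspolicy ignoreallfailures\x00\x00"
    + "bcdedit /set {default} recoveryenabled no".encode("utf-16-le")
    + b"\x00\x00basic_string: construction from null is not valid\x00"
)

# Constructed process-creation events. The sandbox run only showed the first two processes;
# the vssadmin/WMIC/bcdedit children and their PIDs are hypothetical.
SAMPLE_EVENTS = [
    {"pid": 2612, "image": r"C:\Users\user\Desktop\qDukOSpqnG.exe", "cmdline": r'"C:\Users\user\Desktop\qDukOSpqnG.exe"'},
    {"pid": 5716, "image": r"C:\Windows\System32\conhost.exe", "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 4100, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin  Delete Shadows /All /Quiet"},
    {"pid": 4104, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'},
    {"pid": 4108, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4112, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4116, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


if __name__ == "__main__":
    for pid, names in scan_process_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(names)}")
    for name, s in scan_blob(SAMPLE_BLOB).items():
        print(f"static {name}: {s!r}")
```

The benign "vssadmin list shadows" and the parent/conhost command lines do not fire, and the UTF-16 copy of the bcdedit command is found only because the extractor decodes wide runs; a plain ASCII strings pass over a memory dump misses such copies. In production the dynamic rule should be scoped to the parent process (a backup agent legitimately runs some of these), which the event shape here leaves room for.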
MITRE ATT&CK matrix (techniques the signatures mapped, with match counts; the remaining cells of the original grid are unmatched placeholders and are omitted here):
  • Execution: Command and Scripting Interpreter (2), Native API (1)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Software Packing (1), Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1), File Deletion (1)
  • Discovery: System Information Discovery (1)
  • Command and Control: Proxy (1)
Behavior graph (ID: 1670766, sample: qDukOSpqnG.exe, start date: 22/04/2025, architecture: WINDOWS, score: 64). Signatures on the start node: Multi AV Scanner detection for submitted file; Yara detected Babuk Ransomware; Found Tor onion address; Deletes shadow drive data (may be related to ransomware). Process qDukOSpqnG.exe started (signature on the process: Deletes shadow drive data (may be related to ransomware)) and in turn started conhost.exe.

Antivirus results for the submitted file
Source: qDukOSpqnG.exe | Detection: 75% | Scanner: ReversingLabs | Label: Win64.Ransomware.Cactus
Source: qDukOSpqnG.exe | Detection: 72% | Scanner: Virustotal
        No Antivirus matches
URL scanner results
Source: https://tox.chat/): | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
No contacted domains info
URLs found in binary or memory
Name: https://tox.chat/): | Source: qDukOSpqnG.exe | Malicious: false | Antivirus detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Cactus_Support | Source: qDukOSpqnG.exe | Malicious: false | Antivirus detection: none | Reputation: high
          No contacted IP infos
          Joe Sandbox version:42.0.0 Malachite
          Analysis ID:1670766
          Start date and time:2025-04-22 07:17:40 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 5s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:qDukOSpqnG.exe
          renamed because original name is a hash value
          Original Sample Name:0933f23c466188e0a7c6fab661bdb8487cf7028c5cec557efb75fde9879a6af8.exe
          Detection:MAL
          Classification:mal64.rans.evad.winEXE@2/0@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:Failed
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.245.163.56
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
          No simulations
          No context
          No created / dropped files found
          File type:PE32+ executable (console) x86-64, for MS Windows
          Entropy (8bit):6.8384636614245045
          TrID:
          • Win64 Executable Console (202006/5) 81.26%
          • UPX compressed Win32 Executable (30571/9) 12.30%
          • Win64 Executable (generic) (12005/4) 4.83%
          • Generic Win/DOS Executable (2004/3) 0.81%
          • DOS Executable Generic (2002/1) 0.81%
          File name:qDukOSpqnG.exe
          File size:4'758'606 bytes
          MD5:1add9766eb649496bc2fa516902a5965
          SHA1:48d1971ec7b17adaa8189089a97503afa705ae14
          SHA256:0933f23c466188e0a7c6fab661bdb8487cf7028c5cec557efb75fde9879a6af8
          SHA512:8c9034c23e06ae13630005ed34ecfdc68630ceb9de8020b7cbbe2612a72838f5b9121a9ecd2bdde5e9230a89f1973cb76e68426a533c73c1f9fa1462a92265d9
          SSDEEP:98304:ilMZsSO06bKbg6oQ/maNBq8CaQUEPC5h3kX1kqogMe:Cus1UBeaNwaQUEj
          TLSH:2B264B8228DF0D9ADDC13BB8A1C7631A677CBE71CB6B4F27A60841356C532C57D2AB50
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....aFd.rd.......&....(.. ......@I.P.i..PI....@..............................i...........`... ............................
          Icon Hash:90cececece8e8eb0
          Entrypoint:0x14069d050
          Entrypoint Section:UPX1
          Digitally signed:false
          Imagebase:0x140000000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x644661E3 [Mon Apr 24 11:02:59 2023 UTC]
          TLS Callbacks:0x4069d2a0, 0x1
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:35bc16e5f49a914ec22a20433406e198
Entrypoint instructions (0x14069d050, in UPX1: the UPX decompression stub). Note: the listing shows 32-bit mnemonics for 64-bit code; each "dec eax" is the 0x48 REX.W prefix of the instruction that follows (so "dec eax / lea esi, ..." is one 64-bit lea into rsi), and the "add ebx, ebx / je / mov ebx, [esi] / adc ebx, ebx" pattern is the stub's bit-stream fetch.
          push ebx
          push esi
          push edi
          push ebp
          dec eax
          lea esi, dword ptr [FFDF7FCAh]
          dec eax
          lea edi, dword ptr [esi-00494025h]
          dec eax
          lea eax, dword ptr [edi+00569F7Ch]
          push dword ptr [eax]
          mov dword ptr [eax], 596DE401h
          push eax
          push edi
          xor ebx, ebx
          xor ecx, ecx
          dec eax
          or ebp, FFFFFFFFh
          call 00007FC87C803805h
          add ebx, ebx
          je 00007FC87C8037B4h
          rep ret
          mov ebx, dword ptr [esi]
          dec eax
          sub esi, FFFFFFFCh
          adc ebx, ebx
          mov dl, byte ptr [esi]
          rep ret
          dec eax
          lea eax, dword ptr [edi+ebp]
          cmp ecx, 05h
          mov dl, byte ptr [eax]
          jbe 00007FC87C8037D3h
          dec eax
          cmp ebp, FFFFFFFCh
          jnbe 00007FC87C8037CDh
          sub ecx, 04h
          mov edx, dword ptr [eax]
          dec eax
          add eax, 04h
          sub ecx, 04h
          mov dword ptr [edi], edx
          dec eax
          lea edi, dword ptr [edi+04h]
          jnc 00007FC87C8037A1h
          add ecx, 04h
          mov dl, byte ptr [eax]
          je 00007FC87C8037C2h
          dec eax
          inc eax
          mov byte ptr [edi], dl
          sub ecx, 01h
          mov dl, byte ptr [eax]
          dec eax
          lea edi, dword ptr [edi+01h]
          jne 00007FC87C8037A2h
          rep ret
          cld
          inc ecx
          pop ebx
          jmp 00007FC87C8037BAh
          dec eax
          inc esi
          mov byte ptr [edi], dl
          dec eax
          inc edi
          mov dl, byte ptr [esi]
          add ebx, ebx
          jne 00007FC87C8037BCh
          mov ebx, dword ptr [esi]
          dec eax
          sub esi, FFFFFFFCh
          adc ebx, ebx
          mov dl, byte ptr [esi]
          jc 00007FC87C803798h
          lea eax, dword ptr [ecx+01h]
          jmp 00007FC87C8037B9h
          dec eax
          inc ecx
          call ebx
          adc eax, eax
          inc ecx
          call ebx
          adc eax, eax
          add ebx, ebx
          jne 00007FC87C8037BCh
          mov ebx, dword ptr [esi]
          dec eax
          sub esi, FFFFFFFCh
          adc ebx, ebx
          mov dl, byte ptr [esi]
          jnc 00007FC87C803796h
          sub eax, 03h
          jc 00007FC87C8037CBh
          shl eax, 08h
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69e4ec | 0x230 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69e000 | 0x4ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4d5000 | 0x27ad4 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x69e71c | 0x14 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x69d2c8 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
UPX0 | 0x1000 | 0x494000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x495000 | 0x209000 | 0x208400 | daf1853a8f44f3a1c7ff93325c822c57 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x69e000 | 0x1000 | 0x800 | c0ba7bc46af92c6c76af76a3df5f46a1 | False | 0.39013671875 | data | 4.835418443624258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
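The section table is the static fingerprint of a UPX-packed image: UPX0 has zero raw size (it is the hole the stub decompresses into; its MD5 is the hash of the empty string), UPX1 holds the compressed payload plus the stub and contains the entry point, and both are writable and executable. The block below is an added example, not from the report or any project: a minimal PE32/PE32+ header parser that reads the section table and flags those tells. packed_sample() is a header-only image constructed from the values in this report (no code inside), and clean_sample() is an ordinary linker layout for contrast; both are constructed test data.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: machine, entry-point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B PE32, 0x20B PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_rva": entry_rva, "sections": sections}


def section_containing(pe: dict, rva: int):
    """The section whose virtual range covers an RVA, or None."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def upx_indicators(pe: dict) -> list:
    """Packer tells visible in the section table alone: UPX0/UPX1 names, a large executable
    section with no raw data (the unpack destination), W+X sections, and an entry point
    that is not in the first section."""
    hits = []
    names = {s["name"] for s in pe["sections"]}
    if {"UPX0", "UPX1"} <= names:
        hits.append("section names UPX0/UPX1")
    for s in pe["sections"]:
        executable = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["rawsize"] == 0 and s["vsize"] >= 0x10000:
            hits.append(f"{s['name']}: executable, no raw data (unpack destination)")
        if executable and s["flags"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{s['name']}: writable and executable")
    ep = section_containing(pe, pe["entry_rva"])
    if ep is not None and ep is not pe["sections"][0]:
        hits.append(f"entry point 0x{pe['entry_rva']:x} in {ep['name']}, not the first section")
    return hits


def build_pe(sections, entry_rva: int, pe32plus: bool = True) -> bytes:
    """Header-only PE image for testing (constructed; carries no code).
    sections: iterable of (name, vaddr, vsize, rawsize, flags)."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        name.encode("ascii").ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, 0, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, rawsize, flags in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


def packed_sample() -> bytes:
    """Section table and entry RVA taken from this report (0x14069d050 - image base 0x140000000)."""
    return build_pe([
        ("UPX0", 0x1000, 0x494000, 0x0, 0xE0000080),
        ("UPX1", 0x495000, 0x209000, 0x208400, 0xE0000040),
        (".rsrc", 0x69E000, 0x1000, 0x800, 0xC0000040),
    ], entry_rva=0x69D050)


def clean_sample() -> bytes:
    """An ordinary linker-produced layout, for contrast."""
    return build_pe([
        (".text", 0x1000, 0x2000, 0x2000, 0x60000020),
        (".data", 0x3000, 0x1000, 0x200, 0xC0000040),
    ], entry_rva=0x1200)


if __name__ == "__main__":
    for label, image in (("packed", packed_sample()), ("clean", clean_sample())):
        print(label, upx_indicators(parse_pe(image)) or "no packer indicators")
```

Section names are the weakest of these tells (they are trivially renamed); the zero-raw-size executable section and the entry point landing in the last code section survive renaming and are what to key on for a repacked variant.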
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
RT_MANIFEST | 0x69e05c | 0x48f | XML 1.0 document, ASCII text | | | 0.40102827763496146
Imports (DLL | Import)
ADVAPI32.dll | OpenServiceA
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll | atoi
RstrtMgr.DLL | RmGetList
SHELL32.dll | StrStrIW
USER32.dll | ShowWindow
WS2_32.dll | htonl
WSOCK32.dll | bind
(This is the packer's minimal import table, one function per DLL the original needed; the real imports are rebuilt at run time by the LoadLibraryA/GetProcAddress loop in code function 0_2_00007FF6DD6ED0D0 above. The presence of RstrtMgr.DLL (RmGetList) is still informative: the Restart Manager is what the sample uses to find processes holding files it wants to encrypt.)
          No network behavior found
          Target ID:0
          Start time:01:18:37
          Start date:22/04/2025
          Path:C:\Users\user\Desktop\qDukOSpqnG.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\qDukOSpqnG.exe"
          Imagebase:0x7ff6dd050000
          File size:4'758'606 bytes
          MD5 hash:1ADD9766EB649496BC2FA516902A5965
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_babuk, Description: Yara detected Babuk Ransomware, Source: 00000000.00000002.1182760231.00007FF6DD45A000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:01:18:37
          Start date:22/04/2025
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff62fc20000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Execution Graph

          Execution Coverage

          Dynamic/Packed Code Coverage

          Signature Coverage

          Execution Coverage:55%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:88.9%
          Total number of Nodes:9
          Total number of Limit Nodes:1
Execution graph: 7ff6dd6ed050 → 7ff6dd6ed0d0 → 7ff6dd6ed0d5. From 7ff6dd6ed0d5: → 7ff6dd6ed193 (LoadLibraryA) → 7ff6dd6ed1ad → 7ff6dd6ed1b6 (GetProcAddress) → 7ff6dd6ed1d7 (ExitProcess), with back-edges 7ff6dd6ed1ad → 7ff6dd6ed0d5 and 7ff6dd6ed1b6 → 7ff6dd6ed1ad (the stub's import-resolution loop); also 7ff6dd6ed0d5 → 7ff6dd6ed1dd (VirtualProtect, VirtualProtect) → 7ff6dd6ed286.

          Callgraph

Callgraph: Function_00007FF6DD6ED050 → Function_00007FF6DD6ED0D0; Function_00007FF6DD6ED0D0 → Function_00007FF6DD6ED092 and Function_00007FF6DD6ED2A0.

          Executed Functions

          Control-flow Graph

Control-flow graph of 7ff6dd6ed0d0 (executed): basic blocks from 7ff6dd6ed0d0 to 7ff6dd6ed297. API-calling blocks: 7ff6dd6ed193-7ff6dd6ed1ab LoadLibraryA; 7ff6dd6ed1b6-7ff6dd6ed1cc GetProcAddress; 7ff6dd6ed1d7 ExitProcess; 7ff6dd6ed221-7ff6dd6ed281 VirtualProtect × 2 then call 7ff6dd6ed2a0. Block 7ff6dd6ed169-7ff6dd6ed178 calls 7ff6dd6ed092.
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1182760231.00007FF6DD5CC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DD050000, based on PE: true
• Associated: 00000000.00000002.1182740705.00007FF6DD050000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1182760231.00007FF6DD051000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1182760231.00007FF6DD45A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1182760231.00007FF6DD5BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1183215521.00007FF6DD6EE000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff6dd050000_qDukOSpqnG.jbxd
          Yara matches
          Similarity
          • API ID: ProtectVirtual$AddressLibraryLoadProc
          • String ID:
          • API String ID: 3300690313-0
          • Opcode ID: 76e79c2fb7391b34fa530670d04efefae9675b977043e47bc3ff28d61e76f7c0
          • Instruction ID: 6f1451e395e7818047dbb1d619b0d02ae656f893b090de0a1006b75f4f1d1eec
          • Opcode Fuzzy Hash: 76e79c2fb7391b34fa530670d04efefae9675b977043e47bc3ff28d61e76f7c0
          • Instruction Fuzzy Hash: C9510972F582C245E721AF64AD801BC6251AB017B4F588332CBBDC73C5FE6CE426AB50