
Windows Analysis Report msfeedssync.exe

Overview

General Information

Sample Name: msfeedssync.exe
Analysis ID: 434297
MD5: 7b78efe7918c41a90c554bd7362c66e9
SHA1: 94e4ac749feb5ccaafa3b198e99a79aea9d77e66
SHA256: ce95233922882f70354d637b12f4738042e189f9a92f4e99945fcbf84ec611f7

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Binary contains a suspicious time stamp
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • msfeedssync.exe (PID: 2416 cmdline: 'C:\Users\user\Desktop\msfeedssync.exe' MD5: 7B78EFE7918C41A90C554BD7362C66E9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: msfeedssync.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: msfeedssync.pdbUGP | source: msfeedssync.exe
Source: Binary string: msfeedssync.pdb | source: msfeedssync.exe
Source: msfeedssync.exe | Binary or memory string: OriginalFilename vs msfeedssync.exe
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: msfeedssync.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\msfeedssync.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msfeedssync.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: msfeedssync.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: msfeedssync.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: msfeedssync.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: msfeedssync.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: msfeedssync.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: msfeedssync.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: msfeedssync.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: msfeedssync.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: msfeedssync.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: msfeedssync.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: msfeedssync.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: msfeedssync.exe | Static PE information: 0xD2758D08 [Fri Nov 21 02:52:56 2081 UTC]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\msfeedssync.exe | Code function: 0_2_00007FF65FF51A20 SetUnhandledExceptionFilter, 0_2_00007FF65FF51A20
Source: C:\Users\user\Desktop\msfeedssync.exe | Code function: 0_2_00007FF65FF51CFC SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_00007FF65FF51CFC
Source: C:\Users\user\Desktop\msfeedssync.exe | Code function: 0_2_00007FF65FF51BF4 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, GetTickCount, QueryPerformanceCounter, 0_2_00007FF65FF51BF4
Source: C:\Users\user\Desktop\msfeedssync.exe | Code function: 0_2_00007FF65FF515B0 GetVersionExA, 0_2_00007FF65FF515B0

Mitre Att&ck Matrix

Tactic columns with the techniques shown for this sample (numbers in parentheses: count of matching signatures):

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Timestomp (1); Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Time Discovery (1); System Information Discovery (3)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph ID: 434297; Sample: msfeedssync.exe; Start date: 14/06/2021; Architecture: WINDOWS; Score: 1; a single process (msfeedssync.exe) was started.
Source           Detection  Scanner
msfeedssync.exe  0%         Virustotal
msfeedssync.exe  0%         Metadefender
msfeedssync.exe  0%         ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 434297
Start date: 14.06.2021
Start time: 17:44:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: msfeedssync.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 34.3%)
  • Quality average: 30.6%
  • Quality standard deviation: 43.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe
No simulations
No context
No created / dropped files found

Static File Info

General

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.323200985507428
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: msfeedssync.exe
File size: 15360
MD5: 7b78efe7918c41a90c554bd7362c66e9
SHA1: 94e4ac749feb5ccaafa3b198e99a79aea9d77e66
SHA256: ce95233922882f70354d637b12f4738042e189f9a92f4e99945fcbf84ec611f7
SHA512: 4924ce094816ff9757aba6fd2ad7e67bad5de3733f4e2a5c818f40fcc7c8ce7e31efbd57658ce5943b7328f69a374cf3883e3b92c90b6755dfeae14b28cab3c1
SSDEEP: 192:5hMHubsargEfoNuwHozeh5nKjB2v5v5UHGlndjadGHULBlS5WcsH:5hQMrXqueomnKNEhnnjaC8s5WcsH
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]eH.36H.36H.36A..6J.36-.67I.36-.07J.36-.77Z.36-.27O.36H.26t.36-.=7O.36-..6I.36-.17I.36RichH.36........................PE..d..

File Icon

Icon Hash: 00828e8e8686b000

General

Entrypoint: 0x140001980
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0xD2758D08 [Fri Nov 21 02:52:56 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: e22b4193ac1639ccdca0dcf2c8c3f735
Instruction
dec eax
sub esp, 28h
call 00007FEDB8462DA0h
dec eax
add esp, 28h
jmp 00007FEDB84628B3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00002651h]
jne 00007FEDB8462B42h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FEDB8462B33h
ret
dec eax
ror ecx, 10h
jmp 00007FEDB8462EA7h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [ecx]
cmp dword ptr [eax], E06D7363h
jne 00007FEDB8462B55h
cmp dword ptr [eax+18h], 04h
jne 00007FEDB8462B4Fh
mov ecx, dword ptr [eax+20h]
lea eax, dword ptr [ecx-19930520h]
cmp eax, 02h
jbe 00007FEDB8462B3Ah
cmp ecx, 01994000h
jne 00007FEDB8462B39h
call dword ptr [000017E7h]
int3
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
dec eax
lea ecx, dword ptr [FFFFFFB5h]
call dword ptr [00001777h]
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
int3
int3
int3
int3
jmp dword ptr [00001824h]
int3
int3
int3
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3890           0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0xaf8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x5000           0x12c         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7000           0x20          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x33e0           0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3010           0x108         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x3118           0x168         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type           Entropy         Characteristics
.text   0x1000           0x176b        0x1800    False     0.609212239583   data                6.18812885141   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x3000           0xd58         0xe00     False     0.435825892857   data                4.21918778221   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x4000           0x6c8         0x200     False     0.072265625      data                0.317809824313  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x5000           0x12c         0x200     False     0.37890625       PEX Binary Archive  2.46198525012   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x6000           0xaf8         0xc00     False     0.3662109375     data                4.60715723413   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x7000           0x20          0x200     False     0.083984375      data                0.406847371581  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                      Language  Country
RT_VERSION   0x6778  0x380  data                                                      English   United States
RT_MANIFEST  0x60a0  0x6d1  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States
DLL                             Import
KERNEL32.dll                    GetModuleHandleW, GetVersionExA, LocalFree, GetProcAddress, InitOnceExecuteOnce, GetVersion, VirtualAlloc, LocalAlloc, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetTickCount, GetSystemTimeAsFileTime, Sleep, GetStartupInfoW, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId
msvcrt.dll                      ?terminate@@YAXXZ, _commode, _fmode, rand_s, _wcmdln, __C_specific_handler, _initterm, __setusermatherr, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, _XcptFilter, wcstoul
api-ms-win-core-com-l1-1-0.dll  CLSIDFromString, CoCreateInstance, CoUninitialize, CoInitializeEx
Description       Data
LegalCopyright    Microsoft Corporation. All rights reserved.
InternalName      msfeedssync
FileVersion       11.00.17763.1 (WinBuild.160101.0800)
CompanyName       Microsoft Corporation
ProductName       Internet Explorer
ProductVersion    11.00.17763.1
FileDescription   Microsoft Feeds Synchronization
OriginalFilename  msfeedssync.exe
Translation       0x0409 0x04b0

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Chart (0-20 s, 0-100 %), not reproduced here

Memory Usage

Chart (0-20 s, MB), not reproduced here

System Behavior

Start time: 17:45:02
Start date: 14/06/2021
Path: C:\Users\user\Desktop\msfeedssync.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\msfeedssync.exe'
Imagebase: 0x7ff65ff50000
File size: 15360 bytes
MD5 hash: 7B78EFE7918C41A90C554BD7362C66E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage: 17.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 11.3%
Total number of Nodes: 53
Total number of Limit Nodes: 1

Graph

Execution graph image (nodes keyed by function address and called API: __wgetmainargs, CLSIDFromString, wcstoul, ?terminate@, GetModuleHandleW, __set_app_type, __setusermatherr, _exit, _cexit, GetStartupInfoW, Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, SetUnhandledExceptionFilter, exit, _XcptFilter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetVersionExA), not reproduced here

Callgraph

Executed Functions

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph: function 7ff65ff51a20-7ff65ff51a37, calls SetUnhandledExceptionFilter
APIs
Memory Dump Source
  • Source File: 00000000.00000002.199848491.00007FF65FF51000.00000020.00020000.sdmp, Offset: 00007FF65FF50000, based on PE: true
  • Associated: 00000000.00000002.199844935.00007FF65FF50000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.199852367.00007FF65FF53000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.199856118.00007FF65FF55000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff65ff50000_msfeedssync.jbxd
Similarity
  • API ID: ExceptionFilterUnhandled
  • String ID:
  • API String ID: 3192549508-0
  • Opcode ID: ecbe52100670dbb0f34d984600349deb9274d9a6b3de93d846e16d5f8b9be604
  • Instruction ID: eb9d3cc771ba6204df25419a00940f7df7d153a39561508e2fac01518eb927af
  • Opcode Fuzzy Hash: ecbe52100670dbb0f34d984600349deb9274d9a6b3de93d846e16d5f8b9be604
  • Instruction Fuzzy Hash: 55B09210F66402E2EA04AB61EC8206113A06B58351FC84531C01DD2520EE1CE19A8700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph: function 7ff65ff51710-7ff65ff51973; calls GetStartupInfoW, Sleep, _amsg_exit, _initterm, 7ff65ff51b60, 7ff65ff51a20, 7ff65ff51010, exit, _cexit (block-level graph not reproduced here)
APIs
Similarity
  • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
  • String ID:
  • API String ID: 642454821-0
  • Opcode ID: abdfc2eb81d9496fc24d9da0086cc9d567d25b619f036b6ac76b60ec7207a4de
  • Instruction ID: eddc5c6aa1268f11a7a7341e2c6b2684797f6e2e2f084739ae244fb419853078
  • Opcode Fuzzy Hash: abdfc2eb81d9496fc24d9da0086cc9d567d25b619f036b6ac76b60ec7207a4de
  • Instruction Fuzzy Hash: 28614436A08A4286FB609F19E95027937A1FF44B84F588135DA6DF7EA5EF3CF8458700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph: function 7ff65ff516c0-7ff65ff51708, calls __wgetmainargs
APIs
Similarity
  • API ID: __wgetmainargs
  • String ID:
  • API String ID: 1709950718-0
  • Opcode ID: 025d3d0ce6aeb5c1aaad524a1dfb4355b6887830611116b8b7b4f2f046bb39d3
  • Instruction ID: b7af08c5a3b9380dbbef09b29f983d34e2e73f06939d5281e52af56549328711
  • Opcode Fuzzy Hash: 025d3d0ce6aeb5c1aaad524a1dfb4355b6887830611116b8b7b4f2f046bb39d3
  • Instruction Fuzzy Hash: 1DE05A75E08A4796EA008B40B8605A13BB0FB44354BA88132C93DA3B20DE7CE24ECB00
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph

APIs
Similarity
  • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
  • String ID:
  • API String ID: 4104442557-0
  • Opcode ID: 1f8884c76d1a2d044707f5495109fdece0acd3d15dd3d1b508826b8b699cad50
  • Instruction ID: aecfb236b2b130398c77497a75b8a423c8644f70c9e7add77d32770be6b865a4
  • Opcode Fuzzy Hash: 1f8884c76d1a2d044707f5495109fdece0acd3d15dd3d1b508826b8b699cad50
  • Instruction Fuzzy Hash: 76112922A44F418AEF10DF74FC581A833A4FB49758B485A35EA7D83B94EF7CD5A88340
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Similarity
  • API ID: ExceptionFilterUnhandled$CurrentProcess
  • String ID:
  • API String ID: 1249254920-0
  • Opcode ID: 08e97b0cdec26a76eae47f4f246da45c6425eb0e1d855b8281d94ac35d675de0
  • Instruction ID: 58469c883794e66187f8b247c20e84c495d805fb9e2f33ef38c82c885f755182
  • Opcode Fuzzy Hash: 08e97b0cdec26a76eae47f4f246da45c6425eb0e1d855b8281d94ac35d675de0
  • Instruction Fuzzy Hash: C9D0C751F4850696FF1917B97C1503513129F5DB41F0C9034C92B97B20DD3CD4858700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph: function 7ff65ff515b0-7ff65ff515d4, calls GetVersionExA
APIs
Similarity
  • API ID: Version
  • String ID:
  • API String ID: 1889659487-0
  • Opcode ID: dbed41dbd2f1ea802dc60283af1b85b7a64a6c1237d9e1d2a6e3666732c99dfa
  • Instruction ID: 0b172a3e3ec536429f91565e1ed5a2c6248f02cdbdfcbdf6f21b0bffc3f66ea9
  • Opcode Fuzzy Hash: dbed41dbd2f1ea802dc60283af1b85b7a64a6c1237d9e1d2a6e3666732c99dfa
  • Instruction Fuzzy Hash: 5AC04CA8E05541C2FB049F25F8653646360BB58301FC45530D42D93B509F6CD15A8F14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Similarity
  • API ID: FromString
  • String ID: ProcessEnclosure
  • API String ID: 1694596556-2903036508
  • Opcode ID: 2cc8930706c4562ffe9e21dfa2a17929633d301f8e2c3cb0e761c8128ed29b5f
  • Instruction ID: ea82eb44697ffd2ae639fe28d910851d10741208c91ec33d4d07c6893004dbdc
  • Opcode Fuzzy Hash: 2cc8930706c4562ffe9e21dfa2a17929633d301f8e2c3cb0e761c8128ed29b5f
  • Instruction Fuzzy Hash: 22118622A18652C2EB114F39E45413E6791EB54B95F18D331EE6EE7AE8EF2CE5908600
Uniqueness

Uniqueness Score: -1.00%