Edit tour

Windows Analysis Report
antispam.exe

Overview

General Information

Sample name:	antispam.exe
Analysis ID:	1533402
MD5:	e5ad838952e63778a5708d2efc4cda86
SHA1:	1a3f14465460a61e012d11cccf301424f2c0f11d
SHA256:	e3f10c90a0614e13074f69193a9bd3310332392d17c52fbe6596fd6596327811
Tags:	exeuser-Racco42
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses ipconfig to lookup or modify the Windows network settings

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to execute programs as a different user

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

antispam.exe (PID: 6120 cmdline: "C:\Users\user\Desktop\antispam.exe" MD5: E5AD838952E63778A5708D2EFC4CDA86)

conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2672 cmdline: cmd.exe /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 6024 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 1420 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 5576 cmdline: cmd.exe /c route print MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ROUTE.EXE (PID: 5628 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)

cmd.exe (PID: 1704 cmdline: cmd.exe /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 928 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

cleanup

Sigma Signatures

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: cmd.exe /c route print, CommandLine: cmd.exe /c route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\antispam.exe", ParentImage: C:\Users\user\Desktop\antispam.exe, ParentProcessId: 6120, ParentProcessName: antispam.exe, ProcessCommandLine: cmd.exe /c route print, ProcessId: 5576, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: antispam.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\lfkmf\source\repos\AuthFormCpp\x64\Release\AuthFormCpp.pdb%% source: antispam.exe
Source:	Binary string: C:\Users\lfkmf\source\repos\AuthFormCpp\x64\Release\AuthFormCpp.pdb source: antispam.exe

Source: C:\Users\user\Desktop\antispam.exe	Code function: 0_2_00007FF6A1F715B0	0_2_00007FF6A1F715B0
Source: C:\Users\user\Desktop\antispam.exe	Code function: 0_2_00007FF6A1F71FC0	0_2_00007FF6A1F71FC0
Source: C:\Users\user\Desktop\antispam.exe	Code function: 0_2_00007FF6A1F71230	0_2_00007FF6A1F71230

Source: qwertyuio.txt.0.dr

Binary string: Boot Device: \Device\HarddiskVolume1

Source: classification engine

Classification label: mal48.evad.winEXE@18/2@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03

Source: C:\Users\user\Desktop\antispam.exe

File created: C:\Users\user\AppData\Local\Temp\qwertyuio.txt

Jump to behavior

Source: antispam.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\antispam.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\antispam.exe "C:\Users\user\Desktop\antispam.exe"
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c route print	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Source: C:\Users\user\Desktop\antispam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK
Source: C:\Users\user\Desktop\antispam.exe	Automated click: OK

Source: antispam.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: antispam.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: antispam.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: antispam.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: antispam.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: antispam.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: antispam.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: antispam.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: antispam.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\lfkmf\source\repos\AuthFormCpp\x64\Release\AuthFormCpp.pdb%% source: antispam.exe
Source:	Binary string: C:\Users\lfkmf\source\repos\AuthFormCpp\x64\Release\AuthFormCpp.pdb source: antispam.exe

Source: antispam.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: antispam.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: antispam.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: antispam.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: antispam.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\systeminfo.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: qwertyuio.txt.0.dr	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: ROUTE.EXE, 00000008.00000002.1859464175.0000022AFC069000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\antispam.exe

Code function: 0_2_00007FF6A1F746E4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6A1F746E4

Source: C:\Users\user\Desktop\antispam.exe	Code function: 0_2_00007FF6A1F748C4 SetUnhandledExceptionFilter,	0_2_00007FF6A1F748C4
Source: C:\Users\user\Desktop\antispam.exe	Code function: 0_2_00007FF6A1F73DC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6A1F73DC0
Source: C:\Users\user\Desktop\antispam.exe	Code function: 0_2_00007FF6A1F746E4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6A1F746E4

Source: C:\Users\user\Desktop\antispam.exe

Code function: 0_2_00007FF6A1F71FC0 CreatePipe,SetHandleInformation,memcpy,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,ReadFile,memcpy,ReadFile,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,DefWindowProcW,PostQuitMessage,SendMessageW,GetWindowTextW,GetWindowTextLengthW,GetWindowTextW,wcschr,wcscpy_s,wcscpy_s,memset,GetComputerNameExW,lstrcmpiW,LogonUserW,FlushFileBuffers,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memcpy,memcpy,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,FlushFileBuffers,MessageBoxW,PostQuitMessage,CloseHandle,memcpy,memcpy,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,FlushFileBuffers,MessageBoxW,Concurrency::cancel_current_task,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6A1F71FC0

Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c route print	Jump to behavior
Source: C:\Users\user\Desktop\antispam.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Source: C:\Users\user\Desktop\antispam.exe

Code function: 0_2_00007FF6A1F745C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6A1F745C4

Source: C:\Users\user\Desktop\antispam.exe

Code function: 0_2_00007FF6A1F715B0 InitCommonControlsEx,LoadIconW,LoadCursorW,LoadIconW,GetTempPathW,memcpy,_invalid_parameter_noinfo_noreturn,CreateFileW,AllocConsole,GetConsoleWindow,GetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,SetConsoleTitleW,__acrt_iob_func,freopen_s,__acrt_iob_func,freopen_s,__acrt_iob_func,freopen_s,GetStdHandle,SetStdHandle,GetStdHandle,SetStdHandle,GetStdHandle,SetStdHandle,printf,SleepEx,printf,RegisterClassExW,CreateWindowExW,GetWindowLongW,SetWindowLongW,CreateWindowExW,LoadBitmapW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,CreateFontW,SendMessageW,CreateWindowExW,SendMessageW,NetGetJoinInformation,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,SetFilePointer,WriteFile,_invalid_parameter_noinfo_noreturn,GetUserNameExW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,ShowWindow,UpdateWindow,GetMessageW,TranslateMessage,DispatchMessageW,GetMessageW,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6A1F715B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	11 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 Access Token Manipulation	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
antispam.exe	3%	ReversingLabs

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533402
Start date and time:	2024-10-14 17:21:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	antispam.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@18/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: antispam.exe

Process:	C:\Users\user\Desktop\antispam.exe
File Type:	data
Category:	modified
Size (bytes):	11408
Entropy (8bit):	3.312724115767823
Encrypted:	false
SSDEEP:	96:7Uq/xI/fLgKK8w6hyBi31/Q4o4h4l4LN4eb2ETdSqkhtn3G0Bca5tau6NEB/fLtU:lxqfLGyVihiv
MD5:	48ACFCF866859AFFA708E2F94FD7FAF4
SHA1:	79270EE8B83D4AAB79133421314C0C2C3C7CB546
SHA-256:	24D9E7A052DCEA137F5657EC1CFF173675305B8208BBC34A2DEBB49952006B63
SHA-512:	714D13CD2985B1B61EC107D2B14016DE1BBE4C3AE48F5B2C7E0CC74CCF526A3137CACB4C2E018F12E442F71CD0FECE8401C2884EA48ADE1A8D0375499455708C
Malicious:	false
Reputation:	low
Preview:	C.o.m.p.u.t.e.r. .n.o.t. .i.n. .d.o.m.a.i.n.........H.o.s.t. .N.a.m.e.:. . . . . . . . . . . . . . . . . .J.O.N.E.S.-.P.C.....O.S. .N.a.m.e.:. . . . . . . . . . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .1.0. .P.r.o.....O.S. .V.e.r.s.i.o.n.:. . . . . . . . . . . . . . . . .1.0...0...1.9.0.4.5. .N./.A. .B.u.i.l.d. .1.9.0.4.5.....O.S. .M.a.n.u.f.a.c.t.u.r.e.r.:. . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n.....O.S. .C.o.n.f.i.g.u.r.a.t.i.o.n.:. . . . . . . . . . .S.t.a.n.d.a.l.o.n.e. .W.o.r.k.s.t.a.t.i.o.n.....O.S. .B.u.i.l.d. .T.y.p.e.:. . . . . . . . . . . . . .M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.....R.e.g.i.s.t.e.r.e.d. .O.w.n.e.r.:. . . . . . . . . . .h.a.r.d.z.....R.e.g.i.s.t.e.r.e.d. .O.r.g.a.n.i.z.a.t.i.o.n.:. . . .....P.r.o.d.u.c.t. .I.D.:. . . . . . . . . . . . . . . . .0.0.3.3.0.-.7.1.3.8.8.-.7.7.1.0.4.-.A.A.O.E.M.....O.r.i.g.i.n.a.l. .I.n.s.t.a.l.l. .D.a.t.e.:. . . . . .0.3./.1.0./.2.0.2.3.,. .0.9.:.5.7.:.1.8.....S.y.s.t.e.m. .B.o.o.t. .T.i.m.e.

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\antispam.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3663
Entropy (8bit):	4.450638024403666
Encrypted:	false
SSDEEP:	24:XtwtIviRcd9lyXR7FGx9ApO77v09+ONoPmvx8P7WV4+MBSf4q+erUsDyN7Y/Y99/:hryBkF3U4FCdjUl2vAhikwO
MD5:	C065A7561AFAAB35F48A821C07680BAE
SHA1:	1F5B23DD06D18144B139793502D069CECDCA819A
SHA-256:	AFD5A11441866981E1843BA51188AC712F57611178ABAB7FBC80A68C182E9AF2
SHA-512:	19DF30E6CEAD663C35E9EB10BD57FA7F230A1C136DBBA1BD952757C83FF3BEECDADF66B7FC542BCF6627F0F8C3216CB60D7A4E253A55675420D0C47B60B210EA
Malicious:	false
Preview:	Downloading filter kb_outlook_sf_0..Downloading filter kb_outlook_sf_1..Downloading filter kb_outlook_sf_2..Downloading filter kb_outlook_sf_3..Downloading filter kb_outlook_sf_4..Downloading filter kb_outlook_sf_5..Downloading filter kb_outlook_sf_6..Downloading filter kb_outlook_sf_7..Downloading filter kb_outlook_sf_8..Downloading filter kb_outlook_sf_9..Downloading filter kb_outlook_sf_10..Downloading filter kb_outlook_sf_11..Downloading filter kb_outlook_sf_12..Downloading filter kb_outlook_sf_13..Downloading filter kb_outlook_sf_14..Downloading filter kb_outlook_sf_15..Downloading filter kb_outlook_sf_16..Downloading filter kb_outlook_sf_17..Downloading filter kb_outlook_sf_18..Downloading filter kb_outlook_sf_19..Downloading filter kb_outlook_sf_20..Downloading filter kb_outlook_sf_21..Downloading filter kb_outlook_sf_22..Downloading filter kb_outlook_sf_23..Downloading filter kb_outlook_sf_24..Downloading filter kb_outlook_sf_25..Downloading filter kb_outlook_sf_26..Downloading

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.463866558170516
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	antispam.exe
File size:	50'688 bytes
MD5:	e5ad838952e63778a5708d2efc4cda86
SHA1:	1a3f14465460a61e012d11cccf301424f2c0f11d
SHA256:	e3f10c90a0614e13074f69193a9bd3310332392d17c52fbe6596fd6596327811
SHA512:	767ff630d87accf56e4fdb0d7960965df24dd1dd58d69ba49ec46a210e9ee92e30fd983cea3b74bd843a6ce16a66357b0c64996a066f17059c0b7f81e15217a5
SSDEEP:	384:AGzr3q+r7bHNgQMIVVheHRzfl/FG5G9Nt3X9IMha/zA3unQE5NAQlWa8tWyEeSy3:fHSFX9VvQlotWSlcpzJLtOfR3
TLSH:	CA33F927B52790AACE769135112A2613D0F97D53F730ECDB1E80F52EA23A1E039A1F0D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........O].l!..l!..l!......l!..."..l!...%..l!...$..l!...%..l!... ..l!... ..l!..l ..l!...(..l!......l!..l...l!...#..l!.Rich.l!........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140004328
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670640E6 [Wed Oct 9 08:37:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	48f45504106095119561cb3fc0727154

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1E44E7FB98h
dec eax
add esp, 28h
jmp 00007F1E44E7F77Fh
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [00001148h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [0000112Dh]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1E44E7F8D7h
dec eax
lea edx, dword ptr [000021BFh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F1E44E80216h
int3
jmp 00007F1E44E8029Ah
int3
int3
int3
dec eax
sub esp, 28h
call 00007F1E44E801ECh
test eax, eax
je 00007F1E44E7F923h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F1E44E7F907h
dec eax
cmp ecx, eax
je 00007F1E44E7F916h
xor eax, eax
dec eax
cmpxchg dword ptr [000042E8h], ecx
jne 00007F1E44E7F8F0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F1E44E7F8F9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F1E44E7F909h
mov byte ptr [000042D1h], 00000001h
call 00007F1E44E7FED9h
call 00007F1E44E7FBC0h
test al, al
jne 00007F1E44E7F906h
xor al, al
jmp 00007F1E44E7F916h
call 00007F1E44E7FBB3h
test al, al
jne 00007F1E44E7F90Bh
xor ecx, ecx
call 00007F1E44E7FBA8h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x661c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x5460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9000	0x348	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0x58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5aa0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5960	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0x3a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3fe2	0x4000	210b610511a9c9c055ebcfe2b8b769d3	False	0.5301513671875	data	6.13184044525345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x23f0	0x2400	4d00644e2381d0f5c0ed48f248fb10e9	False	0.3986545138888889	data	4.2187157506719295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x740	0x200	f98042e4a06d0d5124744c3c0baff64e	False	0.228515625	data	2.0735734567561375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9000	0x348	0x400	a96c0ff6ee6812ca7616a2a03862e69a	False	0.4384765625	PEX Binary Archive	3.5550923239964085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x5460	0x5600	13a0fc772de4e3141d5c224fb93edb68	False	0.30496002906976744	data	6.886942552680524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x58	0x200	2ccba98db04f63998672fb4994f6223e	False	0.1953125	data	1.1854049465858691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0xa360	0x4f2a	Device independent bitmap graphic, 320 x 60 x 8, image size 0, resolution 2834 x 2834 px/m	English	United States	0.2999111812888582
RT_MENU	0xa1c0	0x4a	data	English	United States	0.8648648648648649
RT_DIALOG	0xa220	0x140	data	English	United States	0.58125
RT_STRING	0xf290	0x4c	data	English	United States	0.7105263157894737
RT_ACCELERATOR	0xa210	0x10	data	English	United States	1.25
RT_MANIFEST	0xf2e0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetTempPathW, CreateFileW, GetComputerNameExW, Sleep, CloseHandle, SetStdHandle, CreateProcessW, GetConsoleWindow, lstrcmpiW, AllocConsole, SetConsoleTitleW, FlushFileBuffers, RtlLookupFunctionEntry, CreatePipe, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, WriteFile, GetStdHandle, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, ReadFile, SetHandleInformation, SetFilePointer, RtlVirtualUnwind, RtlCaptureContext
USER32.dll	SendMessageW, CreateWindowExW, MessageBoxW, DefWindowProcW, GetMessageW, GetWindowTextLengthW, GetWindowLongW, RegisterClassExW, DispatchMessageW, GetWindowTextW, UpdateWindow, PostQuitMessage, SetWindowLongW, LoadCursorW, LoadIconW, TranslateMessage, LoadBitmapW, ShowWindow
GDI32.dll	CreateFontW
ADVAPI32.dll	LogonUserW
MSVCP140.dll	?_Xlength_error@std@@YAXPEBD@Z
COMCTL32.dll	InitCommonControlsEx
Secur32.dll	GetUserNameExW
NETAPI32.dll	NetApiBufferFree, NetGetJoinInformation, NetLocalGroupGetMembers
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memset, __current_exception_context, __current_exception, _CxxThrowException, __C_specific_handler, wcschr, __std_exception_copy, memcpy, __std_exception_destroy, memmove
api-ms-win-crt-stdio-l1-1-0.dll	freopen_s, __stdio_common_vfprintf, __p__commode, __acrt_iob_func, __stdio_common_vswprintf_s, _set_fmode
api-ms-win-crt-string-l1-1-0.dll	wcscpy_s
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, _configure_narrow_argv, _cexit, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _initialize_narrow_environment, _get_narrow_winmain_command_line, _invalid_parameter_noinfo_noreturn, _exit, _register_thread_local_exe_atexit_callback, exit, _set_app_type, _seh_filter_exe, _initterm_e, _initterm
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, malloc, _set_new_mode, free
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	11:22:08
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\antispam.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\antispam.exe"
Imagebase:	0x7ff6a1f70000
File size:	50'688 bytes
MD5 hash:	E5AD838952E63778A5708D2EFC4CDA86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:22:08
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:22:13
Start date:	14/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c systeminfo
Imagebase:	0x7ff709760000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:22:13
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:22:13
Start date:	14/10/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff66bc60000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c route print
Imagebase:	0x7ff709760000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):	false
Commandline:	route print
Imagebase:	0x7ff6f3d00000
File size:	24'576 bytes
MD5 hash:	3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c ipconfig /all
Imagebase:	0x7ff709760000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:22:14
Start date:	14/10/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff71d240000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	37.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.5%
Total number of Nodes:	200
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6A1F715B0 Relevance: 156.3, APIs: 68, Strings: 21, Instructions: 534
windowfileregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitCommonControlsEx.COMCTL32 ref: 00007FF6A1F715F4
LoadIconW.USER32 ref: 00007FF6A1F71625
LoadCursorW.USER32 ref: 00007FF6A1F71636
LoadIconW.USER32 ref: 00007FF6A1F7165F
GetTempPathW.KERNEL32 ref: 00007FF6A1F71675

Part of subcall function 00007FF6A1F73540: memcpy.VCRUNTIME140 ref: 00007FF6A1F735AA

memcpy.VCRUNTIME140 ref: 00007FF6A1F716D5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F7176C
CreateFileW.KERNELBASE ref: 00007FF6A1F717B1
AllocConsole.KERNELBASE ref: 00007FF6A1F717BE
GetConsoleWindow.KERNELBASE ref: 00007FF6A1F717C4
GetWindowLongW.USER32 ref: 00007FF6A1F717DA
SetWindowLongW.USER32 ref: 00007FF6A1F717EE
ShowWindow.USER32 ref: 00007FF6A1F717F9
ShowWindow.USER32 ref: 00007FF6A1F71807
SetConsoleTitleW.KERNEL32 ref: 00007FF6A1F71814
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F71821
freopen_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F7183C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F71847
freopen_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F71862
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F7186A
freopen_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F71885
GetStdHandle.KERNEL32 ref: 00007FF6A1F71890
SetStdHandle.KERNEL32 ref: 00007FF6A1F7189E
GetStdHandle.KERNEL32 ref: 00007FF6A1F718A9
SetStdHandle.KERNEL32 ref: 00007FF6A1F718B7
GetStdHandle.KERNEL32 ref: 00007FF6A1F718C2
SetStdHandle.KERNEL32 ref: 00007FF6A1F718D0
printf.MSPDB140-MSVCRT ref: 00007FF6A1F718E9

Part of subcall function 00007FF6A1F71010: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F71038
Part of subcall function 00007FF6A1F71010: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6A1F71057

SleepEx.KERNELBASE ref: 00007FF6A1F718F0
printf.MSPDB140-MSVCRT ref: 00007FF6A1F71904
RegisterClassExW.USER32 ref: 00007FF6A1F7190D
CreateWindowExW.USER32 ref: 00007FF6A1F7195F
GetWindowLongW.USER32 ref: 00007FF6A1F71979
SetWindowLongW.USER32 ref: 00007FF6A1F7198E
CreateWindowExW.USER32 ref: 00007FF6A1F719D8
LoadBitmapW.USER32 ref: 00007FF6A1F719E9
SendMessageW.USER32 ref: 00007FF6A1F71A00
SendMessageW.USER32 ref: 00007FF6A1F71A14
SendMessageW.USER32 ref: 00007FF6A1F71A28
CreateWindowExW.USER32 ref: 00007FF6A1F71A7C
CreateFontW.GDI32 ref: 00007FF6A1F71AD0
SendMessageW.USER32 ref: 00007FF6A1F71AE7
CreateWindowExW.USER32 ref: 00007FF6A1F71B3E
SendMessageW.USER32 ref: 00007FF6A1F71B59
NetGetJoinInformation.NETAPI32 ref: 00007FF6A1F71B6D
SetFilePointer.KERNELBASE ref: 00007FF6A1F71BFE
WriteFile.KERNELBASE ref: 00007FF6A1F71C27
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F71C71
SetFilePointer.KERNEL32 ref: 00007FF6A1F71CA4
WriteFile.KERNEL32 ref: 00007FF6A1F71CCD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F71D0B
GetUserNameExW.SECUR32 ref: 00007FF6A1F71D2B
SendMessageW.USER32 ref: 00007FF6A1F71D44
SendMessageW.USER32 ref: 00007FF6A1F71D5C
CreateWindowExW.USER32 ref: 00007FF6A1F71DB0
SendMessageW.USER32 ref: 00007FF6A1F71DC4
CreateWindowExW.USER32 ref: 00007FF6A1F71E1B
CreateWindowExW.USER32 ref: 00007FF6A1F71E76
SendMessageW.USER32 ref: 00007FF6A1F71E8A
CreateWindowExW.USER32 ref: 00007FF6A1F71EDE
SendMessageW.USER32 ref: 00007FF6A1F71EF2
ShowWindow.USER32 ref: 00007FF6A1F71EFE
UpdateWindow.USER32 ref: 00007FF6A1F71F07
GetMessageW.USER32 ref: 00007FF6A1F71F19
TranslateMessage.USER32 ref: 00007FF6A1F71F27
DispatchMessageW.USER32 ref: 00007FF6A1F71F31
GetMessageW.USER32 ref: 00007FF6A1F71F43

Part of subcall function 00007FF6A1F71230: NetLocalGroupGetMembers.NETAPI32 ref: 00007FF6A1F712A0
Part of subcall function 00007FF6A1F71230: memset.VCRUNTIME140 ref: 00007FF6A1F712DC
Part of subcall function 00007FF6A1F71230: SetFilePointer.KERNEL32 ref: 00007FF6A1F71324
Part of subcall function 00007FF6A1F71230: WriteFile.KERNEL32 ref: 00007FF6A1F7134F
Part of subcall function 00007FF6A1F71230: SetFilePointer.KERNEL32 ref: 00007FF6A1F713EE

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F71F87

Strings

Username:, xrefs: 00007FF6A1F71A33
Microsoft Sans Serif, xrefs: 00007FF6A1F71A8D
EDIT, xrefs: 00007FF6A1F71DDB
b, xrefs: 00007FF6A1F718F8
K, xrefs: 00007FF6A1F71EC6
Provide credentials to continue setup update..., xrefs: 00007FF6A1F718FD
Cancel, xrefs: 00007FF6A1F71E95
Downloading filter kb_outlook_sf_%i, xrefs: 00007FF6A1F718E2
Password:, xrefs: 00007FF6A1F71D67
BUTTON, xrefs: 00007FF6A1F71E32, 00007FF6A1F71EA1
SpamFilterWindow, xrefs: 00007FF6A1F71644
Unk error, xrefs: 00007FF6A1F71C78
P, xrefs: 00007FF6A1F71E13
CONIN$, xrefs: 00007FF6A1F7187A
qwertyuio.txt, xrefs: 00007FF6A1F716C4, 00007FF6A1F716E7
CONOUT$, xrefs: 00007FF6A1F71831, 00007FF6A1F71857
d, xrefs: 00007FF6A1F719BE
, xrefs: 00007FF6A1F71A9E
STATIC, xrefs: 00007FF6A1F719A5, 00007FF6A1F71A3F, 00007FF6A1F71D73
COMBOBOX, xrefs: 00007FF6A1F71B1C
Spam filter update, xrefs: 00007FF6A1F7180D, 00007FF6A1F71921

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: Window$Message$CreateSend$File$Handle$LoadLongPointer__acrt_iob_func_invalid_parameter_noinfo_noreturn$ConsoleShowWritefreopen_s$Iconmemcpyprintf$AllocBitmapClassCommonControlsCursorDispatchFontGroupInformationInitJoinLocalMembersNamePathRegisterSleepTempTitleTranslateUpdateUser__stdio_common_vfprintfmemset
String ID: $BUTTON$COMBOBOX$CONIN$$CONOUT$$Cancel$Downloading filter kb_outlook_sf_%i$EDIT$K$Microsoft Sans Serif$P$Password:$Provide credentials to continue setup update...$STATIC$Spam filter update$SpamFilterWindow$Unk error$Username:$b$d$qwertyuio.txt
API String ID: 302576863-3539170726
Opcode ID: ea99f84902e5ba4aa69d1c95a5d9dfe7b7d1d270e9860f1fef6137fcf582684a
Instruction ID: 5dcf859592464d4b6804f15261176c69e8cf5cfd6d3b22ba588784eef5976ee6
Opcode Fuzzy Hash: ea99f84902e5ba4aa69d1c95a5d9dfe7b7d1d270e9860f1fef6137fcf582684a
Instruction Fuzzy Hash: 9A424071A19BC286FB108B74F8543AA77E1FB84798F500236EA5D87AA4DF7CD149CB40

Function 00007FF6A1F71FC0 Relevance: 143.1, APIs: 72, Strings: 9, Instructions: 1308processpipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE ref: 00007FF6A1F72025
SetHandleInformation.KERNEL32 ref: 00007FF6A1F720A3
memcpy.VCRUNTIME140 ref: 00007FF6A1F721E8
CreateProcessW.KERNELBASE ref: 00007FF6A1F72234
CloseHandle.KERNEL32 ref: 00007FF6A1F72246
CloseHandle.KERNEL32 ref: 00007FF6A1F72251

Part of subcall function 00007FF6A1F74060: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF6A1F7363C), ref: 00007FF6A1F7407A

Strings

Wrong:, xrefs: 00007FF6A1F73130
Error, xrefs: 00007FF6A1F73488
Update succesfully applied!, xrefs: 00007FF6A1F72FDB
Wrong password or username!, xrefs: 00007FF6A1F7348F
/c , xrefs: 00007FF6A1F721C9
Failed to execute command., xrefs: 00007FF6A1F72257
Success:, xrefs: 00007FF6A1F72C8A
int, xrefs: 00007FF6A1F7290B
Success, xrefs: 00007FF6A1F72FD4

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: Handle$CloseCreate$InformationPipeProcessmallocmemcpy
String ID: /c $Error$Failed to execute command.$Success$Success:$Update succesfully applied!$Wrong password or username!$Wrong:$int
API String ID: 1890791042-4241727988
Opcode ID: b1ae045b091a8bfff54fc21e415f4360624d2cd78d6228df44858e001e5a4410
Instruction ID: 412862d151031fc529977f347fd6219f7da1c9140edc39e3b2a22945ffb8351d
Opcode Fuzzy Hash: b1ae045b091a8bfff54fc21e415f4360624d2cd78d6228df44858e001e5a4410
Instruction Fuzzy Hash: 10D28162E19BC291EB10CB74E4443AD63A1FB847A4F505732DA6D93AE9DF7CE185CB00

Function 00007FF6A1F741B4 Relevance: 9.1, APIs: 6, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_release_startup_lock.LIBCMT ref: 00007FF6A1F74246
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F74294
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6A1F74299
_get_narrow_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F742A1
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F742CA
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F7431F

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: __scrt_get_show_window_mode__scrt_release_startup_lock_cexit_exit_get_narrow_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3633349063-0
Opcode ID: dac4e24135b1a57a8a98a4411cd44da1665d8ee50dabc9f3bcd288c41ea35a99
Instruction ID: 090826e7e07ea3e0aa0b8fa88ff519c243ec6711af3bce25e4da37a42ec30f0f
Opcode Fuzzy Hash: dac4e24135b1a57a8a98a4411cd44da1665d8ee50dabc9f3bcd288c41ea35a99
Instruction Fuzzy Hash: E5313C61E4F6D381FB54ABB5A4523B922D1AF51384F44443BEA0DCB6E3DE2CB814CE01

Non-executed Functions

Function 00007FF6A1F71230 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 200
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NetLocalGroupGetMembers.NETAPI32 ref: 00007FF6A1F712A0
SetFilePointer.KERNEL32 ref: 00007FF6A1F71324
WriteFile.KERNEL32 ref: 00007FF6A1F7134F
SetFilePointer.KERNEL32 ref: 00007FF6A1F713EE
WriteFile.KERNEL32 ref: 00007FF6A1F71419
SendMessageW.USER32 ref: 00007FF6A1F71484
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F7149E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F714A5
memset.VCRUNTIME140 ref: 00007FF6A1F712DC

Part of subcall function 00007FF6A1F73680: __stdio_common_vswprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FF6A1F714D3), ref: 00007FF6A1F736C3

Part of subcall function 00007FF6A1F73540: memcpy.VCRUNTIME140 ref: 00007FF6A1F735AA

memset.VCRUNTIME140 ref: 00007FF6A1F714B8
SetFilePointer.KERNEL32 ref: 00007FF6A1F714FC
WriteFile.KERNEL32 ref: 00007FF6A1F71527
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F71566
NetApiBufferFree.NETAPI32 ref: 00007FF6A1F7157E

Strings

%s\%s, xrefs: 00007FF6A1F712E4
Domain Admins, xrefs: 00007FF6A1F71273
error: %i domain: %ls, xrefs: 00007FF6A1F714C0

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: File$PointerWrite_invalid_parameter_noinfo_noreturn$memset$BufferFreeGroupLocalMembersMessageSend__stdio_common_vswprintf_smemcpy
String ID: %s\%s$Domain Admins$error: %i domain: %ls
API String ID: 892554801-949378498
Opcode ID: 7ce54611bf7bb1dc039a77cb4120c5fff18c2931df77d10df1153c05735f6a9c
Instruction ID: 272e0a8d3510c8864c1f7d265f1637461cf3d67782707b5914924f0fb525cfd4
Opcode Fuzzy Hash: 7ce54611bf7bb1dc039a77cb4120c5fff18c2931df77d10df1153c05735f6a9c
Instruction Fuzzy Hash: 04919F72B09B9291FB108B75E4443AD73A1FB857A4F504232DA6D97AA8DF3CD545CF00

Function 00007FF6A1F746E4 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6A1F74700
memset.VCRUNTIME140 ref: 00007FF6A1F74724
RtlCaptureContext.KERNEL32 ref: 00007FF6A1F7472D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6A1F74747
RtlVirtualUnwind.KERNEL32 ref: 00007FF6A1F74788
memset.VCRUNTIME140 ref: 00007FF6A1F747BB
IsDebuggerPresent.KERNEL32 ref: 00007FF6A1F747DC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6A1F747F9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6A1F74804

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: dd96b891e0ced7b4437af63341e93c711b2a5dcd7386378946f4af32eb462ce2
Instruction ID: 71a8e25bd63acf3bd324eeeb195e1b23149831a2b8cde950c9c25d89773ea048
Opcode Fuzzy Hash: dd96b891e0ced7b4437af63341e93c711b2a5dcd7386378946f4af32eb462ce2
Instruction Fuzzy Hash: A0311C7260ABC19AEB609F70E8507ED73A4FB84744F44443ADA4E87B99DF78D548CB10

Function 00007FF6A1F745C4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6A1F745F0
GetCurrentThreadId.KERNEL32 ref: 00007FF6A1F745FE
GetCurrentProcessId.KERNEL32 ref: 00007FF6A1F7460A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6A1F7461A

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 891ab46001a77083f4c6b7ad9002c9910e24d89c7f5cdb7820509e571a20d365
Instruction ID: 22496fe74ad180284c54d2a8f40e29fd1802acade7cb590b3657376404d56de1
Opcode Fuzzy Hash: 891ab46001a77083f4c6b7ad9002c9910e24d89c7f5cdb7820509e571a20d365
Instruction Fuzzy Hash: 77113C22B15F428AEB00DF70E8542B833A4FB19758F440E32DA6D877A4DF7CD1588780

Function 00007FF6A1F748C4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6053e07554fbea29175d1a6608e895179c4e48defbed01a2436aa287dea70c02
Instruction ID: 80806195ecdc873397866184dfccf3240b2dcf3dce128b5c8862c7f68d689ddc
Opcode Fuzzy Hash: 6053e07554fbea29175d1a6608e895179c4e48defbed01a2436aa287dea70c02
Instruction Fuzzy Hash: C6A0012294A8C6A4E7058B60A95042022A0AB54700B490072C00D820649E3CA558CB40

Function 00007FF6A1F739E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73A77
memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73ADA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73B79

Part of subcall function 00007FF6A1F74060: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF6A1F7363C), ref: 00007FF6A1F7407A

memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73BA9
memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73BC7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A1F73BEA

Strings

qwertyuio.txt, xrefs: 00007FF6A1F739EA

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: qwertyuio.txt
API String ID: 1155477157-3707364253
Opcode ID: 3459bad5fd16917d938506398ab97c25b63a862a8be19253d07954d0298f490c
Instruction ID: 2348eaabcd0b5247bc8fbf0207f414d87dbd6394cb40b1c60cec5f521d2c3dc6
Opcode Fuzzy Hash: 3459bad5fd16917d938506398ab97c25b63a862a8be19253d07954d0298f490c
Instruction Fuzzy Hash: 4C519E22E09B85A1EB10AF39D4042BC33A4FB55BA4F544A36DE2C933C5DF78E194C385

Function 00007FF6A1F73820 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF6A1F73936
memcpy.VCRUNTIME140 ref: 00007FF6A1F73944
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F73982
memcpy.VCRUNTIME140 ref: 00007FF6A1F7398C
memcpy.VCRUNTIME140 ref: 00007FF6A1F7399A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A1F739D0

Strings

SpamFilterWindow, xrefs: 00007FF6A1F73825

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: SpamFilterWindow
API String ID: 1775671525-526305039
Opcode ID: 987b76db52ead99c51807693e86a34ee33ea1b3a47a374d769e5fb3bb4e1a207
Instruction ID: 7daef361dfb0482c413190a4e7233cca4e9edacf9d3e937541475cfaa2bafc22
Opcode Fuzzy Hash: 987b76db52ead99c51807693e86a34ee33ea1b3a47a374d769e5fb3bb4e1a207
Instruction Fuzzy Hash: 7E41C162B1AA81A1EF10DB35A5042A9A3A6EB44BE0F540732DE6E87BD5DE3CE055C704

Function 00007FF6A1F73BF0 Relevance: 9.1, APIs: 6, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73CF9
memcpy.VCRUNTIME140(?,?,?,?,?,?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73D07
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73D3F
memcpy.VCRUNTIME140(?,?,?,?,?,?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73D46
memcpy.VCRUNTIME140(?,?,?,?,?,?,7FFFFFFFFFFFFFFE,?,?), ref: 00007FF6A1F73D54
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A1F73D7F

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 546ff1afa53c00b1364939035d7581988a91f38338a6455a9548f4f537a81813
Instruction ID: 4255a04b51ec92f1840a5c991d35545e8f242221d53461f4484ee3d2e67415cb
Opcode Fuzzy Hash: 546ff1afa53c00b1364939035d7581988a91f38338a6455a9548f4f537a81813
Instruction Fuzzy Hash: E3418362B0AA8991EF109B36A4042A9A3D5BB44BE0F540B32DE6D977D5DF3CE451C704

Function 00007FF6A1F73540 Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF6A1F735AA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6A1F73630
memcpy.VCRUNTIME140 ref: 00007FF6A1F73656
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A1F7367A

Part of subcall function 00007FF6A1F74060: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF6A1F7363C), ref: 00007FF6A1F7407A

Memory Dump Source

Source File: 00000000.00000002.3047043551.00007FF6A1F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A1F70000, based on PE: true

Associated: 00000000.00000002.3047032144.00007FF6A1F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047057712.00007FF6A1F75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047070366.00007FF6A1F78000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3047082374.00007FF6A1F79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a1f70000_antispam.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: f2283278108291882d25e802012c46d915fca41191c32668bfa0381252e2fc1d
Instruction ID: b66b5fe8d5cf23dbc28fa6cdcd34eeb58e4652fdae4898a06438d6035a4818d9
Opcode Fuzzy Hash: f2283278108291882d25e802012c46d915fca41191c32668bfa0381252e2fc1d
Instruction Fuzzy Hash: 4331E462A0B7C291EF149B21A80027962D5EB45BF0F640B36DE3D977D0DE7CE4918704

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report antispam.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\qwertyuio.txt

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: antispam.exePID: 6120, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 3844, Parent PID: 6120

General

Chronological Activities

Windows Analysis Report
antispam.exe

Function 00007FF6A1F715B0 Relevance: 156.3, APIs: 68, Strings: 21, Instructions: 534
windowfileregistryCOMMON

Function 00007FF6A1F741B4 Relevance: 9.1, APIs: 6, Instructions: 94
COMMON

Function 00007FF6A1F71230 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 200
filewindowCOMMON

Function 00007FF6A1F746E4 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00007FF6A1F745C4 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Function 00007FF6A1F739E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Function 00007FF6A1F73820 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128
COMMON

Function 00007FF6A1F73BF0 Relevance: 9.1, APIs: 6, Instructions: 126
COMMON

Function 00007FF6A1F73540 Relevance: 6.1, APIs: 4, Instructions: 88
COMMON