Windows Analysis Report
stage2.exe

Overview

General Information

Sample name: stage2.exe
Analysis ID: 1428251
MD5: f4f731777157f1bc59369be4b286b5cd
SHA1: ebce4a1a3b15bce601671867d36965b15ef4108b
SHA256: fe6328938db1b9c8e3e8b1a92f0cc5ac28a6fd5e0c7e40c521f7b0f408e63c3f
Tags: exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Binary contains a suspicious time stamp
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • stage2.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\stage2.exe" MD5: F4F731777157F1BC59369BE4B286B5CD)
    • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: stage2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: stage2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: BthUdTask.pdbGCTL source: stage2.exe
Source: Binary string: BthUdTask.pdb source: stage2.exe
Source: stage2.exe, 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBthUdTask.exej% vs stage2.exe
Source: stage2.exe | Binary or memory string: OriginalFilenameBthUdTask.exej% vs stage2.exe
Source: classification engine | Classification label: clean4.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: stage2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\stage2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\stage2.exe "C:\Users\user\Desktop\stage2.exe"
Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\stage2.exe | Section loaded: newdev.dll
Source: C:\Users\user\Desktop\stage2.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\stage2.exe | Section loaded: devrtl.dll
Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: stage2.exe | Static PE information: 0xF898BAFC [Thu Mar 2 16:08:28 2102 UTC]
Source: stage2.exe | Static PE information: real checksum: 0x15f44 should be: 0x32e44
Source: stage2.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\stage2.exe | Code function: 0_2_00782115 push ecx; ret 0_2_00782128
Source: C:\Users\user\Desktop\stage2.exe | API coverage: 9.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\stage2.exe | Code function: 0_2_0078212F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0078212F
Source: C:\Users\user\Desktop\stage2.exe | Code function: 0_2_0078200B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0078200B
MITRE ATT&CK Matrix (matched techniques are followed by their signature count in parentheses)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
  • Defense Evasion: Process Injection (1); Timestomp (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: System Time Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1428251 | Sample: stage2.exe | Start date: 18/04/2024 | Architecture: WINDOWS | Score: 4
  • stage2.exe (started)
    • conhost.exe (started by stage2.exe)
Source      Detection  Scanner        Label                  Link
stage2.exe  8%         ReversingLabs  Win32.Malware.Generic
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428251
Start date and time: 2024-04-18 18:23:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: stage2.exe
Detection: CLEAN
Classification: clean4.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 5
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Not all processes were analyzed, report is missing behavior information
  • VT rate limit hit for: stage2.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 4.64164352935891
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: stage2.exe
File size: 187'372 bytes
MD5: f4f731777157f1bc59369be4b286b5cd
SHA1: ebce4a1a3b15bce601671867d36965b15ef4108b
SHA256: fe6328938db1b9c8e3e8b1a92f0cc5ac28a6fd5e0c7e40c521f7b0f408e63c3f
SHA512: e16c315826a52b3717ab2347e3b04c092fbd3d4a3fd3cf5f2514402ec1fa1c4e4d484fc635df4b3e4ca1b20a5a75a74731e933d9650f1b486dd63d138f2a87a3
SSDEEP: 768:lfGgTViahszDOtfGgTViahszDOCBsMEzKzaiLFOJJfGgTViahszDOmefGgTViahZ:F4WsO94WsOf+LFS4WsOF4WsO
TLSH: FF04644A91C354B8EC7398F0F838C07A75519C814A3A429E6B34B6DF26FC066DE27D76
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich............................PE..L..........
Icon Hash: 1b73e4b9f0f2512f
Entrypoint: 0x401d00
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xF898BAFC [Thu Mar 2 16:08:28 2102 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 4d14d19b876bbb7a86ffba329be9d956
Instruction
call 00007F653CF1EC3Bh
jmp 00007F653CF1E704h
int3
int3
int3
int3
int3
int3
cmp ecx, dword ptr [00403004h]
jne 00007F653CF1E935h
retn 0000h
jmp 00007F653CF1ED74h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
push 00401D10h
push 00403004h
call 00007F653CF1EE58h
add esp, 18h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F653CF1E95Dh
cmp dword ptr [eax+10h], 03h
jne 00007F653CF1E957h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F653CF1E947h
cmp eax, 19930521h
je 00007F653CF1E940h
cmp eax, 19930522h
je 00007F653CF1E939h
cmp eax, 01994000h
jne 00007F653CF1E938h
call dword ptr [0040407Ch]
xor eax, eax
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00401D60h
call dword ptr [00404040h]
xor eax, eax
ret
int3
int3
int3
int3
int3
int3
jmp dword ptr [000040ACh]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x40c8           0x78          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x6f68        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd000           0x1a0         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1210           0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1008           0xbc          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x4000           0xc4          .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x23bc           0x60          .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x149c | 0x1600 | f2f22146a12dac87b8c15c0607631bea | False | 0.5276988636363636 | data | 5.499033431870281 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x3e0 | 0x200 | bcb053506e7c83e9b9455a0b5f85fd94 | False | 0.048828125 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4000 | 0x588 | 0x600 | 488e94517e0fd9462dc84b467c0c740b | False | 0.4830729166666667 | data | 4.719851963347107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x5000 | 0x14 | 0x200 | 806bb5285faa215c0646be1443c9a606 | False | 0.044921875 | data | 0.16476501235057214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x6f68 | 0x7000 | edd1c895a02223094a114d9855a4c978 | False | 0.279296875 | data | 3.8366325984328125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd000 | 0x1a0 | 0x200 | 02bd71be5011b2c20afee2a0121c8739 | False | 0.81640625 | data | 5.410463212754183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MUI | 0xce90 | 0xd8 | data | English | United States | 0.5324074074074074
RT_ICON | 0x6b18 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5675675675675675
RT_ICON | 0x6c40 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.23699421965317918
RT_ICON | 0x71a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.49193548387096775
RT_ICON | 0x7490 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.4174187725631769
RT_ICON | 0x7d38 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.375
RT_ICON | 0x83a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.32116204690831557
RT_ICON | 0x9248 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2712765957446808
RT_ICON | 0x96b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3013602251407129
RT_ICON | 0xa758 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1808091286307054
RT_STRING | 0xcd88 | 0x108 | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.5037878787878788
RT_GROUP_ICON | 0xcd00 | 0x84 | data | English | United States | 0.6439393939393939
RT_VERSION | 0x6768 | 0x3ac | data | English | United States | 0.46063829787234045
RT_MANIFEST | 0x6370 | 0x3f6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.47830374753451677
DLL | Imports
ADVAPI32.dll | RegCloseKey, RegQueryValueExW
KERNEL32.dll | GetSystemTimeAsFileTime, GetCurrentThreadId, UnhandledExceptionFilter, QueryPerformanceCounter, GetModuleHandleW, SetUnhandledExceptionFilter, Sleep, GetTickCount, GetCurrentProcess, CloseHandle, SetEvent, OpenEventW, GetLastError, CompareStringOrdinal, TerminateProcess, GetCurrentProcessId, ResolveDelayLoadedAPI, DelayLoadFailureHook
msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _except_handler4_common, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _vsnwprintf, memset
newdev.dll | DiUninstallDevice
DEVOBJ.dll | DevObjUninstallDevice, DevObjDestroyDeviceInfoList, DevObjGetDeviceInstanceId, DevObjGetClassDevs, DevObjCreateDeviceInfoList, DevObjOpenDevRegKey, DevObjEnumDeviceInfo
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID: 0
Start time: 18:23:54
Start date: 18/04/2024
Path: C:\Users\user\Desktop\stage2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\stage2.exe"
Imagebase: 0x780000
File size: 187'372 bytes
MD5 hash: F4F731777157F1BC59369BE4B286B5CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 18:23:54
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


    Execution Graph

    Execution Coverage:13.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:5%
    Total number of Nodes:100
    Total number of Limit Nodes:2
    Execution graph (node/edge dump from the report's graph rendering, summarised here by function address and the APIs each node calls):
    • 781d00 (entry) calls 78200b: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
    • 781ad9 loops on Sleep, then runs _amsg_exit, _initterm, __IsNonwritableInCurrentImage and calls 781911; exits via exit, _XcptFilter, _cexit
    • 781911 calls memset, 7816cf and 7818bf (_vsnwprintf), then OpenEventW, GetLastError, SetEvent and 7819e8 (CloseHandle)
    • 7816cf calls DevObjCreateDeviceInfoList, GetLastError, DevObjGetClassDevs, DevObjEnumDeviceInfo, DevObjOpenDevRegKey, memset, RegQueryValueExW, RegCloseKey, CompareStringOrdinal, DevObjDestroyDeviceInfoList and 7815cf
    • 7815cf calls DevObjGetDeviceInstanceId, DiUninstallDevice, DevObjUninstallDevice (GetLastError via 7815a6)
    • 781d10 leads to 78212f: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
    • 781a30 calls 781e4a (GetModuleHandleW), then __set_app_type, __p__fmode, __p__commode, __setusermatherr and 7820a9 (_controlfp)
    • 781c0c: _exit, _cexit; 781d30: _except_handler4_common; 781d60: ?terminate@
    • 782282 calls 7819fa (ResolveDelayLoadedAPI); 782324 calls 781d10

    Memory Dump Source
    • Source File: 00000000.00000002.1641847303.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
    • Associated: 00000000.00000002.1641827045.0000000000780000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000784000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_780000_stage2.jbxd
    Similarity
    • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
    • String ID: |3x$|3x
    • API String ID: 796493780-635866703
    • Opcode ID: 2c6eaa1807472b68387e617c7bf87086a1384417bfab07cc08b1661ff2632064
    • Instruction ID: 3cf91d28a7a09508cccf1d5f5f77a3a701556def564812198df3398baa3b0c26
    • Opcode Fuzzy Hash: 2c6eaa1807472b68387e617c7bf87086a1384417bfab07cc08b1661ff2632064
    • Instruction Fuzzy Hash: 9031E4B1AC4301DFD725BB68EC09B297BA9F708B21F70412DE105976E1EB7C8942DB58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0078226B,P0x), ref: 00782136
    • UnhandledExceptionFilter.KERNEL32(k"x,?,0078226B,P0x), ref: 0078213F
    • GetCurrentProcess.KERNEL32(C0000409,?,0078226B,P0x), ref: 0078214A
    • TerminateProcess.KERNEL32(00000000,?,0078226B,P0x), ref: 00782151
    Memory Dump Source
    • Source File: 00000000.00000002.1641847303.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
    • Associated: 00000000.00000002.1641827045.0000000000780000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000784000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_780000_stage2.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID: k"x
    • API String ID: 3231755760-1118782205
    • Opcode ID: e0bd7668cc656f72302726a20a2ebd1a0cb826100394baaf5a430d57d38ec1e9
    • Instruction ID: 21db214431e48085be7d72f4ce6edf63cf7b9a8542918559eb2ab3efff1fb4cb
    • Opcode Fuzzy Hash: e0bd7668cc656f72302726a20a2ebd1a0cb826100394baaf5a430d57d38ec1e9
    • Instruction Fuzzy Hash: A8D0E972184205BBD7002BE1ED0DA5A3E29EB84656F258490F70A9A461DBB954118B69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00782038
    • GetCurrentProcessId.KERNEL32 ref: 00782047
    • GetCurrentThreadId.KERNEL32 ref: 00782050
    • GetTickCount.KERNEL32 ref: 00782059
    • QueryPerformanceCounter.KERNEL32(?), ref: 0078206E
    Memory Dump Source
    • Source File: 00000000.00000002.1641847303.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
    • Associated: 00000000.00000002.1641827045.0000000000780000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000784000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_780000_stage2.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: a8ff6f29617d13f3b896024143b102d12b899b4977c2a10a9b55ed51768a7021
    • Instruction ID: eaa2a1dc148c231d43a62ee183c8ff855f8a1308118d1a84c9c523d80b9acb4c
    • Opcode Fuzzy Hash: a8ff6f29617d13f3b896024143b102d12b899b4977c2a10a9b55ed51768a7021
    • Instruction Fuzzy Hash: FE111871D41209EBCB10DBB8DA4869EBBF5FF48351F6188A6D502EB210E6789B04DB04
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DevObjCreateDeviceInfoList.DEVOBJ(00000000,00000000,00000000,00000000,00000000), ref: 007816F6
    • GetLastError.KERNEL32 ref: 00781703
    • DevObjGetClassDevs.DEVOBJ(00000000,00000000,?,00000004,00000000,00000000), ref: 00781729
    • DevObjEnumDeviceInfo.DEVOBJ(00000000,00000000,?,?,00000004,00000000,00000000), ref: 00781782
    • DevObjOpenDevRegKey.DEVOBJ(00000000,00000024,00000001,00000000,00000001,00020019,?,00000004,00000000,00000000), ref: 007817AB
    • GetLastError.KERNEL32(?,00000004,00000000,00000000), ref: 007817BE
    • memset.MSVCRT ref: 007817EA
    • RegQueryValueExW.ADVAPI32(00000000,Bluetooth_UniqueID,00000000,?,?,0000007C), ref: 00781815
    • RegCloseKey.ADVAPI32(?), ref: 00781830
    • CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001), ref: 0078185F
    • DevObjDestroyDeviceInfoList.DEVOBJ(00000000,?,00000004,00000000,00000000), ref: 007818A2
    Memory Dump Source
    • Source File: 00000000.00000002.1641847303.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
    • Associated: 00000000.00000002.1641827045.0000000000780000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000784000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_780000_stage2.jbxd
    Similarity
    • API ID: DeviceInfo$ErrorLastList$ClassCloseCompareCreateDestroyDevsEnumOpenOrdinalQueryStringValuememset
    • String ID: $$Bluetooth_UniqueID$|
    • API String ID: 304487998-582949365
    • Opcode ID: b1abfcc9ed44351500aee800b9716bf634bd9dbc451d8f005e1fc687777699d5
    • Instruction ID: 1f8fded754c48708d60862a8fbc995f1bdc18683e3267dd7337f0c8ef1445dd0
    • Opcode Fuzzy Hash: b1abfcc9ed44351500aee800b9716bf634bd9dbc451d8f005e1fc687777699d5
    • Instruction Fuzzy Hash: B451E972D402349FCB209B248C45B9BBABDEF85730F614295F919E3280DB788D458F90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • memset.MSVCRT ref: 0078196E
    • OpenEventW.KERNEL32(00000002,00000000,?), ref: 007819A3
    • GetLastError.KERNEL32 ref: 007819B5
      • Part of subcall function 007816CF: DevObjCreateDeviceInfoList.DEVOBJ(00000000,00000000,00000000,00000000,00000000), ref: 007816F6
      • Part of subcall function 007816CF: GetLastError.KERNEL32 ref: 00781703
      • Part of subcall function 007816CF: DevObjGetClassDevs.DEVOBJ(00000000,00000000,?,00000004,00000000,00000000), ref: 00781729
      • Part of subcall function 007816CF: DevObjDestroyDeviceInfoList.DEVOBJ(00000000,?,00000004,00000000,00000000), ref: 007818A2
      • Part of subcall function 007816CF: DevObjEnumDeviceInfo.DEVOBJ(00000000,00000000,?,?,00000004,00000000,00000000), ref: 00781782
      • Part of subcall function 007816CF: DevObjOpenDevRegKey.DEVOBJ(00000000,00000024,00000001,00000000,00000001,00020019,?,00000004,00000000,00000000), ref: 007817AB
      • Part of subcall function 007816CF: GetLastError.KERNEL32(?,00000004,00000000,00000000), ref: 007817BE
      • Part of subcall function 007816CF: memset.MSVCRT ref: 007817EA
      • Part of subcall function 007816CF: RegQueryValueExW.ADVAPI32(00000000,Bluetooth_UniqueID,00000000,?,?,0000007C), ref: 00781815
      • Part of subcall function 007816CF: RegCloseKey.ADVAPI32(?), ref: 00781830
      • Part of subcall function 007816CF: CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000001), ref: 0078185F
    • SetEvent.KERNEL32(00000000), ref: 007819BE
    Memory Dump Source
    • Source File: 00000000.00000002.1641847303.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
    • Associated: 00000000.00000002.1641827045.0000000000780000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000784000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_780000_stage2.jbxd
    Similarity
    • API ID: DeviceErrorInfoLast$EventListOpenmemset$ClassCloseCompareCreateDestroyDevsEnumOrdinalQueryStringValue
    • String ID: BTHLE$BTHLEDevice$Global\BTH_UNINSTALL_DEVICE_%s$bthenum
    • API String ID: 3367271578-2565694137
    • Opcode ID: 8cf0f7c367de1ff50fc0887adca70fc4ab3f5f266eab092d859aff534a3865eb
    • Instruction ID: fb281b8a1f13f4eaf59cf8ffaaeef4807d2c1a8d6bf99ab2f2261ea84e3a2c19
    • Opcode Fuzzy Hash: 8cf0f7c367de1ff50fc0887adca70fc4ab3f5f266eab092d859aff534a3865eb
    • Instruction Fuzzy Hash: B4112972F80228EBC310BB94981DA9AB7EDDF84760F544195E914D7241DA78DD02CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00781E4A: GetModuleHandleW.KERNEL32(00000000), ref: 00781E51
    • __set_app_type.MSVCRT ref: 00781A42
    • __p__fmode.MSVCRT ref: 00781A58
    • __p__commode.MSVCRT ref: 00781A66
    • __setusermatherr.MSVCRT ref: 00781A87
    Memory Dump Source
    • Source File: 00000000.00000002.1641847303.0000000000781000.00000020.00000001.01000000.00000003.sdmp, Offset: 00780000, based on PE: true
    • Associated: 00000000.00000002.1641827045.0000000000780000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000784000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1641867251.0000000000786000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_780000_stage2.jbxd
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: b35dfd960ca9559575b566accda3d0ea9829bc4b4a1171b794744dc09b26507b
    • Instruction ID: fe6e200eef668483f907eb5b7b1f8927fc969a67bd2195f70e9305be3b67cfff
    • Opcode Fuzzy Hash: b35dfd960ca9559575b566accda3d0ea9829bc4b4a1171b794744dc09b26507b
    • Instruction Fuzzy Hash: 19F0F2715C0301DFE728BB78ED4E6153B2AAB01B22B708659E812862E1CF7D92458B29
    Uniqueness

    Uniqueness Score: -1.00%