
Windows Analysis Report
YBuzMywtqU.exe

Overview

General Information

Sample name:YBuzMywtqU.exe
renamed because original name is a hash value
Original sample name:win_graphical_proton_dc79c213a28493bb4ba2c8e274696a41530a5983c7a3586b31ff69a5291754e6.exe
Analysis ID:1431551
MD5:a74514a8689c48fdd73fe4a340802ed0
SHA1:aa6b986f6307efe38d25e2140ed3b1c3ef396c4b
SHA256:dc79c213a28493bb4ba2c8e274696a41530a5983c7a3586b31ff69a5291754e6
Tags:apt29exegraphicalprotonunpacked

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • YBuzMywtqU.exe (PID: 4292 cmdline: "C:\Users\user\Desktop\YBuzMywtqU.exe" MD5: A74514A8689C48FDD73FE4A340802ED0)
    • conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: YBuzMywtqU.exe | Virustotal: Detection: 11%
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: login.microsoftonline.com
Source: YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/8/I
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631230487.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3324875055.0000000000534000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325069493.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325254749.0000000002CC0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token
Source: YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token0
Source: YBuzMywtqU.exe, 00000000.00000003.2631249631.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325000916.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token03
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token3-
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenK-
Source: YBuzMywtqU.exe, 00000000.00000003.2631230487.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325069493.00000000005F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenSY
Source: YBuzMywtqU.exe, 00000000.00000002.3325254749.0000000002CC0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenlt
Source: YBuzMywtqU.exe, 00000000.00000002.3325254749.0000000002CC0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenltificate
Source: YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenou
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/error?code=70000
Source: YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/osoftonline.com/5)6
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Code function: 0_3_02160000
Source: classification engine | Classification label: mal52.evad.winEXE@2/0@1/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_03
Source: YBuzMywtqU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YBuzMywtqU.exe | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Users\user\Desktop\YBuzMywtqU.exe "C:\Users\user\Desktop\YBuzMywtqU.exe"
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: YBuzMywtqU.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: YBuzMywtqU.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: YBuzMywtqU.exe | Static file information: File size 1412096 > 1048576
Source: YBuzMywtqU.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117400
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Code function: 0_2_00000001400F6C6C LoadLibraryW,GetProcAddressForCaller
Source: YBuzMywtqU.exe | Static PE information: section name: .00cfg
Source: YBuzMywtqU.exe | Static PE information: section name: .gehcont
Source: YBuzMywtqU.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: YBuzMywtqU.exe, 00000000.00000003.2631249631.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3324875055.0000000000565000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325000916.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | Code function: 0_2_00000001400F6C6C LoadLibraryW,GetProcAddressForCaller

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtQueryInformationToken: Direct from: 0x1400616AC
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x1400619AA
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtMapViewOfSection: Direct from: 0x140017816
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x14001804B
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x140061CA5
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x140017A30
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x1400038A1
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x216034F
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x21603A3
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtDeviceIoControlFile: Direct from: 0x140064861
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x1400180A7
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x1400F476C
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x2160AE3
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtCreateFile: Direct from: 0x1400177A5
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtSetSecurityObject: Direct from: 0x7FF8C88A26A1
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x2160379
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x14006114D
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x7FF8C88C4B5E
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x2140265
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x21403A3
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x214034F
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtWriteVirtualMemory: Direct from: 0x14001807E
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x140017989
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x140004874
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x1400623CA
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x140061F3A
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtAllocateVirtualMemory: Direct from: 0x2140379
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x1400048CC
Source: C:\Users\user\Desktop\YBuzMywtqU.exe | NtProtectVirtualMemory: Direct from: 0x2160265
MITRE ATT&CK Matrix (each tactic column lists its techniques; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Native API (1), Scheduled Task/Job, At
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Process Injection (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
Defense Evasion: Process Injection (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: Query Registry (1), Security Software Discovery (1), System Information Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1431551 | Sample: YBuzMywtqU.exe | Startdate: 25/04/2024 | Architecture: WINDOWS | Score: 52
Behavior graph nodes: login.microsoftonline.com (DNS/IP info); Multi AV Scanner detection for submitted file (signature); YBuzMywtqU.exe (process, started); Found direct / indirect Syscall (likely to bypass EDR) (signature, on YBuzMywtqU.exe); conhost.exe (process, started by YBuzMywtqU.exe)

Source | Detection | Scanner | Label | Link
YBuzMywtqU.exe | 11% | Virustotal | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.micro | 0% | URL Reputation | safe |
http://crl.microsoft | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
login.microsoftonline.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://login.microsoftonline.com/ | YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/error?code=70000 | YBuzMywtqU.exe, 00000000.00000002.3325000916.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/8/I | YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micro | YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft | YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/common/oauth2/v2.0/token0 | YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/osoftonline.com/5)6 | YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/token03 | YBuzMywtqU.exe, 00000000.00000003.2631249631.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325000916.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenK- | YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenlt | YBuzMywtqU.exe, 00000000.00000002.3325254749.0000000002CC0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenSY | YBuzMywtqU.exe, 00000000.00000003.2631230487.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325069493.00000000005F3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenou | YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenltificate | YBuzMywtqU.exe, 00000000.00000002.3325254749.0000000002CC0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/token3- | YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/token | YBuzMywtqU.exe, 00000000.00000002.3325000916.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631230487.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3324875055.0000000000534000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2086127232.0000000002CC5000.00000004.00000001.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000003.2631249631.0000000000587000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325069493.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, YBuzMywtqU.exe, 00000000.00000002.3325254749.0000000002CC0000.00000004.00000001.00020000.00000000.sdmp | false | | high
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1431551
Start date and time:2024-04-25 12:29:10 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:YBuzMywtqU.exe
renamed because original name is a hash value
Original Sample Name:win_graphical_proton_dc79c213a28493bb4ba2c8e274696a41530a5983c7a3586b31ff69a5291754e6.exe
Detection:MAL
Classification:mal52.evad.winEXE@2/0@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 40.126.29.10, 40.126.29.6, 40.126.29.14, 40.126.29.7, 40.126.29.12, 20.190.157.11, 40.126.29.11, 40.126.29.15
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, www.tm.ak.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.mso.msidentity.com, ak.privatelink.msidentity.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No created / dropped files found
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.345438478908123
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:YBuzMywtqU.exe
File size:1'412'096 bytes
MD5:a74514a8689c48fdd73fe4a340802ed0
SHA1:aa6b986f6307efe38d25e2140ed3b1c3ef396c4b
SHA256:dc79c213a28493bb4ba2c8e274696a41530a5983c7a3586b31ff69a5291754e6
SHA512:ecc1df7a4b1534494b306391e522cdead6000fb3dddea45f985ee4ffa0b08aee33f789d4380a27e14459233120e812f006d5494fb0191f40531ad62940dd824a
SSDEEP:12288:ZOdMlcPltvWG+ktEmwjbmmIXlBJLZYcmIfPizEjKNxis7EiUfF/RlZKvyJQSZVYN:muc3vWq2NbEEEiUN9KvyJHVYw02lZ5i
TLSH:01654A03A76551E5C17BC13DC6572B27F9B138550339A7EB4BA04AA62F23BF06A7E310
File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d..... e.........."......t...........l.........@.......................................... ........................................
Icon Hash:00928e8e8686b000
Entrypoint:0x1400a6cc0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:0x652016F4 [Fri Oct 6 14:17:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:4af58f90bf89d80e9b252aae09d25711
Instruction
dec eax
sub esp, 28h
call 00007F474CF86460h
dec eax
add esp, 28h
jmp 00007F474CF862B3h
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [000A25D0h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F474CF864C6h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [000904BAh]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [000903F4h]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [000903D0h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+20h]
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [000905A0h]
mov eax, dword ptr [ebp+20h]
dec eax
lea ecx, dword ptr [ebp+10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+20h]
dec eax
xor eax, dword ptr [ebp+10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x136948 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x166000 | 0xe46c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x179000 | 0xff8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x133b90 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x125870 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x136f70 | 0x598 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type                                                          Entropy  Characteristics
                               .text     0x1000           0x117346      0x117400  0ed4b8f91f0322ce6acbc05ce04f5023  False     0.4181           data                                                               6.2444   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rdata    0x119000         0x2f56c       0x2f600   c5d0238f92701c15998e6cb7630a4a8e  False     0.4449           data                                                               5.8377   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .data     0x149000         0x1c030       0x2000    3b734c7c16733251e7759678c787882e  False     0.1584           data                                                               3.6918   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .pdata    0x166000         0xe46c        0xe600    cbbf1049a5d5f700a34f1fa66a16e5b9  False     0.4890           data                                                               6.1091   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .00cfg    0x175000         0x28          0x200     265b368d5d7f2c277e92ec3b90fb890f  False     0.0605           data                                                               0.3974   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .gehcont  0x176000         0x60          0x200     618ff9533c5cbb4568d02ea353b96ba2  False     0.1484           big endian ispell hash file (?), 8-bit, no capitalization, 26 flags  0.6316   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls      0x177000         0x9           0x200     1f354d76203061bfdd5a53dae48d5435  False     0.0332           data                                                               0.0204   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               _RDATA    0x178000         0xf4          0x200     edf98975763f41ffddc6301bd4a46293  False     0.3047           data                                                               2.4576   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc    0x179000         0xff8         0x1000    b649bce58d3477202b46af0ae398aaf7  False     0.4583           data                                                               5.4282   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
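The section table above is the input to the report's "PE file contains sections with non-standard names" signature and to the entropy column. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a dependency-free Python walker over a PE section table that reproduces those checks (per-section Shannon entropy, names outside a standard set, writable-plus-executable sections, and virtual size larger than raw size, which is what a packer's unpacking region looks like). The PE image it parses is constructed inline for the demo and is not YBuzMywtqU.exe; the STANDARD_NAMES set is an assumption. Practitioner caveat: `.00cfg` and `.gehcont` in the real table are Control Flow Guard and EH-continuation metadata emitted by current MSVC toolchains, and `_RDATA` is likewise common in MSVC-linked binaries, so the non-standard-name hit alone is weak evidence; the stronger signals are W+X sections and entropy near 8 bits, and the sample has neither (its only writable sections, `.data` and `.tls`, are not executable, and its highest entropy is 6.24 in `.text`).

```python
"""Added example (not part of the Joe Sandbox report or of the analysed sample):
a dependency-free walker over a PE section table that reproduces the checks
behind the report's section table - per-section Shannon entropy, non-standard
section names, W+X sections and VirtualSize > SizeOfRawData gaps. The PE image
it parses is constructed inline for the demo; it is not YBuzMywtqU.exe."""
import math
import struct

# IMAGE_SCN_* characteristics flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a stock MSVC/MinGW link emits. This set is an assumption for the demo;
# extend it (e.g. with .00cfg/.gehcont for CFG builds) to cut false positives.
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk the COFF section table and return one dict per IMAGE_SECTION_HEADER."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw), "chars": chars,
        })
    return sections


def triage(sections: list) -> dict:
    """The first things an analyst reads off a section table."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return {
        "nonstandard_names": [s["name"] for s in sections if s["name"] not in STANDARD_NAMES],
        "writable_executable": [s["name"] for s in sections if (s["chars"] & wx) == wx],
        "high_entropy": [s["name"] for s in sections if s["entropy"] > 7.0],
        "virtual_larger_than_raw": [s["name"] for s in sections if s["vsize"] > s["rawsize"]],
    }


def build_demo_image() -> bytes:
    """Construct a minimal PE32+ layout (headers plus two sections) for the demo."""
    e_lfanew, opt_size = 0x40, 240
    sec_hdr = e_lfanew + 4 + 20 + opt_size
    demo = [  # (name, raw bytes, characteristics, VirtualSize); constructed, not real
        (b".text", b"\x90" * 0x200,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 0x200),
        (b".gehcont", bytes(range(256)) * 2,
         IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE, 0x2000),
    ]
    raw_start = (sec_hdr + 40 * len(demo) + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    hdr = bytearray(raw_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x8664, len(demo))  # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_size)        # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, e_lfanew + 4 + 20, 0x20B)           # PE32+ magic
    body, va = bytearray(), 0x1000
    for i, (name, data, chars, vsize) in enumerate(demo):
        struct.pack_into("<8sIIII", hdr, sec_hdr + i * 40,
                         name, vsize, va, len(data), raw_start + len(body))
        struct.pack_into("<I", hdr, sec_hdr + i * 40 + 36, chars)
        body += data
        va += 0x1000
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    secs = parse_sections(build_demo_image())
    for s in secs:
        print(f"{s['name']:<9} va=0x{s['va']:x} vsize=0x{s['vsize']:x} "
              f"raw=0x{s['rawsize']:x} entropy={s['entropy']:.2f} chars=0x{s['chars']:08x}")
    print(triage(secs))
```

On the constructed image the `.gehcont` section trips every check at once (non-standard name, RWX, 8.0 bits of entropy, 0x2000 virtual bytes backed by 512 raw bytes), which is the profile of a self-unpacking stub rather than of the sample's real `.gehcont`, whose 0x60 bytes of read-only data score 0.63 bits. To run the walker on a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_sections`.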
                               DLL           Import
                               KERNEL32.dll  AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolTimer, CloseThreadpoolWait, CloseThreadpoolWork, CompareStringEx, CompareStringW, CreateEventExW, CreateEventW, CreateFileA, CreateFileMappingA, CreateFileW, CreatePipe, CreateProcessW, CreateSemaphoreExW, CreateSymbolicLinkW, CreateThread, CreateThreadpoolTimer, CreateThreadpoolWait, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FlushProcessWriteBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumber, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetEnvironmentStringsW, GetExitCodeProcess, GetExitCodeThread, GetFileInformationByHandleEx, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoEx, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetTickCount64, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, InitOnceExecuteOnce, InitializeConditionVariable, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, InitializeSRWLock, InterlockedFlushSList, InterlockedPushEntrySList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, K32GetModuleBaseNameW, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, MapViewOfFile, MultiByteToWideChar, OutputDebugStringW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadpoolTimer, SetThreadpoolWait, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepConditionVariableSRW, SubmitThreadpoolWork, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnmapViewOfFile, VirtualProtect, WaitForSingleObject, WaitForSingleObjectEx, WaitForThreadpoolTimerCallbacks, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
                               USER32.dll    wsprintfW
                               ADVAPI32.dll  RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
                               ole32.dll     CoTaskMemFree
                               urlmon.dll    FindMimeFromData
                               WININET.dll   HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetCloseHandle, InternetConnectA, InternetOpenA, InternetQueryOptionA, InternetReadFile, InternetSetCookieA, InternetSetOptionA
                               Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                               Apr 25, 2024 12:30:07.535625935 CEST  55313        53         192.168.2.5  1.1.1.1

                               Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
                               Apr 25, 2024 12:30:07.535625935 CEST  192.168.2.5  1.1.1.1  0x1006    Standard query (0)  login.microsoftonline.com  A (IP address)  IN (0x0001)  false

                               Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                       CName                     Address  Type                    Class        DNS over HTTPS
                               Apr 25, 2024 12:30:07.645661116 CEST  1.1.1.1    192.168.2.5  0x1006    No error (0)  login.microsoftonline.com  login.mso.msidentity.com           CNAME (Canonical name)  IN (0x0001)  false
                              Target ID:0
                              Start time:12:30:06
                              Start date:25/04/2024
                              Path:C:\Users\user\Desktop\YBuzMywtqU.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\YBuzMywtqU.exe"
                              Imagebase:0x140000000
                              File size:1'412'096 bytes
                              MD5 hash:A74514A8689C48FDD73FE4A340802ED0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:false

                              Target ID:1
                              Start time:12:30:06
                              Start date:25/04/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false


                                Execution Graph

                                Execution Coverage:3.6%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:2.8%
                                Total number of Nodes:433
                                Total number of Limit Nodes:23
                                 execution_graph: [Graphviz node/edge listing of the rendered execution graph omitted. Nodes are function start addresses in the image loaded at 0x140000000 (e.g. 1400d6700, 1400f4b1c, 140001000); the Win32 APIs named on the graphed paths are LoadLibraryW, GetProcAddressForCaller and RtlAllocateHeap, reached through CRT helpers such as try_get_function, __free_lconv_num, _invalid_parameter_noinfo / _invalid_parameter_noinfo_noreturn and std::_Xinvalid_argument.]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000003.2621686173.0000000002160000.00000020.00000001.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_3_2160000_YBuzMywtqU.jbxd
                                Similarity
                                • API ID: Virtual$Alloc$FreeProtect
                                • String ID: $d$t
                                • API String ID: 980677596-3253589775
                                • Opcode ID: f2689706e4079bc3578597176f62b2d51519960daff802b50d073e5cff18d046
                                • Instruction ID: f320003e0a13a0284aebf6a6e1243c2809a94a4c72a1f498c11903f46ea113ab
                                • Opcode Fuzzy Hash: f2689706e4079bc3578597176f62b2d51519960daff802b50d073e5cff18d046
                                • Instruction Fuzzy Hash: 9B52A63425CB888FD7B9EB18C498BEAB7E1FBAD305F10496D948DC7251CB35A845CB42
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3325280000.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140001000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_140001000_YBuzMywtqU.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 80e182f0c58fdce4281596ba67404a115e385637f604d173bbecca85b3f82d18
                                • Instruction ID: a23216d62fc58cccaa9d927a3bf200ef26c9b3cd8511c29d5ea5c68b306df38c
                                • Opcode Fuzzy Hash: 80e182f0c58fdce4281596ba67404a115e385637f604d173bbecca85b3f82d18
                                • Instruction Fuzzy Hash: C8F05430318B054AFB66B77B58A57B931C5DB5D381F4405287E16C31F5DBB4C840E156
                                Uniqueness

                                Uniqueness Score: -1.00%