
Windows Analysis Report
nFCO4kIQS2.exe

Overview

General Information

Sample name: nFCO4kIQS2.exe (renamed because original name is a hash value)
Original sample name: win_graphical_proton_46299f696566a15638b4fdeffe91dc01ab1e4e07e980573c29531f1bc49d33f0.exe
Analysis ID: 1431552
MD5: 5638409c5aed265b586a43c86b8c2a17
SHA1: 03d9942ddd8f932c27b15592bfc1ec543b760ef1
SHA256: 46299f696566a15638b4fdeffe91dc01ab1e4e07e980573c29531f1bc49d33f0
Tags: apt29, exe, graphicalproton, unpacked

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • nFCO4kIQS2.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\nFCO4kIQS2.exe" MD5: 5638409C5AED265B586A43C86B8C2A17)
    • conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: nFCO4kIQS2.exe | Virustotal: Detection: 11%
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: login.microsoftonline.com
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/0
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/V
Source: nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000003.2890453695.000000000061C000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.000000000061C000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000003.2166130692.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token
Source: nFCO4kIQS2.exe, 00000000.00000003.2166130692.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token.dlls
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token8R
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenLocald
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenXR
Source: nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenlll
Source: nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenlllP
Source: nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/tokenndconnroutehelper.dll
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/e
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/error?code=70000
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Code function: 0_3_02060000 | 0_3_02060000
Source: classification engine | Classification label: mal52.evad.winEXE@2/0@1/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: nFCO4kIQS2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nFCO4kIQS2.exe | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Users\user\Desktop\nFCO4kIQS2.exe "C:\Users\user\Desktop\nFCO4kIQS2.exe"
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: nFCO4kIQS2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: nFCO4kIQS2.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: nFCO4kIQS2.exe | Static file information: File size 1412096 > 1048576
Source: nFCO4kIQS2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117400
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Code function: 0_2_00000001400F6C6C LoadLibraryW,GetProcAddressForCaller, | 0_2_00000001400F6C6C
Source: nFCO4kIQS2.exe | Static PE information: section name: .00cfg
Source: nFCO4kIQS2.exe | Static PE information: section name: .gehcont
Source: nFCO4kIQS2.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.0000000000606000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | Code function: 0_2_00000001400F6C6C LoadLibraryW,GetProcAddressForCaller, | 0_2_00000001400F6C6C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtQueryInformationToken: Direct from: 0x1400616AC
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x1400619AA
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtMapViewOfSection: Direct from: 0x140017816
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x14001804B
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x140017A30
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x1400038A1
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtDeviceIoControlFile: Direct from: 0x140064861
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x1400180A7
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtCreateFile: Direct from: 0x1400177A5
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtSetSecurityObject: Direct from: 0x7FFDB43E26A1
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtDeviceIoControlFile: Direct from: 0x7FFDB4404B5E
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x14006114D
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x50034F
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x5003A3
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x20603A3
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x206034F
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtWriteVirtualMemory: Direct from: 0x14001807E
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x140017989
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x140004874
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x1400623CA
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x500379
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x140061F3A
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtAllocateVirtualMemory: Direct from: 0x2060379
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x1400048CC
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x500265
Source: C:\Users\user\Desktop\nFCO4kIQS2.exe | NtProtectVirtualMemory: Direct from: 0x2060AE3
MITRE ATT&CK matrix (techniques listed per tactic; a number in parentheses is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Native API (1); Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Process Injection (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Query Registry (1); Security Software Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1431552; Sample: nFCO4kIQS2.exe; Startdate: 25/04/2024; Architecture: WINDOWS; Score: 52): nFCO4kIQS2.exe started; DNS/IP: login.microsoftonline.com; signature: Multi AV Scanner detection for submitted file; nFCO4kIQS2.exe started conhost.exe; signature: Found direct / indirect Syscall (likely to bypass EDR).

Source | Detection | Scanner | Label | Link
nFCO4kIQS2.exe | 5% | ReversingLabs | |
nFCO4kIQS2.exe | 11% | Virustotal | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
login.microsoftonline.com | unknown | unknown | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://login.microsoftonline.com/ | nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/0 | nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/error?code=70000 | nFCO4kIQS2.exe, 00000000.00000002.3394689877.0000000000606000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/V | nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenlll | nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenlllP | nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenndconnroutehelper.dll | nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenLocald | nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/e | nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/token8R | nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/tokenXR | nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/token | nFCO4kIQS2.exe, 00000000.00000003.2890352640.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000003.2890453695.000000000061C000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.0000000000644000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394941355.000000000061C000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394689877.00000000005D5000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000002.3394689877.000000000057C000.00000004.00000020.00020000.00000000.sdmp, nFCO4kIQS2.exe, 00000000.00000003.2166130692.0000000000644000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/common/oauth2/v2.0/token.dlls | nFCO4kIQS2.exe, 00000000.00000003.2166130692.0000000000644000.00000004.00000020.00020000.00000000.sdmp | false | | high

No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431552
Start date and time: 2024-04-25 12:29:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nFCO4kIQS2.exe (renamed because original name is a hash value)
Original Sample Name: win_graphical_proton_46299f696566a15638b4fdeffe91dc01ab1e4e07e980573c29531f1bc49d33f0.exe
Detection: MAL
Classification: mal52.evad.winEXE@2/0@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 40.126.29.9, 40.126.29.6, 20.190.157.11, 40.126.29.12, 40.126.29.10, 40.126.29.5, 40.126.29.13, 40.126.29.8
• Excluded domains from analysis (whitelisted): www.tm.ak.prd.aadg.trafficmanager.net, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, login.mso.msidentity.com, ak.privatelink.msidentity.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No created / dropped files found
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 6.3455592876318185
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: nFCO4kIQS2.exe
File size: 1'412'096 bytes
MD5: 5638409c5aed265b586a43c86b8c2a17
SHA1: 03d9942ddd8f932c27b15592bfc1ec543b760ef1
SHA256: 46299f696566a15638b4fdeffe91dc01ab1e4e07e980573c29531f1bc49d33f0
SHA512: 1eaa082f941660ad72c26c2fe5847c328f93f8d8149e0227fdd3d491243eb878585fd8697b3ab278425d6bed5165e716dac33ff2ef44d8482afe9951e9d40541
SSDEEP: 12288:FOd4lcPlevW6+ktEmwjbmmIXlBJLZYcmIfPizEjKNxis7EiUfF/RlZKvyJQSZVYO:yScMvWu2NbEEEiUN9KvyJHVYw02lo5i
TLSH: E6654A03A76551E5C17BC13DC6576B27F9B138450339A7EB4BA04AA62F23BF06A7E310
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......t...........l.........@.......................................... ........................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1400a6cc0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp: 0x6516A9AB [Fri Sep 29 10:40:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 4af58f90bf89d80e9b252aae09d25711
Instruction
dec eax
sub esp, 28h
call 00007FF0B4BA6550h
dec eax
add esp, 28h
jmp 00007FF0B4BA63A3h
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [000A25D0h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007FF0B4BA65B6h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [000904BAh]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [000903F4h]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [000903D0h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+20h]
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [000905A0h]
mov eax, dword ptr [ebp+20h]
dec eax
lea ecx, dword ptr [ebp+10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+20h]
dec eax
xor eax, dword ptr [ebp+10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x136948 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x166000 | 0xe46c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x179000 | 0xff8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x133b90 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x125870 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x136f70 | 0x598 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x117346 | 0x117400 | fb93cead5ef5161f8f5ded8389f17fba | False | 0.4180605486235452 | data | 6.244372801644056 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x119000 | 0x2f56c | 0x2f600 | e859a4db902c52a1beb83b1884759902 | False | 0.4448074703166227 | data | 5.837095232197055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x149000 | 0x1c030 | 0x2000 | 3b734c7c16733251e7759678c787882e | False | 0.158447265625 | data | 3.6918325660057882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x166000 | 0xe46c | 0xe600 | cbbf1049a5d5f700a34f1fa66a16e5b9 | False | 0.48897758152173915 | data | 6.109140271481087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x175000 | 0x28 | 0x200 | 265b368d5d7f2c277e92ec3b90fb890f | False | 0.060546875 | data | 0.39736543218226683 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gehcont | 0x176000 | 0x60 | 0x200 | 618ff9533c5cbb4568d02ea353b96ba2 | False | 0.1484375 | big endian ispell hash file (?), 8-bit, no capitalization, 26 flags | 0.6316126284867231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x177000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x178000 | 0xf4 | 0x200 | edf98975763f41ffddc6301bd4a46293 | False | 0.3046875 | data | 2.4575593112849665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x179000 | 0xff8 | 0x1000 | b649bce58d3477202b46af0ae398aaf7 | False | 0.458251953125 | data | 5.428160960193478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolTimer, CloseThreadpoolWait, CloseThreadpoolWork, CompareStringEx, CompareStringW, CreateEventExW, CreateEventW, CreateFileA, CreateFileMappingA, CreateFileW, CreatePipe, CreateProcessW, CreateSemaphoreExW, CreateSymbolicLinkW, CreateThread, CreateThreadpoolTimer, CreateThreadpoolWait, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FlushProcessWriteBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumber, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetEnvironmentStringsW, GetExitCodeProcess, GetExitCodeThread, GetFileInformationByHandleEx, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoEx, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetTickCount64, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, InitOnceExecuteOnce, InitializeConditionVariable, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, InitializeSRWLock, InterlockedFlushSList, InterlockedPushEntrySList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, K32GetModuleBaseNameW, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, MapViewOfFile, MultiByteToWideChar, OutputDebugStringW, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadpoolTimer, SetThreadpoolWait, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepConditionVariableSRW, SubmitThreadpoolWork, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnmapViewOfFile, VirtualProtect, WaitForSingleObject, WaitForSingleObjectEx, WaitForThreadpoolTimerCallbacks, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | wsprintfW
ADVAPI32.dll | RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
ole32.dll | CoTaskMemFree
urlmon.dll | FindMimeFromData
WININET.dll | HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetCloseHandle, InternetConnectA, InternetOpenA, InternetQueryOptionA, InternetReadFile, InternetSetCookieA, InternetSetOptionA
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Apr 25, 2024 12:30:10.662055016 CEST | 62067 | 53 | 192.168.2.6 | 1.1.1.1

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Apr 25, 2024 12:30:10.662055016 CEST | 192.168.2.6 | 1.1.1.1 | 0xfbfb | Standard query (0) | login.microsoftonline.com | A (IP address) | IN (0x0001) | false

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Apr 25, 2024 12:30:10.771950006 CEST | 1.1.1.1 | 192.168.2.6 | 0xfbfb | No error (0) | login.microsoftonline.com | login.mso.msidentity.com | | CNAME (Canonical name) | IN (0x0001) | false

                              Target ID: 0
                              Start time: 12:30:08
                              Start date: 25/04/2024
                              Path: C:\Users\user\Desktop\nFCO4kIQS2.exe
                              Wow64 process (32bit): false
                              Commandline: "C:\Users\user\Desktop\nFCO4kIQS2.exe"
                              Imagebase: 0x140000000
                              File size: 1'412'096 bytes
                              MD5 hash: 5638409C5AED265B586A43C86B8C2A17
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: low
                              Has exited: false

                              Target ID: 1
                              Start time: 12:30:08
                              Start date: 25/04/2024
                              Path: C:\Windows\System32\conhost.exe
                              Wow64 process (32bit): false
                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase: 0x7ff66e660000
                              File size: 862'208 bytes
                              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: false

                                Execution Graph

                                Execution Coverage: 3.7%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 2.6%
                                Total number of Nodes: 458
                                Total number of Limit Nodes: 26
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000003.2881457923.0000000002060000.00000020.00000001.00020000.00000000.sdmp, Offset: 02060000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_3_2060000_nFCO4kIQS2.jbxd
                                Similarity
                                • API ID: Virtual$Alloc$Free$Protect
                                • String ID: $d$t
                                • API String ID: 1004437363-3253589775
                                • Opcode ID: f2689706e4079bc3578597176f62b2d51519960daff802b50d073e5cff18d046
                                • Instruction ID: 3db6408895d26a850073a73270b46da798c632c5ba298ffea896f216627055ba
                                • Opcode Fuzzy Hash: f2689706e4079bc3578597176f62b2d51519960daff802b50d073e5cff18d046
                                • Instruction Fuzzy Hash: 7652A83425CB888FD7B9DB1CC498BEAB7E2FBAD305F10496D948DC7251CA35A845CB42
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3395420972.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140001000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_140001000_nFCO4kIQS2.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 80e182f0c58fdce4281596ba67404a115e385637f604d173bbecca85b3f82d18
                                • Instruction ID: a23216d62fc58cccaa9d927a3bf200ef26c9b3cd8511c29d5ea5c68b306df38c
                                • Opcode Fuzzy Hash: 80e182f0c58fdce4281596ba67404a115e385637f604d173bbecca85b3f82d18
                                • Instruction Fuzzy Hash: C8F05430318B054AFB66B77B58A57B931C5DB5D381F4405287E16C31F5DBB4C840E156
                                Uniqueness

                                Uniqueness Score: -1.00%