Windows
Analysis Report
GIYUCke96G.exe
Overview
General Information
Sample name: | GIYUCke96G.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original sample name: | bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9 |
Analysis ID: | 1446955 |
MD5: | 63ba5ec400ebbe6af65441f442652faa |
SHA1: | 3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c |
SHA256: | bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9 |
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- GIYUCke96G.exe (PID: 2724, cmdline: "C:\Users\user\Desktop\GIYUCke96G.exe", MD5: 63BA5EC400EBBE6AF65441F442652FAA)
  - WerFault.exe (PID: 3664, cmdline: C:\Windows\system32\WerFault.exe -u -p 2724 -s 396, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
AV Detection |
---|
Source: | Virustotal: |
Source: | Code function: | 0_2_00000001402B25F8 |
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_0000000140008E2E |
Source: | Code function: | 0_2_00000001402B109C |
Source: | Code function: | 0_2_00000001402B25F8 |
Source: | Code function: | 0_2_0000000140008ED6 |
Source: | Process created: |
Source: | Binary or memory string: | (3 entries) |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | Process created: | (2 entries) |
Source: | Section loaded: | (4 entries) |
Source: | Static PE information: | (2 entries) |
Source: | Static file information: |
Source: | Static PE information: | (2 entries) |
Source: | Code function: | 0_2_00000001400041A0 |
Source: | Static PE information: |
Source: | Process information set: | (56 entries) |
Source: | API coverage: |
Source: | Code function: | 0_2_00000001402B25F8 |
Source: | Binary or memory string: | (29 entries) |
Source: | Process queried: | (2 entries) |
Source: | Code function: | 0_2_00000001402B1FEC |
Source: | Code function: | 0_2_00000001400041A0 |
Source: | Code function: | 0_2_00000001402B4E20 |
Source: | Code function: | 0_2_00000001402B1FEC |
Source: | Code function: | 0_2_00000001402AC894 |
Source: | Code function: | 0_2_00000001402AC6B4 |
Source: | Code function: | 0_2_00000001402B8BC8 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | NtMapViewOfSection: |
Source: | Code function: | 0_2_00000001402AC58C |
Source: | Binary or memory string: | (4 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Process Injection | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 17% | ReversingLabs | | |
| 14% | Virustotal | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1446955 |
Start date and time: | 2024-05-24 05:24:35 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | GIYUCke96G.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original Sample Name: | bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9 |
Detection: | MAL |
Classification: | mal52.evad.winEXE@2/5@0/0 |
EGA Information: | |
HCA Information: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 104.208.16.94
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Time | Type | Description |
---|---|---|
23:25:43 | API Interceptor | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GIYUCke96G.exe_4f8fc75c7ae03519ba32df973fcbeda86d1ecbbb_135d818b_9064d5b3-0f98-489e-9c5d-f62a688a6a9c\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.745139971575256 |
Encrypted: | false |
SSDEEP: | 96:AtF1t44FzGsycqhsoa7JnuQXIDcQNc6dcEjcw3eM+HbHg/TgJ3YOZUXOyKnhfHNI:A3t4qzGxu0zZZa1j/yzuiFSZ24lO8I |
MD5: | 7718659ED72AAADC4C66260869ED5DE1 |
SHA1: | 73E1D294BBA0B133C45F7FF64591BBF560251B87 |
SHA-256: | 51DD5720C8BCD3DBDFDE6C5070A294CFA3F38E855BC4D2284C1E7B622BF88484 |
SHA-512: | C2FE993DC4A6D56C79068C879CB2AC8126FFD1FB608F78ABD26EED16067B598350201CADD461E3C16CD83593AB678822B2D2A38F07EA9C7D53D2C1F2E93F195E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 295220 |
Entropy (8bit): | 2.652347589422294 |
Encrypted: | false |
SSDEEP: | 3072:fqqSyxQf7GmTWZikG9e4vvYTFpCPxLHk9EMG6h1HOE1t:fqTGAWCvMqHtMG/E1 |
MD5: | 362BC322FD2ED697FA854D6F3D379361 |
SHA1: | BF53CA314CD01C18D7008DC571E308992E7B2096 |
SHA-256: | A2DCD1BE59F91D37797C7AABA59AED063763674E6F30A1FC8592749251AAEF2A |
SHA-512: | D3C8DF8CE196D0E7823747FE56C376D80C767B0B817158CFFD6C6CA5FD4719C63F3B960F1D63FFE7C6DEB6354A8AFEC24F833AF80CE1895748C71A4ACCBD5D5D |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8570 |
Entropy (8bit): | 3.708714771647923 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ17cRRBQ6YEIsE2SzgmfYVTprV89bXngfUq9m:R6lXJZcRRBQ6YEzE2SzgmfYWXgfUZ |
MD5: | 3ACB8FE8E07C479A490D3E8351931A95 |
SHA1: | FCDEE5500DFB41F777D72D0369C97F0281CA7852 |
SHA-256: | 86FA126B26F23FDEF6EECE0AE6A0EE813E1A8072A25088958FDC7E35A0722FA6 |
SHA-512: | 1FC71C78030DDD473EE27BFACD7EEDEB11D7A83BB5E21664C5D639BCE18FA6C33DB85D4E67206CD840B758A079C2691B98DBEDC29A2DBF2C28D3C3015BA3CC86 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4752 |
Entropy (8bit): | 4.515548037207879 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsWJg771I9xmWpW8VY375Ym8M4JdzFuPyq85YqhZko+Pfd:uIjfsI7+n7VEoJ+Pyoo+nd |
MD5: | DFF5547E812D29404E1B7C7D21C21040 |
SHA1: | E6E62A3FCA6F226C8A0838AC006349FE44438F05 |
SHA-256: | 8451172605F0D6D68711E4674CE4E4A7960EE68FB4B3C0F84F83736CAA346BAA |
SHA-512: | 64D38B6009A6FAEB98542B0DC8B1C03E5518404D938BAB822EB4A6BE5737421AA6A1078F0C972D02C1752829DB7F56010EB6A11A319E57EE2B7C84929CC095B9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.42205093861428 |
Encrypted: | false |
SSDEEP: | 6144:qSvfpi6ceLP/9skLmb0OT3WSPHaJG8nAgeMZMMhA2fX4WABlEnNX0uhiTw:ZvloT3W+EZMM6DFyh03w |
MD5: | C199CD56AEA1F55A426FD179DCDE59DA |
SHA1: | 71B790689E8732CF76DCEBF189C999374E976FFB |
SHA-256: | 6B54B6ECF8B3F9B0CDA7DB6107475F1D8729591C4883D1F4FD06D552C324F09C |
SHA-512: | C43817830796541C65B0BC3F7B734F94FA50657D03E5EDFFACDD54463ED5884A8E1825A2EF650E95F3BF9566E5FB5B9F374C9DDC679A8D0F7FDDEFFEAA617FB0 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.506337696486408 |
TrID: | |
File name: | GIYUCke96G.exe |
File size: | 2'983'936 bytes |
MD5: | 63ba5ec400ebbe6af65441f442652faa |
SHA1: | 3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c |
SHA256: | bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9 |
SHA512: | e240e9e07d88908057bba587e32ef1499d0c2d235eed61f1e996ce8959e1c323068ad483a96a7010ea0050440e12a0d82782e79baa186e880e4727452f3a4baf |
SSDEEP: | 49152:2mVZpRE5HFjH4MLMmcX17+kSmn75+dEsgY5OK:fgvFcXV3cJ5 |
TLSH: | 4CD564092A3E0A95E0519CF0A23B4552A9BD7D1CC01C66F9CFD49B457F9AF50A0FA3EC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............n...n...n...m...n...k...n...j...n.Gek...n.Gej...n.Gem...n...o...n...o...n..em...n...n...n.vfk...n.vf....n.vfl...n.Rich..n |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x1402ac338 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x663BBDCA [Wed May 8 18:00:42 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 05f2715d0397538255a9df69b1b5b827 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F1D1950B530h |
dec eax |
add esp, 28h |
jmp 00007F1D1950B15Fh |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F1D1950BAB4h |
test eax, eax |
je 00007F1D1950B303h |
dec eax |
mov eax, dword ptr [00000030h] |
dec eax |
mov ecx, dword ptr [eax+08h] |
jmp 00007F1D1950B2E7h |
dec eax |
cmp ecx, eax |
je 00007F1D1950B2F6h |
xor eax, eax |
dec eax |
cmpxchg dword ptr [00032A68h], ecx |
jne 00007F1D1950B2D0h |
xor al, al |
dec eax |
add esp, 28h |
ret |
mov al, 01h |
jmp 00007F1D1950B2D9h |
int3 |
int3 |
int3 |
dec eax |
sub esp, 28h |
test ecx, ecx |
jne 00007F1D1950B2E9h |
mov byte ptr [00032A51h], 00000001h |
call 00007F1D1950B8C1h |
call 00007F1D1950BC8Ch |
test al, al |
jne 00007F1D1950B2E6h |
xor al, al |
jmp 00007F1D1950B2F6h |
call 00007F1D19510493h |
test al, al |
jne 00007F1D1950B2EBh |
xor ecx, ecx |
call 00007F1D1950BC9Ch |
jmp 00007F1D1950B2CCh |
mov al, 01h |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
cmp byte ptr [00032A18h], 00000000h |
mov ebx, ecx |
jne 00007F1D1950B349h |
cmp ecx, 01h |
jnbe 00007F1D1950B34Ch |
call 00007F1D1950BA2Ah |
test eax, eax |
je 00007F1D1950B30Ah |
test ebx, ebx |
jne 00007F1D1950B306h |
dec eax |
lea ecx, dword ptr [00032A02h] |
call 00007F1D195102B2h |
test eax, eax |
jne 00007F1D1950B2F2h |
dec eax |
lea ecx, dword ptr [00032A0Ah] |
call 00007F1D1950B3A2h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2cbc7c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e3000 | 0x628 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2e1000 | 0xffc | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2ca600 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ca4c0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2ba000 | 0x370 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2b8d10 | 0x2b8e00 | a04fa86212fb20790f5541270260e5d2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2ba000 | 0x1283c | 0x12a00 | bedf5cc00eb85189c09aa8e63533827d | False | 0.688863255033557 | data | 6.694651511423994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x2cd000 | 0x13098 | 0xb200 | 869ad6d69795428d7887f676a87fb57f | False | 0.9097392907303371 | data | 7.555905753084373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x2e1000 | 0xffc | 0x1000 | af9df1cd9b1dc42a0358078c4a79b40c | False | 0.490478515625 | data | 5.411108677102532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x2e2000 | 0x1f4 | 0x200 | 5ac9d95ea0733dc97f6055d8be2e8295 | False | 0.5078125 | data | 4.198538142721472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x2e3000 | 0x628 | 0x800 | c9b6fe748d633493bb092a6791cac656 | False | 0.357421875 | data | 3.260315682123659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x2e3200 | 0x428 | data | English | United States | 0.4718045112781955 |
RT_MANIFEST | 0x2e30a0 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
DLL | Import |
---|---|
KERNEL32.dll | GetModuleHandleA, GetProcAddress, LoadLibraryA, HeapCreate, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetStringTypeW, GetFileType, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, GetStdHandle, WriteFile, GetModuleFileNameW, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA |
ole32.dll | OleGetAutoConvert, IsAccelerator, GetClassFile, MonikerRelativePathTo, CoGetObject, CoTreatAsClass, CoFileTimeToDosDateTime, CoIsOle1Class, CoGetInstanceFromFile, CoRevokeInitializeSpy, CoRevokeMallocSpy, CLSIDFromProgIDEx, CoFileTimeNow, CoTaskMemFree, CoTaskMemRealloc, CoInvalidateRemoteMachineBindings, CoGetInterceptor, ProgIDFromCLSID, IIDFromString, StringFromIID, CoSetCancelObject, CoRevertToSelf, CoQueryClientBlanket, CoQueryProxyBlanket, CoGetCallContext, CoLockObjectExternal, CoUnmarshalHresult, CoGetPSClsid, CoResumeClassObjects, CoGetObjectContext, CoGetCurrentLogicalThreadId, CoGetCallerTID, CoGetMalloc, CoGetTreatAsClass |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 23:25:22 |
Start date: | 23/05/2024 |
Path: | C:\Users\user\Desktop\GIYUCke96G.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\GIYUCke96G.exe" |
Imagebase: | 0x140000000 |
File size: | 2'983'936 bytes |
MD5 hash: | 63BA5EC400EBBE6AF65441F442652FAA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 23:25:23 |
Start date: | 23/05/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\WerFault.exe -u -p 2724 -s 396 |
Imagebase: | 0x7ff69d980000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 5.4% |
Total number of Nodes: | 949 |
Total number of Limit Nodes: | 17 |
Functions listed in the execution graph (relevance, API, string and instruction counts as reported, followed by the function tags):
- Function 0000000140008E2E Relevance: 27.5, Strings: 6, Instructions: 20001threadCOMMON
- Function 00000001400041A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON
- Function 00000001402AC202 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON
- Function 00000001402B2530 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
- Function 00000001402B1FEC Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
- Function 00000001402AC58C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
- Function 00000001402B8BC8 Relevance: 4.5, APIs: 3, Instructions: 13COMMONLIBRARYCODE
- Function 00000001402B109C Relevance: .1, Instructions: 126COMMON
- Function 00000001402AC894 Relevance: .0, Instructions: 2COMMON
- Function 00000001400040D0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35libraryloaderCOMMON
- Function 00000001402ADEF0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 312COMMON
- Function 00000001402B4930 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON
- Function 00000001402AD1A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
- Function 00000001402B1BD4 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
- Function 00000001402B7F14 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
- Function 00000001402B1D4C Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
- Function 00000001402B0DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
- Function 00000001402B8264 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
- Function 00000001402B1E14 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
- Function 00000001402AE3C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
- Function 00000001402AE770 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON
- Function 00000001402B06C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON
- Function 00000001402ACB30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON
- Function 00000001402B6B64 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
- Function 00000001402AF218 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON