Edit tour
Windows
Analysis Report
CMCR5hvseX.exe
Overview
General Information
| Sample name: | CMCR5hvseX.exerenamed because original name is a hash value |
| Original sample name: | 396e01db56f1c0dfadc628fd7f880d3f697d79c5.exe |
| Analysis ID: | 1546807 |
| MD5: | ba09bf0918b0efca89a7930b86885c9e |
| SHA1: | 396e01db56f1c0dfadc628fd7f880d3f697d79c5 |
| SHA256: | 014de3156e730a80563fa607f6e9dd7d6a4487f04e4daf7cafdaa958d2b3a310 |
| Tags: | exeReversingLabsuser-NDA0E |
| Infos: |   |
 | |
Detection
Blihan Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blihan Stealer
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
PE file contains sections with non-standard names
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
CMCR5hvseX.exe (PID: 3340 cmdline: "C:\Users\ user\Deskt op\CMCR5hv seX.exe" MD5: BA09BF0918B0EFCA89A7930B86885C9E) - microsofthelp.exe (PID: 4088 cmdline:
"C:\Window s\microsof thelp.exe" MD5: 1BF9EFC2A5A6343FD0E3C6E4B4AB5B58)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| Click to see the 2 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-01T16:04:30.487377+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.5 | 49733 | TCP |
| 2024-11-01T16:05:08.654189+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.5 | 49948 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00401C80 | |
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Code function: | 0_2_004017C0 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 0_2_00401510 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004041EE | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File deleted: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-1662 | ||
| Source: | Code function: | 0_2_00401CC0 | |
| Source: | Evasive API call chain: | graph_0-1702 | ||
| Source: | Evasive API call chain: | graph_0-1876 | ||
| Source: | Code function: | 0_2_00401C80 | |
| Source: | API call chain: | graph_0-1664 | ||
| Source: | API call chain: | graph_0-1895 | ||
| Source: | Code function: | 0_2_00401510 | |
| Source: | Code function: | 0_2_00401000 | |
| Source: | Code function: | 0_2_00402D5E | |
| Source: | Code function: | 0_2_00402D70 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 11 Registry Run Keys / Startup Folder | 1 Process Injection | 12 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | 1 System Network Configuration Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 92% | ReversingLabs | Win32.Trojan.Blihan | ||
| 100% | Avira | TR/Downloader.Gen | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Downloader.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1546807 |
| Start date and time: | 2024-11-01 16:03:11 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | CMCR5hvseX.exerenamed because original name is a hash value |
| Original Sample Name: | 396e01db56f1c0dfadc628fd7f880d3f697d79c5.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@3/1@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- VT rate limit hit for: CMCR5hvseX.exe
| Time | Type | Description |
|---|---|---|
| 16:04:17 | Autostart | |
| 16:04:37 | Autostart |
| Process: | C:\Users\user\Desktop\CMCR5hvseX.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72744 |
| Entropy (8bit): | 5.821931819526967 |
| Encrypted: | false |
| SSDEEP: | 1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRvS:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWK |
| MD5: | 1BF9EFC2A5A6343FD0E3C6E4B4AB5B58 |
| SHA1: | ACC144D02EF1CFEC1056B6DD5EE6FFA5423C131A |
| SHA-256: | 6A177330258DC2447FAEBD910972AF012B7419A5F74DC2ED642995DAC5917604 |
| SHA-512: | AD11A1DBFBB4762E37C504C63255DED48FC03CDB03840529577775197B31F0AACC0B0EB8E3B59547280F9C22463092738194125DC28E8E9F5339D1A9F08D4A7C |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.834255992022626 |
| TrID: |
|
| File name: | CMCR5hvseX.exe |
| File size: | 72'484 bytes |
| MD5: | ba09bf0918b0efca89a7930b86885c9e |
| SHA1: | 396e01db56f1c0dfadc628fd7f880d3f697d79c5 |
| SHA256: | 014de3156e730a80563fa607f6e9dd7d6a4487f04e4daf7cafdaa958d2b3a310 |
| SHA512: | c344038d8827a2b752b57a4415a6346351930607f54c9a20e43c59d1a5649b6da9c8a71b505da5b87d023308a69b51ccc636e140621606ff16a5318f5cf78400 |
| SSDEEP: | 1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRvn:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWP |
| TLSH: | B1637D53ADE48443E896253012E8EB7B6D3FBFC21E94915387D8FC1929937C0DB2925E |
| File Content Preview: | MZ......................@....2..........................................!..L.!This program cannot be run in DOS mode....$.......................................................K.......................`.......Rich....................PE..L......O........... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x401000 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x4F179BFF [Thu Jan 19 04:28:47 2012 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | ed42d4abceb2444958dc2f2ce7063809 |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| push FFFFFFFFh |
| push 00404611h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov dword ptr fs:[00000000h], esp |
| sub esp, 00000630h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| mov ecx, 00000040h |
| xor eax, eax |
| lea edi, dword ptr [esp+0000013Dh] |
| mov byte ptr [esp+0000013Ch], 00000000h |
| rep stosd |
| stosw |
| stosb |
| lea eax, dword ptr [esp+0000013Ch] |
| push 00000104h |
| push eax |
| push 00000000h |
| call dword ptr [00405050h] |
| lea ecx, dword ptr [esp+14h] |
| call 00007FF14082B56Dh |
| lea ecx, dword ptr [esp+0000013Ch] |
| push 00000000h |
| push ecx |
| lea ecx, dword ptr [esp+1Ch] |
| mov dword ptr [esp+00000650h], 00000000h |
| call 00007FF14082B56Fh |
| test eax, eax |
| jne 00007FF14082A794h |
| push 000003E8h |
| call dword ptr [0040504Ch] |
| lea edx, dword ptr [esp+0000013Ch] |
| push 00000000h |
| push edx |
| lea ecx, dword ptr [esp+1Ch] |
| call 00007FF14082B54Dh |
| test eax, eax |
| je 00007FF14082A750h |
| lea ecx, dword ptr [esp+14h] |
| call 00007FF14082B700h |
| mov ebx, dword ptr [00405048h] |
| push eax |
| push 00000008h |
| mov dword ptr [004086E4h], eax |
| call ebx |
| push eax |
| call dword ptr [00405044h] |
| mov ecx, dword ptr [004086E4h] |
| mov dword ptr [004086E0h], eax |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x78 | .imports |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9800 | 0x4d50 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4000 | 0x3800 | 2ab7fd8c123b112cf3b5d1962a297b8d | False | 0.5809849330357143 | data | 6.401056074083298 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x5000 | 0x1000 | 0x600 | 28b0dcb84195a5ab4b77ee0c12902aea | False | 0.45703125 | data | 4.732953369377026 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .data | 0x6000 | 0x3000 | 0x2800 | e9acbf5d01a439b581e4c01e8d2a5f39 | False | 0.0779296875 | data | 0.9614498560336738 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .shoooo | 0x9000 | 0x3000 | 0x2800 | a7b4ffd70e877fa95b9be758de40bb67 | False | 0.9544921875 | data | 7.835447843663171 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .imports | 0xc000 | 0x1000 | 0x600 | f70ebb256fe0ad244adedff7b8bda2b7 | False | 0.345703125 | data | 3.608258743690415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| ADVAPI32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyA, RegOpenKeyA, RegCloseKey |
| iphlpapi.dll | GetAdaptersInfo |
| KERNEL32.dll | GetStringTypeA, LCMapStringW, WaitForSingleObject, CreateThread, HeapFree, DeleteFileA, ExitProcess, lstrcmpiA, lstrcatA, GetWindowsDirectoryA, HeapAlloc, GetProcessHeap, Sleep, GetModuleFileNameA, CloseHandle, GetLastError, CreateMutexA, GetProcAddress, LoadLibraryA, HeapReAlloc, GetTickCount, FindClose, FindFirstFileA, TerminateProcess, CreateProcessA, CreateFileA, ReadFile, WriteFile, FlushFileBuffers, GetFileSize, LCMapStringA, GetStringTypeW, MultiByteToWideChar, GetOEMCP, GetACP, GetCPInfo, RtlUnwind, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, GetCurrentProcess, GetStdHandle, WideCharToMultiByte |
| WININET.dll | InternetOpenA, InternetSetOptionExA, InternetOpenUrlA, InternetCloseHandle, InternetReadFile |
| USER32.dll | wsprintfA |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:04:12 |
| Start date: | 01/11/2024 |
| Path: | C:\Users\user\Desktop\CMCR5hvseX.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 72'484 bytes |
| MD5 hash: | BA09BF0918B0EFCA89A7930B86885C9E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 11:04:13 |
| Start date: | 01/11/2024 |
| Path: | C:\Windows\microsofthelp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 72'744 bytes |
| MD5 hash: | 1BF9EFC2A5A6343FD0E3C6E4B4AB5B58 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 27.2% |
| Total number of Nodes: | 283 |
| Total number of Limit Nodes: | 3 |
Graph
Function 00401000 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 309memorysleepstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401A70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401E00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401E70 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401FB0 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401FE0 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402010 Relevance: 1.3, APIs: 1, Instructions: 10COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004017C0 Relevance: 19.6, APIs: 13, Instructions: 133memorynetworkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401CC0 Relevance: 9.0, APIs: 6, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67librarystringloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401C80 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402D5E Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402D70 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004034C2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00403615 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401D30 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 33libraryloadersynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004041EF Relevance: 13.7, APIs: 9, Instructions: 177COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401610 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 122memorystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401930 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 99memorysleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040443E Relevance: 9.1, APIs: 6, Instructions: 117COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|