Windows
Analysis Report
7zba89tklZ.exe
Overview
General Information
Sample name: | 7zba89tklZ.exerenamed because original name is a hash value |
Original sample name: | 2b5e1dfe4e4db4e886b079f054182055.exe |
Analysis ID: | 1579669 |
MD5: | 2b5e1dfe4e4db4e886b079f054182055 |
SHA1: | d90e2828ea0082917583975f4a054f7c85d45053 |
SHA256: | 92382cc3402b6fb7cbd68fe7fa49a00ae204682a90fe0b4e69a6ef2c6d324793 |
Tags: | exeuser-abuse_ch |
Infos: | |
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 7zba89tklZ.exe (PID: 5700 cmdline:
"C:\Users\ user\Deskt op\7zba89t klZ.exe" MD5: 2B5E1DFE4E4DB4E886B079F054182055)
- 7zba89tklZ.exe (PID: 4836 cmdline:
"C:\Users\ user\Deskt op\7zba89t klZ.exe" MD5: 2B5E1DFE4E4DB4E886B079F054182055)
- svcapp.exe (PID: 5416 cmdline:
"C:\Users\ user\AppDa ta\Local\M icrosoft\s vcapp.exe" MD5: 2B5E1DFE4E4DB4E886B079F054182055)
- cleanup
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004F184C |
Source: | Code function: | 0_2_004F184C |
Source: | Code function: | 0_2_004F17EC |
Source: | Process Stats: |
Source: | Code function: | 0_2_004F7529 | |
Source: | Code function: | 0_2_004F19DF | |
Source: | Code function: | 0_2_004FB464 | |
Source: | Code function: | 0_2_004FBC1E | |
Source: | Code function: | 0_2_004FB836 | |
Source: | Code function: | 0_2_004FAC31 | |
Source: | Code function: | 0_2_004FB0C6 | |
Source: | Code function: | 3_2_0037B836 | |
Source: | Code function: | 3_2_0037AC31 | |
Source: | Code function: | 3_2_0037BC1E | |
Source: | Code function: | 3_2_0037B464 | |
Source: | Code function: | 3_2_0037B0C6 | |
Source: | Code function: | 3_2_00377529 | |
Source: | Code function: | 3_2_003719DF |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | Command line argument: | 0_2_004F2235 | |
Source: | Command line argument: | 3_2_00372235 |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_004F1000 |
Source: | Code function: | 0_2_004F983E | |
Source: | Code function: | 0_2_004FDB98 | |
Source: | Code function: | 3_2_0037983E | |
Source: | Code function: | 3_2_0037DB98 |
Source: | File created: | Jump to dropped file |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_3-11755 | ||
Source: | Evasive API call chain: | graph_0-11367 |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Evasive API call chain: | graph_0-10465 | ||
Source: | Evasive API call chain: | graph_3-10457 |
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior |
Source: | API call chain: | graph_0-10466 | ||
Source: | API call chain: | graph_0-10558 | ||
Source: | API call chain: | graph_0-11246 | ||
Source: | API call chain: | graph_3-10458 | ||
Source: | API call chain: | graph_3-10551 |
Anti Debugging |
---|
Source: | Debugger detection routine: | graph_0-11242 |
Source: | Code function: | 0_2_004F2235 |
Source: | Code function: | 0_2_004F1000 |
Source: | Code function: | 0_2_004FCA46 | |
Source: | Code function: | 0_2_004F8A8F | |
Source: | Code function: | 0_2_005002B8 | |
Source: | Code function: | 3_2_0037CA46 | |
Source: | Code function: | 3_2_003802B8 | |
Source: | Code function: | 3_2_00378A8F |
Source: | Code function: | 0_2_00501453 | |
Source: | Code function: | 0_2_00502CBB | |
Source: | Code function: | 0_2_00502D95 | |
Source: | Code function: | 0_2_0050125C | |
Source: | Code function: | 0_2_00502A77 | |
Source: | Code function: | 0_2_00501624 | |
Source: | Code function: | 0_2_005016E4 | |
Source: | Code function: | 0_2_00501351 | |
Source: | Code function: | 0_2_0050174B | |
Source: | Code function: | 0_2_00501BCC | |
Source: | Code function: | 0_2_005013F8 | |
Source: | Code function: | 0_2_00501787 | |
Source: | Code function: | 0_2_00502BAC | |
Source: | Code function: | 3_2_00381453 | |
Source: | Code function: | 3_2_00382CBB | |
Source: | Code function: | 3_2_00382D95 | |
Source: | Code function: | 3_2_00381624 | |
Source: | Code function: | 3_2_00382A77 | |
Source: | Code function: | 3_2_0038125C | |
Source: | Code function: | 3_2_003816E4 | |
Source: | Code function: | 3_2_00381351 | |
Source: | Code function: | 3_2_0038174B | |
Source: | Code function: | 3_2_00382BAC | |
Source: | Code function: | 3_2_00381787 | |
Source: | Code function: | 3_2_003813F8 | |
Source: | Code function: | 3_2_00381BCC |
Source: | Code function: | 0_2_004FDD2F |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 12 Native API | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 111 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 3 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 111 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
62% | Virustotal | Browse | ||
61% | ReversingLabs | Win32.Trojan.Doina | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
61% | ReversingLabs | Win32.Trojan.Doina | ||
62% | Virustotal | Browse |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1579669 |
Start date and time: | 2024-12-23 07:19:39 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Sample name: | 7zba89tklZ.exerenamed because original name is a hash value |
Original Sample Name: | 2b5e1dfe4e4db4e886b079f054182055.exe |
Detection: | MAL |
Classification: | mal76.evad.winEXE@3/2@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Time | Type | Description |
---|---|---|
01:20:29 | API Interceptor | |
07:20:28 | Autostart | |
07:20:36 | Autostart |
Process: | C:\Users\user\Desktop\7zba89tklZ.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 112640 |
Entropy (8bit): | 6.3674970206945 |
Encrypted: | false |
SSDEEP: | 1536:XkhBm8BvFsJMAjrUTXqKgcs5Btdyhy3NZRgYDnRQKlw2LWeSMD+/G:0rjBvKrUbqKgRTHvRgYVQKlw2SeSJO |
MD5: | 2B5E1DFE4E4DB4E886B079F054182055 |
SHA1: | D90E2828EA0082917583975F4A054F7C85D45053 |
SHA-256: | 92382CC3402B6FB7CBD68FE7FA49A00AE204682A90FE0B4E69A6EF2C6D324793 |
SHA-512: | 954F56680E32E5AFB7F70596C10AC74416CC2DDA93F1835BFE330660792B8CE9591C56B43A40A3A36B6434AEB59FD0D5C6E189547161DB3F9A7F81605F83C087 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\7zba89tklZ.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 6.3674970206945 |
TrID: |
|
File name: | 7zba89tklZ.exe |
File size: | 112'640 bytes |
MD5: | 2b5e1dfe4e4db4e886b079f054182055 |
SHA1: | d90e2828ea0082917583975f4a054f7c85d45053 |
SHA256: | 92382cc3402b6fb7cbd68fe7fa49a00ae204682a90fe0b4e69a6ef2c6d324793 |
SHA512: | 954f56680e32e5afb7f70596c10ac74416cc2dda93f1835bfe330660792b8ce9591c56b43a40a3a36b6434aeb59fd0d5c6e189547161db3f9a7f81605f83c087 |
SSDEEP: | 1536:XkhBm8BvFsJMAjrUTXqKgcs5Btdyhy3NZRgYDnRQKlw2LWeSMD+/G:0rjBvKrUbqKgRTHvRgYVQKlw2SeSJO |
TLSH: | 8CB39E21B2C5C4F3D11211308DA69BE28EBFFCB15EB125AF6BD9066D0F696C1CA58353 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0F..t'..t'..t'..}_[.w'..t'..='...QV.e'...Qc.W'...Qb.='...Qg.w'...QU.u'..Richt'..........PE..L....jdg........................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x408a85 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67646AD3 [Thu Dec 19 18:49:55 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | ebb56531f9710b9a467b3b47d8223424 |
Instruction |
---|
call 00007FE1F8E177AAh |
jmp 00007FE1F8E1238Eh |
cmp ecx, dword ptr [0041A2F0h] |
jne 00007FE1F8E12504h |
rep ret |
jmp 00007FE1F8E17831h |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, ecx |
mov ecx, dword ptr [ebp+08h] |
mov dword ptr [eax], 00414210h |
mov ecx, dword ptr [ecx] |
mov dword ptr [eax+04h], ecx |
mov byte ptr [eax+08h], 00000000h |
pop ebp |
retn 0008h |
mov eax, dword ptr [ecx+04h] |
test eax, eax |
jne 00007FE1F8E12507h |
mov eax, 00414218h |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+08h], 00000000h |
push edi |
mov edi, ecx |
je 00007FE1F8E1252Fh |
push esi |
push dword ptr [ebp+08h] |
call 00007FE1F8E17956h |
lea esi, dword ptr [eax+01h] |
push esi |
call 00007FE1F8E1420Eh |
pop ecx |
pop ecx |
mov dword ptr [edi+04h], eax |
test eax, eax |
je 00007FE1F8E12513h |
push dword ptr [ebp+08h] |
push esi |
push eax |
call 00007FE1F8E178DAh |
add esp, 0Ch |
mov byte ptr [edi+08h], 00000001h |
pop esi |
pop edi |
pop ebp |
retn 0004h |
mov edi, edi |
push esi |
mov esi, ecx |
cmp byte ptr [esi+08h], 00000000h |
je 00007FE1F8E1250Bh |
push dword ptr [esi+04h] |
call 00007FE1F8E1296Bh |
pop ecx |
and dword ptr [esi+04h], 00000000h |
mov byte ptr [esi+08h], 00000000h |
pop esi |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push esi |
mov esi, ecx |
and dword ptr [esi+04h], 00000000h |
mov dword ptr [esi], 00414210h |
mov byte ptr [esi+08h], 00000000h |
push dword ptr [eax] |
call 00007FE1F8E12487h |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18fa4 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0x2b8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e000 | 0x1210 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17710 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x110 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x12d5c | 0x12e00 | 0c92ac62242b124a32252ddc926ef20c | False | 0.5768832781456954 | data | 6.610430575360831 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x14000 | 0x55c4 | 0x5600 | bb84a75048842581960fa9790cb583fd | False | 0.35846656976744184 | data | 4.822094045067747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1a000 | 0x20c0 | 0x1000 | 7bfb1ee1a98f05a772f0fc0aea792a8f | False | 0.258056640625 | data | 3.4184107185858905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x1d000 | 0x2b8 | 0x400 | 7cc9e164c83cbadc629bacfeff29fda1 | False | 0.3203125 | data | 5.171342193183488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1e000 | 0x1ba4 | 0x1c00 | 3e08707dc6e8c85e5f4b7ee4e18ad05c | False | 0.5330636160714286 | data | 5.052251546929224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x1d058 | 0x25f | ASCII text, with very long lines (607), with no line terminators | English | United States | 0.43492586490939045 |
DLL | Import |
---|---|
KERNEL32.dll | GetProcAddress, LoadLibraryA, ExitProcess, GlobalLock, GlobalAlloc, Sleep, GlobalUnlock, GetLastError, IsDebuggerPresent, CreateThread, InterlockedIncrement, InterlockedDecrement, EncodePointer, DecodePointer, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCommandLineW, HeapSetInformation, GetStartupInfoW, HeapFree, HeapReAlloc, RaiseException, RtlUnwind, HeapAlloc, CompareStringW, MultiByteToWideChar, GetCPInfo, WideCharToMultiByte, LCMapStringW, SetUnhandledExceptionFilter, GetModuleHandleW, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsProcessorFeaturePresent, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoW, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeW, LoadLibraryW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 01:20:28 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\Desktop\7zba89tklZ.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4f0000 |
File size: | 112'640 bytes |
MD5 hash: | 2B5E1DFE4E4DB4E886B079F054182055 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 01:20:36 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\Desktop\7zba89tklZ.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4f0000 |
File size: | 112'640 bytes |
MD5 hash: | 2B5E1DFE4E4DB4E886B079F054182055 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 01:20:44 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\AppData\Local\Microsoft\svcapp.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x370000 |
File size: | 112'640 bytes |
MD5 hash: | 2B5E1DFE4E4DB4E886B079F054182055 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 7.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 4.7% |
Total number of Nodes: | 1683 |
Total number of Limit Nodes: | 25 |
Graph
Function 004F19DF Relevance: 27.6, APIs: 1, Strings: 17, Instructions: 550sleepCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F7529 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 205filesleepCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F2235 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 32sleepsynchronizationthreadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F744F Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F91DE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F2B41 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F234F Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F5076 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F17EC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40clipboardCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0050125C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FCA46 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FBC1E Relevance: .4, Instructions: 355COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FB836 Relevance: .3, Instructions: 349COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FB464 Relevance: .3, Instructions: 332COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FB0C6 Relevance: .3, Instructions: 326COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FD99F Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FC185 Relevance: 34.8, APIs: 23, Instructions: 290COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FD729 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F139D Relevance: 9.0, APIs: 6, Instructions: 41COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FE928 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FD3BD Relevance: 6.0, APIs: 4, Instructions: 41COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FE6A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004F17CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 4.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 1635 |
Total number of Limit Nodes: | 22 |
Graph
Function 00372235 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32sleepsynchronizationthreadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003791DE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00372B41 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037234F Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00375076 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00377529 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 205filesleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0038125C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037D99F Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037C185 Relevance: 34.8, APIs: 23, Instructions: 290COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037744F Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037D729 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037139D Relevance: 9.0, APIs: 6, Instructions: 41COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037E928 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037184C Relevance: 7.5, APIs: 5, Instructions: 36memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037D3BD Relevance: 6.0, APIs: 4, Instructions: 41COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0037E6A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00379874 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003717CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|