Windows
Analysis Report
onestart.exe
Overview
General Information
Sample name: | onestart.exe |
Analysis ID: | 1602313 |
MD5: | 8d1970baec3509e3980627c6a30389ee |
SHA1: | 092ca5f6c75f01a738bbe1378394ec25abab5f0b |
SHA256: | 99e06b4f7ac24af3b64b5e07c2d179d75a2112a01b2c58d985d5c7cbc7a5f41f |
Infos: | |
Errors: | |
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
  - onestart.exe (PID: 2460 cmdline: "C:\Users\user\Desktop\onestart.exe" -install MD5: 8D1970BAEC3509E3980627C6A30389EE)
  - onestart.exe (PID: 1516 cmdline: "C:\Users\user\Desktop\onestart.exe" /install MD5: 8D1970BAEC3509E3980627C6A30389EE)
  - onestart.exe (PID: 2820 cmdline: "C:\Users\user\Desktop\onestart.exe" /load MD5: 8D1970BAEC3509E3980627C6A30389EE)
- cleanup
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
There are no malicious signatures.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Detection | Scanner |
---|---|
3% | Virustotal |
0% | ReversingLabs |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1602313 |
Start date and time: | 2025-01-29 17:50:20 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Cmdline fuzzy |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | onestart.exe |
Detection: | UNKNOWN |
Classification: | unknown3.winEXE@3/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Corrupt sample or wrongly selected analyzer. Details: 36b1
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
- Execution Graph export aborted for target onestart.exe, PID 2460 because there are no executed function
Match: s-part-0017.t-0009.t-msedge.net

Detection | Threat Name |
---|---|
malicious | Credential Flusher |
malicious | MassLogger RAT, XRed |
malicious | HTMLPhisher |
malicious | Unknown |
malicious | Unknown |
malicious | AgentTesla |
malicious | Unknown |
malicious | Unknown |
malicious | Unknown |
malicious | Unknown |
File type: | |
Entropy (8bit): | 6.406375638675686 |
TrID: | |
File name: | onestart.exe |
File size: | 2'670'816 bytes |
MD5: | 8d1970baec3509e3980627c6a30389ee |
SHA1: | 092ca5f6c75f01a738bbe1378394ec25abab5f0b |
SHA256: | 99e06b4f7ac24af3b64b5e07c2d179d75a2112a01b2c58d985d5c7cbc7a5f41f |
SHA512: | 21faf4494b14eafebe73d83ba21cb17c476757b495bf128e561a476c2eb3ea74e334a9175a9adda23b2009869e815773c012b41fb7642a1da0fb02571ec4196a |
SSDEEP: | 49152:IQ4h1M/bW8si0sLAUvqy967e7CBksusuR6LgVm98l:bpDWCAUCysFksusC |
TLSH: | DDC56B13F29940D8D05AC0758746D632E9B2BC854B31B6DF12A07B5A2F77EE02B3DB25 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....S/e.........."............................@..............................).....8.)...`........................................ |
Icon Hash: | 870f3cf0f80c0107 |
Entrypoint: | 0x14012d2a0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x652F530F [Wed Oct 18 03:37:51 2023 UTC] |
TLS Callbacks: | 0x4002ee20, 0x1, 0x4012c510, 0x1, 0x400712d0, 0x1, 0x4012bc00, 0x1, 0x40008a80, 0x1, 0x400999a0, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | 440c94dddc5c0e1fd2b6ae7701f67a3e |
Signature Valid: | true |
Signature Issuer: | CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 373A4AB5CF5347A5256C0B1B2EEAADBA |
Thumbprint SHA-1: | EB5A7872B0563D261362F00BC6AF0AFC36877A89 |
Thumbprint SHA-256: | 061E448E8AE39BB153B6B45FCF31CD2EBBCB1EAFC7814C4C5E8D9D919D8112C7 |
Serial: | 7DE8123E2B4CB350291ED602EDBC4592 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F51E04F6660h |
dec eax |
add esp, 28h |
jmp 00007F51E04F64CFh |
int3 |
int3 |
dec eax |
mov dword ptr [esp+18h], ebx |
push ebp |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 30h |
dec eax |
mov eax, dword ptr [00102D78h] |
dec eax |
mov ebx, 2DDFA232h |
cdq |
sub eax, dword ptr [eax] |
add byte ptr [eax+3Bh], cl |
ret |
jne 00007F51E04F66C6h |
dec eax |
and dword ptr [ebp+10h], 00000000h |
dec eax |
lea ecx, dword ptr [ebp+10h] |
call dword ptr [000F6C3Ah] |
dec eax |
mov eax, dword ptr [ebp+10h] |
dec eax |
mov dword ptr [ebp-10h], eax |
call dword ptr [000F6AF4h] |
mov eax, eax |
dec eax |
xor dword ptr [ebp-10h], eax |
call dword ptr [000F6AD0h] |
mov eax, eax |
dec eax |
lea ecx, dword ptr [ebp+18h] |
dec eax |
xor dword ptr [ebp-10h], eax |
call dword ptr [000F6D90h] |
mov eax, dword ptr [ebp+18h] |
dec eax |
lea ecx, dword ptr [ebp-10h] |
dec eax |
shl eax, 20h |
dec eax |
xor eax, dword ptr [ebp+18h] |
dec eax |
xor eax, dword ptr [ebp-10h] |
dec eax |
xor eax, ecx |
dec eax |
mov ecx, FFFFFFFFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x223394 | 0x87 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22341c | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x260000 | 0x37a78 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x24a000 | 0xdcbc | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x289c00 | 0x24e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x298000 | 0x2290 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x220a7c | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x220950 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ef170 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x223bf0 | 0x770 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2224b0 | 0x180 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1ecd7f | 0x1ece00 | 20b54d3cff80506bbb36d33d6590358e | False | 0.5096417900393102 | data | 6.519800631046198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1ee000 | 0x4164c | 0x41800 | 1bb8f5946c0ec9c5961e1ee6de8ae274 | False | 0.3774153148854962 | data | 5.570528347976777 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x230000 | 0x19670 | 0xf400 | 69a018e8b054e24fe4a3498e9a96bb96 | False | 0.033203125 | data | 1.4248717927616121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x24a000 | 0xdcbc | 0xde00 | 9ffc582e1e42162f74b5cce5084be846 | False | 0.5115427927927928 | data | 5.991029736699372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.gxfg | 0x258000 | 0x2e80 | 0x3000 | 133bbd43e0b29e003b9139a57a0ffcc7 | False | 0.40478515625 | data | 5.129224756439478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.retplne | 0x25b000 | 0xac | 0x200 | 5255fc51b70bb72c37739ecd335cecfe | False | 0.134765625 | data | 1.320312118710215 | |
.tls | 0x25c000 | 0x231 | 0x400 | ffd165880605c7661e990b8841ed3327 | False | 0.04296875 | data | 0.21447604792517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
CPADinfo | 0x25d000 | 0x38 | 0x200 | 60d3ea61d541c9be2e845d2787fb9574 | False | 0.04296875 | data | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_RDATA | 0x25e000 | 0x1f4 | 0x200 | 43c9f395d51dccdd5abe31a27dc4e5e0 | False | 0.53125 | data | 4.222626840457297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
malloc_h | 0x25f000 | 0x5a3 | 0x600 | 5a673d975585c16f700e4eae2d82285c | False | 0.6354166666666666 | data | 6.04971676914019 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x260000 | 0x37a78 | 0x37c00 | b825b7a27f0dc2aabc0d86d39fa14c92 | False | 0.2223453265134529 | data | 4.407312866060774 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x298000 | 0x2290 | 0x2400 | ba73c4467be1a092930e9224ad3dad1b | False | 0.3228081597222222 | GLS_BINARY_LSB_FIRST | 5.384928991724464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
GOOGLEUPDATEAPPLICATIONCOMMANDS | 0x2892b0 | 0x4 | data | English | United States | 3.0 |
RT_CURSOR | 0x2896d0 | 0x134 | data | | | 0.4837662337662338 |
RT_CURSOR | 0x289820 | 0x134 | data | | | 0.22402597402597402 |
RT_CURSOR | 0x289970 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | | | 0.2077922077922078 |
RT_CURSOR | 0x289ac0 | 0x134 | data | | | 0.461038961038961 |
RT_CURSOR | 0x289c10 | 0x134 | data | | | 0.39935064935064934 |
RT_CURSOR | 0x289d48 | 0xcac | data | | | 0.08446362515413071 |
RT_CURSOR | 0x28aa20 | 0x134 | data | | | 0.32142857142857145 |
RT_CURSOR | 0x28ab58 | 0xcac | data | | | 0.06103575832305795 |
RT_CURSOR | 0x28b830 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.03280224929709466 |
RT_CURSOR | 0x28c8f8 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.07966260543580131 |
RT_CURSOR | 0x28d9c0 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.07872539831302718 |
RT_CURSOR | 0x28ea88 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.07591377694470477 |
RT_CURSOR | 0x28fb50 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.03420805998125586 |
RT_CURSOR | 0x290c18 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.03655107778819119 |
RT_CURSOR | 0x291ce0 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.03795688847235239 |
RT_CURSOR | 0x292da8 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.03303655107778819 |
RT_CURSOR | 0x293e70 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.036785379568884724 |
RT_CURSOR | 0x294f38 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.03608247422680412 |
RT_CURSOR | 0x296000 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | | | 0.042877225866916585 |
RT_CURSOR | 0x2970c8 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | | | 0.23376623376623376 |
RT_CURSOR | 0x297218 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.1590909090909091 |
RT_CURSOR | 0x297368 | 0x134 | data | | | 0.3181818181818182 |
RT_CURSOR | 0x2974b8 | 0x134 | data | | | 0.30194805194805197 |
RT_ICON | 0x260df0 | 0x49db | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9996826572169037 |
RT_ICON | 0x2657d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m | English | United States | 0.11448598130841121 |
RT_ICON | 0x275ff8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m | English | United States | 0.17949929145016533 |
RT_ICON | 0x27a220 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | English | United States | 0.2628630705394191 |
RT_ICON | 0x27c7c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | English | United States | 0.32598499061913694 |
RT_ICON | 0x27d870 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | English | United States | 0.599290780141844 |
RT_ICON | 0x27dd38 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.2273454157782516 |
RT_ICON | 0x27ebe0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.34657039711191334 |
RT_ICON | 0x27f488 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5043352601156069 |
RT_ICON | 0x27f9f0 | 0x7c8 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.8699799196787149 |
RT_ICON | 0x2801b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.06182572614107884 |
RT_ICON | 0x282760 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.09849906191369606 |
RT_ICON | 0x283808 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.23138297872340424 |
RT_ICON | 0x283cd8 | 0x4a8 | Device independent bitmap graphic, 17 x 32 x 32, image size 1088, resolution 2835 x 2835 px/m | English | United States | 0.28439597315436244 |
RT_ICON | 0x284180 | 0x1234 | Device independent bitmap graphic, 33 x 66 x 32, image size 4356, resolution 2835 x 2835 px/m | English | United States | 0.11566523605150214 |
RT_ICON | 0x2853b8 | 0x2668 | Device independent bitmap graphic, 49 x 96 x 32, image size 9408, resolution 2835 x 2835 px/m | English | United States | 0.07811228641171684 |
RT_ICON | 0x287a20 | 0x184b | PNG image data, 257 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.992603312429651 |
RT_GROUP_CURSOR | 0x289808 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25 |
RT_GROUP_CURSOR | 0x289958 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25 |
RT_GROUP_CURSOR | 0x289aa8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3 |
RT_GROUP_CURSOR | 0x289bf8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3 |
RT_GROUP_CURSOR | 0x28a9f8 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | | | 1.0 |
RT_GROUP_CURSOR | 0x28b808 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | | | 1.0 |
RT_GROUP_CURSOR | 0x28c8e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x28d9a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x28ea70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x28fb38 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x290c00 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x291cc8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x292d90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x293e58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x294f20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x295fe8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x2970b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.2 |
RT_GROUP_CURSOR | 0x297200 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3 |
RT_GROUP_CURSOR | 0x297350 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3 |
RT_GROUP_CURSOR | 0x2974a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3 |
RT_GROUP_CURSOR | 0x2975f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3 |
RT_GROUP_ICON | 0x27dcd8 | 0x5a | data | English | United States | 0.7666666666666667 |
RT_GROUP_ICON | 0x283c70 | 0x68 | data | English | United States | 0.7019230769230769 |
RT_GROUP_ICON | 0x289270 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_VERSION | 0x2892b8 | 0x418 | data | English | United States | 0.4351145038167939 |
RT_MANIFEST | 0x297608 | 0x46c | XML 1.0 document, ASCII text, with very long lines (1018) | English | United States | 0.48586572438162545 |
DLL | Import |
---|---|
chrome_elf.dll | GetInstallDetailsPayload, IsBrowserProcess, IsExtensionPointDisableSet, SignalChromeElf, SignalInitializeCrashReporting |
KERNEL32.dll | AcquireSRWLockExclusive, AddVectoredExceptionHandler, CloseHandle, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateRemoteThread, CreateSemaphoreW, CreateThread, DebugBreak, DeleteCriticalSection, DeleteFileW, DeleteProcThreadAttributeList, DisconnectNamedPipe, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesEx, EnumSystemLocalesW, ExitProcess, ExitThread, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumber, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileTime, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoW, GetLogicalProcessorInformation, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHandleCount, GetProcessHeap, GetProcessHeaps, GetProcessId, GetProcessMitigationPolicy, GetProcessTimes, GetProductInfo, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadLocale, GetThreadPriority, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetVersionExW, GetWindowsDirectoryW, HeapDestroy, HeapSetInformation, InitOnceExecuteOnce, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, K32GetModuleInformation, K32GetPerformanceInfo, K32GetProcessMemoryInfo, K32QueryWorkingSetEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, LockFileEx, MapViewOfFile, MoveFileW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, PrefetchVirtualMemory, QueryDosDeviceW, QueryInformationJobObject, QueryPerformanceCounter, QueryPerformanceFrequency, QueryThreadCycleTime, RaiseException, ReadConsoleW, ReadFile, ReadProcessMemory, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ReplaceFileW, ResetEvent, ResumeThread, RtlCaptureContext, RtlCaptureStackBackTrace, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetCurrentDirectoryW, SetDefaultDllDirectories, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFilePointerEx, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetProcessMitigationPolicy, SetProcessShutdownParameters, SetStdHandle, SetThreadAffinityMask, SetThreadInformation, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableSRW, SleepEx, SuspendThread, SwitchToThread, SystemTimeToTzSpecificLocalTime, TerminateJobObject, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TransactNamedPipe, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, UnlockFileEx, UnmapViewOfFile, UnregisterWaitEx, UpdateProcThreadAttribute, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeW, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, Wow64GetThreadContext, WriteConsoleW, WriteFile, WriteProcessMemory, lstrlenA |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
ntdll.dll | RtlInitUnicodeString |
Name | Ordinal | Address |
---|---|---|
GetHandleVerifier | 1 | 0x14006eb20 |
GetPakFileHashes | 2 | 0x140097130 |
IsSandboxedProcess | 3 | 0x140098500 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 29, 2025 17:51:31.567310095 CET | 1.1.1.1 | 192.168.2.5 | 0x9175 | No error (0) | s-part-0017.t-0009.t-msedge.net | | | CNAME (Canonical name) | IN (0x0001) | false |
Jan 29, 2025 17:51:31.567310095 CET | 1.1.1.1 | 192.168.2.5 | 0x9175 | No error (0) | | | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 11:51:16 |
Start date: | 29/01/2025 |
Path: | C:\Users\user\Desktop\onestart.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff65ce60000 |
File size: | 2'670'816 bytes |
MD5 hash: | 8D1970BAEC3509E3980627C6A30389EE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 11:51:18 |
Start date: | 29/01/2025 |
Path: | C:\Users\user\Desktop\onestart.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff65ce60000 |
File size: | 2'670'816 bytes |
MD5 hash: | 8D1970BAEC3509E3980627C6A30389EE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 11:51:20 |
Start date: | 29/01/2025 |
Path: | C:\Users\user\Desktop\onestart.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff65ce60000 |
File size: | 2'670'816 bytes |
MD5 hash: | 8D1970BAEC3509E3980627C6A30389EE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Function 00007FF65CE9DA90 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 149 [libraryloader, COMMON]
Function 00007FF65CEAAA80 | Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 129 | libraryloader, COMMON |