Edit tour

Windows Analysis Report
aria2c.exe

Overview

General Information

Sample name:	aria2c.exe
Analysis ID:	1603271
MD5:	b95dbde252cc8ea490e1d9d04ec5fe0d
SHA1:	edd746c496ea8564367b3108736490dcfc14c360
SHA256:	0ae98794b3523634b0af362d6f8c04a9bbd32aeda959b72ca0e7fc24e84d2a66
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

aria2c.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\aria2c.exe" MD5: B95DBDE252CC8EA490E1D9D04EC5FE0D)

conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: aria2c.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: aria2c.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: aria2c.exe	String found in binary or memory: http://www.metalinker.org/
Source: aria2c.exe	String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: aria2c.exe	String found in binary or memory: https://aria2.github.io/
Source: aria2c.exe	String found in binary or memory: https://aria2.github.io/Usage:
Source: aria2c.exe	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: aria2c.exe	String found in binary or memory: https://github.com/aria2/aria2/issues
Source: aria2c.exe	String found in binary or memory: https://github.com/aria2/aria2/issuesReport

Source: aria2c.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: clean2.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03

Source: aria2c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\aria2c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: aria2c.exe, 00000000.00000000.2045696844.000000000070D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: aria2c.exe	String found in binary or memory: on-download-start
Source: aria2c.exe	String found in binary or memory: on-download-stop
Source: aria2c.exe	String found in binary or memory: dht-listen-addr
Source: aria2c.exe	String found in binary or memory: dht-listen-addr6
Source: aria2c.exe	String found in binary or memory: bt-stop-timeout
Source: aria2c.exe	String found in binary or memory: pBGID#%s Stop downloading torrent due to --bt-stop-timeout option.
Source: aria2c.exe	String found in binary or memory: BtSetup.ccInitializing LpdMessageReceiver.LpdMessageReceiver initialized. multicastAddr=%s:%u, localAddr=%sLpdMessageReceiver not initialized.Initializing LpdMessageDispatcher.basic_string::_M_construct null not validLpdMessageDispatcher initialized.LpdMessageDispatcher not initialized.239.192.152.143pBGID#%s Stop downloading torrent due to --bt-stop-timeout option.BtStopDownloadCommand.ccbasic_string::_M_construct null not valid&?basic_string::appendinfo_hash=%s&peer_id=%s&uploaded=%lld&downloaded=%lld&left=%lld&compact=1&key=%s&numwant=%d&no_peer_id=1&port=%u&event=&trackerid=&supportcrypto=1&requirecrypto=1&ip=Now processing tracker response.DefaultBtAnnounce.ccTracker returned null data.Tracker returned failure reason: %sTracker returned warning message: %sTracker ID:%sInterval:%ldMin interval:%ldComplete:%dIncomplete:%dNo peer list received.No peers6 received.vector::_M_realloc_insertipportNow processing UDP tracker response.basic_string::_M_construct null not validDefaultPeerStorage.ccuniqPeers_.size() == unusedPeers_.size() + usedPeers_.size()CUID#%lld is already set for peer %s:%uCheckout peer %s:%u to CUID#%lldRemove peer %s:%ucannot create std::deque larger than max_size()Adding %s:%u is rejected, since unused peer list is full (%lu peers > %lu)Adding %s:%u is rejected because it has been already added.Adding %s:%u is rejected because it is marked bad.Now unused peer list contains %lu peersAdding peer %s:%dPurge %s from bad peerAdded %s as bad peerPeer %s:%u returned from CUID#%lldCannot find peer %s:%u in usedPeers_basic_string::_M_construct null not validCUID#%lld - Name resolution for %s failed:%sDHTEntryPointNameResolveCommand.ccNo address returnedCUID#%lld - Name resolution complete: %s -> %sException caughtcannot create std::deque larger than max_size()Issuing PeerLookup for infoHash=%sDHTGetPeersCommand.cctask finished detectedToo few peers. peers=%lu, max_peers=%d. Try again(%d)DHTNode ID=%s, Host=%s(%u), Condition=%d, RTT=%ldTrying to add node:%sDHTRoutingTable.ccAdding node with the same ID with localnode is not allowed.Added DHTNode.Splitting bucket. Range:%s-%sCached node=%sbasic_string::_M_construct null not validvector::_M_realloc_insertError occurred while binding UDP port for DHTDHTSetup.ccInitialized local node ID=%sNo DHT entry point specified.Exception caught while loading DHT routing table from %sException caught while initializing DHT functionality. DHT is disabled.Updating periodicTaskQueue1DHTTaskQueueImpl.ccUpdating periodicTaskQueue2Updating immediateTaskQueuecannot create std::deque larger than max_size()Token generation failed: ipaddr=%s, port=%uDHTTokenTracker.ccException caughtDHTTokenUpdateCommand.ccDispatching LPD message for infohash=%sLpdDispatchMessageCommand.ccSending LPD message is complete.Sending LPD message %u times but all failed.Could not send LPD message, retry shortly.Failed to send LPD message.basic_string::_M_construct null not validSetting multicast outgoing interface=%sLpdMessageDispatcher.
Source: aria2c.exe	String found in binary or memory: See --on-download-start option for the
Source: aria2c.exe	String found in binary or memory: See also --on-download-stop option.
Source: aria2c.exe	String found in binary or memory: --on-download-start=COMMAND Set the command to be executed after download
Source: aria2c.exe	String found in binary or memory: --on-download-stop=COMMAND Set the command to be executed after download
Source: aria2c.exe	String found in binary or memory: --stop=SEC Stop application after SEC seconds has passed.
Source: aria2c.exe	String found in binary or memory: --stop-with-process=PID Stop application when process PID is not running.
Source: aria2c.exe	String found in binary or memory: --bt-stop-timeout=SEC Stop BitTorrent download if download speed is 0 in
Source: aria2c.exe	String found in binary or memory: --dht-listen-addr6=ADDR Specify address to bind socket for IPv6 DHT.
Source: aria2c.exe	String found in binary or memory: number to listen on. See also --dht-listen-addr6
Source: aria2c.exe	String found in binary or memory: -h, --help[=TAG\|KEYWORD] Print usage and exit.
Source: aria2c.exe	String found in binary or memory: -h, --help[=TAG\|KEYWORD] Print usage and exit.
Source: aria2c.exe	String found in binary or memory: starts with "#". For example, type "--help=#http"
Source: aria2c.exe	String found in binary or memory: starts with "#". For example, type "--help=#http"
Source: aria2c.exe	String found in binary or memory: See also --on-download-stop option. --on-download-error=COMMAND Set the command to be executed after download
Source: aria2c.exe	String found in binary or memory: See also --on-download-stop option. --on-download-pause=COMMAND Set the command to be executed after download
Source: aria2c.exe	String found in binary or memory: requirement of COMMAND. --on-download-start=COMMAND Set the command to be executed after download
Source: aria2c.exe	String found in binary or memory: Hook in man page for more details. --on-download-stop=COMMAND Set the command to be executed after download
Source: aria2c.exe	String found in binary or memory: otherwise printed in stdout to stderr. --stop=SEC Stop application after SEC seconds has passed.
Source: aria2c.exe	String found in binary or memory: If 0 is given, this feature is disabled. --stop-with-process=PID Stop application when process PID is not running.
Source: aria2c.exe	String found in binary or memory: See also --bt-metadata-only option. --bt-stop-timeout=SEC Stop BitTorrent download if download speed is 0 in
Source: aria2c.exe	String found in binary or memory: network. --dht-file-path=PATH Change the IPv4 DHT routing table file to PATH. --dht-file-path6=PATH Change the IPv6 DHT routing table file to PATH. --dht-listen-addr6=ADDR Specify address to bind socket for IPv6 DHT.
Source: aria2c.exe	String found in binary or memory: if you don't have any preferred protocol. --metalink-version=VERSION The version of the file to download. -v, --version Print the version number and exit., #all -h, --help[=TAG\|KEYWORD] Print usage and exit.
Source: aria2c.exe	String found in binary or memory: if you don't have any preferred protocol. --metalink-version=VERSION The version of the file to download. -v, --version Print the version number and exit., #all -h, --help[=TAG\|KEYWORD] Print usage and exit.
Source: aria2c.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: aria2c.exe	String found in binary or memory: %lu.%lu.%lu.%lu.in-addr.arpa
Source: aria2c.exe	String found in binary or memory: mCARES_HOSTSSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathrares_getaddrinfo.c!hquery->ai->nodestcp%lu.%lu.%lu.%lu.in-addr.arpa%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.ip6.arpaSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathrares__sortaddrinfo.ccur != NULLwslay_event.coff <= lenlen == off(size_t)r <= buflen

Source: unknown	Process created: C:\Users\user\Desktop\aria2c.exe "C:\Users\user\Desktop\aria2c.exe"
Source: C:\Users\user\Desktop\aria2c.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\aria2c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aria2c.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aria2c.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aria2c.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aria2c.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aria2c.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: aria2c.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: aria2c.exe

Static file information: File size 5949966 > 1048576

Source: aria2c.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x447400

Source: aria2c.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: aria2c.exe

Static PE information: section name: /4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: aria2c.exe, 00000000.00000002.2047739523.000000000123E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
aria2c.exe	0%	ReversingLabs
aria2c.exe	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.metalinker.org/basic_string::_M_construct	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://aria2.github.io/Usage:	aria2c.exe	false		high
https://gcc.gnu.org/bugs/):	aria2c.exe	false		high
https://github.com/aria2/aria2/issuesReport	aria2c.exe	false		high
http://www.metalinker.org/	aria2c.exe	false		high
https://aria2.github.io/	aria2c.exe	false		high
https://github.com/aria2/aria2/issues	aria2c.exe	false		high
http://www.metalinker.org/basic_string::_M_construct	aria2c.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1603271
Start date and time:	2025-01-30 19:35:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aria2c.exe
Detection:	CLEAN
Classification:	clean2.winEXE@2/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.443448262854648
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aria2c.exe
File size:	5'949'966 bytes
MD5:	b95dbde252cc8ea490e1d9d04ec5fe0d
SHA1:	edd746c496ea8564367b3108736490dcfc14c360
SHA256:	0ae98794b3523634b0af362d6f8c04a9bbd32aeda959b72ca0e7fc24e84d2a66
SHA512:	d2df384b979f01fbf77067b2d68879221684ffcbfc270000a50be972c8c6bc8f3cc3c1f03ea79216b7b0b296ea27581d38b311472281571bc20d47e61d7cca47
SSDEEP:	98304:YkGkHBfhGbdvHp+PTwHbQApPCNmQ5U7dI/v4GW/F/P9w9Teai3qAiaOdH3qXYFE9:YvkhfO/7QyOU7XGW/F/P9w9xiXGqXCd8
TLSH:	54567D59EE8314F1FA2351B1818FE7BF96246B128021EDBBFF4ED949F7336112909216
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........Z............#.tD...Z..0............D...@..........................P[......W[...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6e9130, 0x6e90e0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2a3472599d3319861edd3c59c3b538b6

Entrypoint Preview

Instruction
mov dword ptr [0098E374h], 00000000h
jmp 00007FB6486B3396h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FB6489B1D86h
test eax, eax
sete al
add esp, 1Ch
movzx eax, al
neg eax
ret
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 0084D000h
call dword ptr [0098F724h]
sub esp, 04h
test eax, eax
je 00007FB6486B3765h
mov ebx, eax
mov dword ptr [esp], 0084D000h
call dword ptr [0098F790h]
mov edi, dword ptr [0098F72Ch]
sub esp, 04h
mov dword ptr [0098C028h], eax
mov dword ptr [esp+04h], 0084D013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 0084D029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [00849004h], eax
sub esp, 08h
test esi, esi
je 00007FB6486B3703h
mov dword ptr [esp+04h], 0098C02Ch
mov dword ptr [esp], 008B9000h
call esi
mov dword ptr [esp], 004015A0h
call 00007FB6486B3653h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
pop edi
pop ebp
ret
lea esi, dword ptr [esi+00000000h]
mov dword ptr [00849004h], 0000EE20h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58f000	0x22dc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x594000	0x20fd8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x49c73c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x58f5f8	0x51c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x447348	0x447400	e41b30a3926d82225abf8946187d619d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x449000	0x3ef4	0x4000	0156b3a7e7f916eb1d348b147a42749b	False	0.16998291015625	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8619896832.000000	2.14305710973823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x44d000	0x6b3a0	0x6b400	028e326423e947aad9ac983750d8761d	False	0.3356529538170163	data	6.0491285911051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
/4	0x4b9000	0xd249c	0xd2600	218725932a23693638885a9eaa91bc4a	False	0.2440048462566845	data	5.055869401118246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x58c000	0x2eb8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x58f000	0x22dc	0x2400	726299d17094169f68f054ec8d120606	False	0.3651258680555556	data	5.446611665474483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x592000	0x34	0x200	204abf66751dcf3f1c1c3dc3828d3a2f	False	0.072265625	Matlab v4 mat-file (little endian) \300\220n, numeric, rows 4198704, columns 0	0.2804011676589459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x593000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x594000	0x20fd8	0x21000	8547aa74a2bb17f13701a4fb57d06017	False	0.5849905303030303	data	6.681867726431836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetTokenInformation, LookupPrivilegeValueA, OpenProcessToken, RegCloseKey, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptCreateHash, BCryptDecrypt, BCryptDestroyHash, BCryptDestroyKey, BCryptEncrypt, BCryptFinishHash, BCryptGenRandom, BCryptGetProperty, BCryptHashData, BCryptImportKey, BCryptImportKeyPair, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptSignHash, BCryptVerifySignature
CRYPT32.dll	CertCloseStore, CertEnumCertificatesInStore, CertFreeCertificateContext, CryptDecodeObjectEx, PFXImportCertStore, PFXIsPFXBlob
IPHLPAPI.DLL	GetAdaptersAddresses
KERNEL32.dll	AreFileApisANSI, CloseHandle, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateMutexW, CreateProcessW, CreateSemaphoreW, DeleteCriticalSection, DeleteFileA, DeleteFileW, DeviceIoControl, EnterCriticalSection, ExpandEnvironmentStringsA, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeLibrary, GetCommandLineW, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetEnvironmentVariableW, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFileSizeEx, GetFullPathNameA, GetFullPathNameW, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetTickCount, GetTimeZoneInformation, GetVersionExA, GetVersionExW, GetWindowsDirectoryA, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, LockFile, LockFileEx, MapViewOfFile, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, OutputDebugStringW, QueryPerformanceCounter, ReadFile, ReleaseSemaphore, SetConsoleCtrlHandler, SetConsoleTextAttribute, SetEndOfFile, SetFilePointer, SetFilePointerEx, SetFileTime, SetFileValidData, SetLastError, SetUnhandledExceptionFilter, Sleep, SystemTimeToFileTime, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile
msvcrt.dll	__getmainargs, __initenv, __lconv_init, __mb_cur_max, __p___argv, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _beginthreadex, _cexit, _endthreadex, _errno, _commit, _filelengthi64, _fileno, _fstat64, _initterm, _iob, _lock, _lseeki64, _onexit, _setmode, _unlock, _wfopen, _wfsopen, _wgetcwd, _wgetenv, _wmkdir, _wopen, _wrmdir, _wsopen, _wunlink, abort, acos, asctime, asin, atan, atoi, calloc, cosh, exit, fclose, feof, ferror, fflush, fgetpos, fgets, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getenv, getwc, islower, isspace, isupper, iswctype, isxdigit, ldiv, localeconv, log10, malloc, memchr, memcmp, memcpy, memmove, memset, localtime, gmtime, difftime, perror, putc, putwc, qsort, raise, rand, realloc, rewind, setlocale, setvbuf, signal, sinh, strchr, strcmp, strcoll, strcpy, strcspn, strerror, strftime, strlen, strncat, strncmp, strncpy, strrchr, strtol, strtoul, strxfrm, tan, tanh, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, time, _stricmp, _strnicmp, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm, _wstati64, _tzname, _write, _tzset, _strnicmp, _strdup, _read, _open, _lseek, _isatty, _fileno, _fdopen, _dup, _close
Secur32.dll	AcceptSecurityContext, AcquireCredentialsHandleW, ApplyControlToken, DecryptMessage, DeleteSecurityContext, EncryptMessage, FreeContextBuffer, FreeCredentialsHandle, InitializeSecurityContextA, QueryContextAttributesA
SHELL32.dll	CommandLineToArgvW
WS2_32.dll	WSASend, freeaddrinfo, getaddrinfo, gethostname, getnameinfo, getservbyname, getservbyport
WSOCK32.DLL	WSACleanup, WSAGetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

• aria2c.exe
• conhost.exe

Click to jump to process

Click to jump to process

Behavior

• aria2c.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	13:36:05
Start date:	30/01/2025
Path:	C:\Users\user\Desktop\aria2c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aria2c.exe"
Imagebase:	0x2c0000
File size:	5'949'966 bytes
MD5 hash:	B95DBDE252CC8EA490E1D9D04EC5FE0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:36:05
Start date:	30/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aria2c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: aria2c.exePID: 6544, Parent PID: 1028

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Windows Analysis Report
aria2c.exe