Windows
Analysis Report
lmtyweWwbU.exe
Overview
General Information
Sample name: | lmtyweWwbU.exerenamed because original name is a hash value |
Original sample name: | d3be4981a8db02dab1f214565fc5b0b6748ff6fa218b0bcc46a915229f8078f3.exe |
Analysis ID: | 1664472 |
MD5: | d436e0b4a9aa7b9a6641ea93c4dba8ae |
SHA1: | a33e3e532dc90f08e111eab0762bce9158fd37e2 |
SHA256: | d3be4981a8db02dab1f214565fc5b0b6748ff6fa218b0bcc46a915229f8078f3 |
Tags: | 96-9-125-200exeuser-JAMESWT_WT |
Infos: | |
Detection
Score: | 48 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
lmtyweWwbU.exe (PID: 6644 cmdline:
"C:\Users\ user\Deskt op\lmtyweW wbU.exe" MD5: D436E0B4A9AA7B9A6641EA93C4DBA8AE) conhost.exe (PID: 6656 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) attrib.exe (PID: 7076 cmdline:
"attrib" + h +s C:\Us ers\user\D esktop\lmt yweWwbU.ex e MD5: 5037D8E6670EF1D89FB6AD435F12A9FD) attrib.exe (PID: 7068 cmdline:
"attrib" + h +s C:\Us ers\user\D esktop\Sys temHelper. exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD) SystemHelper.exe (PID: 6284 cmdline:
"C:\Users\ user\Deskt op\SystemH elper.exe" MD5: D436E0B4A9AA7B9A6641EA93C4DBA8AE) attrib.exe (PID: 6256 cmdline:
"attrib" + h +s C:\Us ers\user\D esktop\Sys temHelper. exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cleanup
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
Click to jump to signature section
Source: | Static PE information: |
Source: | Binary string: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_00007FF6D34DE250 |
Source: | Code function: | 0_2_00007FF6D34E5D20 | |
Source: | Code function: | 0_2_00007FF6D34E59F0 | |
Source: | Code function: | 0_2_00007FF6D34E5E40 |
Source: | Code function: | 0_2_00007FF6D34E80D0 | |
Source: | Code function: | 0_2_00007FF6D34F0D10 | |
Source: | Code function: | 0_2_00007FF6D34FA4C0 | |
Source: | Code function: | 0_2_00007FF6D34E4C00 | |
Source: | Code function: | 0_2_00007FF6D34DD400 | |
Source: | Code function: | 0_2_00007FF6D34FDAC0 | |
Source: | Code function: | 0_2_00007FF6D34FAAC0 | |
Source: | Code function: | 0_2_00007FF6D34F11A0 | |
Source: | Code function: | 0_2_00007FF6D34FE1C0 | |
Source: | Code function: | 0_2_00007FF6D34E2880 | |
Source: | Code function: | 0_2_00007FF6D34D60B0 | |
Source: | Code function: | 0_2_00007FF6D34FB0C0 | |
Source: | Code function: | 0_2_00007FF6D34F2F20 | |
Source: | Code function: | 0_2_00007FF6D34DE6C0 | |
Source: | Code function: | 0_2_00007FF6D34F9D90 | |
Source: | Code function: | 0_2_00007FF6D34F8600 |
Source: | Code function: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF6D34E5F60 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF6D34F1D30 |
Persistence and Installation Behavior |
---|
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | API coverage: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00007FF6D3500124 |
Source: | Code function: | 0_2_00007FF6D34F1D30 |
Source: | Code function: | 0_2_00007FF6D34F04A0 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF6D35002C8 | |
Source: | Code function: | 0_2_00007FF6D3500124 |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_00007FF6D34FFFFC |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse | ||
0% | ReversingLabs |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
96.9.125.200 | unknown | Canada | 30295 | 2ICSYSTEMSINCCA | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1664472 |
Start date and time: | 2025-04-14 11:12:19 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 48s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | lmtyweWwbU.exerenamed because original name is a hash value |
Original Sample Name: | d3be4981a8db02dab1f214565fc5b0b6748ff6fa218b0bcc46a915229f8078f3.exe |
Detection: | MAL |
Classification: | mal48.winEXE@10/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, sppsvc.exe, SIHCli ent.exe, SgrmBroker.exe, conho st.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 172.202.163.200, 1 84.28.213.193 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , otelrules.svc.static.microso ft, ctldl.windowsupdate.com, c .pki.goog, fe3cr.delivery.mp.m icrosoft.com - Not all processes where analyz
ed, report is missing behavior information
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
2ICSYSTEMSINCCA | Get hash | malicious | WhiteSnake Stealer | Browse |
| |
Get hash | malicious | WhiteSnake Stealer | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | RHADAMANTHYS | Browse |
| ||
Get hash | malicious | Amadey, RHADAMANTHYS | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
|
File type: | |
Entropy (8bit): | 6.292428629980115 |
TrID: |
|
File name: | lmtyweWwbU.exe |
File size: | 278'016 bytes |
MD5: | d436e0b4a9aa7b9a6641ea93c4dba8ae |
SHA1: | a33e3e532dc90f08e111eab0762bce9158fd37e2 |
SHA256: | d3be4981a8db02dab1f214565fc5b0b6748ff6fa218b0bcc46a915229f8078f3 |
SHA512: | 78b226f55a3087cfa12227247f92c6fdb4f27e1e9bc03eb8c903b8e7fe0ee863553a2047715d0c050456798b60df9619b52cb06c8fe821f631cdda0acb8166a6 |
SSDEEP: | 6144:IiORg+StTT88UEaUpKU6lBITTIqY2nWcLOqlkY2ayjtdAVhHHK0/q0Mc:Iiu5j8UEkOrm |
TLSH: | B5443A217A559CACD94AC07883468A736572B4CA1B32F9FF02C445393F6FEF52E38658 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P.C.1...1...1...I...1.......1.......1.......1.......1...I...1...1..V1...1...1....s..1.......1..Rich.1..........PE..d...~4.g... |
Icon Hash: | 39d2c0daeafad051 |
Entrypoint: | 0x14002fd1c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67FC347E [Sun Apr 13 22:02:38 2025 UTC] |
TLS Callbacks: | 0x40021b20, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 36a29e8472db44f83c8c0771c7937c8c |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FDFBC8C845Ch |
dec eax |
add esp, 28h |
jmp 00007FDFBC8C7FF7h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
nop word ptr [eax+eax+00000000h] |
dec eax |
sub esp, 10h |
dec esp |
mov dword ptr [esp], edx |
dec esp |
mov dword ptr [esp+08h], ebx |
dec ebp |
xor ebx, ebx |
dec esp |
lea edx, dword ptr [esp+18h] |
dec esp |
sub edx, eax |
dec ebp |
cmovb edx, ebx |
dec esp |
mov ebx, dword ptr [00000010h] |
dec ebp |
cmp edx, ebx |
jnc 00007FDFBC8C8198h |
inc cx |
and edx, 8D4DF000h |
wait |
add al, dh |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3f71c | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x45000 | 0x18b0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x42000 | 0x23a0 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x47000 | 0x4bc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39700 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x39780 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x395c0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x428 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x30b2f | 0x30c00 | 57e8aa82890cfdcbe764b423637aea03 | False | 0.4995392628205128 | data | 6.285967484787889 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x32000 | 0xe622 | 0xe800 | ded99f843977934864a950024b4575fd | False | 0.3484307650862069 | 370 XA sysV pure executable | 5.289124756054743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x41000 | 0x310 | 0x200 | 0986951de0dd3ab6f041638c54850010 | False | 0.228515625 | data | 1.6518190552773089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x42000 | 0x23a0 | 0x2400 | e4b52d43f1cf63b59b3eb05bf27421d5 | False | 0.4940321180555556 | data | 5.373019336555336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x45000 | 0x18b0 | 0x1a00 | 1c86f22f25022d87c713c84503e5e7fb | False | 0.8236177884615384 | data | 7.040790659875909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x47000 | 0x4bc | 0x600 | bcbca46df6e1a9d81082be75c10e9e02 | False | 0.5481770833333334 | data | 4.807697483412515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x45310 | 0x1588 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9299709724238027 |
RT_GROUP_ICON | 0x46898 | 0x14 | data | English | United States | 1.05 |
RT_VERSION | 0x450f0 | 0x21c | data | English | United States | 0.4703703703703704 |
DLL | Import |
---|---|
SHELL32.dll | SHChangeNotify |
api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle |
bcryptprimitives.dll | ProcessPrng |
KERNEL32.dll | GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, CloseHandle, GetConsoleWindow, FreeEnvironmentStringsW, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, WaitForSingleObject, QueryPerformanceCounter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, SetFileInformationByHandle, GetCurrentProcess, DuplicateHandle, GetStdHandle, GetCurrentProcessId, SetHandleInformation, WriteFileEx, SleepEx, GetExitCodeProcess, GetProcessHeap, HeapFree, HeapReAlloc, lstrlenW, ReleaseMutex, CreateFileW, CreateEventW, GetOverlappedResult, MoveFileExW, ReadFile, CancelIo, GetModuleHandleW, FormatMessageW, GetModuleFileNameW, ExitProcess, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, GetConsoleMode, GetConsoleOutputCP, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, IsProcessorFeaturePresent, GetProcAddress, HeapAlloc, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA |
USER32.dll | ShowWindow |
ntdll.dll | RtlNtStatusToDosError, NtReadFile, NtWriteFile |
WS2_32.dll | recv, send, WSASocketW, getaddrinfo, connect, WSAGetLastError, freeaddrinfo, WSACleanup, WSAStartup, closesocket |
VCRUNTIME140.dll | __C_specific_handler, __current_exception_context, _CxxThrowException, memmove, memset, memcmp, __CxxFrameHandler3, memcpy, __current_exception |
api-ms-win-crt-runtime-l1-1-0.dll | exit, _exit, _initterm_e, _initterm, _configure_narrow_argv, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, __p___argc, _initialize_narrow_environment |
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode |
Description | Data |
---|---|
FileDescription | Freelancer_Contract_Viewer |
ProductVersion | 0.1.0 |
SubSystem | windows |
FileVersion | 0.1.0 |
ProductName | Freelancer_Contract_Viewer |
Translation | 0x0000 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Download Network PCAP: filtered – full
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 14, 2025 11:13:21.245634079 CEST | 49692 | 4443 | 192.168.2.8 | 96.9.125.200 |
Apr 14, 2025 11:13:22.230652094 CEST | 49692 | 4443 | 192.168.2.8 | 96.9.125.200 |
Apr 14, 2025 11:13:24.230693102 CEST | 49692 | 4443 | 192.168.2.8 | 96.9.125.200 |
Apr 14, 2025 11:13:28.230592966 CEST | 49692 | 4443 | 192.168.2.8 | 96.9.125.200 |
Apr 14, 2025 11:13:36.230555058 CEST | 49692 | 4443 | 192.168.2.8 | 96.9.125.200 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 05:13:19 |
Start date: | 14/04/2025 |
Path: | C:\Users\user\Desktop\lmtyweWwbU.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d34d0000 |
File size: | 278'016 bytes |
MD5 hash: | D436E0B4A9AA7B9A6641EA93C4DBA8AE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 05:13:19 |
Start date: | 14/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6e60e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 05:13:19 |
Start date: | 14/04/2025 |
Path: | C:\Windows\System32\attrib.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff762130000 |
File size: | 23'040 bytes |
MD5 hash: | 5037D8E6670EF1D89FB6AD435F12A9FD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:13:19 |
Start date: | 14/04/2025 |
Path: | C:\Windows\System32\attrib.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff762130000 |
File size: | 23'040 bytes |
MD5 hash: | 5037D8E6670EF1D89FB6AD435F12A9FD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 5 |
Start time: | 05:13:20 |
Start date: | 14/04/2025 |
Path: | C:\Users\user\Desktop\SystemHelper.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d34d0000 |
File size: | 278'016 bytes |
MD5 hash: | D436E0B4A9AA7B9A6641EA93C4DBA8AE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 6 |
Start time: | 05:13:20 |
Start date: | 14/04/2025 |
Path: | C:\Windows\System32\attrib.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff762130000 |
File size: | 23'040 bytes |
MD5 hash: | 5037D8E6670EF1D89FB6AD435F12A9FD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 3.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 11.2% |
Total number of Nodes: | 374 |
Total number of Limit Nodes: | 8 |
Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF6D34F2350 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 221libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|