Windows
Analysis Report
3gp.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
3gp.exe (PID: 7788 cmdline:
"C:\Users\ user\Deskt op\3gp.exe " MD5: 8C008E5354F8BBCB45525B242360A590)
- cleanup
- • AV Detection
- • Spreading
- • Key, Mouse, Clipboard, Microphone and Screen Capturing
- • Operating System Destruction
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Code function: | 0_2_00402698 |
Operating System Destruction |
---|
Source: | Code function: | 0_2_00401B60 |
System Summary |
---|
Source: | Hard error raised: | Jump to behavior |
Source: | Code function: | 0_2_00403CDD |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_00403CDD |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00414C52 | |
Source: | Code function: | 0_2_00408529 |
Persistence and Installation Behavior |
---|
Source: | Code function: | 0_2_00401B60 |
Source: | File written: | Jump to behavior |
Boot Survival |
---|
Source: | Code function: | 0_2_00401B60 |
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior |
Anti Debugging |
---|
Source: | Debugger detection routine: | graph_0-1390 |
Source: | Code function: | 0_2_00403CDD |
Source: | Code function: | 0_2_004011B0 | |
Source: | Code function: | 0_2_00406241 | |
Source: | Code function: | 0_2_0040C548 | |
Source: | Code function: | 0_2_004051B0 |
Source: | Code function: | 0_2_004050D0 |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Registry value created: | Jump to behavior |
Source: | Registry key created or modified: | Jump to behavior |
Source: | Registry key created or modified: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Native API | 3 Bootkit | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | Data Obfuscation | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | 121 Virtualization/Sandbox Evasion | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Bootkit | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 Peripheral Device Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
67% | Virustotal | Browse | ||
58% | ReversingLabs | Win64.Trojan.Nekark | ||
100% | Avira | TR/AD.Nekark.onzgh |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1667864 |
Start date and time: | 2025-04-17 21:12:27 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | |
Sample name: | 3gp.exe |
Detection: | MAL |
Classification: | mal88.rans.evad.winEXE@1/1@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Connection to analysis system
has been lost, crash info: Unk nown - Exclude process from analysis
(whitelisted): dllhost.exe, au diodg.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 23.79.17.61, 23.4. 43.62 - Excluded domains from analysis
(whitelisted): cac-ocsp.digic ert.com.edgekey.net, fs.micros oft.com, ocsp.digicert.com, e3 913.cd.akamaiedge.net, ocsp.ed ge.digicert.com, prod.fs.micro soft.com.akadns.net, fs-wildca rd.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edge key.net.globalredir.akadns.net , e16604.dscf.akamaiedge.net
Time | Type | Description |
---|---|---|
15:13:34 | API Interceptor |
Process: | C:\Users\user\Desktop\3gp.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 2.6140688932684544 |
Encrypted: | false |
SSDEEP: | 192:ZA9KensrHQum8AzN57idpL0aqF/gxyrqVg+oJ/7YL/oIoIn0un:W9KKslqidpL0amsqqVbbWEDn |
MD5: | BB4B2512514FA052B80C1EE618BD14D4 |
SHA1: | 01D445199F453DDB8DD51235E46D907D88733409 |
SHA-256: | 36C04C2BAA97CACDF0BCEC39CA2036D9F62FD849EDAE617BCE03FC967A3EF966 |
SHA-512: | AE7E4F836894F36FFA3885B5D3DDE8F06D09D570E91F7D427C953440DCBA5115108BB3E98E9D52D59268A957C53A611FB145FE81FC85785AD86CA66938CAE5C4 |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.296758362030382 |
TrID: |
|
File name: | 3gp.exe |
File size: | 189'056 bytes |
MD5: | 8c008e5354f8bbcb45525b242360a590 |
SHA1: | 188294fa1d6b7652f887ec0542b406bf24da8391 |
SHA256: | 5fb6629ea119fd2f4237bbf45121c24e7532bb56432f3e8fab744e655533e631 |
SHA512: | d4ea624a1e520edf20b4e349a32c31b49857f73cccf6824c0ef599ddb4c4c44397726dc8c44cb783fbc32fb5b7c57c664b6c5fc3b6e40270b777c79642079e80 |
SSDEEP: | 1536:BOKohcywXeCVnhtd+wDnhd1kRfWKqs5ypmaClXRDageWfBfj5WdvkvcUvMFM7iNl:Hpnh71W+KYoDRBfj5WdccBRU1gemktyP |
TLSH: | D90407E776969C9BE911433805D6C335273EFB908BC34B072E2069361E13BD0BED665A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....{.g....C.....'......T...D................@............................................... ............................ |
Icon Hash: | d117324c74253aca |
Entrypoint: | 0x4014d0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE |
DLL Characteristics: | |
Time Stamp: | 0x67A97BCF [Mon Feb 10 04:08:47 2025 UTC] |
TLS Callbacks: | 0x4052e0 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b5c90181d89f90dda2d6f2b29bf1618f |
Instruction |
---|
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [00007625h] |
mov dword ptr [eax], 00000001h |
call 00007F51F8B8722Fh |
call 00007F51F8B8330Ah |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop word ptr [eax+eax+00000000h] |
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [000075F5h] |
mov dword ptr [eax], 00000000h |
call 00007F51F8B871FFh |
call 00007F51F8B832DAh |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
push ebp |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 70h |
movaps ebp-10h, dqword ptr [xmm6] |
dec eax |
mov dword ptr [ebp+10h], ecx |
mov dword ptr [ebp+18h], edx |
movzx eax, byte ptr [ebp+1Ah] |
mov byte ptr [ebp-19h], al |
movzx eax, byte ptr [ebp+19h] |
mov byte ptr [ebp-1Ah], al |
movzx eax, byte ptr [ebp+18h] |
mov byte ptr [ebp-1Bh], al |
movzx eax, byte ptr [ebp-19h] |
pxor xmm0, xmm0 |
cvtsi2ss xmm0, eax |
movss xmm1, dword ptr [00007094h] |
divss xmm0, xmm1 |
movd eax, xmm0 |
mov dword ptr [ebp-20h], eax |
movzx eax, byte ptr [ebp-1Ah] |
pxor xmm0, xmm0 |
cvtsi2ss xmm0, eax |
movss xmm1, dword ptr [00007075h] |
divss xmm0, xmm1 |
movd eax, xmm0 |
mov dword ptr [ebp-24h], eax |
movzx eax, byte ptr [eax] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0xf5c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1478 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9000 | 0x390 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe020 | 0x28 | .tls |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc3f8 | 0x358 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x53b0 | 0x5400 | a38abbf0d707b8ab4094a65a33acd09e | False | 0.44884672619047616 | data | 5.990094457258481 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x7000 | 0x90 | 0x200 | 800afdffff2b0727d5877de48d355e4e | False | 0.11328125 | data | 0.6379346993823642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x8000 | 0xfb0 | 0x1000 | 27ee02e11092adaf46f55cc6d53ab6ae | False | 0.409912109375 | COM executable for DOS | 4.670165023914094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.pdata | 0x9000 | 0x390 | 0x400 | d5ea913a7a3c76c1e404fedd4dde6b26 | False | 0.4951171875 | data | 3.847732580028875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.xdata | 0xa000 | 0x374 | 0x400 | 91bc88e7e63bb3a6c03660e214574a57 | False | 0.3623046875 | data | 3.9443421496510696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
.bss | 0xb000 | 0xa60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc000 | 0xf5c | 0x1000 | bf91e9d0789d830dab059589ceadc27e | False | 0.33203125 | data | 4.069800559994343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0xd000 | 0x68 | 0x200 | 088f8de9c7bfc11829d3ed60b187856b | False | 0.072265625 | data | 0.2748254782599745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xe000 | 0x68 | 0x200 | 3d9f6d41d3fc682200d345ba64a9d400 | False | 0.060546875 | data | 0.19743807838821048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xf000 | 0x1478 | 0x1600 | e009b57fdc546568472586457512dc6a | False | 0.2853338068181818 | data | 3.6598208571764954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
/4 | 0x11000 | 0x600 | 0x600 | 0e78de464c68fa0acdd948f628d31a51 | False | 0.22786458333333334 | data | 1.6710394076117343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/19 | 0x12000 | 0xdce6 | 0xde00 | 81f8875f55347e5b738af306cde8c5e3 | False | 0.3779560810810811 | data | 5.951578477311184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/31 | 0x20000 | 0x23c8 | 0x2400 | f668052ed1ec57583e4eff853b15bfc4 | False | 0.2138671875 | data | 4.605200814310725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/45 | 0x23000 | 0x21a4 | 0x2200 | f666b4ece5949545a64815350fa43e5d | False | 0.3050321691176471 | data | 5.610135942574295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/57 | 0x26000 | 0xcc8 | 0xe00 | ed498850cf239b23ca9c13d992e40156 | False | 0.3099888392857143 | data | 3.991934598130095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/70 | 0x27000 | 0x4ce | 0x600 | 6327078cd03de34e4da5925489a3fce4 | False | 0.2649739583333333 | data | 4.316064494959888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/81 | 0x28000 | 0x37db | 0x3800 | b57acacb9539f6beb40d0e3e968eeeab | False | 0.20375279017857142 | data | 2.3647523633362253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
/92 | 0x2c000 | 0x5d0 | 0x600 | 49fd23ba829765ce1a4cf16722003a1f | False | 0.22721354166666666 | data | 1.5077615221213083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xf0f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.2781425891181989 |
RT_GROUP_ICON | 0x10198 | 0x14 | data | English | United States | 1.1 |
RT_VERSION | 0x101b0 | 0x2c8 | data | English | United States | 0.46207865168539325 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, RegCreateKeyExW, RegSetValueExW |
GDI32.dll | BitBlt, CreateBitmap, CreateCompatibleDC, CreateDIBSection, CreatePen, CreateSolidBrush, DeleteDC, DeleteObject, GetBitmapBits, Polygon, SelectObject, SetBitmapBits, StretchBlt, TextOutA |
KERNEL32.dll | CloseHandle, CreateFileW, CreateThread, DeleteCriticalSection, DeleteVolumeMountPointA, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TerminateThread, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile |
MSIMG32.dll | AlphaBlend |
msvcrt.dll | __C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _lock, _onexit, _unlock, _time64, abort, calloc, exit, fprintf, free, frexp, fwrite, malloc, memcpy, memset, rand, signal, srand, strlen, strncmp, vfprintf |
USER32.dll | DrawIcon, GetCursorInfo, GetDC, GetForegroundWindow, GetSystemMetrics, GetWindowRect, InvalidateRect, MessageBoxW, ReleaseDC, SetWindowPos |
WINMM.dll | waveOutClose, waveOutOpen, waveOutPrepareHeader, waveOutUnprepareHeader, waveOutWrite |
Description | Data |
---|---|
CompanyName | Ryan |
FileVersion | 6.6.6.6 |
FileDescription | Buy Ryans World Eggs from Dark Web 2025 |
InternalName | 3gp |
LegalCopyright | Ryan |
LegalTrademarks | Ryan |
OriginalFilename | 3gp |
ProductName | 3gp |
ProductVersion | 6.6.6.6 |
Translation | 0x0409 0x04e4 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 15:13:22 |
Start date: | 17/04/2025 |
Path: | C:\Users\user\Desktop\3gp.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 189'056 bytes |
MD5 hash: | 8C008E5354F8BBCB45525B242360A590 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 23.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 15% |
Total number of Nodes: | 340 |
Total number of Limit Nodes: | 7 |
Graph
Callgraph
Function 00403CDD Relevance: 157.9, APIs: 52, Strings: 38, Instructions: 404threadwindownativeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|