Edit tour
Windows
Analysis Report
ForkieByKKosty4ka.exe
Overview
General Information
| Sample name: | ForkieByKKosty4ka.exe |
| Analysis ID: | 1670048 |
| MD5: | 94ea622991260a77c641a89b0fdda267 |
| SHA1: | 9193d2daf9efa2865a36155533603ca8b95c2be9 |
| SHA256: | 284c8b2f5b187d6b221d60da2fe055cd3a0f083546cea9b122f4327eef477ed1 |
| Tags: | exeuser-FelloBoiYuuka |
| Infos: | |
 | |
Detection
| Score: | 60 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Protects its processes via BreakOnTermination flag
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
ForkieByKKosty4ka.exe (PID: 6612 cmdline: "C:\Users\ user\Deskt op\ForkieB yKKosty4ka .exe" MD5: 94EA622991260A77C641A89B0FDDA267)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Spreading
- • Operating System Destruction
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_00AD92D0 | |
| Source: | Code function: | 2_2_00A6EA81 | |
| Source: | Code function: | 2_2_00AD9730 | |
Operating System Destruction | |
|---|
| Source: | Code function: | 2_2_00A73700 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Code function: | 2_2_00AF6880 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00A73930 | |
| Source: | Code function: | 2_2_00A6DA19 | |
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_00A73BE0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00B09E76 | |
Persistence and Installation Behavior | |
|---|
| Source: | Code function: | 2_2_00A73700 | |
Boot Survival | |
|---|
| Source: | Code function: | 2_2_00A73700 | |
| Source: | API coverage: | ||
| Source: | Code function: | 2_2_00AD92D0 | |
| Source: | Code function: | 2_2_00A6EA81 | |
| Source: | Code function: | 2_2_00AD9730 | |
| Source: | Code function: | 2_2_00ACC080 | |
| Source: | API call chain: | graph_2-53887 | ||
| Source: | Code function: | 2_2_00A74950 | |
| Source: | Code function: | 2_2_00AD2AC0 | |
| Source: | Code function: | 2_2_00A73BE0 | |
| Source: | Code function: | 2_2_00A916C0 | |
| Source: | Code function: | 2_2_00ADDEE0 | |
| Source: | Code function: | 2_2_00ADDE10 | |
| Source: | Code function: | 2_2_00ADDFB0 | |
| Source: | Code function: | 2_2_00ADE080 | |
| Source: | Code function: | 2_2_00A767E0 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 2_2_00A74DD0 | |
| Source: | Code function: | 2_2_00A6E1D0 | |
| Source: | Code function: | 2_2_00AD18A0 | |
| Source: | Code function: | 2_2_00A75DA0 | |
| Source: | Code function: | 2_2_00A76050 | |
| Source: | Code function: | 2_2_00AE48A0 | |
| Source: | Code function: | 2_2_00AE4A30 | |
| Source: | Code function: | 2_2_00AE4B00 | |
| Source: | Code function: | 2_2_00AE4C20 | |
| Source: | Code function: | 2_2_00AE4D70 | |
| Source: | Code function: | 2_2_00A6E58B | |
| Source: | Code function: | 2_2_00A6D1F4 | |
| Source: | Code function: | 2_2_00AE5330 | |
| Source: | Code function: | 2_2_00AE5630 | |
| Source: | Code function: | 2_2_00AE5770 | |
| Source: | Code function: | 2_2_00AE58C0 | |
| Source: | Code function: | 2_2_00AE5F80 | |
| Source: | Code function: | 2_2_00AE6F40 | |
| Source: | Code function: | 2_2_00A6E90F | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 2 Bootkit | 1 Access Token Manipulation | 2 Bootkit | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Access Token Manipulation | LSASS Memory | 3 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | Virustotal | Browse | ||
| 4% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1670048 |
| Start date and time: | 2025-04-21 04:12:14 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Critical Process Termination |
| Sample name: | ForkieByKKosty4ka.exe |
| Detection: | MAL |
| Classification: | mal60.evad.winEXE@1/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, SI HClient.exe, SgrmBroker.exe, s vchost.exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29, 20. 109.210.53 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , ctldl.windowsupdate.com, pro d.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edg ekey.net, fs-wildcard.microsof t.com.edgekey.net.globalredir. akadns.net, e16604.dscf.akamai edge.net, c.pki.goog, dns.msft ncsi.com, fe3cr.delivery.mp.mi crosoft.com
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.488603955904169 |
| TrID: |
|
| File name: | ForkieByKKosty4ka.exe |
| File size: | 972'288 bytes |
| MD5: | 94ea622991260a77c641a89b0fdda267 |
| SHA1: | 9193d2daf9efa2865a36155533603ca8b95c2be9 |
| SHA256: | 284c8b2f5b187d6b221d60da2fe055cd3a0f083546cea9b122f4327eef477ed1 |
| SHA512: | f6ad1ce37e917b3cb03800a13ca52ac691affe2ef4d558fd161406707dc86c9f7630038e8dc589f94bdecf97ac47d62a1ec1ed3cc5c360cff880e9505b3127df |
| SSDEEP: | 12288:DoSQzU9QWLWiiOuuXAu42Acd/oNTpRJ/PLDscuHcqS8n8:8pU9QWMumcd/oNTpTnLwZJn8 |
| TLSH: | EB25D502A7A43C54F8B626F957BF63E89B2DF8E01314D0CB51C01AED962DAE17C31796 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.../.../...;..."...;.......;...=...............>.......<...;...(.../...q.............L...../.$.............Rich/.......... |
 | |
| Icon Hash: | 17170f6d2b2d2d13 |
| Entrypoint: | 0x44ffdf |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6039F43A [Sat Feb 27 07:26:50 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | c3cb5b63856746e4235505d18ac02137 |
| Instruction |
|---|
| jmp 00007FD3508FB651h |
| jmp 00007FD35092F8FCh |
| jmp 00007FD350934C57h |
| jmp 00007FD35097B392h |
| jmp 00007FD35096532Dh |
| jmp 00007FD3508FC398h |
| jmp 00007FD35090E913h |
| jmp 00007FD35094822Eh |
| jmp 00007FD35098CCB9h |
| jmp 00007FD3508FF824h |
| jmp 00007FD350978FFFh |
| jmp 00007FD350957C5Ah |
| jmp 00007FD350969BE5h |
| jmp 00007FD35090C800h |
| jmp 00007FD35099032Dh |
| jmp 00007FD350923E56h |
| jmp 00007FD350962D71h |
| jmp 00007FD350951E8Ch |
| jmp 00007FD35097B247h |
| jmp 00007FD35092D012h |
| jmp 00007FD35090464Dh |
| jmp 00007FD3508FADE6h |
| jmp 00007FD35094F603h |
| jmp 00007FD350906D6Eh |
| jmp 00007FD3509903F1h |
| jmp 00007FD35094BF04h |
| jmp 00007FD35092865Fh |
| jmp 00007FD3509077FAh |
| jmp 00007FD3508FFAA5h |
| jmp 00007FD3509558C0h |
| jmp 00007FD35092D0CBh |
| jmp 00007FD35098CB6Bh |
| jmp 00007FD350985801h |
| jmp 00007FD3509352DCh |
| jmp 00007FD35095DF07h |
| jmp 00007FD350961322h |
| jmp 00007FD35092930Dh |
| jmp 00007FD35096E358h |
| jmp 00007FD35092BDE3h |
| jmp 00007FD3508FD06Eh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11a240 | 0x50 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11d000 | 0x1bdd3 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x139000 | 0x4b10 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1147f0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x114828 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x11a000 | 0x240 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .textbss | 0x1000 | 0x4be95 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .text | 0x4d000 | 0xa3997 | 0xa3a00 | a734d6070b2f2aa730251fa96f1c02d5 | False | 0.27788686497326204 | data | 5.454126167322379 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xf1000 | 0x25a6a | 0x25c00 | da83f385f6ea407808982bafffe84705 | False | 0.17560663286423842 | data | 3.428532913864218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x117000 | 0x25b0 | 0x1000 | f8fe2ceaa14e754a052a9468d800a37a | False | 0.123291015625 | data | 1.770321824723131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x11a000 | 0xd78 | 0xe00 | 7bf0bbd61d6d83007d7aea3f65b7a08f | False | 0.3482142857142857 | data | 4.551611089189057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .msvcjmc | 0x11b000 | 0x116 | 0x200 | 1a9d52a62a070d7f046386b7c4039a8e | False | 0.03125 | Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001" | 0.2288780584184795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x11c000 | 0x109 | 0x200 | 11a8d5e1e06af3a6d0c38f68ccbf53a7 | False | 0.03515625 | data | 0.11055713125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x11d000 | 0x1bdd3 | 0x1be00 | 432fcbc05562f115e27dbd1bd78809d9 | False | 0.099679442264574 | data | 3.6099294776359274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x139000 | 0x5a2f | 0x5c00 | d987c05411d734a182c1af845b223cc3 | False | 0.6224949048913043 | data | 6.014243707282866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x11d780 | 0x115a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | Russian | Russia | 0.33340837460603334 |
| RT_ICON | 0x11e8e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Russian | Russia | 0.09408315565031983 |
| RT_ICON | 0x11f788 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Russian | Russia | 0.11507220216606498 |
| RT_ICON | 0x120030 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Russian | Russia | 0.12427745664739884 |
| RT_ICON | 0x120598 | 0x90b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.791792656587473 |
| RT_ICON | 0x120ea8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia | 0.03235710911667454 |
| RT_ICON | 0x1250d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.04595435684647303 |
| RT_ICON | 0x127678 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.075046904315197 |
| RT_ICON | 0x128720 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.15070921985815602 |
| RT_ICON | 0x128c10 | 0x115a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | Russian | Russia | 0.33340837460603334 |
| RT_ICON | 0x129d70 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Russian | Russia | 0.09408315565031983 |
| RT_ICON | 0x12ac18 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Russian | Russia | 0.11507220216606498 |
| RT_ICON | 0x12b4c0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Russian | Russia | 0.12427745664739884 |
| RT_ICON | 0x12ba28 | 0x90b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.791792656587473 |
| RT_ICON | 0x12c338 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia | 0.03235710911667454 |
| RT_ICON | 0x130560 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.04595435684647303 |
| RT_ICON | 0x132b08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.075046904315197 |
| RT_ICON | 0x133bb0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.15070921985815602 |
| RT_MENU | 0x1340a0 | 0x5c | data | Russian | Russia | 0.8913043478260869 |
| RT_DIALOG | 0x134110 | 0x120 | data | Russian | Russia | 0.6180555555555556 |
| RT_STRING | 0x134230 | 0x38 | data | Russian | Russia | 0.6607142857142857 |
| RT_ACCELERATOR | 0x134100 | 0x10 | data | Russian | Russia | 1.25 |
| RT_GROUP_ICON | 0x128b88 | 0x84 | data | Russian | Russia | 0.6590909090909091 |
| RT_GROUP_ICON | 0x134018 | 0x84 | data | Russian | Russia | 0.6515151515151515 |
| RT_MANIFEST | 0x134268 | 0x184 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5979381443298969 |
| DLL | Import |
|---|---|
| KERNEL32.dll | WriteFile, CloseHandle, Sleep, GetCurrentProcess, ExitProcess, SetFilePointerEx, GetProcAddress, LoadLibraryA, ReadConsoleW, DecodePointer, FlushFileBuffers, GetConsoleMode, SetFilePointer, ReadFile, CreateThread, CreateFileA, GetCurrentThreadId, IsDebuggerPresent, RaiseException, MultiByteToWideChar, WideCharToMultiByte, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, GetModuleHandleW, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, VirtualQuery, FreeLibrary, InterlockedPushEntrySList, InterlockedFlushSList, GetModuleFileNameW, LoadLibraryExW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, GetModuleHandleExW, GetStdHandle, HeapValidate, GetSystemInfo, GetFileType, OutputDebugStringW, WriteConsoleW, SetConsoleCtrlHandler, GetCurrentThread, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, HeapReAlloc, HeapSize, HeapQueryInformation, GetFileSizeEx, GetConsoleOutputCP, CreateFileW |
| USER32.dll | MessageBoxA, MessageBoxW |
| ADVAPI32.dll | AdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Russian | Russia |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
| Target ID: | 2 |
| Start time: | 22:13:17 |
| Start date: | 20/04/2025 |
| Path: | C:\Users\user\Desktop\ForkieByKKosty4ka.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa20000 |
| File size: | 972'288 bytes |
| MD5 hash: | 94EA622991260A77C641A89B0FDDA267 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
| Execution Coverage: | 0.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 55.8% |
| Total number of Nodes: | 129 |
| Total number of Limit Nodes: | 14 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
