Edit tour

Windows Analysis Report
km711n.exe

Overview

General Information

Sample name:	km711n.exe
Analysis ID:	1670111
MD5:	85ca37c7f4ee5781b33eb2d80c17e923
SHA1:	db2466d397331194fe939d08a33ff62681a0268d
SHA256:	afd090984a3ece5530dbdb934197d452f327d0f06688c83e57a25c69635072cc
Infos:

Detection

Sliver

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Sliver Implants

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Classification

Process Tree

System is w10x64_ra

km711n.exe (PID: 5252 cmdline: "C:\Users\user\Desktop\km711n.exe" MD5: 85CA37C7F4EE5781B33EB2D80C17E923)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Sliver	According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.	No Attribution	https://asec.ahnlab.com/en/47088/ https://asec.ahnlab.com/en/55652/ https://asec.ahnlab.com/en/56941/ https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
km711n.exe	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
km711n.exe	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xd0c0cb:$a1: ).RequestResend 0xcfb24b:$a2: ).GetPrivInfo
km711n.exe	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0xa44e87:$s3: .WGTCPForwarder 0xa45c81:$s3: .WGTCPForwarder 0xa47c03:$s3: .WGTCPForwarder 0xa48546:$s3: .WGTCPForwarder 0xa4ae01:$s3: .WGTCPForwarder 0xa4bc14:$s3: .WGTCPForwarder 0xa40b9b:$s6: .BackdoorReq 0xa44de5:$s7: .ProcessDumpReq 0xa47a5c:$s8: .InvokeSpawnDllReq 0xa3bcc8:$s9: .SpawnDll 0xa40cd3:$s9: .SpawnDll

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1109283367.000000C00016A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000002.1109283367.000000C000138000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000002.1109283367.000000C000166000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000000.1104984814.00000000012E3000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000000.1104984814.000000000154D000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000000.1104984814.000000000154D000.00000002.00000001.01000000.00000003.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x804cb:$a1: ).RequestResend 0x6f64b:$a2: ).GetPrivInfo
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: km711n.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

Malicious sample detected (through community Yara rule)

Source: km711n.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: km711n.exe, type: SAMPLE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000000.1104984814.000000000154D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown

Source: km711n.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: km711n.exe, type: SAMPLE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000000.1104984814.000000000154D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14

Source: classification engine

Classification label: mal56.troj.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\km711n.exe

File opened: C:\Windows\system32\00f26352cd11593d22a9c7dbec26d9a2ef9814ada29fa2f1a0d1e1d39af9843dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: km711n.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\km711n.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\km711n.exe

File read: C:\Users\user\Desktop\km711n.exe

Source: C:\Users\user\Desktop\km711n.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\km711n.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\km711n.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\km711n.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\km711n.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\km711n.exe	Section loaded: winhttp.dll

Source: km711n.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: km711n.exe

Static file information: File size 17377280 > 1048576

Source: km711n.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa21600
Source: km711n.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x602e00

Source: km711n.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: km711n.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\km711n.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\km711n.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\km711n.exe

Queries volume information: C:\Users\user\Desktop\km711n.exe VolumeInformation

Stealing of Sensitive Information

Yara detected Sliver Implants

Source: Yara match	File source: km711n.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.1109283367.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1109283367.000000C000138000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1109283367.000000C000166000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1104984814.00000000012E3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1104984814.000000000154D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Sliver Implants

Source: Yara match	File source: km711n.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.1109283367.000000C00016A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1109283367.000000C000138000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1109283367.000000C000166000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1104984814.00000000012E3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1104984814.000000000154D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	12 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1670111
Start date and time:	2025-04-21 05:34:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	km711n.exe
Detection:	MAL
Classification:	mal56.troj.winEXE@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.114383063680728
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	km711n.exe
File size:	17'377'280 bytes
MD5:	85ca37c7f4ee5781b33eb2d80c17e923
SHA1:	db2466d397331194fe939d08a33ff62681a0268d
SHA256:	afd090984a3ece5530dbdb934197d452f327d0f06688c83e57a25c69635072cc
SHA512:	e1a38d2e52ff2732da90ff03cc03c72bff2f28077b81a3fbd17ba221c12ff926e3439b04099240c16033c0a1e2939db17613e623e736d487d20e771c45e370fb
SSDEEP:	98304:Z3fbx4y2SYVeZAXr0Zcqq5Gqe0JHeOz1saz/MJeqcIEox9EQhxh:pjx0rCq5Bei+Q1bLMJeqchoxH
TLSH:	70071903F4D611D4C4F9D1B489258272BA71785C0B7963DB2BA1F7A42B327F09E7AB90
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........&........".........."................@..............................P............`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45d0e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Entrypoint Preview

Instruction
jmp 00007F4A844FA2A0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [01065D23h]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007F4A844FDF6Eh
dec eax
mov eax, 00000000h
jmp 00007F4A844FE033h
dec eax
mov edx, dword ptr [edx]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10d7000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10d8000	0x2b39a	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1026040	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa214fd	0xa21600	f691c17be49c459bab6ac1b1dced485d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa23000	0x602c88	0x602e00	0eb27375e993c02f73f990a85f3db47b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1026000	0xb0550	0x42200	51d34de6b12c4f2129525db90c2f7836	False	0.3885758801984877	data	4.761555515996491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10d7000	0x490	0x600	33eff7ffb87dac62176eb4faa579b545	False	0.3365885416666667	data	3.7228114832174795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x10d8000	0x2b39a	0x2b400	b0e8b137e2dc4cbd701d6b8d20bc9f71	False	0.13596233742774566	data	5.4426107756440585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x1104000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
kernel32.dll	WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report km711n.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
km711n.exe