Windows Analysis Report: T858989498.exe
Overview
General Information
Detection
Score: 64 (range 0 - 100)
Confidence: 100%
Signatures
Classification
- System is w10x64
- T858989498.exe (PID 7560, cmdline: "C:\Users\user\Desktop\T858989498.exe", MD5: 2E32380EECB399E8F85CF30E8A4F6BA7)
  - dfrgui.exe (PID 2420, cmdline: C:\windows\syswow64\dfrgui.exe, MD5: 1167953AFDD83E704CE79B8814E54D69)
Matched signature categories:
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection
- Virustotal (detection rate in the scanner table below)
- ReversingLabs
- Static PE information

Further signature hits (report order)
- TCP traffic: 1 hit; TCP traffic detected without corresponding DNS query: 10 hits
- Binary or memory string: 4 hits
- Static PE information: 1 hit; Classification label: 1 hit
- Key opened: 2 hits
- Virustotal: 1 hit; ReversingLabs: 1 hit
- Process created: 3 hits
- Section loaded: 8 hits
- Static file information: 1 hit; Static PE information: 1 hit
- Code function: 9_2_1477ABC0, 9_2_131955BC
- Window / User API: 1 hit
- Evasive API call chain: graph_9-6854
- API coverage: 1 hit
- Thread sleep count: 2 hits; Thread sleep time: 3 hits
- Last function: 3 hits
- Thread delayed: 3 hits
- Binary or memory string: 1 hit
- API call chain: graph_9-7896

Anti Debugging
- Debugger detection routine: graph_9-6843
- Code function: 9_2_131A1BBF, 9_2_1477ABC0, 9_2_131B2105, 9_2_131ACCC5, 9_2_131A1BBF, 9_2_13194662

HIPS / PFW / Operating System Protection Evasion
- Memory allocated: 1 hit
- Memory written: 3 hits
- Process created: 1 hit
- Code function: 9_2_131B170D, 9_2_131BB331, 9_2_131BB79C, 9_2_131BB3D8, 9_2_131BBA97, 9_2_131BB136, 9_2_131BB549, 9_2_131BB9C8, 9_2_131BB423, 9_2_131BB4BE, 9_2_131BB8C2, 9_2_131B1CC6, 9_2_13181AF4

The 9_2_ prefix on these function IDs (and the 9 in the graph IDs) refers to target 9, dfrgui.exe, whose image base is 0xda0000 and whose file is 97,280 bytes. Addresses 0x13181AF4 to 0x1477ABC0 lie far outside that image, so every anti-debugging and evasion routine the sandbox found in dfrgui.exe sits in memory that was allocated and written into the process (the Memory allocated / Memory written hits above), not in dfrgui.exe's own code. That is the process injection finding in one line: the legitimate system binary is only a host for the sample's unpacked code.
MITRE ATT&CK techniques matched (the numeric prefix is the report's match count; template entries without a count are omitted)
- Execution: 2 Native API
- Persistence: 1 DLL Side-Loading
- Privilege Escalation: 311 Process Injection, 1 DLL Side-Loading
- Defense Evasion: 111 Virtualization/Sandbox Evasion, 311 Process Injection, 1 DLL Side-Loading, 1 Obfuscated Files or Information
- Discovery: 1 System Time Discovery, 111 Security Software Discovery, 111 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 12 System Information Discovery
- Command and Control: 1 Non-Standard Port
Detection | Scanner | Label |
---|---|---|
46% | Virustotal | |
53% | ReversingLabs | Win32.Trojan.Strictor |

IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
5.42.221.140 | unknown | Iraq | 198802 | MIDYAIQ | false |

The Malicious column is the reputation lookup for the address itself, not a verdict on this sample's traffic to it.
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1670595
Start date and time: 2025-04-21 22:41:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: T858989498.exe
Detection: MAL
Classification: mal64.evad.winEXE@3/0@0/1
HCA Information: Failed
Cookbook Comments:
- Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 184.29.183.29, 131.253.33.254, 4.245.163.56
- Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analysed; the report is missing behavior information
Time | Type | Description |
---|---|---|
16:42:18 | API Interceptor | |
16:43:48 | API Interceptor | |

The second interceptor event falls two seconds after dfrgui.exe started (16:43:46 on the sandbox clock) and matches, to the second, the first SYN to 5.42.221.140 in the network table (22:43:48 on the report's CEST clock, which runs six hours ahead of the sandbox clock).
Related samples by contacted IP 5.42.221.140: 2 further submissions, both classified malicious, threat name unknown.
Related samples by ASN MIDYAIQ (198802): 10 further submissions, all classified malicious, threat name unknown.
File name: T858989498.exe
File size: 21'199'360 bytes
Entropy (8bit): 6.1619146188962945
MD5: 2e32380eecb399e8f85cf30e8a4f6ba7
SHA1: 6217ece3cf61036c583b632555b5b26c4a275ac8
SHA256: 24cdb0aaafbf6e551f5ef4b0d12a3bfe3edb4ba9e66a3bce4d23db2e55c82d7b
SHA512: 56fd4b87a52606ffa7682825c9dce62835211dcfc78953b4797302a7b6a930444c5c8f66c0ff04b25f01165652c4f46194f6ab1ecec516fd3e3ef5931ff7f17b
SSDEEP: 49152:9l/orA4rWaOVruZFMCVHcX47nEnfvvWKKkn80BLwZkQAuTXqj9RNI7BL4rxddHus:9l/Ebc
TLSH: D7273311BFF54D7AC5BC5238B8BF5F0C1B706E504818D5EB23D4A88F662BB82581B2E5
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7...
Icon Hash: 1cfac2d2c2d2c2d8
Entrypoint: 0x46a884
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: none listed
Time Stamp: 0x6805CA8E [Mon Apr 21 04:33:18 2025 UTC]
TLS Callbacks: none listed
CLR (.Net) Version: none (native binary)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 38d37983c9eb8f477e3a62c02cbb3400

The MZP DOS stub, the .itext code section and the obsolete BYTES_REVERSED_LO/HI characteristics are fingerprints of the Borland/Delphi linker, consistent with the "Programmed in: Borland Delphi" verdict in the process table. Delphi VCL applications share most of their import table, so the import hash is a weak pivot. The link timestamp (04:33:18 UTC) precedes the analysis start (20:41:11 UTC the same day) by about 16 hours; if it has not been forged, the build was fresh when submitted. The file is unsigned.
Entrypoint disassembly (first instructions at 0x46a884 in .itext):
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00469130h
call 00007FAB88C191DEh
xor eax, eax
push ebp
push 0046A9DBh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000000h
push 00000064h
call 00007FAB88C7B837h
xor ecx, ecx
mov dl, 01h
mov eax, dword ptr [0044A1C8h]
call 00007FAB88C5F931h
mov edx, 0046A9F4h
call 00007FAB88C4AD7Bh
xor eax, eax
push ebp
push 0046A8F8h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [00476894h]
call 00007FAB88C653F3h
mov dl, 01h
mov eax, dword ptr [00476890h]
mov si, FFB4h
call 00007FAB88C16443h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FAB88C7D0FCh
jmp 00007FAB88C16700h
call 00007FAB88C16B0Bh
mov eax, dword ptr [0046F6ECh]
mov byte ptr [eax], 00000000h
xor eax, eax
push ebp
push 0046A936h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [00476894h]
call 00007FAB88C653AFh
mov eax, dword ptr [00476890h]
call 00007FAB88C4E655h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FAB88C7D101h
jmp 00007FAB88C166C2h
call 00007FAB88C713E1h
call 00007FAB88C16AC8h
call 00007FAB88C7B72Bh
mov eax, 00000088h

This is ordinary Delphi run-time start-up: `mov eax, 00469130h` followed by a call is the usual @InitExe call with the unit initialisation table, and each `xor eax, eax / push ebp / push <handler> / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp` sequence installs the SEH frame the compiler emits for a try block, with the matching `pop edx / pop ecx / pop ecx / mov dword ptr fs:[eax], edx` unwinding it. None of this is the packer or the evasion logic; the routines the signatures fired on live in memory inside dfrgui.exe (the 9_2_ function IDs above).
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x77000 | 0x2672 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x13bf800 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x7604 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x7b000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7774c | 0x5f8 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x68460 | 0x68600 | 61fc3f2021f6c6819621ddb855d7aada | False | 0.5166541916167665 | data | 6.548853032018104 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x6a000 | 0xa1c | 0xc00 | 1aff11072ee38892948217a08b02b3bc | False | 0.5276692708333334 | data | 5.714325025286978 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x6b000 | 0x4934 | 0x4a00 | b2df5a6f7255dc9c857c45ab86b5bf2b | False | 0.5140413851351351 | data | 5.16112904051681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x70000 | 0x68a0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x77000 | 0x2672 | 0x2800 | 885bef561476cb5b81f17a607e786c5d | False | 0.3099609375 | data | 5.080213932432005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x7a000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x7b000 | 0x18 | 0x200 | 459a4935b407f13c11734f71f14d8bfa | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7c000 | 0x7604 | 0x7800 | 7167033f69dbb419bdac4d28d56fdd7d | False | 0.6189778645833334 | data | 6.635938913782678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x84000 | 0x13bf800 | 0x13bf800 | 5bde8bd0a8224a3991c9d86c8b6ebbb8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

The .rsrc section is 0x13bf800 = 20,707,328 bytes, 97.7% of the 21,199,360-byte file, while all executable code fits in .text and .itext (about 430 KB raw). The whole-file entropy of 6.16 therefore describes the resources, not the code.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RTYUI | 0x84c20 | 0x13862ac | ASCII text, with very long lines (65536), with no line terminators | English | United States | 0.7574520111083984 |
UNICODEDATA | 0x140aecc | 0x723f | data | - | - | 0.36769583205115053 |
UNICODEDATA | 0x141210c | 0x7ebd | data | - | - | 0.42552011095700415 |
UNICODEDATA | 0x1419fcc | 0x6a8 | data | - | - | 0.5985915492957746 |
UNICODEDATA | 0x141a674 | 0xaf7d | data | - | - | 0.4191430161380078 |
UNICODEDATA | 0x14255f4 | 0xd3cf | data | - | - | 0.4500857569666009 |
UNICODEDATA | 0x14329c4 | 0x14c5 | data | - | - | 0.6482979123565921 |
RT_CURSOR | 0x1433e8c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x1433fc0 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x14340f4 | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x1434228 | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x143435c | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x1434490 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x14345c4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_ICON | 0x14346f8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | - | - | 0.1050425129900803 |
RT_ICON | 0x1438920 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | - | - | 0.12105809128630705 |
RT_ICON | 0x143aec8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | - | - | 0.15877110694183866 |
RT_ICON | 0x143bf70 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | - | - | 0.20573770491803278 |
RT_ICON | 0x143c8f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | - | - | 0.2730496453900709 |
RT_STRING | 0x143cd60 | 0x1cc | data | - | - | 0.4608695652173913 |
RT_STRING | 0x143cf2c | 0x798 | data | - | - | 0.15637860082304528 |
RT_STRING | 0x143d6c4 | 0x85c | data | - | - | 0.14626168224299066 |
RT_STRING | 0x143df20 | 0x888 | data | - | - | 0.1446886446886447 |
RT_STRING | 0x143e7a8 | 0x7b4 | data | - | - | 0.16835699797160245 |
RT_STRING | 0x143ef5c | 0x920 | data | - | - | 0.12585616438356165 |
RT_STRING | 0x143f87c | 0x9fc | data | - | - | 0.128716744913928 |
RT_STRING | 0x1440278 | 0x58c | data | - | - | 0.2795774647887324 |
RT_STRING | 0x1440804 | 0x268 | data | - | - | 0.37662337662337664 |
RT_STRING | 0x1440a6c | 0x204 | data | - | - | 0.38953488372093026 |
RT_STRING | 0x1440c70 | 0x114 | data | - | - | 0.5833333333333334 |
RT_STRING | 0x1440d84 | 0x118 | data | - | - | 0.5857142857142857 |
RT_STRING | 0x1440e9c | 0x174 | data | - | - | 0.5268817204301075 |
RT_STRING | 0x1441010 | 0x2e8 | data | - | - | 0.46639784946236557 |
RT_STRING | 0x14412f8 | 0xc0 | data | - | - | 0.6770833333333334 |
RT_STRING | 0x14413b8 | 0x258 | data | - | - | 0.48833333333333334 |
RT_STRING | 0x1441610 | 0x3d8 | data | - | - | 0.3851626016260163 |
RT_STRING | 0x14419e8 | 0x37c | data | - | - | 0.41816143497757846 |
RT_STRING | 0x1441d64 | 0x418 | data | - | - | 0.36736641221374045 |
RT_STRING | 0x144217c | 0x140 | data | - | - | 0.515625 |
RT_STRING | 0x14422bc | 0xcc | data | - | - | 0.6127450980392157 |
RT_STRING | 0x1442388 | 0x1ec | data | - | - | 0.5345528455284553 |
RT_STRING | 0x1442574 | 0x3b0 | data | - | - | 0.326271186440678 |
RT_STRING | 0x1442924 | 0x354 | data | - | - | 0.4107981220657277 |
RT_STRING | 0x1442c78 | 0x2a4 | data | - | - | 0.4363905325443787 |
RT_RCDATA | 0x1442f1c | 0x10 | data | - | - | 1.5 |
RT_RCDATA | 0x1442f2c | 0x4b0 | data | - | - | 0.6575 |
RT_GROUP_CURSOR | 0x14433dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x14433f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x1443404 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1443418 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x144342c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1443440 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1443454 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x1443468 | 0x4c | data | - | - | 0.8026315789473685 |
RT_VERSION | 0x14434b4 | 0x31c | data | - | - | 0.4158291457286432 |

RTYUI is a custom resource type holding a single 0x13862ac = 20,472,492-byte blob that libmagic identifies only as ASCII text with very long lines and no line terminators; it is almost the entire file. A ZLIB complexity near 0.75 is the ratio a 6-bits-per-character text encoding (base64 or similar) of incompressible data compresses to, so the blob should be treated as a probable encoded, encrypted or compressed second stage until it has been decoded. The "Targa image data" and "Lotus unknown worksheet" labels on the RT_CURSOR and RT_GROUP_CURSOR entries are libmagic misreads of small cursor structures, not embedded images or spreadsheets; the icon, string and version resources are the normal Delphi VCL set.
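The first thing to do with the dumped RTYUI bytes is to find out whether the "ASCII text" is a standard encoding of a binary payload. The following is an added triage example, not code from the report or from Joe Sandbox: it guesses the alphabet (hex, base64, base64url), decodes, and checks whether the result carries a PE header. The report does not say which encoding RTYUI uses; the sample blobs below are constructed (a fake MZ/PE header plus random bytes), not taken from the file.

```python
"""Triage a large text-typed resource: is it an encoded second stage?

Added example, not Joe Sandbox code. The report identifies the 0x13862ac-byte RTYUI
resource only as "ASCII text, with very long lines, with no line terminators"; which
encoding it uses, if any, is unknown. SAMPLE_* blobs are constructed for this example.
"""
import base64
import binascii
import math
import random
import string
from collections import Counter

HEX_CHARS = set(string.hexdigits.encode())
B64_CHARS = set((string.ascii_letters + string.digits + "+/=").encode())
B64URL_CHARS = set((string.ascii_letters + string.digits + "-_=").encode())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Base64 text tops out near 6.0; encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def guess_alphabet(blob: bytes):
    """Return 'hex', 'base64', 'base64url' or None from the byte alphabet alone."""
    used = set(blob)
    if used <= HEX_CHARS and len(blob) % 2 == 0:
        return "hex"
    if used <= B64_CHARS:
        return "base64"
    if used <= B64URL_CHARS:
        return "base64url"
    return None


def decode(blob: bytes):
    """(alphabet, decoded bytes or None). A plausible alphabet with bad padding decodes to None."""
    enc = guess_alphabet(blob)
    try:
        if enc == "hex":
            return enc, binascii.unhexlify(blob)
        if enc == "base64":
            return enc, base64.b64decode(blob, validate=True)
        if enc == "base64url":
            return enc, base64.urlsafe_b64decode(blob + b"=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        pass
    return enc, None


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_resource(blob: bytes) -> dict:
    enc, decoded = decode(blob)
    result = {"size": len(blob), "alphabet": enc, "text_entropy": round(shannon_entropy(blob), 2),
              "decoded_size": None, "decoded_entropy": None, "decoded_is_pe": False}
    if decoded is not None:
        result.update(decoded_size=len(decoded),
                      decoded_entropy=round(shannon_entropy(decoded), 2),
                      decoded_is_pe=looks_like_pe(decoded))
    return result


# Constructed sample: fake PE (MZ stub, e_lfanew -> PE\0\0, random body) wrapped in base64 and hex.
_rng = random.Random(2025)
_hdr = bytearray(0x80)
_hdr[0:2] = b"MZ"
_hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
SAMPLE_PAYLOAD = bytes(_hdr) + b"PE\0\0" + _rng.randbytes(4096)
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD)
SAMPLE_HEX = binascii.hexlify(SAMPLE_PAYLOAD)
SAMPLE_PROSE = b"This program must be run under Win32 and is not an encoded blob."

if __name__ == "__main__":
    for name, blob in (("base64", SAMPLE_B64), ("hex", SAMPLE_HEX), ("prose", SAMPLE_PROSE)):
        print(name, triage_resource(blob))
```

If the real blob decodes to high-entropy data that is not a PE, the next layer is a cipher or compressor applied before the text encoding, and the key or algorithm has to come from the code that runs inside dfrgui.exe; if it does not match any standard alphabet, the alphabet itself is the first thing to recover from that code.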
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA |
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, 
DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt |
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
kernel32.dll | lstrcpyA, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringW, CompareStringA, CloseHandle |
advapi32.dll | RegQueryValueExW, RegQueryValueExA, RegOpenKeyExW, RegOpenKeyExA, RegFlushKey, RegCloseKey |
kernel32.dll | Sleep |
oleaut32.dll | GetErrorInfo, SysFreeString |
ole32.dll | CoUninitialize, CoInitialize |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
kernel32.dll | GetVersionExA |

This is the ordinary Delphi VCL import profile (window, GDI, registry, OLE and image-list calls). It contains no networking imports (no ws2_32, wininet or winhttp) and none of the cross-process calls (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) that the Memory allocated / Memory written behaviour requires. With GetProcAddress, LoadLibraryA and LoadLibraryExA present, those are resolved at run time by code that is not in the static image, which is why static scanning of the import table says nothing about what the sample does.
Description | Data |
---|---|
CompanyName | AGLResources |
FileDescription | VertexSystems |
FileVersion | 7.8.9.8 |
InternalName | VertexSystems |
LegalCopyright | VertexSystems |
LegalTrademarks | VertexSystems |
OriginalFilename | VertexSystems |
ProductName | VertexSystems |
ProductVersion | 7.8.9.8 |
Comments | |
Translation | 0x100a 0x04e4 (language ID 0x100a has primary language 0x0a, Spanish; code page 0x04e4 is 1252, Windows Latin-1) |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |

The Spanish translation ID of the version resource does not match the English (United States) language tag carried by the cursor and RTYUI resources.
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 21, 2025 22:43:48.685729980 CEST | 49723 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:43:49.697673082 CEST | 49723 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:43:51.714415073 CEST | 49723 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:43:55.713313103 CEST | 49723 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:44:03.728981018 CEST | 49723 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:44:09.838978052 CEST | 49724 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:44:10.854100943 CEST | 49724 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:44:12.869651079 CEST | 49724 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:44:16.895538092 CEST | 49724 | 7455 | 192.168.2.4 | 5.42.221.140 |
Apr 21, 2025 22:44:24.900875092 | 49724 | 7455 | 192.168.2.4 | 5.42.221.140 |

Two connection attempts (source ports 49723 and 49724), five packets each, spaced about 1, 2, 4 and 8 seconds apart: the exponential back-off of a SYN being retransmitted because no SYN-ACK arrived. No DNS query preceded either attempt, so 5.42.221.140:7455 is embedded in the sample. This is consistent with the C2 being down, or filtering the sandbox, for the whole run; the beacon content and any second stage it would deliver are therefore not in this report, and the analysis ended on Timeout with both processes still alive.
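The retransmission pattern is worth checking mechanically rather than by eye, because a dead C2 changes how much the rest of the report can be trusted. The following is an added example, not code from the report or from Joe Sandbox: it groups the flow rows above by connection attempt, tests whether the inter-packet gaps double (the SYN retransmission schedule), and answers whether any attempt got past the handshake. FLOW_ROWS is copied from the network table; the report shows no return traffic, so "unanswered" is inferred from the timing, not observed.

```python
"""Recognise unanswered-SYN back-off in a sandbox flow table.

Added example, not Joe Sandbox code. FLOW_ROWS is the report's network table
(CEST timestamps as printed). Only outbound rows are available, so the verdict
rests on the retransmission timing rather than on seeing a missing SYN-ACK.
"""
from collections import defaultdict
from datetime import datetime

FLOW_ROWS = [
    ("Apr 21, 2025 22:43:48.685729980", 49723, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:43:49.697673082", 49723, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:43:51.714415073", 49723, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:43:55.713313103", 49723, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:44:03.728981018", 49723, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:44:09.838978052", 49724, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:44:10.854100943", 49724, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:44:12.869651079", 49724, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:44:16.895538092", 49724, 7455, "192.168.2.4", "5.42.221.140"),
    ("Apr 21, 2025 22:44:24.900875092", 49724, 7455, "192.168.2.4", "5.42.221.140"),
]

_EPOCH = datetime(1970, 1, 1)


def parse_ts(text: str) -> float:
    """'Apr 21, 2025 22:43:48.685729980' -> seconds (naive; only differences are used).
    strptime stops at microseconds, so the nanosecond tail is trimmed."""
    head, frac = text.rsplit(".", 1)
    base = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    return (base - _EPOCH).total_seconds() + int(frac[:6].ljust(6, "0")) / 1e6


def group_by_flow(rows):
    """Bucket packets by (src, sport, dst, dport); one bucket is one connect() attempt."""
    flows = defaultdict(list)
    for ts, sport, dport, src, dst in rows:
        flows[(src, sport, dst, dport)].append(parse_ts(ts))
    return {k: sorted(v) for k, v in flows.items()}


def gaps(times):
    return [b - a for a, b in zip(times, times[1:])]


def is_syn_backoff(times, tolerance=0.3):
    """True when each inter-packet gap is about double the previous one (1, 2, 4, 8 s ...):
    the stack is retransmitting a SYN because no SYN-ACK arrived. Traffic on an
    established connection does not pace itself this way."""
    g = gaps(times)
    if len(g) < 2:
        return False
    return all(abs(cur - 2 * prev) <= tolerance * 2 * prev for prev, cur in zip(g, g[1:]))


def assess(rows):
    """One record per flow, in order of first packet, with the retransmission verdict."""
    out = []
    for (src, sport, dst, dport), times in sorted(group_by_flow(rows).items(), key=lambda kv: kv[1][0]):
        out.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "packets": len(times),
            "span_s": round(times[-1] - times[0], 1),
            "gaps_s": [round(x, 1) for x in gaps(times)],
            "unanswered_syn": is_syn_backoff(times),
        })
    return out


def c2_reached(rows) -> bool:
    """False when every attempt looks like unanswered SYNs, i.e. no handshake completed."""
    return any(not r["unanswered_syn"] for r in assess(rows))


if __name__ == "__main__":
    for r in assess(FLOW_ROWS):
        print(r)
    print("C2 answered during the run:", c2_reached(FLOW_ROWS))
```

When `c2_reached` is false, treat every behavioural absence in the report (no files dropped, no persistence, no further processes) as unknown rather than as evidence that the sample does nothing more; re-detonate with the address sinkholed to a fake listener on 7455, or with a recorded response if one is available, before drawing conclusions about the second stage.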
Target ID: 0
Start time: 16:42:17
Start date: 21/04/2025
Path: C:\Users\user\Desktop\T858989498.exe
Wow64 process (32bit): true
Commandline: see the process tree above
Imagebase: 0x400000
File size: 21'199'360 bytes
MD5 hash: 2E32380EECB399E8F85CF30E8A4F6BA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: false

Target ID: 9
Start time: 16:43:46
Start date: 21/04/2025
Path: C:\Windows\SysWOW64\dfrgui.exe
Wow64 process (32bit): true
Commandline: see the process tree above
Imagebase: 0xda0000
File size: 97'280 bytes
MD5 hash: 1167953AFDD83E704CE79B8814E54D69
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

dfrgui.exe is the 32-bit copy of Microsoft's Drive Optimizer (disk defragmenter) UI, a legitimate Windows component. Here it was started with a bare command line by an unsigned executable running from the user's Desktop, roughly 90 seconds into the sample's run, and memory was then allocated and written inside it; the anti-debugging and evasion code functions and the C2 beacon all follow from target 9. Both processes were still running when the analysis hit its timeout, so there is no clean-exit or post-beacon behaviour to report.
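The process-tree and network pattern above is detectable on an endpoint without any knowledge of this particular sample. The following is an added example, not code from the report or from Joe Sandbox: it runs two rules over Sysmon-style events (EventID 1 process creation, 3 network connection, 22 DNS query) constructed from the report's process and network tables. Two fields are assumptions because the report does not state them: explorer.exe as the parent of the sample, and dfrgui.exe (PID 2420) as the process that opened the TCP connection.

```python
"""Flag a system binary launched bare from a user-profile path, then a connection from
it to a non-standard port with no DNS answer for the destination.

Added example, not Joe Sandbox code. EVENTS mirrors the report (sandbox clock). Assumed,
because the report does not say: the parent of the sample is explorer.exe, and the TCP
connect was made by dfrgui.exe (PID 2420). Field names follow Sysmon event data.
"""
import ipaddress
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Destination ports a system UI or a desktop app is expected to use; heuristic, tune per environment.
EXPECTED_PORTS = {80, 443}

EVENTS = [
    {"EventID": 1, "UtcTime": "2025-04-21 16:42:17", "ProcessId": 7560,
     "Image": r"C:\Users\user\Desktop\T858989498.exe",
     "CommandLine": r'"C:\Users\user\Desktop\T858989498.exe"',
     "ParentProcessId": 4000, "ParentImage": r"C:\Windows\explorer.exe"},   # parent assumed
    {"EventID": 1, "UtcTime": "2025-04-21 16:43:46", "ProcessId": 2420,
     "Image": r"C:\Windows\SysWOW64\dfrgui.exe",
     "CommandLine": r"C:\windows\syswow64\dfrgui.exe",
     "ParentProcessId": 7560, "ParentImage": r"C:\Users\user\Desktop\T858989498.exe"},
    {"EventID": 3, "UtcTime": "2025-04-21 16:43:48", "ProcessId": 2420,              # attribution assumed
     "Image": r"C:\Windows\SysWOW64\dfrgui.exe", "Protocol": "tcp",
     "DestinationIp": "5.42.221.140", "DestinationPort": 7455},
]


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _bare_launch(image: str, cmdline: str) -> bool:
    """True when the command line is nothing but the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()


def _resolved_ips(ev: dict) -> set[str]:
    """IP answers from a Sysmon EventID 22 QueryResults string ('type: 5 x;::ffff:1.2.3.4;')."""
    out = set()
    for tok in ev.get("QueryResults", "").split(";"):
        tok = tok.strip().removeprefix("::ffff:")
        try:
            out.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            continue   # record-type markers and CNAME targets are not addresses
    return out


def detect(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    resolved: set[str] = set()          # every IP any process received from DNS
    hollow_candidates: dict[int, str] = {}  # pid -> image of bare-launched system binaries
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 22:
            resolved |= _resolved_ips(ev)
        elif ev["EventID"] == 1:
            image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
            if (image.startswith(SYSTEM_DIRS) and "\\users\\" in parent
                    and _bare_launch(ev["Image"], ev["CommandLine"])):
                hollow_candidates[ev["ProcessId"]] = ev["Image"]
                alerts.append(Alert("system-binary-bare-launch-from-user-path", ev["ProcessId"],
                                    f"{ev['Image']} started with no arguments by {ev['ParentImage']}"))
        elif ev["EventID"] == 3:
            ip = ev["DestinationIp"]
            if ipaddress.ip_address(ip).is_private:
                continue
            reasons = []
            if ev["ProcessId"] in hollow_candidates:
                reasons.append("source is a bare-launched system binary")
            if ip not in resolved:
                reasons.append("destination never appeared in a DNS answer")
            if ev["DestinationPort"] not in EXPECTED_PORTS:
                reasons.append(f"non-standard port {ev['DestinationPort']}")
            if len(reasons) >= 2:   # any single reason is noisy on its own
                alerts.append(Alert("c2-beacon-candidate", ev["ProcessId"],
                                    f"{ev['Image']} -> {ip}:{ev['DestinationPort']}; " + "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The first rule fires on the process tree alone and is the higher-value one: dfrgui.exe is normally started by explorer.exe, mmc.exe or the scheduled-task host, never with an empty argument list by something in a user profile. The second rule requires two of three weak signals so that a lone connection to an odd port, or a lone missing DNS answer (common with hard-coded CDN addresses), does not page anyone.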
Execution Graph
Execution Coverage: 2.5%
Dynamic/Decrypted Code Coverage: 7.4%
Signature Coverage: 6.9%
Total number of Nodes: 1128
Total number of Limit Nodes: 3