Edit tour
Windows
Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe |
| Analysis ID: | 1532612 |
| MD5: | 9bb41dd377bd7e4f5ce55360442df5fa |
| SHA1: | ba3933e2f821eb60f90c0234a144eae3c202f9ab |
| SHA256: | bc71709ab6556ee1c4b72df4bd46e592d5ad94511f17bb24f7944e3d28a13217 |
| Tags: | exe |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Classification
- System is w10x64
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe (PID: 7532 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Heuristic. HEUR.AGEN. 1319884.13 784.6616.e xe" MD5: 9BB41DD377BD7E4F5CE55360442DF5FA) 
conhost.exe (PID: 7540 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Code function: | 0_2_00402402 | |
| Source: | Code function: | 0_2_00401C0A | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00402402 | |
| Source: | Code function: | 0_2_00401C0A | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00404259 | |
| Source: | Code function: | 0_2_0040A50C | |
| Source: | Code function: | 0_2_0040A50C | |
| Source: | Code function: | 0_2_0040A50C | |
| Source: | Code function: | 0_2_00402DE0 | |
| Source: | Code function: | 0_2_00401180 | |
| Source: | Code function: | 0_2_00402D00 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 3% | ReversingLabs | |||
| 2% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1319884 |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1532612 |
| Start date and time: | 2024-10-13 18:36:06 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 58s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@2/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe, PID 7532 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.1775593869194605 |
| TrID: |
|
| File name: | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe |
| File size: | 94'378 bytes |
| MD5: | 9bb41dd377bd7e4f5ce55360442df5fa |
| SHA1: | ba3933e2f821eb60f90c0234a144eae3c202f9ab |
| SHA256: | bc71709ab6556ee1c4b72df4bd46e592d5ad94511f17bb24f7944e3d28a13217 |
| SHA512: | 051576c9370fe6cbbd0314e266427a4cd39e2ea609157b923071d12072171df9f4c6b9553da46751606fe1dcfe9ea9bc6dec41a9efd4cbf9f88f1dc98f7512a5 |
| SSDEEP: | 1536:BTwPKXqE4wpm4nmhEqTIm4gKN2Pw5sR3aATksIOQyeM:2LE4VLzTKNF5sJk/OQyeM |
| TLSH: | 9D93E8E136DA4CE6EA80873C40D3E235653CFDE0CA674B17A628B6311B12B913ED7759 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...YO.f....X.....'......:...n................@..............................P.......+........ ............................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4014e0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | |
| Time Stamp: | 0x66DB4F59 [Fri Sep 6 18:52:09 2024 UTC] |
| TLS Callbacks: | 0x402f10 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 2e7eb90296eecc4070a6e01756f917bb |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [000055F5h] |
| mov dword ptr [eax], 00000000h |
| call 00007F88D532519Fh |
| call 00007F88D532361Ah |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax+00h] |
| nop word ptr [eax+eax+00000000h] |
| dec eax |
| sub esp, 28h |
| call 00007F88D53265D4h |
| dec eax |
| test eax, eax |
| sete al |
| movzx eax, al |
| neg eax |
| dec eax |
| add esp, 28h |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec eax |
| lea ecx, dword ptr [00000009h] |
| jmp 00007F88D5323969h |
| nop dword ptr [eax+00h] |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| push ebp |
| push ebx |
| dec eax |
| sub esp, 000000C8h |
| dec eax |
| lea ebp, dword ptr [esp+00000080h] |
| dec eax |
| lea ecx, dword ptr [00004AA2h] |
| call 00007F88D5326548h |
| dec eax |
| mov dword ptr [ebp+38h], eax |
| dec eax |
| cmp dword ptr [ebp+38h], 00000000h |
| je 00007F88D5323B5Bh |
| dec eax |
| lea eax, dword ptr [ebp-11h] |
| dec eax |
| mov ecx, eax |
| call 00007F88D5324FFDh |
| dec eax |
| lea ecx, dword ptr [ebp-11h] |
| dec eax |
| mov edx, dword ptr [ebp+38h] |
| dec eax |
| lea eax, dword ptr [ebp-40h] |
| dec ecx |
| mov eax, ecx |
| dec eax |
| mov ecx, eax |
| call 00007F88D5324F86h |
| dec eax |
| lea eax, dword ptr [ebp-60h] |
| dec eax |
| lea edx, dword ptr [ebp-40h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa000 | 0x1484 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7000 | 0x408 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x6640 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xa3fc | 0x370 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x39d0 | 0x3a00 | bdb094b267df445835421068083f85ca | False | 0.5119207974137931 | data | 5.837674320735723 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x5000 | 0xd0 | 0x200 | 451b2706ca9afdf6400177aa4903059f | False | 0.1328125 | data | 0.8091241115352077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x6000 | 0xbac | 0xc00 | 0e329a0e669eb638de73a255f0a319a6 | False | 0.435546875 | data | 4.301819997212616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .pdata | 0x7000 | 0x408 | 0x600 | 30457931d1e871f300354be0212bd840 | False | 0.3697916666666667 | data | 3.0506747130120404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .xdata | 0x8000 | 0x518 | 0x600 | ece7d407eb7792367c031485e2954e6b | False | 0.3763020833333333 | data | 4.22171820334505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x9000 | 0x980 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xa000 | 0x1484 | 0x1600 | 330adc7b7bdaffaa69ed6c2f9b740555 | False | 0.2702414772727273 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.510574065804716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0xc000 | 0x68 | 0x200 | ecd52873df11312502a6cff23fbbe7cb | False | 0.068359375 | data | 0.2694448386073115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xd000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| /4 | 0xe000 | 0x50 | 0x200 | bbc92d299452795933a0d3c230f03e71 | False | 0.0703125 | data | 0.2123006574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /19 | 0xf000 | 0x1f08 | 0x2000 | 90ce22180dd119967abbc40756bbdae3 | False | 0.4593505859375 | data | 5.822398830664757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /31 | 0x11000 | 0x149 | 0x200 | 5d291f74219487bffd06356d36f3a0e4 | False | 0.375 | data | 3.2872917906726884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /45 | 0x12000 | 0x222 | 0x400 | a9361b8d8e0473c697dea2bf351914e5 | False | 0.287109375 | data | 3.226557686933141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /57 | 0x13000 | 0x48 | 0x200 | 0af43945309a635e21b34a9759bc09bc | False | 0.119140625 | data | 0.6853378241542495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /70 | 0x14000 | 0x9b | 0x200 | 406b70665a5983d1f1682455c669f732 | False | 0.259765625 | data | 2.320780444544343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| libgcc_s_seh-1.dll | _Unwind_Resume |
| KERNEL32.dll | CloseHandle, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFileA, DeleteFileW, EnterCriticalSection, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, MoveFileA, OpenProcess, Process32First, Process32Next, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery |
| msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, getenv, malloc, memcpy, signal, strcmp, strlen, strncmp, system, vfprintf |
| libwinpthread-1.dll | nanosleep |
| USER32.dll | ShowWindow |
| libstdc++-6.dll | _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5c_strEv, _ZNKSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEE5c_strEv, _ZNSaIcEC1Ev, _ZNSaIcED1Ev, _ZNSaIwEC1Ev, _ZNSaIwED1Ev, _ZNSolsEPFRSoS_E, _ZNSolsEm, _ZNSt13basic_ostreamIwSt11char_traitsIwEElsEPFRS2_S3_E, _ZNSt13basic_ostreamIwSt11char_traitsIwEElsEm, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendEPKc, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendERKS4_, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6insertEyRKS4_, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EOS4_, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1ERKS4_, _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev, _ZNSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEE6appendEPKw, _ZNSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEEC1EOS4_, _ZNSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEEC1EPKwRKS3_, _ZNSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEEC1ERKS4_, _ZNSt7__cxx1112basic_stringIwSt11char_traitsIwESaIwEED1Ev, _ZNSt8ios_base4InitC1Ev, _ZNSt8ios_base4InitD1Ev, _ZSt4cerr, _ZSt4cout, _ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_, _ZSt4endlIwSt11char_traitsIwEERSt13basic_ostreamIT_T0_ES6_, _ZSt5wcerr, _ZSt5wcout, _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc, _ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKNSt7__cxx1112basic_stringIS4_S5_T1_EE, _ZStlsIwSt11char_traitsIwEERSt13basic_ostreamIT_T0_ES6_PKS3_, _ZStlsIwSt11char_traitsIwESaIwEERSt13basic_ostreamIT_T0_ES7_RKNSt7__cxx1112basic_stringIS4_S5_T1_EE, __gxx_personality_seh0 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:37:06 |
| Start date: | 13/10/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319884.13784.6616.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 94'378 bytes |
| MD5 hash: | 9BB41DD377BD7E4F5CE55360442DF5FA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 1 |
| Start time: | 12:37:06 |
| Start date: | 13/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
Function 00401C0A Relevance: 100.0, APIs: 45, Strings: 12, Instructions: 263COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401180 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 198sleepstringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DE0 Relevance: 12.0, APIs: 8, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A50C Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404259 Relevance: .0, Instructions: 4COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402755 Relevance: 70.2, APIs: 27, Strings: 13, Instructions: 157processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403300 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 283memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402283 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 77stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004018C5 Relevance: 12.0, APIs: 8, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004016C9 Relevance: 12.0, APIs: 8, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403130 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004018D6 Relevance: 10.5, APIs: 7, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004016DA Relevance: 10.5, APIs: 7, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004020DC Relevance: 9.0, APIs: 6, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040219F Relevance: 9.0, APIs: 6, Instructions: 37COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402A13 Relevance: 9.0, APIs: 6, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004026F7 Relevance: 9.0, APIs: 6, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402A4F Relevance: 7.5, APIs: 5, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402A3E Relevance: 7.5, APIs: 5, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A5C Relevance: 7.5, APIs: 5, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BBD Relevance: 7.5, APIs: 5, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402A60 Relevance: 6.0, APIs: 4, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401901 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401705 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A6D Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BCE Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403B30 Relevance: 5.0, APIs: 4, Instructions: 42COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|