Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
esphvcioffattkingstore444d7.exe

Overview

General Information

Sample name:esphvcioffattkingstore444d7.exe
Analysis ID:1592718
MD5:b9c7dff0cf35f581d4f922c835762246
SHA1:728aa2cd04b2c028c269389c5361e3fd4f6d8c03
SHA256:9022cdebf7bda58adf55b7203c4d7665c5def2c34a0590f503f0ad993feaf93a
Tags:exemalwaretrojanuser-Joker
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • esphvcioffattkingstore444d7.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe" MD5: B9C7DFF0CF35F581D4F922C835762246)
    • conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: esphvcioffattkingstore444d7.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: esphvcioffattkingstore444d7.exeVirustotal: Detection: 43%Perma Link
Source: esphvcioffattkingstore444d7.exeReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 82.5% probability
Machine Learning detection for sample
Source: esphvcioffattkingstore444d7.exeJoe Sandbox ML: detected
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_fd9ca4cd-f
Source: esphvcioffattkingstore444d7.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: <sD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: esphvcioffattkingstore444d7.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: esphvcioffattkingstore444d7.exeString found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: esphvcioffattkingstore444d7.exeString found in binary or memory: https://scripts.sil.org/OFLThis
Source: esphvcioffattkingstore444d7.exeString found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie
Source: esphvcioffattkingstore444d7.exeBinary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ
Source: classification engineClassification label: mal68.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: esphvcioffattkingstore444d7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: esphvcioffattkingstore444d7.exeVirustotal: Detection: 43%
Source: esphvcioffattkingstore444d7.exeReversingLabs: Detection: 55%
Source: esphvcioffattkingstore444d7.exeString found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryx/
Source: unknownProcess created: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe "C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe"
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: d3dx11_43.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: d3dcompiler_43.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeSection loaded: vcruntime140.dllJump to behavior
Source: esphvcioffattkingstore444d7.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: esphvcioffattkingstore444d7.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: esphvcioffattkingstore444d7.exeStatic file information: File size 4211712 > 1048576
Source: esphvcioffattkingstore444d7.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x11d000
Source: esphvcioffattkingstore444d7.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x28de00
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: esphvcioffattkingstore444d7.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: esphvcioffattkingstore444d7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: <sD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: esphvcioffattkingstore444d7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: esphvcioffattkingstore444d7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: esphvcioffattkingstore444d7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: esphvcioffattkingstore444d7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: esphvcioffattkingstore444d7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: esphvcioffattkingstore444d7.exeBinary or memory string: PROCESSHACKER.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: PROCMON.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: OLLYDBG.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: [ %.FM ] HEALTH RENDERED][ CR][VALORANT PLUS] - FPS: %.1FCPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WIN980C8DE97FFFFAD4C5E27B1E48A37561DDA18BD70D38E6D40AE0AC84529DAB4FDIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: esphvcioffattkingstore444d7.exeBinary or memory string: X64DBG.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: REGMON.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: WINDBG.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: FIDDLER.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: IDAQ.EXEH
Source: esphvcioffattkingstore444d7.exeBinary or memory string: PEID.EXEH
Source: esphvcioffattkingstore444d7.exeBinary or memory string: IDAG.EXEH
Source: esphvcioffattkingstore444d7.exeBinary or memory string: WIRESHARK.EXE
Source: esphvcioffattkingstore444d7.exeBinary or memory string: FILEMON.EXE
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exeCode function: 0_2_00007FF739FDB8F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF739FDB8F0
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: procmon.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OLLYDBG.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wireshark.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: procexp.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: LordPE.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: Tcpview.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: regmon.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
Process Injection		1
Process Injection		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
DLL Side-Loading		LSASS Memory11
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager2
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
esphvcioffattkingstore444d7.exe43%VirustotalBrowse
esphvcioffattkingstore444d7.exe55%ReversingLabsWin64.Spyware.AsyncRAT
esphvcioffattkingstore444d7.exe100%AviraHEUR/AGEN.1363336
esphvcioffattkingstore444d7.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://scripts.sil.org/OFLhttps://www.lexend.comBonnie0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://github.com/googlefonts/lexend)6_juesphvcioffattkingstore444d7.exefalse
    		high
    https://scripts.sil.org/OFLThisesphvcioffattkingstore444d7.exefalse
      		high
      https://scripts.sil.org/OFLhttps://www.lexend.comBonnieesphvcioffattkingstore444d7.exefalse
      • Avira URL Cloud: safe
      		unknown
      https://curl.haxx.se/docs/http-cookies.htmlesphvcioffattkingstore444d7.exefalse
        		high

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1592718
        Start date and time:2025-01-16 13:15:15 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 24s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:7
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:esphvcioffattkingstore444d7.exe
        Detection:MAL
        Classification:mal68.evad.winEXE@2/0@0/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 1
        Cookbook Comments:
        • Found application associated with file extension: .exe

        Warnings

        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 20.109.210.53
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target esphvcioffattkingstore444d7.exe, PID 7408 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:PE32+ executable (console) x86-64, for MS Windows
        Entropy (8bit):7.6772149250924535
        TrID:
        • Win64 Executable Console (202006/5) 92.65%
        • Win64 Executable (generic) (12005/4) 5.51%
        • Generic Win/DOS Executable (2004/3) 0.92%
        • DOS Executable Generic (2002/1) 0.92%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:esphvcioffattkingstore444d7.exe
        File size:4'211'712 bytes
        MD5:b9c7dff0cf35f581d4f922c835762246
        SHA1:728aa2cd04b2c028c269389c5361e3fd4f6d8c03
        SHA256:9022cdebf7bda58adf55b7203c4d7665c5def2c34a0590f503f0ad993feaf93a
        SHA512:df4447f83350af3eca2cde9c2ad41b65541cf93e6c20c475036fcea8e0aaa2f611b66f073acc9f0d00952d054b43f140fa9f9bd50712a355293a37bfe193c7b1
        SSDEEP:98304:PPT7MW4L1mhttYvhDo4CyZwg562/K5a6e6c8hDkDeRV:PPnMW5tYhoryEJg6cYV
        TLSH:B216F183A3A541E9C567C13C86479B1BE77174091720ABDB67E08E6A3F13BE16F3A350
        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............h...h...h....i..h.......h.......h.......h.......h.......h..n....h..k....h../....h../....h.......h..?:f..h...h...j.......h.

        File Icon

        Icon Hash:90cececece8e8eb0

        Static PE Info

        General

        Entrypoint:0x14011b1b8
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x140000000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x676B0B0C [Tue Dec 24 19:27:08 2024 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:1fe3c21b18f7d7b7d47141e2c678dd5b

        Entrypoint Preview

        Instruction
        dec eax
        sub esp, 28h
        call 00007F1558F51074h
        dec eax
        add esp, 28h
        jmp 00007F1558F507B7h
        int3
        int3
        dec eax
        sub esp, 28h
        dec ebp
        mov eax, dword ptr [ecx+38h]
        dec eax
        mov ecx, edx
        dec ecx
        mov edx, ecx
        call 00007F1558F50952h
        mov eax, 00000001h
        dec eax
        add esp, 28h
        ret
        int3
        int3
        int3
        inc eax
        push ebx
        inc ebp
        mov ebx, dword ptr [eax]
        dec eax
        mov ebx, edx
        inc ecx
        and ebx, FFFFFFF8h
        dec esp
        mov ecx, ecx
        inc ecx
        test byte ptr [eax], 00000004h
        dec esp
        mov edx, ecx
        je 00007F1558F50955h
        inc ecx
        mov eax, dword ptr [eax+08h]
        dec ebp
        arpl word ptr [eax+04h], dx
        neg eax
        dec esp
        add edx, ecx
        dec eax
        arpl ax, cx
        dec esp
        and edx, ecx
        dec ecx
        arpl bx, ax
        dec edx
        mov edx, dword ptr [eax+edx]
        dec eax
        mov eax, dword ptr [ebx+10h]
        mov ecx, dword ptr [eax+08h]
        dec eax
        mov eax, dword ptr [ebx+08h]
        test byte ptr [ecx+eax+03h], 0000000Fh
        je 00007F1558F5094Dh
        movzx eax, byte ptr [ecx+eax+03h]
        and eax, FFFFFFF0h
        dec esp
        add ecx, eax
        dec esp
        xor ecx, edx
        dec ecx
        mov ecx, ecx
        pop ebx
        jmp 00007F1558F509DEh
        int3
        dec eax
        mov eax, esp
        dec eax
        mov dword ptr [eax+08h], ebx
        dec eax
        mov dword ptr [eax+10h], ebp
        dec eax
        mov dword ptr [eax+18h], esi
        dec eax
        mov dword ptr [eax+20h], edi
        inc ecx
        push esi
        dec eax
        sub esp, 20h
        dec ecx
        mov ebx, dword ptr [ecx+38h]
        dec eax
        mov esi, edx
        dec ebp
        mov esi, eax
        dec eax
        mov ebp, ecx
        dec ecx
        mov edx, ecx
        dec eax
        mov ecx, esi
        dec ecx
        mov edi, ecx
        dec esp
        lea eax, dword ptr [ebx+04h]
        call 00007F1558F508B1h

        Rich Headers

        Programming Language:
        • [IMP] VS2008 SP1 build 30729

        Data Directories

        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x1653300x26c.rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x4060000x1e8.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x3f90000xccb4.pdata
        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x4070000x12c0.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x1510300x70.rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x1511000x28.rdata
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x150ef00x140.rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x11e0000xe80.rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

        Sections

        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x11cfb00x11d0005c79d850ba11632c35082892d8211948False0.5487553111293859data6.4857938431515025IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata0x11e0000x4ad340x4ae00977636b607b0d5b06d6b722514316092False0.4488568186560935data6.226494922395862IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x1690000x28f2280x28de008b2715d5f21a45d1b04fe33fc1a3fae1unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .pdata0x3f90000xccb40xce00de7cd3b771e7300e087da007927fcb96False0.4794258191747573data6.147952816912107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc0x4060000x1e80x200b7c1279fe16cf1ba4290285404663f54False0.5390625data4.768131151703051IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc0x4070000x12c00x14004c2a91967576ef50b87ea1645e259eb6False0.4064453125data5.30049024367891IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_MANIFEST0x4060600x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143

        Imports

        DLLImport
        d3dx11_43.dllD3DX11CreateShaderResourceViewFromMemory
        d3d11.dllD3D11CreateDeviceAndSwapChain
        D3DCOMPILER_43.dllD3DCompile
        KERNEL32.dllGetFileSizeEx, CreateFileMappingA, PeekNamedPipe, ReadFile, GetFileType, GetEnvironmentVariableA, InitializeCriticalSectionEx, DeleteCriticalSection, GetCurrentProcess, VirtualProtect, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, GetModuleFileNameA, GetModuleHandleW, QueryPerformanceCounter, FreeLibrary, VerSetConditionMask, WaitForSingleObjectEx, HeapFree, OutputDebugStringW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetProcAddress, QueryPerformanceFrequency, LoadLibraryA, GetModuleHandleA, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, GetFileAttributesW, lstrcmpiW, GetConsoleWindow, WideCharToMultiByte, CreateThread, CloseHandle, Process32FirstW, CreateFileA, Process32NextW, GetLastError, Sleep, MoveFileExA, GetTickCount, VerifyVersionInfoA, GetSystemDirectoryA, SleepEx, LeaveCriticalSection, EnterCriticalSection, CreateFileW, WaitForMultipleObjects, HeapDestroy, HeapAlloc, HeapSize, MultiByteToWideChar, CreateToolhelp32Snapshot, SetConsoleWindowInfo, TerminateProcess, DeviceIoControl, GetStdHandle, SetConsoleScreenBufferSize, SetConsoleTitleA, SetConsoleTextAttribute, HeapReAlloc, IsDebuggerPresent, QueryFullProcessImageNameW, LocalFree, SetLastError, FormatMessageA, GetProcessHeap
        USER32.dllOpenClipboard, CloseClipboard, EmptyClipboard, SetCursorPos, GetClipboardData, GetKeyState, GetWindow, DestroyWindow, keybd_event, SetCursor, LoadCursorW, SetWindowLongPtrW, GetCursorPos, UpdateWindow, FindWindowA, SetClipboardData, GetClientRect, TranslateMessage, SetLayeredWindowAttributes, GetForegroundWindow, ScreenToClient, MessageBoxA, PeekMessageW, ClientToScreen, DispatchMessageW, GetAsyncKeyState, GetSystemMetrics, SetWindowPos, GetWindowLongPtrW, ShowWindow
        ADVAPI32.dllOpenServiceW, StartServiceW, ControlService, DeleteService, OpenSCManagerW, CloseServiceHandle, QueryServiceStatus, CreateServiceW, OpenProcessToken, AddAccessAllowedAce, GetLengthSid, GetTokenInformation, InitializeAcl, IsValidSid, CryptEncrypt, CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGenRandom, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA, ConvertSidToStringSidA, CopySid, SetSecurityInfo
        SHELL32.dllShellExecuteA
        MSVCP140.dll?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UEAAXXZ, ??Bid@locale@std@@QEAA_KXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, _Mtx_unlock, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, _Xtime_get_ticks, _Query_perf_counter, _Thrd_sleep, _Cnd_do_broadcast_at_thread_exit, _Mtx_init_in_situ, _Mtx_lock, _Mtx_destroy_in_situ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?id@?$ctype@D@std@@2V0locale@2@A, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exceptions@std@@YAHXZ, ?_Throw_Cpp_error@std@@YAXH@Z, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, _Query_perf_frequency, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xbad_function_call@std@@YAXXZ
        dwmapi.dllDwmExtendFrameIntoClientArea
        WINHTTP.dllWinHttpReceiveResponse, WinHttpOpen, WinHttpOpenRequest, WinHttpConnect, WinHttpQueryOption, WinHttpSendRequest, WinHttpCloseHandle
        CRYPT32.dllCertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFindCertificateInStore, CertEnumCertificatesInStore, CertOpenStore, CertGetCertificateContextProperty, CertFreeCertificateChain, CertCloseStore, CertFreeCertificateContext
        IMM32.dllImmReleaseContext, ImmSetCompositionWindow, ImmGetContext, ImmSetCandidateWindow
        Normaliz.dllIdnToAscii
        WLDAP32.dll
        WS2_32.dllgetaddrinfo, __WSAFDIsSet, freeaddrinfo, ioctlsocket, listen, htonl, accept, recvfrom, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, sendto, gethostname, ntohl, socket, setsockopt, ntohs, htons, getsockopt, getsockname, select, getpeername, bind, WSAGetLastError, send, connect, recv, closesocket
        RPCRT4.dllUuidToStringA, RpcStringFreeA, UuidCreate
        PSAPI.DLLGetModuleInformation
        USERENV.dllUnloadUserProfile
        VCRUNTIME140_1.dll__CxxFrameHandler4
        VCRUNTIME140.dll__current_exception, __C_specific_handler, longjmp, strrchr, strchr, memset, memmove, __intrinsic_setjmp, memcmp, memchr, strstr, __std_terminate, __std_exception_copy, __std_exception_destroy, __current_exception_context, memcpy, _CxxThrowException
        api-ms-win-crt-runtime-l1-1-0.dllexit, _invalid_parameter_noinfo_noreturn, terminate, strerror, __sys_nerr, _invalid_parameter_noinfo, _resetstkoflw, system, _getpid, _beginthreadex, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _errno
        api-ms-win-crt-stdio-l1-1-0.dllfclose, __p__commode, __acrt_iob_func, _lseeki64, __stdio_common_vsprintf_s, fgetc, fflush, _read, feof, fputs, fopen, _write, _close, _open, __stdio_common_vfprintf, fputc, _pclose, fgets, fwrite, _set_fmode, __stdio_common_vsscanf, _wfopen, __stdio_common_vsprintf, fseek, ftell, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, setvbuf, _popen
        api-ms-win-crt-heap-l1-1-0.dllrealloc, _callnewh, malloc, free, _set_new_mode, calloc
        api-ms-win-crt-math-l1-1-0.dllasinf, acosf, atanf, ceilf, cos, cosf, fmodf, _dclass, tanf, powf, roundf, sin, sinf, sqrtf, __setusermatherr
        api-ms-win-crt-string-l1-1-0.dllstrncmp, strncpy, isupper, tolower, strpbrk, strcmp, _strdup, strspn, strcspn
        api-ms-win-crt-time-l1-1-0.dll_localtime64_s, _gmtime64, strftime, _time64
        api-ms-win-crt-convert-l1-1-0.dllatoi, strtod, strtoull, strtol, strtoul, strtoll
        api-ms-win-crt-utility-l1-1-0.dllqsort, rand
        api-ms-win-crt-filesystem-l1-1-0.dll_access, _lock_file, _unlink, _unlock_file, _fstat64, _stat64
        api-ms-win-crt-locale-l1-1-0.dlllocaleconv, _configthreadlocale

        Possible Origin

        Language of compilation systemCountry where language is spokenMap
        EnglishUnited States

        Network Behavior

        No network behavior found

        Statistics

        CPU Usage

        Click to jump to process

        Memory Usage

        Click to jump to process

        Behavior

        Click to jump to process

        System Behavior

        General

        Target ID:0
        Start time:07:16:14
        Start date:16/01/2025
        Path:C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe
        Wow64 process (32bit):false
        Commandline:"C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe"
        Imagebase:0x7ff739ec0000
        File size:4'211'712 bytes
        MD5 hash:B9C7DFF0CF35F581D4F922C835762246
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:false

        General

        Target ID:2
        Start time:07:16:14
        Start date:16/01/2025
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff68cce0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Disassembly

        Reset < >

          Non-executed Functions

          Function 00007FF739FDB8F0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
          Download Yara Rule
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.2571692262.00007FF739EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF739EC0000, based on PE: true
          • Associated: 00000000.00000002.2571676309.00007FF739EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2571769384.00007FF739FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2571814994.00007FF73A029000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2571830745.00007FF73A02A000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2571972295.00007FF73A2B9000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff739ec0000_esphvcioffattkingstore444d7.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 27c0ca1b344ab1cee752261c6d13e264ffd2da370c38fa2e77aaaf54833b21ea
          • Instruction ID: e3e5db45e382e37ffb36c08c713d9bd982cc7dd3b8aa95b761ae03f7ce4b66b1
          • Opcode Fuzzy Hash: 27c0ca1b344ab1cee752261c6d13e264ffd2da370c38fa2e77aaaf54833b21ea
          • Instruction Fuzzy Hash: 11115A26B14F069AEB00DF60E8452B873B4FB19758F840E31EA6D427A8EF38D155C350