Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FBEC778F85341774DE2B32ABB7AAFF98)
  - WerFault.exe (PID: 5812 cmdline: C:\Windows\system32\WerFault.exe -u -p 6500 -s 1384 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
AV Detection |
---|
Source: | Avira |
Source: | ReversingLabs |
Source: | Joe Sandbox ML |
Source: | Static PE information |
Source: | String found in binary or memory |
Source: | Process created |
Source: | Binary or memory string (3 entries) |
Source: | Classification label |
Source: | Mutant created (2 entries) |
Source: | File created |
Source: | Static PE information |
Source: | Key opened |
Source: | ReversingLabs |
Source: | Process created (2 entries) |
Source: | Section loaded (4 entries) |
Source: | Static PE information (2 entries) |
Source: | Static file information |
Source: | Static PE information (14 entries) |
Source: | Code function: 0_2_00007FF67B6A3F90 |
Source: | Static PE information |
Source: | Code function: 0_2_00007FF67B6A6AB0, 0_2_00007FF67B6A6D7C, 0_2_00007FF67B6A5FF0, 0_2_00007FF67B6A8204, 0_2_00007FF67B6A5FF0 |
Source: | Process information set (56 entries) |
Source: | Binary or memory string (29 entries) |
Source: | Process queried (2 entries) |
Source: | Code function: 0_2_00007FF67B6A3F90 |
Source: | Memory allocated |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | NtMapViewOfSection |
Source: | Queries volume information (2 entries) |
Source: | Code function: 0_2_00007FF67B79EC4C |
Source: | Binary or memory string (4 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Abuse Elevation Control Mechanism | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
file.exe | 21% | ReversingLabs | Win64.Trojan.Generic | |
file.exe | 100% | Avira | TR/ATRAPS.Gen2 | |
file.exe | 100% | Joe Sandbox ML | | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431862 |
Start date and time: | 2024-04-25 21:58:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal64.evad.winEXE@2/5@0/0 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 104.208.16.94
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: file.exe
Time | Type | Description |
---|---|---|
21:59:01 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_27c76d217e7db32957fa7abe56b83776a3685_227d8efd_7922f88d-aa2a-4d2c-9ec8-5d144dfb4073\Report.wer
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7437706375885127 |
Encrypted: | false |
SSDEEP: | 192:xxBqbvVPgy50VGSaI3jXuzuiFPZ24lO8QxB:hYVYPVGSpjezuiFPY4lO8QH |
MD5: | 43C1121FD7A200106F66E629383BD142 |
SHA1: | 181CF09C60F111BA5766EF3100E45B5D839A5ACE |
SHA-256: | 238C68B62D865F4AD752E16C8ED2E2259D50D23B927C830D39D80C5D3F6D4017 |
SHA-512: | C294698B0FDFCAC794C8D344D3D147ABC7BAA3BA6F39E6F947740C062768233FEA0E0248E45DD58870E312982343BC9D7C692F0BFC3D29BCE7D784A1787FFE3D |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 169848 |
Entropy (8bit): | 3.0721334383995664 |
Encrypted: | false |
SSDEEP: | 1536:QEiFkuBujLggHibBQg9tS7esiA8BkyWNk0e:biFkRj5US7hJ |
MD5: | B016D2074ED61793F068751EA9443042 |
SHA1: | EB9D63570E9F6F89F72482A29F31E90FF3E0132B |
SHA-256: | 153074677F5CCE7C4E2B85E643EBEFDEB761605016B457896F0D780521021B09 |
SHA-512: | 2D1756D9F9D3F188F99C5FA7FEFDE2F0921A32940DBB7E57805F27FB8B6871F233301C8A1203090DAFEA2957F56605FDE1FDD25E2672AFAAEA757B83A8D79BED |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8538 |
Entropy (8bit): | 3.6997427572270865 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJhCe8Dv6Y9elwgmfBrJRpr3q89b+Ulfoqm:R6lXJN8Dv6YklwgmfLP+efk |
MD5: | 6DA9218711C1210B64FA529E7EEB5368 |
SHA1: | F3AFA8FBFAB992159C64B8E7F160F795CA83986F |
SHA-256: | CB2FC7FD3EF5AE38CF0479C41B6AE6C0A21D7642E43B0B5B43E0730A0B4AF6E2 |
SHA-512: | 236BCFB1422785246BBD217F7DBFD141203D03654A4097D543E3DDD7564ABFC9933AA636803B36AE51D613303926204C4B447ABCEE0E6384D4DEAFE02795450B |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4723 |
Entropy (8bit): | 4.479372905483836 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zs7Jg771I9KVWpW8VYJYm8M4J7NrrFEyq857DPPED+7asAmd:uIjfVI7Fk7VhJ7VC8D0D+7asfd |
MD5: | F91189813615EC788A35DEBD2679309F |
SHA1: | 4074DEBE46818CAD6ED700EA0129C888B4C5829C |
SHA-256: | BBFDD8B0EB565A95F36130446B3B2F0919A60839307F443EE13B2D5B463691E6 |
SHA-512: | A89198D874FDDDD3FF9B1D2124B4C2D338234838FD7494D4AD740BD7935147446A8C48AF48C1C982695ABC7CE89F14D58AD36BF4ED3ED64BD412DDDCC425DE51 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.465889814896879 |
Encrypted: | false |
SSDEEP: | 6144:BIXfpi67eLPU9skLmb0b4YWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbX:CXD94YWlLZMM6YFH1+X |
MD5: | DCF305B41C06A18F1A32076DAEB0ABAB |
SHA1: | 88DB16DA56572B7BC822163A83202C6C6F87C8E7 |
SHA-256: | 20C18BA10D545FE45EA9FED247241FF4395BB948D62C2488D1BC93AB6A4D6EBA |
SHA-512: | 95F727ADDBEB41BC551E043079CBF9D5CF78DE54F5542C2EC26EA713C2DA1A71101EB3E0EB067E8BD58E6C4190DFB2443E88F5524E606988D1D03D5C67B5DCBE |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 6.102212805681943 |
TrID: | |
File name: | file.exe |
File size: | 1'620'992 bytes |
MD5: | fbec778f85341774de2b32abb7aaff98 |
SHA1: | 945531568035c569fb61b036a257c07a85954c3c |
SHA256: | bcce85eac3795965ef9359dc8d4366121887b7265a45c7749da4a85acc4e3808 |
SHA512: | d8a28a1360eaf99ba0647becd474b3a51608b66285c7f679b02f5f73812c29ae0e0e8aecab87daeee5ed6cfd72492fae83e93bc9897054091aeaa589dda60944 |
SSDEEP: | 24576:wRzV4+t4yoPahuXo613HHW8xz9h+GKKdLM+Eg/Tb:wRe+t4RCh+TlWq/+gdX |
TLSH: | 7E7519072B3B4A9DC51184BED67A1163D95C7D0CD024F8B98EC44A05BF62FA06A7E7EC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x;a.+;a.+;a.+p..*>a.+p..*1a.+...*.a.+...*+a.+...**a.+p..*.a.+p..*<a.+;a.+.a.+;a.+9a.+...*:a.+V..*8a.+..,+:a.+...*:a.+Rich;a. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x1400fe9f8 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x661D6EA8 [Mon Apr 15 18:15:04 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 2ca1f7af050d22fd80a619bcf1246004 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F1094F7E100h |
dec eax |
add esp, 28h |
jmp 00007F1094F7DD2Fh |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F1094F7E684h |
test eax, eax |
je 00007F1094F7DED3h |
dec eax |
mov eax, dword ptr [00000030h] |
dec eax |
mov ecx, dword ptr [eax+08h] |
jmp 00007F1094F7DEB7h |
dec eax |
cmp ecx, eax |
je 00007F1094F7DEC6h |
xor eax, eax |
dec eax |
cmpxchg dword ptr [0008FFE8h], ecx |
jne 00007F1094F7DEA0h |
xor al, al |
dec eax |
add esp, 28h |
ret |
mov al, 01h |
jmp 00007F1094F7DEA9h |
int3 |
int3 |
int3 |
dec eax |
sub esp, 28h |
test ecx, ecx |
jne 00007F1094F7DEB9h |
mov byte ptr [0008FFD1h], 00000001h |
call 00007F1094F7E491h |
call 00007F1094F7E85Ch |
test al, al |
jne 00007F1094F7DEB6h |
xor al, al |
jmp 00007F1094F7DEC6h |
call 00007F1094F8309Fh |
test al, al |
jne 00007F1094F7DEBBh |
xor ecx, ecx |
call 00007F1094F7E86Ch |
jmp 00007F1094F7DE9Ch |
mov al, 01h |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
cmp byte ptr [0008FF98h], 00000000h |
mov ebx, ecx |
jne 00007F1094F7DF19h |
cmp ecx, 01h |
jnbe 00007F1094F7DF1Ch |
call 00007F1094F7E5FAh |
test eax, eax |
je 00007F1094F7DEDAh |
test ebx, ebx |
jne 00007F1094F7DED6h |
dec eax |
lea ecx, dword ptr [0008FF82h] |
call 00007F1094F82EBEh |
test eax, eax |
jne 00007F1094F7DEC2h |
dec eax |
lea ecx, dword ptr [0008FF8Ah] |
call 00007F1094F7DFAEh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x159bbc | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x193000 | 0x668 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x190000 | 0x1068 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x194000 | 0x668 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1584e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1583a0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10e000 | 0x678 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x10c210 | 0x10c400 | cf069fca81dcb5358722b4e6e3b2f83b | False | 0.44960009174044735 | data | 5.656884668685357 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x10e000 | 0x4d184 | 0x4d200 | e01c0fc253e40cc388a77dfa5af45094 | False | 0.7329695097244733 | dBase III DBT, version number 0, next free block index 1420532, 1st item "\236\247\025" | 6.300379726506215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x15c000 | 0x33bc8 | 0x2fe00 | 2ee7f066b09de60fbae9e64b8c6a9656 | False | 0.7388167020234987 | OpenPGP Secret Key | 5.8389121231663195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x190000 | 0x1068 | 0x1200 | 6f2853c38daa97f762de39f2c0e0f7ef | False | 0.4496527777777778 | data | 5.052342509461047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x192000 | 0x1f4 | 0x200 | b15ecf3c52ade70ca8f1740b1c18da73 | False | 0.51953125 | data | 4.170166079282163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x193000 | 0x668 | 0x800 | d65932c234353d2e182b4422b55dc15a | False | 0.36767578125 | data | 3.3405595161759307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x194000 | 0x668 | 0x800 | 910b2945bb4164c524fd69b57e4643f7 | False | 0.50634765625 | data | 4.894148520570021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x193200 | 0x468 | data | English | United States | 0.4601063829787234 |
RT_MANIFEST | 0x1930a0 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786 |
DLL | Import |
---|---|
KERNEL32.dll | GetModuleFileNameA, GetModuleFileNameW, LockResource, GlobalUnlock, GlobalCompact, GlobalUnfix, GlobalUnWire, LocalUnlock, LocalCompact, GetProcessAffinityMask, ConvertFiberToThread, CreateFiber, PulseEvent, GlobalDeleteAtom, DeleteAtom, SetMessageWaitingIndicator, DisableThreadLibraryCalls, EscapeCommFunction, GetCommMask, GetCommModemStatus, GetCommTimeouts, TransmitCommChar, PrepareTape, EraseTape, CreateTapePartition, GetTapeStatus, MulDiv, GetMailslotInfo, SetMailslotInfo, AddAtomW, GetNamedPipeHandleStateA, MapUserPhysicalPagesScatter, WriteConsoleW, SetInformationJobObject, AssignProcessToJobObject, IsProcessInJob, CreateMemoryResourceNotification, GetWriteWatch, SetProcessWorkingSetSize, FlushViewOfFile, SetSystemTimeAdjustment, GetNativeSystemInfo, GetVersion, GetThreadIOPendingFlag, SetProcessPriorityBoost, GetProcessPriorityBoost, GetProcessHandleCount, OpenProcess, GetThreadTimes, FlushInstructionCache, GetProcessId, SetPriorityClass, GetProcessVersion, GetThreadPriority, GetThreadPriorityBoost, GetCurrentProcessId, GetModuleHandleA, GetProcessTimes, WaitForMultipleObjects, CancelWaitableTimer, CreateEventW, CreateMutexW, WaitForSingleObject, ReleaseMutex, ReleaseSemaphore, ResetEvent, SetEvent, PostQueuedCompletionStatus, CreateIoCompletionPort, HeapCreate, GetNamedPipeHandleStateW, GetNamedPipeInfo, PeekNamedPipe, SetLastError, DecodeSystemPointer, EncodeSystemPointer, DecodePointer, EncodePointer, GetFileTime, GetFileInformationByHandle, FlushFileBuffers, FindNextChangeNotification, FindFirstFileExW, SetStdHandle, GetStdHandle, FreeResource, GetProcAddress, LoadLibraryA, ClearCommBreak, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, RtlPcToFileHeader, WriteFile, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle |
GDI32.dll | SetBrushOrgEx, SetBitmapDimensionEx, PolylineTo, PolyBezierTo, LPtoDP, PolyDraw, GetPath, AbortPath, GetDIBColorTable, SetWorldTransform, AngleArc, CopyEnhMetaFileW, SetTextJustification, SetTextAlign, SetROP2, SetPixelV, GetLayout, SetBoundsRect, SetDCPenColor, SetDCBrushColor, ResizePalette, PtVisible, MaskBlt, RemoveFontMemResourceEx, GetFontUnicodeRanges, GetFontLanguageInfo, GetTextExtentPoint32W, GetTextExtentPointW, GetSystemPaletteUse, GetSystemPaletteEntries, GetRandomRgn, GetRasterizerCaps, GetPaletteEntries, GetOutlineTextMetricsW, GetDIBits, GetMetaRgn, GetCharABCWidthsFloatW, GetCharWidthFloatW, GetBoundsRect, GetBitmapBits, GetDCPenColor, GetBkColor, GetROP2, FrameRgn, ExcludeClipRect, EnumFontFamiliesW, EnumFontFamiliesExW, Chord, CancelDC, Arc, AnimatePalette, GetTextAlign |
ADVAPI32.dll | GetUserNameW, DecryptFileW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 21:58:52 |
Start date: | 25/04/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\file.exe" |
Imagebase: | 0x7ff67b6a0000 |
File size: | 1'620'992 bytes |
MD5 hash: | FBEC778F85341774DE2B32ABB7AAFF98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 21:58:52 |
Start date: | 25/04/2024 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\system32\WerFault.exe -u -p 6500 -s 1384 |
Imagebase: | 0x7ff6633e0000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 4.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 33.3% |
Total number of Nodes: | 18 |
Total number of Limit Nodes: | 0 |
Function: | 00007FF67B6A3F90 |
Relevance: | 7.0, APIs: 2, Strings: 2, Instructions: 18 |
Tags: | library, loader, COMMON |
Uniqueness Score: | -1.00% |
Function: | 00007FF67B79EC4C |
Relevance: | 6.0, APIs: 4, Instructions: 39 |
Tags: | time, thread, COMMON |
Uniqueness Score: | -1.00% |
Function: | 00007FF67B6A3FF0 |
Relevance: | 14.0, APIs: 4, Strings: 4, Instructions: 35 |
Tags: | library, loader, COMMON |
Uniqueness Score: | -1.00% |