Windows Analysis Report
app.exe

Overview

General Information

Sample name: app.exe
Analysis ID: 1436386
MD5: 75b9ef9142a78671d449c8d22ab6be14
SHA1: 0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256: e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
Tags: 185213208245exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name in its version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: app.exe Virustotal: Detection: 11%
Source: app.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024404D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue, 0_2_024404D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024404C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom, 0_2_024404C0
Source: app.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00427361 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00427361
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0243A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree, 0_2_0243A710
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02454B93 FindFirstFileExW, 0_2_02454B93
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0243FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree, 0_2_0243FEC0
Source: app.exe, 00000000.00000002.2022098881.0000000002300000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://POSTHTTP/1.1Content-Type:
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00424B38 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00424B38

System Summary

Source: app.exe Static PE information: section name: )m&
Source: app.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024302D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle, 0_2_024302D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024377D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_024377D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02419E36 AcquireSRWLockExclusive,AcquireSRWLockExclusive,NtDeviceIoControlFile,RtlNtStatusToDosError,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive, 0_2_02419E36
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040A44A: GetCurrentProcess,SetPriorityClass,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass, 0_2_0040A44A
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_004092DE 0_2_004092DE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00404358 0_2_00404358
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040941D 0_2_0040941D
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040964F 0_2_0040964F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040A770 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00407703 0_2_00407703
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_004077F6 0_2_004077F6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00409A38 0_2_00409A38
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00412AC0 0_2_00412AC0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00425B56 0_2_00425B56
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00407DBE 0_2_00407DBE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00404E54 0_2_00404E54
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00418E0E 0_2_00418E0E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F01BB 0_2_023F01BB
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024491D2 0_2_024491D2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0242E5F7 0_2_0242E5F7
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0240AA16 0_2_0240AA16
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F3ABA 0_2_023F3ABA
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02441862 0_2_02441862
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02401E40 0_2_02401E40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0240BD08 0_2_0240BD08
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02410225 0_2_02410225
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02413224 0_2_02413224
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02443239 0_2_02443239
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024272C2 0_2_024272C2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024342F5 0_2_024342F5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0241628E 0_2_0241628E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0243F340 0_2_0243F340
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D6320 0_2_023D6320
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244430E 0_2_0244430E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244632B 0_2_0244632B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244D3C0 0_2_0244D3C0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245D3D0 0_2_0245D3D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024153DD 0_2_024153DD
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023FC38E 0_2_023FC38E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02453389 0_2_02453389
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024613BD 0_2_024613BD
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023EA020 0_2_023EA020
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02413001 0_2_02413001
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0242E030 0_2_0242E030
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024420E3 0_2_024420E3
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023EB090 0_2_023EB090
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D3130 0_2_023D3130
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245E16F 0_2_0245E16F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0241B13B 0_2_0241B13B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DA1B0 0_2_023DA1B0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F11A0 0_2_023F11A0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02421180 0_2_02421180
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DB1F0 0_2_023DB1F0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245E605 0_2_0245E605
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D2670 0_2_023D2670
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023EB695 0_2_023EB695
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02430690 0_2_02430690
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0241C6AE 0_2_0241C6AE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E771C 0_2_023E771C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E670C 0_2_023E670C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E7754 0_2_023E7754
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D3790 0_2_023D3790
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E47F3 0_2_023E47F3
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02416468 0_2_02416468
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D3400 0_2_023D3400
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F2449 0_2_023F2449
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245F4C2 0_2_0245F4C2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024274D0 0_2_024274D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024234D6 0_2_024234D6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DE490 0_2_023DE490
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DB4C0 0_2_023DB4C0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02414544 0_2_02414544
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244352A 0_2_0244352A
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024085C9 0_2_024085C9
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024485F4 0_2_024485F4
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02408A44 0_2_02408A44
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023FBAB0 0_2_023FBAB0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E3AF8 0_2_023E3AF8
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02414A88 0_2_02414A88
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02441B40 0_2_02441B40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02412B5E 0_2_02412B5E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023FDB7B 0_2_023FDB7B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023FEB69 0_2_023FEB69
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02426B1B 0_2_02426B1B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245BB18 0_2_0245BB18
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F6B58 0_2_023F6B58
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D1B50 0_2_023D1B50
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DBB50 0_2_023DBB50
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DAB90 0_2_023DAB90
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245D844 0_2_0245D844
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0240585F 0_2_0240585F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D48A0 0_2_023D48A0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DF8EC 0_2_023DF8EC
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02443890 0_2_02443890
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024298A5 0_2_024298A5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E3962 0_2_023E3962
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D9950 0_2_023D9950
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E799F 0_2_023E799F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02431E40 0_2_02431E40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02460E40 0_2_02460E40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023FAE37 0_2_023FAE37
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02427E74 0_2_02427E74
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02419E36 0_2_02419E36
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02426ECC 0_2_02426ECC
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0241DEE0 0_2_0241DEE0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F7EF1 0_2_023F7EF1
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D6EC0 0_2_023D6EC0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02426F5B 0_2_02426F5B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E2F21 0_2_023E2F21
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0241CF7C 0_2_0241CF7C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F3C05 0_2_023F3C05
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02420C00 0_2_02420C00
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02407C09 0_2_02407C09
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023E2C6E 0_2_023E2C6E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F7C6F 0_2_023F7C6F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02426CC5 0_2_02426CC5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02445CD3 0_2_02445CD3
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023F7CA3 0_2_023F7CA3
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245DCE6 0_2_0245DCE6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023D2C90 0_2_023D2C90
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245FCA7 0_2_0245FCA7
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02412D42 0_2_02412D42
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02424D4A 0_2_02424D4A
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02417D14 0_2_02417D14
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02418D25 0_2_02418D25
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02426DD2 0_2_02426DD2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02434DD0 0_2_02434DD0
Source: C:\Users\user\Desktop\app.exe Code function: String function: 00416398 appears 132 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 0244DE90 appears 33 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 023D3D50 appears 96 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 00416EF8 appears 50 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 0245CAF0 appears 158 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 0245C9A0 appears 60 times
Source: app.exe, 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs app.exe
Source: app.exe Binary or memory string: OriginalFilename vs app.exe
Source: app.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: app.exe Binary string: Could not open \device\physicalmemory
Source: app.exe Binary string: Could not map view of %X length %XCould not open \device\physicalmemory\device\physicalmemoryRtlNtStatusToDosErrorNtMapViewOfSectionNtOpenSectionNtUnmapViewOfSectionntdll.dllRtlInitUnicodeString%c
Source: classification engine Classification label: mal76.evad.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02432A50 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree, 0_2_02432A50
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040A130 GetVersionExA,CoCreateInstance,CoSetProxyBlanket,VariantInit,lstrlenW,lstrcpynA,WideCharToMultiByte,_strcat, 0_2_0040A130
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00423119 EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_00423119
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Users\user\Desktop\app.exe Mutant created: \Sessions\1\BaseNamedObjects\hrzbaov
Source: app.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\app.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: app.exe Virustotal: Detection: 11%
Source: unknown Process created: C:\Users\user\Desktop\app.exe "C:\Users\user\Desktop\app.exe"
Source: C:\Users\user\Desktop\app.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\app.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: app.exe Static file information: File size 1290240 > 1048576
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress, 0_2_0042C59F
Source: app.exe Static PE information: section name: )m&
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00416398 push eax; ret 0_2_004163B6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415460 push eax; ret 0_2_00415474
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415460 push eax; ret 0_2_0041549C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0047EC7F push FFFFFFA1h; retf 0_2_0047EC82
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00416F33 push ecx; ret 0_2_00416F43
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024623AD push es; iretd 0_2_02462454
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0245C6A1 push ecx; ret 0_2_0245C6B4
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02463881 push eax; ret 0_2_02463882
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0246691F push eax; ret 0_2_02466997
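
The static findings in this section (a section named `)m&`, a `.text` section carrying IMAGE_SCN_MEM_WRITE next to CODE and EXECUTE, and RELOCS_STRIPPED in the file header) need no sandbox to reproduce and are the first thing to confirm on a second sample. A writable code section usually means the image unpacks or patches itself in place, which fits the low API coverage and the large amount of non-executed code reported further down. The following is an added example and is not part of the Joe Sandbox report or of app.exe: a section-table walker in plain Python (no pefile dependency) that applies the same three checks. The embedded header bytes are constructed for the demonstration, with two sections mirroring the report's findings; they are not bytes from the sample. Pass a file path to run it on a real PE.

```python
import struct

# Section characteristics (winnt.h)
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
# File-header characteristic reported on this page
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

# Names a linker normally emits; anything else is worth a look, not proof of packing.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                        ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".xdata"}


def parse_pe_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (file_characteristics, [(name, section_characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        sec_chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, sec_chars))
    return file_chars, sections


def triage_pe(pe: bytes):
    """Return (kind, section_name) findings for the checks the report applied."""
    file_chars, sections = parse_pe_sections(pe)
    findings = []
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append(("relocs-stripped", None))      # image cannot be rebased: no ASLR
    for name, sc in sections:
        if sc & IMAGE_SCN_MEM_WRITE and sc & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("wx", name))                # self-modifying / in-place unpacking likely
        if name not in COMMON_SECTION_NAMES:
            findings.append(("nonstandard-name", name))
        if any(not (c.isalnum() or c in "._$") for c in name):
            findings.append(("special-name", name))      # e.g. ')m&' in this report
    return findings


def build_demo_pe() -> bytes:
    """Constructed header only (not app.exe): two sections mirroring the findings."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE signature right after
    opt = bytearray(224)                                 # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    # RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE
    file_chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), file_chars)

    def section(name: bytes, chars: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                                | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
            + section(b")m&", 0x40 | IMAGE_SCN_MEM_READ))   # INITIALIZED_DATA | READ


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    for kind, name in triage_pe(data):
        print(f"{kind:18} {name}")
```

On the demo header this reports relocs-stripped, a W+X `.text`, and a non-standard, special-character name for `)m&`. A non-standard name alone is weak evidence (some compilers and protectors use odd names legitimately); W+X on the main code section plus stripped relocations is the combination worth escalating.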

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,DeviceIoControl,_strcat,_strcat,CloseHandle, \\.\PhysicalDrive%d 0_2_00409F46

Boot Survival

Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,DeviceIoControl,_strcat,_strcat,CloseHandle, \\.\PhysicalDrive%d 0_2_00409F46
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00401660 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_00401660
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040CFF1 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0040CFF1
Source: C:\Users\user\Desktop\app.exe Process information set: NOOPENFILEERRORBOX
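
The call chains listed under Persistence and Boot Survival open `\\.\PhysicalDrive%d` and issue DeviceIoControl on the handle, and the same function (0_2_0040A770) drops a resource to disk via FindResourceA/LoadResource/WriteFile; that is what the boot-sector signature keys on. It is a capability finding from the disassembly: the evasion section records no disk infection in this run, and the sample idled and was sleeping when execution stopped, so a host that ran it may or may not have had its MBR touched. The check a responder wants is whether sector 0 of the system disk still matches a known-good copy. The following is an added example, not part of the report: it parses a 512-byte MBR, validates the 0x55AA signature, lists the partition entries, and compares the boot-code hash with a baseline. The embedded sector is constructed for the demonstration (it is not from app.exe or any real disk); `read_mbr()` opens the raw device and needs administrator rights on Windows.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 boot code, 446..509 partition table, 510..511 signature
PART_TABLE_OFF = 0x1BE
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, boot-code hash and the four 16-byte partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    info = {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:                       # empty slot
            continue
        info["partitions"].append({"index": i, "bootable": status == 0x80,
                                   "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return info


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature (sector overwritten or not an MBR)")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit or wiper)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_demo_mbr() -> bytes:
    """Constructed demo sector: placeholder boot code and one bootable NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\x33\xC0\xFA"            # xor ax,ax ; cli  (stands in for real boot code)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def read_mbr(drive_index: int = 0) -> bytes:
    r"""Windows only, administrator required: read sector 0 of \\.\PhysicalDrive<n>."""
    with open(rf"\\.\PhysicalDrive{drive_index}", "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    good = build_demo_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]     # record this from a known-clean image
    print("clean   :", check_mbr(good, baseline))
    tampered = bytearray(good)
    tampered[0:16] = b"\x90" * 16                       # simulate a patched boot loader
    print("tampered:", check_mbr(bytes(tampered), baseline))
    print("wiped   :", check_mbr(bytes(MBR_SIZE), baseline))
```

The baseline hash has to come from a clean image of the same build (the boot code differs between Windows versions and OEM tools), and a GPT disk has a protective MBR whose boot code may legitimately be all zeros, so compare against the right reference before raising an alarm. The `\device\physicalmemory` strings in the System Summary (NtOpenSection/NtMapViewOfSection) belong to the same family of raw-access techniques; user-mode access to that section has been blocked since Windows Server 2003 SP1, so on any supported Windows the "Could not open \device\physicalmemory" error path is the one that runs.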

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory
Source: app.exe, 00000000.00000003.1976771818.0000000000871000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000002.2021942238.0000000000867000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000003.2021386733.0000000000864000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000003.2021401793.0000000000866000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00408FF2 rdtsc 0_2_00408FF2
Source: C:\Users\user\Desktop\app.exe Code function: __EH_prolog,LoadLibraryA,FreeLibrary,GetAdaptersInfo,_strcat,GetAdaptersInfo, 0_2_00402D69
Source: C:\Users\user\Desktop\app.exe API coverage: 1.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00427361 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00427361
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0243A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree, 0_2_0243A710
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02454B93 FindFirstFileExW, 0_2_02454B93
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0243FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree, 0_2_0243FEC0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041E91D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0041E91D
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00408FF2 rdtsc 0_2_00408FF2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024544E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_024544E2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress, 0_2_0042C59F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0243D430 GetProcessHeap,RtlAllocateHeap, 0_2_0243D430
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041B198 SetUnhandledExceptionFilter, 0_2_0041B198
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041B1AC SetUnhandledExceptionFilter, 0_2_0041B1AC
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_023DEAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree, 0_2_023DEAC0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244E0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0244E0C8
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_024544E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_024544E2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244DC6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0244DC6E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0244DDCA SetUnhandledExceptionFilter, 0_2_0244DDCA
Source: C:\Users\user\Desktop\app.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00409127 cpuid 0_2_00409127
Source: C:\Users\user\Desktop\app.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00401000
Source: C:\Users\user\Desktop\app.exe Code function: GetLocaleInfoA, 0_2_0041E705
Source: C:\Users\user\Desktop\app.exe Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA, 0_2_00429E88
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041C882 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C882
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415DDE EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_00415DDE
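
The rdtsc (0_2_00408FF2) and cpuid (0_2_00409127) findings here, like the push/ret sequences listed in the System Summary, are disassembly findings rather than observed behaviour, and the cheapest way to re-check them on a related sample is a byte scan over its code section for the same opcode patterns. The following is an added example and not part of the report: a scan for rdtsc (0F 31), cpuid (0F A2), `push reg; ret`, `push imm8; retf` and `push es; iretd`, plus a pairing rule that flags two rdtsc reads close together, which is the shape of a timing check (a breakpoint or single-step between the two reads inflates the delta by orders of magnitude). The code blob is constructed for the demonstration; its offsets have nothing to do with app.exe. A linear scan has no notion of instruction boundaries, so hits inside immediates or data are expected, and each one is a candidate to confirm in a disassembler, not a verdict.

```python
import re
from typing import List, Tuple

# Opcode patterns for the findings on this page; raw-byte regexes, DOTALL so '.' matches any byte.
PATTERNS = [
    ("rdtsc",           re.compile(rb"\x0F\x31", re.DOTALL)),
    ("cpuid",           re.compile(rb"\x0F\xA2", re.DOTALL)),
    ("push reg; ret",   re.compile(rb"[\x50-\x57]\xC3", re.DOTALL)),   # push eax..edi ; ret
    ("push imm8; retf", re.compile(rb"\x6A.\xCB", re.DOTALL)),         # push imm8 ; retf
    ("push imm32; ret", re.compile(rb"\x68....\xC3", re.DOTALL)),      # push imm32 ; ret
    ("push es; iretd",  re.compile(rb"\x06\xCF", re.DOTALL)),
]


def scan_opcodes(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, pattern_name) for every match, sorted by address."""
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(code):
            hits.append((base + m.start(), name))
    return sorted(hits)


def rdtsc_pairs(code: bytes, base: int = 0, window: int = 64) -> List[Tuple[int, int]]:
    """Two rdtsc reads within `window` bytes of each other: the timing-check shape."""
    offs = [addr for addr, name in scan_opcodes(code, base) if name == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if 0 < b - a <= window]


def build_demo_code() -> bytes:
    """Constructed x86 bytes (not app.exe): a timing check, a cpuid, and the gadget shapes."""
    return (
        b"\x0F\x31"                      # rdtsc                    (offset 0)
        + b"\x89\xC6"                    # mov esi, eax
        + b"\x90" * 6                    # nops standing in for the timed code
        + b"\x0F\x31"                    # rdtsc                    (offset 10)
        + b"\x29\xF0"                    # sub eax, esi
        + b"\x3D\x00\x10\x00\x00"        # cmp eax, 0x1000
        + b"\x77\x02"                    # ja  +2   -> debugger suspected
        + b"\x0F\xA2"                    # cpuid                    (offset 21)
        + b"\xB8\x10\x20\x30\x00"        # mov eax, 0x302010
        + b"\x50\xC3"                    # push eax ; ret   (obfuscated jmp eax, offset 28)
        + b"\x6A\xA1\xCB"                # push 0FFFFFFA1h ; retf  (as reported, offset 30)
        + b"\x06\xCF"                    # push es ; iretd         (as reported, offset 33)
    )


if __name__ == "__main__":
    blob = build_demo_code()
    for addr, name in scan_opcodes(blob, base=0x00401000):
        print(f"{addr:08X}  {name}")
    for a, b in rdtsc_pairs(blob, base=0x00401000):
        print(f"timing check candidate: rdtsc at {a:08X} and {b:08X}")
```

`push imm8; retf` and `push es; iretd` are almost never real control flow in a Win32 binary; hits like the ones reported at 0_2_0047EC7F and 0_2_024623AD are more likely data or packed bytes that the disassembler fell into, which is itself useful when deciding where the unpacked code starts. cpuid leaf 1 reports the hypervisor-present bit in ECX bit 31, a common companion to rdtsc timing, but the report only records that cpuid executes, not which leaf is queried.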
No contacted IP infos