Windows Analysis Report
autocad.exe

Overview

General Information

Sample name: autocad.exe
Analysis ID: 1445859
MD5: 4c2a76ceee9becfeffe78265166182ba
SHA1: c70b71f7aa367d88c6ec5942269a45cbc66510b3
SHA256: ea139458b4e88736a3d48e81569178fd5c11156990b6a90e2d35f41b1ad9bac1

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Submitted sample is a known malware sample
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)

Classification

  • System is w10x64_ra
  • autocad.exe (PID: 4692 cmdline: "C:\Users\user\Desktop\autocad.exe" MD5: 4C2A76CEEE9BECFEFFE78265166182BA)
    • conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: autocad.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb | source: autocad.exe

System Summary

Source: autocad.exe | Initial file: MD5: 4c2a76ceee9becfeffe78265166182ba Family: xHunt Alias: SectorD01, xHunt Description: xHunt, uncovered by PaloAlto, is an attack campaign on Kuwait shipping and transportation organizations. The names of the tools collected include backdoor tools Sakabota, Hisoka, Netero and Killua. These tools not only use HTTP for their command and control (C2) channels, but some use DNS tunneling or emails to communicate with their C2 as well. References: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/ Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: autocad.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: classification engine | Classification label: clean1.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\autocad.exe | File created: C:\Users\user\AppData\Roaming\WinRAR
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: autocad.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\autocad.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\autocad.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\autocad.exe "C:\Users\user\Desktop\autocad.exe"
Source: C:\Users\user\Desktop\autocad.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\autocad.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\autocad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: autocad.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: autocad.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: autocad.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb | source: autocad.exe
Source: C:\Users\user\Desktop\autocad.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (one line per tactic, three technique cells each; a leading "1" marks a technique matched by one signature):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 File and Directory Discovery; 1 System Information Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
[Behavior graph] ID: 1445859 | Sample: autocad.exe | Start date: 22/05/2024 | Architecture: WINDOWS | Score: 1 | Nodes: start -> autocad.exe (signature: Submitted sample is a known malware sample) -> conhost.exe started

Source | Detection | Scanner | Label | Link
autocad.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1445859
Start date and time: 2024-05-22 17:22:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: autocad.exe
Detection: CLEAN
Classification: clean1.winEXE@2/1@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: autocad.exe
No simulations
No context
Process: C:\Users\user\Desktop\autocad.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5575
Entropy (8bit): 4.307652486098576
Encrypted: false
SSDEEP: 48:w2x1DQ4x+aXpkIykO5svjnjL6zjxMUxyNIzej+o4ChWzCdz4cztK7GT7ZOczJENz:HopocAW0Ma7Ttfz+JLyvKyAK9fLZkLt
MD5: ED9230D5E83F466BFD8741B7E62D659A
SHA1: 2B873F9BF9FF4238BAC1DF6A454FA6EE8D480270
SHA-256: 70EC6342FB4712E23C55067A1CF934F05E059BE9635E38779D09FB601A07EB7E
SHA-512: E5604CC6A1EE77DFE5FE371B4F5704E0CDC5A85E4E48B038CDB2501DEBF357D225F09A30C958329EC71275C9972402DEE2BA6816D84E20A4D561E3B362366171
Malicious: false
Reputation: low
Preview: ..RAR 4.20 Copyright (c) 1993-2012 Alexander Roshal 9 Jun 2012..Trial version Type RAR -? for help....Usage: rar <command> -<switch 1> -<switch N> <archive> <files...>.. <@listfiles...> <path_to_extract\>....<Commands>.. a Add files to archive.. c Add archive comment.. cf Add files comment.. ch Change archive parameters.. cw Write archive comment to file.. d Delete files from archive.. e Extract files to current directory.. f Freshen files in archive.. i[par]=<str> Find string in archives.. k Lock archive.. l[t,b] List archive [technical, bare].. m[f] Move to archive [files only].. p Print file to stdout.. r Repair archive.. rc Reconstruct missing volumes.. rn Rename archived files.. rr[N] Add data recovery record.. rv[N] Create recovery volumes.. s[nam
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 6.324166325898655
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: autocad.exe
File size: 426'496 bytes
MD5: 4c2a76ceee9becfeffe78265166182ba
SHA1: c70b71f7aa367d88c6ec5942269a45cbc66510b3
SHA256: ea139458b4e88736a3d48e81569178fd5c11156990b6a90e2d35f41b1ad9bac1
SHA512: c2d9cfc4c9cf596382e0cbe29e3eefc12a9f9a8f158714aa924360d62d0f4d7b2af9ec3cfca25a40869e4b0b2eaa909afb1378b9c6dcaf139231d70ffe2f40bd
SSDEEP: 6144:32rmLvg3Ao3DIygbCQf/1uuczYi0zhsy4acfy5sRlTrmjgyRcaKM:3LLv5rFCQf/ouMYi09LcDTQcaKM
TLSH: 86946D55EBF400B9F0B7E979CEF64617F6B778491A30874F03AD8A5A1F233609925322
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N....vr..vr..vr..9...vr.....zvr......vr......vr..vs..vr.....evr......vr......vr.Rich.vr.........PE..d...\M.O.........."........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1400446f0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x4FD34D5C [Sat Jun 9 13:19:24 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 4b9cd3ebe4c995fb411345f7fa1d4966
Entrypoint disassembly (Instruction column; the listing is decoded as 32-bit, so the "dec eax", "dec ecx", "dec esp", "inc eax", "inc ecx" and "inc esp" entries are REX prefix bytes of the following x86-64 instruction, not instructions of their own):
dec eax
sub esp, 28h
call 00007FC81967113Ch
dec eax
add esp, 28h
jmp 00007FC81966A2CBh
int3
int3
dec esp
lea ecx, dword ptr [00018245h]
xor eax, eax
dec ecx
mov edx, ecx
inc esp
lea eax, dword ptr [eax+08h]
cmp ecx, dword ptr [edx]
je 00007FC81966A49Dh
inc eax
dec ecx
add edx, eax
cmp eax, 2Dh
jc 00007FC81966A464h
lea eax, dword ptr [ecx-13h]
cmp eax, 11h
jnbe 00007FC81966A478h
mov eax, 0000000Dh
ret
add ecx, FFFFFF44h
mov eax, 00000016h
cmp ecx, 0Eh
inc ecx
cmovbe eax, eax
ret
dec eax
cwde
inc ecx
mov eax, dword ptr [ecx+eax*8+04h]
ret
int3
dec eax
sub esp, 28h
call 00007FC81966BAA8h
dec eax
test eax, eax
jne 00007FC81966A47Bh
dec eax
lea eax, dword ptr [00018357h]
jmp 00007FC81966A476h
dec eax
add eax, 10h
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
call 00007FC81966BA88h
dec eax
test eax, eax
jne 00007FC81966A47Bh
dec eax
lea eax, dword ptr [0001833Bh]
jmp 00007FC81966A476h
dec eax
add eax, 14h
dec eax
add esp, 28h
ret
inc eax
push ebx
dec eax
sub esp, 20h
mov ebx, ecx
call 00007FC81966BA64h
dec eax
test eax, eax
jne 00007FC81966A47Bh
dec eax
lea eax, dword ptr [00018317h]
jmp 00007FC81966A476h
dec eax
add eax, 14h
mov dword ptr [eax], ebx
call 00007FC81966BA4Bh
dec esp
lea edx, dword ptr [000182FFh]
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [ASM] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729
  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x59c44 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x73000 | 0x7218 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6f000 | 0x35dc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x24c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x51600 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x51000 | 0x558 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4fc4e | 0x4fe00 | e1f890ab222e3078143e63a31cf3e5f0 | False | 0.5732681680359938 | data | 6.480990480865944 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x51000 | 0x9e56 | 0xa000 | 79d31b7d0d8c7e1ab1009f63a373f06c | False | 0.4149169921875 | OpenPGP Public Key Version 5 | 5.2082106512561595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0x133a0 | 0x2e00 | 6ceafd513a06b58531ba581d4da2caa0 | False | 0.45779551630434784 | data | 4.726189508461243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6f000 | 0x35dc | 0x3600 | ce5c2d07c1496af8bbfa6733d027c1c9 | False | 0.47605613425925924 | data | 5.613044934632713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x73000 | 0x7218 | 0x7400 | 87c5a65f1ec13bd2063c990be2ee36a1 | False | 0.2458917025862069 | data | 3.4811134604421348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x7da | 0x800 | 1c54ca685dfb2030e6f7d1a014eb38e2 | False | 0.21728515625 | data | 2.197289899211127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0x740c8 | 0x70 | data | English | United States | 0.5535714285714286
RT_STRING | 0x74138 | 0x20e | data | English | United States | 0.47338403041825095
RT_STRING | 0x74348 | 0x50 | data | English | United States | 0.7
RT_STRING | 0x74398 | 0x1d0 | data | English | United States | 0.38362068965517243
RT_STRING | 0x74568 | 0x2b2 | Targa image data - RGB - RLE 32 x 32 x 32 +97 +32 " " | English | United States | 0.30144927536231886
RT_STRING | 0x74820 | 0x28e | data | English | United States | 0.37003058103975534
RT_STRING | 0x74ab0 | 0x298 | data | English | United States | 0.3990963855421687
RT_STRING | 0x74d48 | 0x348 | Targa image data - RGB - RLE 32 x 32 x 32 +45 +32 " " | English | United States | 0.3678571428571429
RT_STRING | 0x75090 | 0x328 | Targa image data - RGB - RLE 32 x 32 x 32 +97 +115 " " | English | United States | 0.33292079207920794
RT_STRING | 0x753b8 | 0x320 | Targa image data - RGB - RLE 32 x 32 x 32 +100 +104 " " | English | United States | 0.3675
RT_STRING | 0x756d8 | 0x2d0 | Targa image data - RGB - RLE 32 x 32 x 32 +101 +112 " " | English | United States | 0.3888888888888889
RT_STRING | 0x759a8 | 0x2ce | Targa image data - RGB - RLE 114 x 114 x 32 +105 +101 " " | English | United States | 0.4052924791086351
RT_STRING | 0x75c78 | 0x39a | data | English | United States | 0.40563991323210413
RT_STRING | 0x76018 | 0x2dc | data | English | United States | 0.3797814207650273
RT_STRING | 0x762f8 | 0x304 | Targa image data - RGB - RLE 32 x 32 x 32 +114 +32 " " | English | United States | 0.3898963730569948
RT_STRING | 0x76600 | 0x322 | data | English | United States | 0.36034912718204487
RT_STRING | 0x76928 | 0x3be | data | English | United States | 0.3058455114822547
RT_STRING | 0x76ce8 | 0x328 | data | English | United States | 0.3997524752475248
RT_STRING | 0x77010 | 0x20a | data | English | United States | 0.45977011494252873
RT_STRING | 0x77220 | 0x1b2 | Targa image data - RGB - RLE 82 x 58 x 32 +82 +79 "P" | English | United States | 0.4631336405529954
RT_STRING | 0x773d8 | 0x16c | Targa image data - RGB - RLE 111 x 116 x 32 +110 +110 "r" | English | United States | 0.4725274725274725
RT_STRING | 0x77548 | 0x1b2 | data | English | United States | 0.4377880184331797
RT_STRING | 0x77700 | 0x17e | Targa image data - RGB - RLE 111 x 116 x 32 +110 +110 "c" | English | United States | 0.5314136125654451
RT_STRING | 0x77880 | 0x17c | data | English | United States | 0.4868421052631579
RT_STRING | 0x77a00 | 0x1c4 | data | English | United States | 0.4314159292035398
RT_STRING | 0x77bc8 | 0x176 | data | English | United States | 0.5133689839572193
RT_STRING | 0x77d40 | 0x178 | data | English | United States | 0.5319148936170213
RT_STRING | 0x77eb8 | 0x186 | data | English | United States | 0.47435897435897434
RT_STRING | 0x78040 | 0x1ac | data | English | United States | 0.48364485981308414
RT_STRING | 0x781f0 | 0x1ca | data | English | United States | 0.4279475982532751
RT_STRING | 0x783c0 | 0x1f2 | data | English | United States | 0.3674698795180723
RT_STRING | 0x785b8 | 0x184 | data | English | United States | 0.4690721649484536
RT_STRING | 0x78740 | 0xcc | Targa image data - RGB - RLE 82 x 58 x 32 +82 +79 "P" | English | United States | 0.6372549019607843
RT_STRING | 0x78810 | 0x22e | data | English | United States | 0.4336917562724014
RT_STRING | 0x78a40 | 0x10c | data | English | United States | 0.6119402985074627
RT_STRING | 0x78b50 | 0x18c | data | English | United States | 0.5353535353535354
RT_STRING | 0x78ce0 | 0x1b8 | Targa image data - RGB - RLE 105 x 116 x 32 +100 +32 "t" | English | United States | 0.45454545454545453
RT_STRING | 0x78e98 | 0x240 | data | English | United States | 0.3472222222222222
RT_STRING | 0x790d8 | 0x21a | data | English | United States | 0.44423791821561337
RT_STRING | 0x792f8 | 0x286 | data | English | United States | 0.3126934984520124
RT_STRING | 0x79580 | 0x284 | data | English | United States | 0.4161490683229814
RT_STRING | 0x79808 | 0x252 | data | English | United States | 0.44107744107744107
RT_STRING | 0x79a60 | 0x190 | Targa image data - RGB - RLE 82 x 58 x 32 +82 +79 "%" | English | United States | 0.47
RT_STRING | 0x79bf0 | 0x2a0 | data | English | United States | 0.45982142857142855
RT_STRING | 0x79e90 | 0x2c8 | Targa image data - RGB - RLE 32 x 32 x 32 +45 +116 " " | English | United States | 0.44241573033707865
RT_STRING | 0x7a158 | 0xbc | data | English | United States | 0.6436170212765957
RT_VERSION | 0x73e10 | 0x2b8 | COM executable for DOS | English | United States | 0.46120689655172414
RT_MANIFEST | 0x73960 | 0x4af | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4603836530442035
DLL | Import
KERNEL32.dll | SetConsoleCtrlHandler, LocalFree, FormatMessageW, CloseHandle, GetCurrentProcess, CreateFileW, BackupRead, BackupSeek, SetFileTime, MoveFileW, FlushFileBuffers, SetFilePointer, SetEndOfFile, GetFileTime, GetFileType, CreateFileA, ReadFile, WriteFile, GetDriveTypeA, GetDiskFreeSpaceA, GetVolumeInformationA, GetFileAttributesA, GetFileAttributesW, SetFileAttributesA, SetFileAttributesW, MoveFileA, DeleteFileA, DeleteFileW, RemoveDirectoryA, RemoveDirectoryW, DeviceIoControl, CreateDirectoryA, CreateDirectoryW, ExpandEnvironmentStringsW, ExpandEnvironmentStringsA, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetVersionExW, CreateThread, Sleep, GetProcessAffinityMask, WaitForSingleObject, SetEvent, ResetEvent, SetThreadPriority, GetCurrentThread, WaitForMultipleObjects, CreateEventW, GetFullPathNameA, GetFullPathNameW, GetModuleFileNameA, GetModuleFileNameW, MultiByteToWideChar, SetErrorMode, FreeLibrary, LoadLibraryW, LoadLibraryExW, GetCurrentProcessId, CompareStringA, SetPriorityClass, SetCurrentDirectoryA, GetCurrentDirectoryA, LocalFileTimeToFileTime, FileTimeToSystemTime, FileTimeToLocalFileTime, WideCharToMultiByte, CompareStringW, IsDBCSLeadByte, GetCPInfo, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, SetEnvironmentVariableA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryW, GetTickCount, GetSystemTime, SystemTimeToFileTime, GetStdHandle, GetConsoleMode, SetConsoleMode, ReadConsoleW, GetCommandLineW, GetModuleHandleW, GetProcAddress, ExitThread, SetLastError, GetStringTypeW, GetStringTypeA, GetConsoleCP, GetSystemTimeAsFileTime, QueryPerformanceCounter, HeapFree, HeapReAlloc, HeapAlloc, RtlLookupFunctionEntry, RtlUnwindEx, ExitProcess, RaiseException, RtlPcToFileHeader, GetCommandLineA, HeapSetInformation, HeapCreate, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlCaptureContext, EncodePointer, DecodePointer, FlsGetValue, FlsSetValue, FlsFree, GetCurrentThreadId, FlsAlloc, GetACP, GetOEMCP, IsValidCodePage, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapSize, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, LCMapStringW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetStartupInfoA
USER32.dll | CharLowerW, ExitWindowsEx, CharUpperA, CharLowerA, LoadStringW, CharUpperW, CharToOemBuffW, CharToOemBuffA, OemToCharA, OemToCharBuffA, CharToOemA
ADVAPI32.dll | RegQueryValueExW, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetFileSecurityW, GetFileSecurityA, GetSecurityDescriptorLength, SetFileSecurityW, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHGetMalloc, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHFileOperationW
Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found

Target ID: 0
Start time: 11:22:38
Start date: 22/05/2024
Path: C:\Users\user\Desktop\autocad.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\autocad.exe"
Imagebase: 0x7ff785da0000
File size: 426'496 bytes
MD5 hash: 4C2A76CEEE9BECFEFFE78265166182BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 11:22:38
Start date: 22/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly