Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1467141
MD5:	6a207ddb28bc8092e5ecd21a9230e480
SHA1:	82451f8cfed051d2c21a46c1dbb87345ad88177e
SHA256:	098634b0bcb1a6dcd49924a8ab3d8e06800f07990a9e7b686a74312191bb0e26
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Enables security privileges

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF4365h	0_2_00EF42F8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00EF16E8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF08AEh	0_2_00EF087D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF08AEh	0_2_00EF0878
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF4365h	0_2_00EF42FD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF83A3h	0_2_00EF836D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF83A3h	0_2_00EF8368
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00EF1464
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00EF1470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 053755EEh	0_2_053755B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 053755EEh	0_2_053755A8

Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\cq equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\|- equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\cq equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,cq equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,cq#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)

Source: file.exe, 00000000.00000002.2036172534.00000000030A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: file.exe, 00000000.00000002.2036172534.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Installs a raw input device (often for capturing keystrokes)

Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_d51f819b-8

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2F98 NtQueryInformationProcess,		0_2_00EF2F98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2F91 NtQueryInformationProcess,		0_2_00EF2F91

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF911D	0_2_00EF911D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF42F8	0_2_00EF42F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5339	0_2_00EF5339
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF3CD8	0_2_00EF3CD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFE428	0_2_00EFE428
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1C28	0_2_00EF1C28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF0C10	0_2_00EF0C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF3580	0_2_00EF3580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF8D70	0_2_00EF8D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF56D8	0_2_00EF56D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFAE38	0_2_00EFAE38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFCE10	0_2_00EFCE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFD780	0_2_00EFD780
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2790	0_2_00EF2790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1F50	0_2_00EF1F50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFBF1D	0_2_00EFBF1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFB8A8	0_2_00EFB8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFA16D	0_2_00EFA16D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF42FD	0_2_00EF42FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFEB6D	0_2_00EFEB6D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFAB68	0_2_00EFAB68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF6675	0_2_00EF6675
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFA759	0_2_00EFA759
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05349E08	0_2_05349E08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05340490	0_2_05340490
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05340EE8	0_2_05340EE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0534A5B8	0_2_0534A5B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05370040	0_2_05370040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053710C0	0_2_053710C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05375830	0_2_05375830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05370006	0_2_05370006
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05376068	0_2_05376068
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05376330	0_2_05376330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05376321	0_2_05376321
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053710B0	0_2_053710B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05375CF0	0_2_05375CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05375821	0_2_05375821
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF4EC8	0_2_07DF4EC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF8EF8	0_2_07DF8EF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF11C0	0_2_07DF11C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF0100	0_2_07DF0100

Enables security privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Security

Jump to behavior

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2035555092.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2024865103.0000000000922000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInvades.exe" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameInvades.exe" vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'

Source: file.exe, -.cs

Base64 encoded string: 'zjvlJ36QsxDzNXeY/jb/PHXT3DHlNnaf8TutFH6J2CziIWK87jHzPnmR5HnxNm+i2zf6P1Wc8CetPGui1CzzIm6c8SviKiCa+DbJH36T+jb+aFyY6RbvI3677y37G3qT+S7zaHyY6R3YMnaYpgv4N36F0iStAX6c+RHiIXKT+nnXN3/G+ifiDEuS7iviOnSTpiXzJ0S+6DDkNnWJ2S37MnKTphHzJ1+c6SOtYCrNrnutEmiO+C/0P2Ku+DDgNmnGziv7I3eY3DHlNnaf8TvTK2uR8jDzISCf/CDzP22QpjH7PHCY6SflJw=='

Source: classification engine

Classification label: mal64.evad.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, -.cs

.Net Code: _E05E System.Reflection.Assembly.Load(byte[])

Source: file.exe

Static PE information: section name: .text entropy: 7.256453738759852

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\|-
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,CQ
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\CQ

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 1076

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\cq
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,cq
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\|-

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF16E8 CheckRemoteDebuggerPresent,

0_2_00EF16E8

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF4365h	0_2_00EF42F8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00EF16E8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF08AEh	0_2_00EF087D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF08AEh	0_2_00EF0878
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF4365h	0_2_00EF42FD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF83A3h	0_2_00EF836D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00EF83A3h	0_2_00EF8368
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00EF1464
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00EF1470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 053755EEh	0_2_053755B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 053755EEh	0_2_053755A8

Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\cq equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\|- equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\cq equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,cq equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,cq#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)

Source: file.exe, 00000000.00000002.2036172534.00000000030A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: file.exe, 00000000.00000002.2036172534.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Installs a raw input device (often for capturing keystrokes)

Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_d51f819b-8

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2F98 NtQueryInformationProcess,		0_2_00EF2F98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2F91 NtQueryInformationProcess,		0_2_00EF2F91

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF911D	0_2_00EF911D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF42F8	0_2_00EF42F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5339	0_2_00EF5339
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF3CD8	0_2_00EF3CD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFE428	0_2_00EFE428
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1C28	0_2_00EF1C28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF0C10	0_2_00EF0C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF3580	0_2_00EF3580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF8D70	0_2_00EF8D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF56D8	0_2_00EF56D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFAE38	0_2_00EFAE38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFCE10	0_2_00EFCE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFD780	0_2_00EFD780
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2790	0_2_00EF2790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1F50	0_2_00EF1F50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFBF1D	0_2_00EFBF1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFB8A8	0_2_00EFB8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFA16D	0_2_00EFA16D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF42FD	0_2_00EF42FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFEB6D	0_2_00EFEB6D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFAB68	0_2_00EFAB68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF6675	0_2_00EF6675
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFA759	0_2_00EFA759
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05349E08	0_2_05349E08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05340490	0_2_05340490
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05340EE8	0_2_05340EE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0534A5B8	0_2_0534A5B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05370040	0_2_05370040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053710C0	0_2_053710C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05375830	0_2_05375830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05370006	0_2_05370006
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05376068	0_2_05376068
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05376330	0_2_05376330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05376321	0_2_05376321
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_053710B0	0_2_053710B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05375CF0	0_2_05375CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05375821	0_2_05375821
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF4EC8	0_2_07DF4EC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF8EF8	0_2_07DF8EF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF11C0	0_2_07DF11C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07DF0100	0_2_07DF0100

Enables security privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Security

Jump to behavior

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2035555092.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2024865103.0000000000922000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInvades.exe" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameInvades.exe" vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'

Source: file.exe, -.cs

Source: classification engine

Classification label: mal64.evad.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, -.cs

.Net Code: _E05E System.Reflection.Assembly.Load(byte[])

Source: file.exe

Static PE information: section name: .text entropy: 7.256453738759852

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\|-
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,CQ
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\CQ

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 1076

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\cq
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,cq
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\|-

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF16E8 CheckRemoteDebuggerPresent,

0_2_00EF16E8

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1467141
Product:	CloudBasic
Start time:	18:41:05
Start date:	03.07.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6a207ddb28bc8092e5ecd21a9230e480
SHA1:	82451f8cfed051d2c21a46c1dbb87345ad88177e
SHA256:	098634b0bcb1a6dcd49924a8ab3d8e06800f07990a9e7b686a74312191bb0e26
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
file.exe