Windows Analysis Report
filedata.exe

Overview

General Information

Sample name: filedata.exe
(renamed file extension from none to exe)
Original sample name: filedata
Analysis ID: 1467815
MD5: 7794b42506387d60de24b9c86dc835ee
SHA1: ef90fd11ba251cc7390993e7fb06627e1e35696c
SHA256: fa341b1799bc1f666359ed075ef1873b3482ab24d9d6de7f2ec6b70b9faad717

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: filedata.exe Avira: detected
Source: filedata.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: filedata.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\DevRepos\ProfessionalServices\PEAC\Projects\Custom\PSImport\obj\Debug\PEACPSImport.pdb source: filedata.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: filedata.exe, 00000000.00000002.3279089458.0000000000B32000.00000004.00000020.00020000.00000000.sdmp
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: filedata.exe String found in binary or memory: http://www.archivesystems.com/
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_0995D2A8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0995D2A8
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_0102C1B8 0_2_0102C1B8
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_071EE0B0 0_2_071EE0B0
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_071E3F20 0_2_071E3F20
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_071E0F18 0_2_071E0F18
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_071E3F10 0_2_071E3F10
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_071E0F07 0_2_071E0F07
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_09959A49 0_2_09959A49
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_09956CA0 0_2_09956CA0
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_09955C18 0_2_09955C18
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_09959A49 0_2_09959A49
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_09955C18 0_2_09955C18
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_09981348 0_2_09981348
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesystem.data.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279089458.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorlib.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,\\StringFileInfo\\000004B0\\OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Core.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Xml.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs filedata.exe
Source: filedata.exe, 00000000.00000000.2032970445.0000000000650000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe
Source: filedata.exe Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe
Source: filedata.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\filedata.exe Mutant created: NULL
Source: filedata.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: filedata.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\filedata.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\filedata.exe File read: C:\Users\user\Desktop\filedata.exe
Source: C:\Users\user\Desktop\filedata.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\filedata.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\filedata.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: filedata.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: filedata.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: filedata.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\DevRepos\ProfessionalServices\PEAC\Projects\Custom\PSImport\obj\Debug\PEACPSImport.pdb source: filedata.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: filedata.exe, 00000000.00000002.3279089458.0000000000B32000.00000004.00000020.00020000.00000000.sdmp
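Added worked example, not part of the sandbox report: a standard-library Python parser that re-derives the static PE facts listed above (COFF Characteristics, DllCharacteristics, .text section flags, the IMAGE_DIRECTORY_ENTRY_DEBUG and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directories, and the CodeView PDB path) from raw bytes, so the same attributes can be checked on a copy of the sample without the sandbox. The flag tables are the documented PE constants. The PE image built by build_sample_pe() and its PDB path are constructed fixtures for offline execution; they are not taken from filedata.exe.

```python
"""Static PE triage helper. Added example, not part of the sandbox report.

Re-derives from raw bytes the static facts a sandbox lists (COFF Characteristics,
DllCharacteristics, section flags, DEBUG and COM_DESCRIPTOR directories, CodeView PDB
path) using the standard library only. build_sample_pe() is a constructed fixture that
mimics a 32-bit .NET executable; its PDB path is a placeholder, not a real artifact.
"""
import json, struct, sys

FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_DEBUG, DIR_COM_DESCRIPTOR, DEBUG_TYPE_CODEVIEW = 6, 14, 2


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def inspect_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]        # same offset in PE32/PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs_off = opt + (112 if pe32plus else 96)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) if i < ndirs else (0, 0)
            for i in range(16)]

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "flags": _flags(flags, SECTION_FLAGS)})

    def rva_to_off(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["raw"]
        raise ValueError(f"RVA {rva:#x} is outside every section")

    # IMAGE_DEBUG_DIRECTORY entries are 28 bytes; a CodeView 'RSDS' blob carries the PDB path
    pdb_path = None
    dbg_rva, dbg_size = dirs[DIR_DEBUG]
    for n in range(dbg_size // 28):
        _, _, _, _, dtype, dsize, _, raw = struct.unpack_from(
            "<IIHHIIII", data, rva_to_off(dbg_rva) + 28 * n)
        if dtype == DEBUG_TYPE_CODEVIEW and data[raw:raw + 4] == b"RSDS":
            blob = data[raw + 24:raw + dsize]                      # skip signature, GUID, age
            pdb_path = blob.split(b"\0", 1)[0].decode("utf-8", "replace")

    com_rva, com_size = dirs[DIR_COM_DESCRIPTOR]
    return {"machine": machine, "file_characteristics": _flags(chars, FILE_FLAGS),
            "dll_characteristics": _flags(dll_chars, DLL_FLAGS), "sections": sections,
            "has_debug_dir": dbg_size > 0, "pdb_path": pdb_path,
            "is_dotnet": com_rva != 0 and com_size != 0}         # CLR header present


def build_sample_pe(pdb_path=r"C:\build\Example\obj\Debug\Example.pdb") -> bytes:
    """Constructed fixture: PE32, one .text section, DEBUG and COM_DESCRIPTOR directories."""
    text_rva, text_raw, text_size = 0x2000, 0x200, 0x200
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)   # i386, EXECUTABLE|32BIT
    dirs = [(0, 0)] * 16
    dirs[DIR_DEBUG] = (text_rva, 28)
    dirs[DIR_COM_DESCRIPTOR] = (text_rva + 0x100, 72)
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 48, 0,
                      text_size, 0, 0, text_rva, text_rva, 0, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0,
                      3, 0x8560,         # CUI subsystem; DllCharacteristics as in the report
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                      0, 0, 0, 0, 0x60000020)                         # CODE|EXECUTE|READ
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0")
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    text = bytearray(text_size)
    text[:28] = struct.pack("<IIHHIIII", 0, 0, 0, 0, DEBUG_TYPE_CODEVIEW, len(rsds),
                            text_rva + 0x40, text_raw + 0x40)
    text[0x40:0x40 + len(rsds)] = rsds
    return headers + bytes(text)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(inspect_pe(blob), indent=2))
```

Run with no argument to inspect the constructed fixture, or pass the path of a local copy of the sample as the first argument. The DllCharacteristics value 0x8560 (HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) together with a populated COM descriptor is the usual header layout of a .NET compiler build; a non-empty pdb_path is a compiler-emitted build path, so the PEACPSImport.pdb string above is evidence about where the sample was built, not about its behaviour.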
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_0102E732 push eax; ret 0_2_0102E739
Source: C:\Users\user\Desktop\filedata.exe Code function: 0_2_071E64C0 push eax; iretd 0_2_071E6511
Source: C:\Users\user\Desktop\filedata.exe Process information set: NOOPENFILEERRORBOX (45 occurrences)
Source: C:\Users\user\Desktop\filedata.exe Memory allocated: FB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\filedata.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\filedata.exe Memory allocated: 4960000 memory reserve | memory write watch
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\filedata.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Users\user\Desktop\filedata.exe VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\filedata.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos