Windows Analysis Report
68#U2591.exe

Overview

General Information

Sample name: 68#U2591.exe
renamed because original name is a hash value
Original sample name: .exe
Analysis ID: 1467849
MD5: 22342e77c7b9c74bccf3eb48621e3e4b
SHA1: 68577e7840691d8a0c8533f0c703f13432cad144
SHA256: 3d686d48bf794ce3814f7001c4f5916733acf2eeab5140e373e0bd863f105a25
Tags: DCRATexe
Infos:

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain (date check)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)

Classification

Source: 68#U2591.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 68#U2591.exe
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC0B190 SetDlgItemTextW,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7FEC0B190
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEBF40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7FEBF40BC
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC1FCA0 FindFirstFileExA, 0_2_00007FF7FEC1FCA0
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC07D10 SetWindowLongPtrW,NtdllDefWindowProc_W,NtdllDefWindowProc_W, 0_2_00007FF7FEC07D10
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEBEC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7FEBEC2F0
Source: C:\Users\user\Desktop\68#U2591.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEBEB6D8 GetLastError,FormatMessageW,LocalFree, 0_2_00007FF7FEBEB6D8
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC08624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00007FF7FEC08624
Source: 68#U2591.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\68#U2591.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\68#U2591.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\68#U2591.exe File read: C:\Users\user\Desktop\68#U2591.exe
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: msiso.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: ehstorshell.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: cscui.dll
Source: C:\Users\user\Desktop\68#U2591.exe Section loaded: networkexplorer.dll
Source: C:\Users\user\Desktop\68#U2591.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\68#U2591.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 68#U2591.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 68#U2591.exe Static file information: File size 3200437 > 1048576
Source: 68#U2591.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 68#U2591.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 68#U2591.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 68#U2591.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 68#U2591.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 68#U2591.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 68#U2591.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 68#U2591.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 68#U2591.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 68#U2591.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 68#U2591.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 68#U2591.exe Static PE information: section name: .didat
Source: 68#U2591.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC25166 push rsi; retf 0_2_00007FF7FEC25167
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC25156 push rsi; retf 0_2_00007FF7FEC25157
Source: C:\Users\user\Desktop\68#U2591.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\68#U2591.exe Memory allocated: 1D80A200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\68#U2591.exe Memory allocated: 1D80E880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\68#U2591.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC116A4 VirtualQuery,GetSystemInfo, 0_2_00007FF7FEC116A4
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC176D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7FEC176D8
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC20D20 GetProcessHeap, 0_2_00007FF7FEC20D20
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC13354 SetUnhandledExceptionFilter, 0_2_00007FF7FEC13354
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC12510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7FEC12510
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC13170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7FEC13170
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEBFDC70 cpuid 0_2_00007FF7FEBFDC70
Source: C:\Users\user\Desktop\68#U2591.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00007FF7FEC0A2CC
Source: C:\Users\user\Desktop\68#U2591.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\68#U2591.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\68#U2591.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\68#U2591.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\68#U2591.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEC10754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7FEC10754
Source: C:\Users\user\Desktop\68#U2591.exe Code function: 0_2_00007FF7FEBF4EB0 GetVersionExW, 0_2_00007FF7FEBF4EB0
No contacted IP infos